
Compliance

GDPR, data residency, SOC 2 readiness, PIPEDA, and regulatory compliance information.

Data Residency

BackupEngine lets you choose at signup where your backup data is stored. Once selected, your data never leaves the chosen region. This is a hard architectural guarantee, not a policy-based control.

  • United States: Data stored in US-based iDrive e2 data centers.
  • Canada: Data stored in Canadian data centers. Meets PIPEDA and Canadian data sovereignty requirements.
  • European Union: Data stored in EU data centers. Designed to meet GDPR data residency requirements.
  • Your region choice is permanent for the lifetime of your account. Contact support if you need to migrate regions.
  • Metadata (file names, sizes, backup timestamps) is stored in Supabase, hosted in Canada.

ℹ Note

Even metadata stored in Supabase is protected by encryption in transit (TLS 1.3) and at rest. File names in metadata can optionally be encrypted with your encryption key if you enable the encrypted metadata option in Settings.

GDPR Compliance

BackupEngine is designed with GDPR compliance in mind for users in the European Union and the European Economic Area.

  • Data minimization: BackupEngine collects only the data necessary to provide the backup service (email, device info, backup metadata).
  • Right to erasure: Users can delete their account and all associated backup data from the Customer Portal. Deletion is permanent and irreversible.
  • Data portability: Users can export their backup data at any time using the restore functionality.
  • Consent: Clear consent is obtained during account creation. No pre-checked boxes.
  • Data Processing Agreement (DPA): Available upon request for business customers.
  • Sub-processors: A current list of sub-processors (Supabase, iDrive, Stripe) is maintained and available in the privacy policy.

PIPEDA Compliance

For Canadian users and organizations, BackupEngine is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

  • Canadian data residency option ensures backup data is stored within Canada.
  • Meaningful consent is obtained for all data collection and processing.
  • Users can access, correct, and delete their personal information at any time.
  • Data breach notification: BackupEngine will notify affected users and the Privacy Commissioner within 72 hours of discovering a qualifying breach.
  • Accountability: BackupEngine has designated a privacy officer responsible for PIPEDA compliance.

SOC 2 Readiness

BackupEngine is pursuing SOC 2 Type II certification. The following controls are already in place as part of our SOC 2 readiness program.

  • Access controls: Role-based access, mandatory MFA, principle of least privilege for all internal systems.
  • Encryption: AES-256-GCM client-side encryption, TLS 1.3 in transit, encryption at rest in storage.
  • Monitoring: Real-time security monitoring, intrusion detection, and automated alerting.
  • Audit logging: All administrative actions, data access, and configuration changes are logged with immutable audit trails.
  • Incident response: Documented incident response plan with defined escalation paths and communication procedures.
  • Vendor management: All sub-processors are evaluated for security posture and compliance.

💡 Tip

For enterprise customers requiring compliance documentation, contact our sales team for access to our security whitepaper, completed security questionnaires, and Data Processing Agreement templates.