Data Transfer Impact Assessment

Last Updated: May 1, 2023

MoveData takes the protection of our customers’ information seriously. We have taken steps to comply with applicable EU and UK law regarding international data transfers.

1. What products and services does MoveData provide?

MoveData provides subscriptions to our “software as a service” (SaaS) platform to automate workflows, transfer data, and provide other functionalities available to our customers as part of the MoveData platform (“MoveData Services”).

2. What types of personal data does MoveData process?

Our customers control the types of personal data they provide to us in connection with their use of MoveData Services. Accordingly, the types of personal data we process include any personal data that a customer uploads to MoveData Services. Customers are responsible for compliance requirements that may apply to such uploaded data, including ensuring a lawful basis for processing. The exact nature of the processed data varies per MoveData Service and each customer’s own use cases. MoveData processes personal data governed by European data protection laws as a data processor (on behalf of our customers), in accordance with our obligations under MoveData’s Data Processing Addendum.

3. Where do we store and otherwise process data?

We store and otherwise process personal data in Australia via Amazon Web Services. We also store data with our subprocessors. Information about our subprocessors and their locations is available here.

4. What controls do we have in place with subprocessors?

We make onward transfers to subprocessors and take steps to agree to appropriate transfer safeguards, such as relevant standard contractual clauses, with each subprocessor. We take measures to evaluate the privacy and security practices of our subprocessors, including:

  • Each subprocessor is required to agree to a data processing agreement
  • We evaluate the data privacy and security practices of each subprocessor prior to engaging and onboarding such subprocessors
  • We conduct periodic audits of key subprocessors throughout the terms of our respective agreements with them

5. How long is data retained?

Information regarding data retention and deletion is available here.

6. How do we manage requests from data subjects to exercise their GDPR rights?

We have processes to receive, analyse, and respond to data subject requests. Additionally, our customers may delete and export data from their MoveData Services account by raising a support ticket with MoveData.

7. How do we respond to government requests to access personal data of our customers?

As of the “last updated” date at the top of this page, MoveData has never received a data access request in connection with MoveData Services.

If we were to receive a request from a governmental authority for personal data that we process on behalf of a customer, we would promptly notify the customer, unless prohibited by law from doing so. In any such notice, we would include information about the personal data requested, the requesting authority, the legal basis for the request, and the response provided. Where legally permissible, we would also notify the customer if we became aware of any direct access by public authorities to personal data that we process on behalf of such customer.

If we were to be prohibited by law from doing so, we would use reasonable efforts to obtain a waiver of the prohibition with a view to communicating as much information as possible to our customer in an expeditious manner.

8. What measures does MoveData take to protect personal data?

MoveData undertakes technical and organisational measures to secure customer data, as well as security measures, including encryption, which are further described here.

MoveData’s contractual measures are set out in our Data Processing Addendum. These include:

  • Technical measures: MoveData is contractually obligated to have in place appropriate technical and organisational measures to safeguard personal data.
  • Transparency: MoveData is obligated to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority. In the event MoveData is legally prohibited from making such a disclosure, we will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.
  • Actions to challenge access: MoveData is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.

MoveData will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.