Trust & compliance

Data Protection

Last updated: 19 June 2026
Harmonova handles customs and trade data for businesses that expect it to be protected properly. This page sets out how Harmonova approaches data protection, the role we play when we handle your data, the safeguards we apply, the sub-processors we rely on, and how we help you meet your own obligations under the GDPR, the Australian Privacy Principles, and other applicable laws. For how we handle personal data as a controller, see our Privacy Policy.
01

Encrypted by default

Data is encrypted in transit (TLS) and at rest. Secrets are stored using envelope encryption with rotation.

02

Least-privilege access

Access to production data is scoped, authenticated, and logged. Only personnel who need it have it.

03

Vetted sub-processors

Every vendor that touches data is bound by a data-processing contract with appropriate safeguards.

04

Your data, your control

You keep ownership of your data, can export it, and can ask us to delete it when you stop using the Service.

01 Our role: controller and processor

Data protection law distinguishes between the controller (who decides why and how data is processed) and the processor (who processes data on the controller's instructions).

  • For data about visitors, account holders, and prospective customers, Harmonova is the controller. How we handle that data is described in our Privacy Policy.
  • For data you submit through the platform to be processed on your behalf (for example, catalogue and shipment data sent for classification), we act as your processor, and you are the controller. We process that data only to provide the Service and on your documented instructions.

02 What we process on your behalf

When acting as your processor, we process the categories of data you submit to obtain a result, which is generally commercial product and shipment data (descriptions, HS codes, prices, origins, quantities) and the account identifiers needed to attribute and secure the request. Where that data contains personal data, we process it only to provide, secure, and support the Service for the duration of our agreement with you.

We do not use catalogue data submitted for classification to train third-party AI models, and we do not sell it.

03 Sub-processors

We rely on a small set of vendors to run the Service. Each is bound by a contract requiring it to protect data and to process it only as needed to provide its service to us.

Sub-processors and the regions where they process data
Sub-processorPurposeRegion
CloudflareHosting (Pages), CDN, edge delivery, DNS, and privacy-first web analyticsGlobal edge network; Australia points of presence
Fly.ioApplication hosting and computeSydney, Australia
NeonManaged PostgreSQL databaseSydney, Australia (ap-southeast-2)
UpstashManaged Redis cache and job queueAsia-Pacific (Sydney)
ClerkAuthentication and user / session managementUnited States
StripeBilling and payment processingUnited States / global
ResendTransactional and support email deliveryUnited States
AnthropicAI classification inference (Claude; zero data retention, no training on your data)United States

We give notice of changes to this list as required by our agreements, so you can object to a new sub-processor where you have that right.

04 International transfers

We may process data in countries other than your own. Where we transfer personal data out of the EEA, the UK, or Australia, we rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses (and the UK Addendum), or transfers to countries recognised as providing adequate protection, together with supplementary measures where needed.

05 Security measures

We maintain technical and organisational measures appropriate to the risk, including:

  • encryption of data in transit (TLS) and at rest;
  • scoped, authenticated access to production systems, with access logging;
  • secret management with envelope encryption and key rotation;
  • network controls, rate limiting, and monitoring of the Service;
  • regular dependency and security updates, and least-privilege defaults;
  • backups and recovery procedures for core data.

No method of transmission or storage is completely secure; we work to protect data but cannot guarantee absolute security.

06 Helping you meet your obligations

As your processor, we assist you, taking into account the nature of the processing, with:

  • responding to requests from individuals to access, correct, delete, or port their data;
  • security of processing, breach notification, and data protection impact assessments;
  • returning or deleting data at the end of our agreement, except where retention is required by law.

07 Data breach notification

If we become aware of a personal data breach affecting data we process for you, we will notify you without undue delay after becoming aware, and provide the information you reasonably need to meet your own notification obligations.

08 Data Processing Agreement

If you require a Data Processing Agreement (DPA), including the Standard Contractual Clauses, one is available on request — contact [email protected]. Where signed, the DPA governs our processing of personal data on your behalf and prevails over any conflicting terms on this page.

09 Compliance posture

Our practices are designed to be aware of, and to support your compliance with, the following frameworks. These are alignment statements, not certifications; we do not claim a certification we do not hold.

GDPR / UK GDPR aware Australian Privacy Act / APPs aware CCPA / CPRA aware Encryption in transit & at rest

10 Contact

For data protection questions, DPA requests, or to report a concern, contact Harmonova at [email protected].