medOS ultra

Multi-Country Residency & Compliance

Data-residency and compliance posture across target jurisdictions (posture/design, not legal advice).

4 min read diagramsUpdated 2026-06-04docs/architecture/multi-country-residency-compliance.md

Status: Posture / design — NOT legal advice. Every specific below (frameworks, retention, cross-border rules) must be verified with counsel + the relevant authority for the target deployment. Phase H of data-activation-twin-go-live-master.md; complements its §4 (China) / §5 (Australia) and the per-pack complianceProfile in each infrastructure/market-packs/medos-*/manifest.json.

The posture model (data, not code)

Each market pack declares a complianceProfile — the deployment reads it; no per-country code branches:

Field Meaning
dataResidency where the read model + backend must run (local_only / china_pipl / australia_onshore / …) — not just the write path
retentionDays minimum record retention
requiresConsentUpload consent artifact required before PHI migration
requiresDpia a DPIA/PIA is required
phiMaskingLevel strict / pipl_sensitive_pi / …

The twin’s de-identified aggregate (sync_health_aggregate, facility_hash not hospcode) is the only thing designed to cross a tier — and even that must terminate in-jurisdiction where residency is hard (see China).

Per-country snapshot

Country dataResidency Hardness Key frameworks Retention (verify) Cross-border de-id emit
Thailand local_only baseline PDPA; NHSO 43-file per policy OK within design
Philippines local_only baseline Data Privacy Act; PhilHealth per policy OK within design
Japan local_only moderate APPI; MHLW per policy OK within design
China china_pipl hard PIPL + Cybersecurity Law + Data Security Law inpatient ~30y (10950) terminate in-country; cross-border triggers CAC assessment
Australia australia_onshore soft–moderate Privacy Act 1988 + APPs; My Health Records Act 2012; state Acts; NDB adult ~7y (2555), minors→25 onshore stack; far less fraught than CN

China — the hard wall

  • Localization (PIPL + CSL + DSL). Personal/health information is sensitive personal information and plausibly “important data” — store in-country. The medOS read model (Supabase/Postgres + edge functions), not just the write path, must run in a China region.
  • Cross-border transfer. Even the de-identified aggregate leaving to an offshore tier can constitute a cross-border transfer requiring a CAC security assessment / standard contract / certification. The roll-up tier must terminate inside China (the twin_rollup_sync_health in-cloud path keeps it local).
  • Cloud + LLM. Foreign Supabase (AWS global) + foreign LLM weights are non-starters as-is — need a China-region stack, ICP filing, and ideally a domestic LLM for the narrative layer.
  • Retention. 10950 days (~30y) reflects the inpatient-record maximum under 医疗机构病历管理规定; outpatient is shorter — confirm.
  • Crypto-shred gap. PIPL key-erasure leans on crypto-shredding, which the platform currently disavows (“EVFS is a UI label string”, hospital-decision-twin.md §4) — close before promising key-erasure.

Australia — the soft wall

  • Privacy regime. Privacy Act 1988 + Australian Privacy Principles, plus My Health Records Act 2012 and state health-records legislation (e.g. Victoria’s Health Records Act 2001, NSW) — confirm which jurisdiction(s) apply.
  • Onshore expectation. Health-data onshoring is a near-universal procurement requirement rather than an absolute statutory ban — but in practice means an ap-southeast-2 read model + backend.
  • NDB. The Notifiable Data Breaches scheme applies — wire a breach-notification runbook before go-live.
  • Cross-border de-id emit is far less fraught than China, but should still land onshore for a clean procurement story.
  • Retention. 2555 days (~7y) is the common adult baseline; minors are commonly retained until age 25 and states differ — confirm per jurisdiction.

Deployment implications

  1. In-region stack per hard-residency country (CN mandatory; AU expected): region-pin Supabase + backend; for CN add ICP + domestic LLM + in-country roll-up termination.
  2. The twin stays compliant by construction — raw never leaves the node; only the de-identified aggregate rolls up, and where residency is hard that roll-up terminates in-jurisdiction.
  3. Per-pack, not per-branch — adding a country = a new complianceProfile + region pin + (where needed) a legal review, not new application code.

Open items (verify before any production)

  • CN: confirm the cross-border mechanism (assessment vs standard contract vs certification) for the de-id aggregate, and the in-country LLM choice.
  • AU: confirm the binding jurisdiction(s), retention per state, and the onshore region contractually.
  • Both: retention + breach-notification runbooks; consent-artifact capture wired to requiresConsentUpload.
Ask Anything