Multi-Country Residency & Compliance
Data-residency and compliance posture across target jurisdictions (posture/design, not legal advice).
Status: Posture / design — NOT legal advice. Every specific below (frameworks, retention, cross-border rules) must be verified with counsel + the relevant authority for the target deployment. Phase H of
data-activation-twin-go-live-master.md; complements its §4 (China) / §5 (Australia) and the per-packcomplianceProfilein eachinfrastructure/market-packs/medos-*/manifest.json.
The posture model (data, not code)
Each market pack declares a complianceProfile — the deployment reads it; no per-country code branches:
| Field | Meaning |
|---|---|
dataResidency |
where the read model + backend must run (local_only / china_pipl / australia_onshore / …) — not just the write path |
retentionDays |
minimum record retention |
requiresConsentUpload |
consent artifact required before PHI migration |
requiresDpia |
a DPIA/PIA is required |
phiMaskingLevel |
strict / pipl_sensitive_pi / … |
The twin’s de-identified aggregate (sync_health_aggregate, facility_hash not hospcode) is the only thing designed to cross a tier — and even that must terminate in-jurisdiction where residency is hard (see China).
Per-country snapshot
| Country | dataResidency | Hardness | Key frameworks | Retention (verify) | Cross-border de-id emit |
|---|---|---|---|---|---|
| Thailand | local_only |
baseline | PDPA; NHSO 43-file | per policy | OK within design |
| Philippines | local_only |
baseline | Data Privacy Act; PhilHealth | per policy | OK within design |
| Japan | local_only |
moderate | APPI; MHLW | per policy | OK within design |
| China | china_pipl |
hard | PIPL + Cybersecurity Law + Data Security Law | inpatient ~30y (10950) |
terminate in-country; cross-border triggers CAC assessment |
| Australia | australia_onshore |
soft–moderate | Privacy Act 1988 + APPs; My Health Records Act 2012; state Acts; NDB | adult ~7y (2555), minors→25 |
onshore stack; far less fraught than CN |
China — the hard wall
- Localization (PIPL + CSL + DSL). Personal/health information is sensitive personal information and plausibly “important data” — store in-country. The medOS read model (Supabase/Postgres + edge functions), not just the write path, must run in a China region.
- Cross-border transfer. Even the de-identified aggregate leaving to an offshore tier can constitute a cross-border transfer requiring a CAC security assessment / standard contract / certification. The roll-up tier must terminate inside China (the
twin_rollup_sync_healthin-cloud path keeps it local). - Cloud + LLM. Foreign Supabase (AWS global) + foreign LLM weights are non-starters as-is — need a China-region stack, ICP filing, and ideally a domestic LLM for the narrative layer.
- Retention.
10950days (~30y) reflects the inpatient-record maximum under 医疗机构病历管理规定; outpatient is shorter — confirm. - Crypto-shred gap. PIPL key-erasure leans on crypto-shredding, which the platform currently disavows (“EVFS is a UI label string”,
hospital-decision-twin.md§4) — close before promising key-erasure.
Australia — the soft wall
- Privacy regime. Privacy Act 1988 + Australian Privacy Principles, plus My Health Records Act 2012 and state health-records legislation (e.g. Victoria’s Health Records Act 2001, NSW) — confirm which jurisdiction(s) apply.
- Onshore expectation. Health-data onshoring is a near-universal procurement requirement rather than an absolute statutory ban — but in practice means an
ap-southeast-2read model + backend. - NDB. The Notifiable Data Breaches scheme applies — wire a breach-notification runbook before go-live.
- Cross-border de-id emit is far less fraught than China, but should still land onshore for a clean procurement story.
- Retention.
2555days (~7y) is the common adult baseline; minors are commonly retained until age 25 and states differ — confirm per jurisdiction.
Deployment implications
- In-region stack per hard-residency country (CN mandatory; AU expected): region-pin Supabase + backend; for CN add ICP + domestic LLM + in-country roll-up termination.
- The twin stays compliant by construction — raw never leaves the node; only the de-identified aggregate rolls up, and where residency is hard that roll-up terminates in-jurisdiction.
- Per-pack, not per-branch — adding a country = a new
complianceProfile+ region pin + (where needed) a legal review, not new application code.
Open items (verify before any production)
- CN: confirm the cross-border mechanism (assessment vs standard contract vs certification) for the de-id aggregate, and the in-country LLM choice.
- AU: confirm the binding jurisdiction(s), retention per state, and the onshore region contractually.
- Both: retention + breach-notification runbooks; consent-artifact capture wired to
requiresConsentUpload.