Data Residency

Your data stays where the law puts it.

No surprises, no "global cloud," no data quietly crossing borders. We pin every customer’s data to a region at the moment their firm signs up, and we never move it without your written instruction.

Where your data lives.

Marco Reid hosts customer data in the region matched to the firm’s primary jurisdiction. Replication and backup never leave the region.

New Zealand (NZ) · Live

Primary: AWS Sydney (ap-southeast-2)
Backup: AWS Sydney — multi-AZ replication
Governed by: Privacy Act 2020 · OPC guidance · Cloud Computing Code of Practice

Australia (AU) · Live

Primary: AWS Sydney (ap-southeast-2)
Backup: AWS Sydney — multi-AZ replication
Governed by: Privacy Act 1988 · APP cross-border principles

United Kingdom (UK) · Rolling out

Primary: AWS London (eu-west-2)
Backup: AWS Ireland (eu-west-1)
Governed by: UK GDPR · Data Protection Act 2018 · ICO guidance

European Union (EU) · Rolling out

Primary: AWS Frankfurt (eu-central-1)
Backup: AWS Ireland (eu-west-1)
Governed by: GDPR · EDPB Schrems II safeguards · standard contractual clauses

United States (US) · Rolling out

Primary: AWS Oregon (us-west-2)
Backup: AWS Virginia (us-east-1)
Governed by: CCPA / CPRA · HIPAA-eligible architecture · state breach laws

Canada (CA) · Rolling out

Primary: AWS Canada Central (ca-central-1)
Backup: AWS Canada Central — multi-AZ replication
Governed by: PIPEDA · provincial privacy laws (Quebec Law 25, etc.)

The plain-English guarantees.

We never move your data without your written instruction.

If your firm is provisioned in the New Zealand region, your data does not silently move to a US region for a feature that happens to be cheaper there. Region pinning is part of your contract.

Sub-processors are listed and updated in public.

Stripe, Plaid, Akahu, OpenAI, and AWS are our material sub-processors. The current list lives at the Trust Center and we email customers fourteen days before any change.

Cross-border transfers use real safeguards.

Where a transfer is unavoidable (e.g. Stripe-hosted card data leaves region for the card networks), we use standard contractual clauses, GDPR Schrems II safeguards, and Privacy Act 2020 IPP-12 disclosures.

AI inference happens inside your region where the provider supports it.

OpenAI and Anthropic regional endpoints are used wherever available. Where they are not yet, we publish exactly which workloads route out of region and the safeguards that apply.

You can export everything, any time.

Full account export in JSON and PDF, including matter files, time entries, trust account history, Marco research transcripts, and every audit-trail event. No throttle, no fee, no dark pattern.

On termination we delete on a schedule you can verify.

Soft-deletion within 24 hours, hard-deletion within thirty days unless you ask for an extended hold for litigation. We provide a deletion certificate on request.

Have a question about a specific transfer?

Email privacy@marcoreid.com. Our DPO replies within two business days, in writing, with the answer you can attach to your file.

Read the full Trust Center →