International privacy laws
How Koji aligns with the major privacy regimes beyond the EU and the US. The list is comprehensive but not exhaustive; if your country is missing, contact compliance and we will add coverage per customer.
How we approach jurisdictions outside the EU and US
Most modern privacy regimes are modeled on GDPR or move toward it. The same operating practices that satisfy GDPR — written processor / operator / data-intermediary contracts, strict sub-processor governance, defined breach-notification windows, data-subject rights support, and accountability documentation — satisfy the privacy laws of most other jurisdictions in substance.
The variation is in the labels (controller / processor vs. controller / operator vs. organisation / data intermediary), the cross-border transfer mechanism (SCCs, BCRs, adequacy, binding contractual safeguards), and the regulator. Koji adapts the paperwork to the regime where required, and the underlying controls do not change.
Coverage by jurisdiction
Status definitions: Covered means our standard DPA and operating practices already satisfy the regime; Covered with config means specific contractual or documentation additions are made per customer; On request means we have not yet documented a formal position and will work with the customer to do so.
| Country / region | Law | Regulator | Status | Notes |
|---|---|---|---|---|
| Switzerland | Revised Federal Act on Data Protection (nFADP / nDSG), effective 2023-09-01 | Federal Data Protection and Information Commissioner (FDPIC) | Covered | Substantively aligned with GDPR. Swiss customers benefit from EU adequacy in both directions. Where US transfer is required, our DPA uses the EU SCCs, which Switzerland recognizes (via FDPIC guidance) as a valid transfer mechanism, with FDPIC-specific addenda available on request. |
| United Kingdom | UK GDPR + Data Protection Act 2018 | Information Commissioner's Office (ICO) | Covered | See the dedicated UK GDPR page for full treatment. UK Addendum to EU SCCs is incorporated in our DPA. |
| Canada (federal) | Personal Information Protection and Electronic Documents Act (PIPEDA) | Office of the Privacy Commissioner of Canada (OPC) | Covered | Canadian customers select EU or US residency at provisioning. Cross-border transfers from Canada are addressed through our DPA and accountability framework consistent with PIPEDA Principle 1. |
| Canada (Quebec) | An Act respecting the protection of personal information in the private sector (Law 25) | Commission d'accès à l'information (CAI) | Covered | Quebec Law 25 (in force in phases since 2022) is stricter than PIPEDA and closer to GDPR. Koji's standard practices and DPA satisfy the privacy impact assessment, consent, and transparency requirements; specific Quebec-language documentation on request. |
| Brazil | Lei Geral de Proteção de Dados (LGPD) | Autoridade Nacional de Proteção de Dados (ANPD) | Covered | Substantively aligned with GDPR; our DPA and service-provider commitments cover LGPD's controller-operator framework. Brazilian customers should select US residency; data is processed via standard contractual safeguards. |
| Singapore | Personal Data Protection Act (PDPA) | Personal Data Protection Commission (PDPC) | Covered | Koji acts as a data intermediary under the PDPA. Our DPA satisfies the written-contract obligation under Section 4(2). Standard transfer obligations are met via contractual safeguards. |
| Australia | Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) | Office of the Australian Information Commissioner (OAIC) | Covered | Koji satisfies the APP 8 cross-border disclosure obligation through binding contractual safeguards in our DPA. The Notifiable Data Breaches scheme is supported by our 72-hour breach-notification commitment. |
| Japan | Act on the Protection of Personal Information (APPI) | Personal Information Protection Commission (PPC) | Covered | Japan has mutual EU adequacy. APPI cross-border transfer requirements are satisfied by Koji's contractual safeguards. Sensitive personal information is handled per APPI Article 17 only where the customer's lawful basis applies. |
| New Zealand | Privacy Act 2020 | Office of the Privacy Commissioner | Covered | Cross-border disclosure requirements addressed through DPA equivalence; breach notification under Part 6 supported by our IR process. |
| South Africa | Protection of Personal Information Act (POPIA) | Information Regulator | Covered with config | Operator agreement equivalent to our DPA is available for South African customers. Information Officer designation lies with the customer. |
| South Korea | Personal Information Protection Act (PIPA) | Personal Information Protection Commission (PIPC) | Covered with config | Koji acts as an outsourcee under PIPA Article 26. Korean-specific data subject notice and outsourcing disclosure supported on request. |
| India | Digital Personal Data Protection Act 2023 (DPDPA) | Data Protection Board of India (to be operationalized) | On request | DPDPA rules and the Data Protection Board are still being operationalized as of mid-2026. Koji can act as a data processor under DPDPA; documentation provided to Indian enterprise customers on request. |
Cross-border transfer mechanics
For transfers from a non-EU/non-US jurisdiction to either of Koji's processing regions, our DPA relies on the contractual safeguard appropriate to the originating jurisdiction:
- EU/EEA, UK, Switzerland to US: European Commission's 2021 SCCs (Module Two), with UK Addendum and FDPIC-specific addendum where applicable.
- Canada to anywhere: PIPEDA accountability + DPA equivalence.
- Brazil to anywhere: Standard contractual clauses recognized by ANPD; DPA equivalence.
- Singapore, Australia, New Zealand, Japan: Local equivalent of binding contractual safeguards in our DPA, calibrated to the local regulator's expectations.
- Korea, South Africa: Outsourcing / operator-agreement equivalents added to the DPA per jurisdiction.
What if your jurisdiction is not listed?
The list above reflects the jurisdictions where Koji has documented a position based on customer evaluation questions. If your jurisdiction is missing, email [email protected]. We confirm coverage feasibility within one business day and add the jurisdiction to the table once a customer-driven position is finalized.
Contact
For international compliance and contract questions, email [email protected]. For data-subject requests across any jurisdiction, email [email protected].