Compliance and security

The standards New Zealand employers, regulators and candidates expect.

StaffChecks is built to comply with the Privacy Act 2020, the Credit Contracts and Consumer Finance Act 2005 and the Anti-Money Laundering and Countering Financing of Terrorism Act. Everything from data flow to incident response is documented and externally auditable.

Privacy Act 2020

Personal information is collected lawfully, with explicit purpose, and only with informed candidate consent. Candidates may request access and correction of their data at any time.

CCCFA 2005

Credit checks are run only after the candidate has given explicit, written consent that is logged with a timestamp, IP address and user agent.

AML/CFT

Identity verification flows are designed to meet AML/CFT Tier 1 standards: government-issued photo ID combined with a liveness-checked biometric selfie.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Documents stored in per-job, private storage buckets with signed-URL access only.

Row-level security

Every database row is scoped to its owning organisation. No application code path can bypass it; security is enforced at the database engine itself.
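What "enforced at the database engine itself" looks like in practice, as an added illustration rather than StaffChecks' own schema: a PostgreSQL row-level security policy that scopes every row to the organisation set for the current session. The table, column and setting names (checks, organisation_id, app.current_org) and the role name are assumptions.

```sql
-- Illustrative PostgreSQL row-level security for per-organisation scoping.
-- Added example; table, column, role and setting names are assumed, not StaffChecks' own.

CREATE TABLE checks (
    id              bigserial PRIMARY KEY,
    organisation_id uuid NOT NULL,
    candidate_name  text NOT NULL,
    result          text
);

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
ALTER TABLE checks ENABLE ROW LEVEL SECURITY;
ALTER TABLE checks FORCE ROW LEVEL SECURITY;

-- The application connects as a non-superuser role without BYPASSRLS,
-- so no application code path can opt out of the policy.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON checks TO app_user;

-- Rows are visible and writable only when they belong to the organisation
-- named in the session setting. current_setting(..., true) returns NULL when
-- the setting is absent, so a session that never set it matches no rows at all.
CREATE POLICY checks_org_isolation ON checks
    FOR ALL TO app_user
    USING (organisation_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (organisation_id = current_setting('app.current_org', true)::uuid);

-- Per request, connected as app_user: set the tenant for this transaction only.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, candidate_name, result FROM checks;  -- returns only this organisation's rows
COMMIT;

-- A write for a different organisation fails the WITH CHECK clause with
-- "new row violates row-level security policy", regardless of application code.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed value
INSERT INTO checks (organisation_id, candidate_name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Example Candidate');  -- rejected
ROLLBACK;
```

The check to run against a deployment like this is that the connecting role is neither a superuser nor marked BYPASSRLS (rolsuper and rolbypassrls in pg_roles), since either attribute silently disables every policy.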

ISO 27001 alignment

We operate to an ISO 27001-aligned information security management system. Independent audits are scheduled annually.

Data residency

Your data stays in the region.

All production data — database rows, documents, backups, audit logs — is hosted within AWS Sydney (ap-southeast-2). No production data is processed or stored outside the Australia / New Zealand boundary.

Live status updates: status.staffchecks.co.nz

Critical incident acknowledgement: < 1 hour
Customer notification of confirmed breach: < 72 hours
Privacy Commissioner notification (where required): < 72 hours
Service uptime target: 99.9%
Planned maintenance notice: ≥ 5 business days

Sub-processors

The third parties we trust with your data — and why.

| Provider | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Primary infrastructure and database hosting | Sydney (ap-southeast-2), Australia |
| Cloudflare | Edge compute, DDoS protection, TLS termination | Global edge, AU/NZ priority |
| Resend | Transactional and notification email delivery | United States |
| Centrix | Consumer credit file enquiries (NZ) | Auckland, New Zealand |
| NZ Ministry of Justice | Criminal record check source-of-truth | Wellington, New Zealand |
| Immigration NZ (VisaView) | Right-to-work verification | Wellington, New Zealand |

Material changes to this list are notified to customers at least 30 days before they take effect.

Retention

We keep only what we have to, only for as long as we have to.

| Data | Period | Why |
| --- | --- | --- |
| Completed check results | 7 years | Employer record-keeping obligations under NZ employment law |
| Supporting documents (ID images, etc.) | 90 days | Minimum needed to defend a disputed result |
| Consent records | 7 years | Matched to the result they authorised |
| Audit logs | 7 years | Immutable evidence of access and changes |
| Backups | 30 days rolling | Disaster recovery; aged out automatically |

Data lifecycle

  1. Collection

     We collect only the personal information necessary to complete the checks the candidate has consented to.

  2. Storage

     Stored in AWS Sydney (ap-southeast-2). Encrypted at rest. Backed up daily; backups encrypted with separate keys.

  3. Access

     Access scoped to the candidate's job organisation. Every read and write is logged to an immutable audit table.

  4. Retention

     See the retention table above: 7 years for results, 90 days for supporting documents unless in dispute.

  5. Disposal

     Cryptographic erasure on storage objects; database rows hard-deleted. Backups age out within 30 days of deletion.

FAQ

Security & compliance — common questions

  • Primary data residency is AWS Sydney (ap-southeast-2). Backups remain within the same region. No production data is transferred outside the Australia / New Zealand boundary.