DORA 2025

Are you in the EU and a financial entity (or have financial entity customers)? Congratulations: you get to worry about DORA. A little over a year ago I spelled out a rough overview of how Fly.io fits into your overall DORA compliance strategy and it’s worth an update based on our experience since then.

The big update first: since DORA compliance means a custom contract that grants you (our customer) and your regulator(s) a whole bunch of rights to perform custom audits of Fly.io or involve our staff in investigations and whatnot, we’ve made having an Enterprise Support package a prerequisite. Which, frankly, is the best arrangement for customer-you as well: you get a direct line to us if the day comes when a regulator knocks on your door (heaven forfend).

In terms of the actual contract, we have to be consistent about the delivery requirements (SLA, reporting obligations) so we’re not varying delivery terms from customer to customer, but we expect our overall terms are wholly boring and unremarkable, as they should be.

There is, however, one possibly interesting element to our terms and that’s how we address the DORA requirement that mandates documenting the regions/countries where we’re processing/storing data. Because our customers unilaterally control where their data is processed, which is a nice-to-have for financial entities managing their data residency requirements, the language we use says:

  • we back up to the US
  • the customer is responsible for selecting the data processing regions
  • we won’t process any data outside of the US + configured regions without notice

So while there won’t be a concrete list of locations baked into the contract, on regulatory review there would be a clear mapping of where the data is currently being processed to what was agreed upon in the contract.

Anyway, feel free to reach out to us at compliance@fly.io and hammer us with your DORA questions: we’re here to answer them!
