I. Legal Baseline
In Australia, the baseline is the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in its Schedule 1. If services reach other jurisdictions, the data protection regimes of those jurisdictions (for example the GDPR for EU data subjects) apply in addition, to the extent the service actually falls within their scope.
II. Controller and Processor Roles
In enterprise SaaS, the customer is typically the controller and the IdP acts as a processor for the operations the customer instructs. For processing the platform performs for its own purposes, such as platform security monitoring, billing, and its own compliance obligations, the platform also acts as a controller and carries the corresponding obligations itself. Note that "controller" and "processor" are GDPR terms; the Privacy Act does not make this split, and an APP entity is accountable for the personal information it holds regardless of which role it plays in the contract.
III. Data Residency and Cross-Border Access
If Australian data residency is promised, state the primary hosting region explicitly (for example Microsoft Azure Australia East) and enumerate the scenarios in which cross-border access can still occur, such as follow-the-sun support or incident response by staff outside Australia. Each such scenario must be bound by both contractual safeguards (a data processing agreement, named subprocessors) and technical controls (access scoped to the case, logged, and time-limited). Any disclosure to an overseas recipient engages APP 8, so the residency commitment should be written so that it does not promise more than the controls actually enforce.
IV. Audit Evidence Checklist
Prepare four artifacts: a Data Processing Agreement (DPA), a subprocessor list, a retention and deletion policy, and an incident response process (including how eligible data breaches are assessed and notified under the Privacy Act's Notifiable Data Breaches scheme). Without these documents, privacy claims rarely survive enterprise procurement and legal review.
Compliance is not a single policy page; it is a verifiable delivery system.