Mauritian DPA + GDPR: where should your client data live?

The Data Protection Act 2017 governs how personal data is processed in Mauritius, including transfers outside the country. If your business also serves European clients, the GDPR applies in parallel. Your hosting choice — local, foreign or hybrid — directly determines how complex compliance will be.
Two frameworks, one logic
A Mauritian business processing personal data falls first under the Data Protection Act 2017 (DPA): lawful basis for processing, defined purpose, data security, rights of data subjects and a framework for cross-border transfers.
As soon as it offers goods or services to European residents, the GDPR stacks on top of the DPA: the European regulation applies beyond the Union's borders. The good news: both texts share the same philosophy, and serious compliance work done for one covers much of the other. The caution: the two transfer regimes apply cumulatively — and that is exactly where hosting comes into play.
Cross-border transfers: the question that decides everything
Hosting personal data outside Mauritius is a transfer under the DPA; storing or routing it outside Europe raises the same question under the GDPR. In both cases, you must be able to answer three questions precisely:
- Where is the data stored — country, data centre, including replicas and backups?
- Who can access it — your provider, its sub-processors, its offshore support teams?
- On what basis does the transfer rest — contractual clauses, documented safeguards, consent?
With a large public cloud, answering these three questions honestly often means documenting a chain of sub-processors you do not control. And do not forget the invisible transfer: pasting client data into a public AI tool is a transfer too — see what happens to your data in a public AI.
Classify your data before choosing where it lives
Not all data deserves the same regime. A simple grid is enough to start: public data (no strong constraint), internal data (access to be controlled), personal data (DPA and, where relevant, GDPR), sensitive or critical data (health, finance, data whose loss stops the business). This classification, detailed in our article on the data that should never leave the island, comes before any hosting decision: it turns an ideological debate ("everything local" versus "everything cloud") into a category-by-category decision.
The practical rule that follows: the more sensitive the data, the simpler its hosting must be to explain. An auditor — or a client — should understand in one page where it lives, who accesses it and how it is protected.
Why a private cloud makes audits easier
Compliance is not only written policies: it has to be demonstrated. On that ground, a locally hosted private cloud has structural advantages:
- An identified perimeter: you know physically where servers, replicas and backups sit.
- No cascading sub-processing: the access chain is documented in one page, not thirty.
- Complete access logs: who viewed what, and when — the raw material of any audit.
- Transfers cut to the strict minimum: fewer transfers, fewer legal bases to maintain.
This is the approach SOVALYX applies with its clients: a private cloud whose record of processing practically fills itself in, because the architecture was designed to be auditable (see our private cloud and SLA approach).
In practice: compliance by data type
| Data type | Examples | Key question | Hosting approach |
|---|---|---|---|
| Public | Website, catalogue, brochures | No strong constraint | Free choice: local or public cloud |
| Internal | Working documents, projects | Who accesses it? | Controlled cloud, managed access |
| Personal | Client accounts, HR, invoicing | Documented transfers (DPA/GDPR)? | Local hosting or solid contractual safeguards |
| Sensitive / critical | Health, finance, KYC | Can you prove the perimeter and accesses? | Local private cloud, logs, regular audits |
One last piece of advice: do not treat compliance as a one-off project. Every new supplier, every new SaaS or AI tool reopens the transfer question. An annual review is often enough — and if you are starting from scratch, a hosting audit is the fastest starting point.
How SOVALYX can help
If you need to show where your clients' data lives and who can access it, SOVALYX can start with a diagnostic of your hosting and data flows to map the transfers you already have. A private cloud hosted in Mauritius then brings personal and sensitive data back into an identified physical perimeter, with full access logs and no cascading subcontractors — DPA and GDPR compliance you can document in a few pages. And on the AI side, our private internal LLMs let your teams use AI without any data leaving for a public service.
Talk compliance with an engineer🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.
Reviewed and optimised by AI.