Trust

Data governance, hosting and residency at MyCustomsInfo®

Customs data is sensitive. Procurement teams, security reviews and regulators all need clear answers before a platform earns access to it. This page is our answer. Four commitments, written plainly, that apply to every MCI tenant from day one.

The four commitments at a glance

Commitment 01

Hosting in your region

UK and EU customer data hosted in AWS Europe (London) eu-west-2. US broker records hosted in US AWS regions per 19 C.F.R. §111.23.

Commitment 02

Jurisdictional residency

Your customs data stays in the legal jurisdiction it belongs to. No cross-region replication for convenience. No exceptions.

Commitment 03

True tenant isolation

Schema-per-tenant database design. Row-level security on every table. Tenant-specific encryption keys. A breach of one tenant cannot expose another.

Commitment 04

ISO 27001:2022 in progress

Certification target Q4 2026. All 93 Annex A controls mapped. Independent CREST-certified penetration testing annually.

Commitment 01

We host your data in your region

MyCustomsInfo® runs on Amazon Web Services. Where your tenant lives depends on which jurisdiction your customs business operates in.

For UK and EU clients, your tenant is provisioned in AWS Europe (London), region eu-west-2. For US clients whose data includes broker records subject to 19 C.F.R. §111.23, your tenant is provisioned in US AWS regions. The jurisdiction of your customs business is captured at signup and the tenant is provisioned accordingly.

What this means in practice

UK CDS data, EU UCC data and Norwegian customs data sit in eu-west-2. US ACE entry data, broker entry worksheets and Section 232 evidence sit in US AWS regions. The two sets do not mix and do not replicate across regions for convenience.

The AWS regions we use

| Client jurisdiction | AWS region | Region code |
| --- | --- | --- |
| UK | Europe (London) | eu-west-2 |
| EU member states | Europe (London) | eu-west-2 |
| United States | US East (N. Virginia) or US West (Oregon) | us-east-1 / us-west-2 |

For multi-jurisdiction clients with operations in both the UK and the US, separate tenants are provisioned in the appropriate regions. Data does not move between them.

Commitment 02

Your data stays in the jurisdiction it belongs to

Hosting region tells you where data lives at rest. Jurisdictional residency tells you which legal regime applies to it. The two are not the same.

MyCustomsInfo® commits to keeping your customs data inside the jurisdictional boundaries it belongs to. For UK clients, that means your data is governed by UK law and processed under the UK GDPR. For US clients with broker records, that means compliance with 19 C.F.R. §111.23. We do not replicate, mirror, back up or process your data outside its source jurisdiction for any reason without your explicit written authorisation.

The substantive commitments

  • UK and EU client data: stored, processed and backed up inside the UK (eu-west-2). Subject to UK GDPR and the Data Protection Act 2018.
  • US client broker records: stored, processed and backed up inside the United States. Compliant with 19 C.F.R. §111.23 recordkeeping requirements for licensed customs brokers.
  • No cross-region access for support: our engineering and support teams access client data through region-locked controls. UK data is accessed by UK-based personnel; US data by US-cleared personnel.
  • Sub-processors: our sub-processor list (AWS, MongoDB Atlas) inherits the regional commitments above. Any change to the sub-processor list triggers thirty days' prior written notice with your right to object.
  • Backups: retained inside the source region. Backup retention periods are documented in your Data Processing Agreement.

If your procurement team needs more detail: our full Data Processing Agreement is available on request and is a mandatory schedule to every MCI Subscription Agreement. Contact us to request a copy.

Commitment 03

Your tenant is genuinely isolated from every other tenant

Most multi-tenant SaaS platforms isolate clients with application logic. A breach of the application layer potentially exposes every tenant on the platform. We thought that was the wrong way to design a customs compliance platform.

MyCustomsInfo® isolates tenants at the storage layer. Three architectural commitments enforce this. A breach of one tenant cannot expose any other tenant through any failure mode we have been able to design.

How tenant isolation works at MCI

Schema-per-tenant

Every tenant gets its own database schema in our PostgreSQL Aurora cluster. Your tables, your views, your indexes. No tenant can query across schema boundaries.

Row Level Security

Every table carries a Row Level Security policy enforced by the database engine. Even an application-layer bug cannot read rows belonging to another tenant.

Tenant-specific KMS keys

Every tenant’s data is encrypted with its own AWS KMS Customer Managed Key. A breach of one tenant’s key cannot decrypt another tenant’s data. End of subscription means key destruction, which renders the data cryptographically inaccessible.
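
An added illustration of the schema-per-tenant and Row Level Security layers described above, written for PostgreSQL; it is not MCI's code, and every role, schema and table name (`tenant_acme`, `declarations` and so on) is hypothetical. The three catalog queries at the end are checks a reviewer can run to confirm that both layers are actually in force.

```sql
-- Added illustration, not MCI's schema. All names are hypothetical.
-- Run as an administrative role on a scratch PostgreSQL database.
CREATE ROLE tenant_acme_owner NOLOGIN;              -- owns objects, never used by the app
CREATE ROLE tenant_acme_app   NOLOGIN NOBYPASSRLS;  -- role the application runs as

-- Schema-per-tenant: a dedicated schema that PUBLIC cannot enter.
CREATE SCHEMA tenant_acme AUTHORIZATION tenant_acme_owner;
REVOKE ALL ON SCHEMA tenant_acme FROM PUBLIC;
GRANT USAGE ON SCHEMA tenant_acme TO tenant_acme_app;

CREATE TABLE tenant_acme.declarations (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id text NOT NULL,
    reference text NOT NULL
);
ALTER TABLE tenant_acme.declarations OWNER TO tenant_acme_owner;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON tenant_acme.declarations TO tenant_acme_app;

-- Row Level Security as a second layer. ENABLE alone exempts the table
-- owner; FORCE applies the policies to the owner as well.
ALTER TABLE tenant_acme.declarations ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_acme.declarations FORCE ROW LEVEL SECURITY;

-- The predicate is fixed in the policy, so it does not depend on any
-- value the application sets at run time.
CREATE POLICY tenant_only ON tenant_acme.declarations
    FOR ALL TO tenant_acme_app
    USING (tenant_id = 'acme')
    WITH CHECK (tenant_id = 'acme');

-- Audit 1: tenant tables where RLS is not both enabled and forced.
SELECT n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND n.nspname LIKE 'tenant\_%'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit 2: roles that bypass every policy regardless of the above.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;

-- Audit 3: tenant schemas the acme application role can enter (expect one row).
SELECT nspname FROM pg_namespace
WHERE nspname LIKE 'tenant\_%'
  AND has_schema_privilege('tenant_acme_app', oid, 'USAGE');
```

Audit 1 should return no rows; any role listed by Audit 2 sits outside Row Level Security entirely, so its use needs separate control and logging.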

What about Piers, our AI assistant?

Piers answers your questions about your customs data and the rules that apply to your declarations. It does this on your tenant only.

  • Piers references your tenant data and our regulatory knowledge base only.
  • Piers does not see, reference or learn from any other tenant’s data.
  • Your data is not used to train any underlying AI model.
  • No co-mingling of any kind between tenants.

For your security team

Detailed architecture documentation, including our tenant isolation pen test results, is available under NDA for procurement security reviews. Schema-per-tenant, RLS policies and KMS key management are all independently tested annually by a CREST-certified penetration testing provider. Request a security pack.

Commitment 04

ISO 27001:2022 certification by Q4 2026

MyCustomsInfo® is implementing the international standard for information security management, ISO/IEC 27001:2022. Our target for certification is Q4 2026.

We publish this commitment in advance of certification because we believe the work matters more than the badge. Our position on each of the 93 Annex A controls is mapped, the implementation roadmap is in delivery, and annual independent penetration testing is in place. Prospects and existing clients can see the trajectory rather than infer absence.

Where we are

| Programme element | Status |
| --- | --- |
| All 93 Annex A controls mapped | Complete |
| Information Security Management System (ISMS) documented | In place |
| Annual penetration testing by CREST-certified provider | In place |
| Vulnerability remediation SLAs (Critical 24h, High 7 days, Medium 30 days) | In place |
| Stage 1 audit (documentation review) | Scheduled Q3 2026 |
| Stage 2 audit (operational verification) | Scheduled Q4 2026 |
| Certification | Target Q4 2026 |

This page is updated as our ISO 27001 milestones complete. If a milestone slips, we update this page rather than remove the commitment. Last reviewed: 30 April 2026.

What happens if something goes wrong

We maintain a documented Incident Response Plan covering security incidents, suspected breaches and service disruptions. The plan classifies incidents by severity (P1 Critical through P4 Low) and sets response times for each.

In the event of a personal data breach affecting your tenant, we notify you and, where required by UK GDPR, the Information Commissioner’s Office within 72 hours. Notification includes the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences and the measures taken in response.

Our incident response procedures are reviewed annually and tested through tabletop exercises. The full Incident Response Plan is available under NDA for procurement security reviews.

Documentation available on request

Data Processing Agreement

UK GDPR Article 28 compliant. Mandatory schedule to every MCI Subscription Agreement. Available for review during procurement.

Request DPA

Sub-processor list

Complete list of organisations that may process client data on our behalf, with their location, purpose and security commitments.

Request list

Architecture documentation

Detailed architecture pack covering tenant isolation, data flows, encryption, access controls and ISO 27001 control mapping. Available under NDA.

Request architecture pack

Questions from your security or procurement team?

We respond to security questionnaires, RFI documents and procurement reviews directly. The fastest route is email. We aim to respond to security questionnaires within five working days.

Contact us →

Or call us on +44 151 808 0103.

This page describes the data governance, hosting and residency commitments that apply to MyCustomsInfo® tenants provisioned from the date of publication forward. Last reviewed 30 April 2026. The substantive commitments are contractually formalised through your Data Processing Agreement and MCI Subscription Agreement; this page is a plain-English summary of those commitments and not a substitute for them.

MyCustomsInfo® is operated by CustomsPlus Ltd, registered in England and Wales, Company No. 12327750. Registered office: Cholmondeley House, Dee Hills Park, Chester, CH3 5AR, United Kingdom.

US Regulatory Notice. MyCustomsInfo® is an independent compliance auditor. It does not conduct customs business as defined under 19 U.S.C. §1641. The specific tariff classification to be applied to any entry of merchandise is to be determined by a licensed Customhouse broker. MyCustomsInfo® output does not constitute entry preparation, classification advice, or customs broker services. Preparation and filing of Post-Entry Amendments, Post-Summary Corrections, protests, and drawback claims must be performed by a licensed customs broker. US broker records are held in US AWS regions in compliance with 19 C.F.R. §111.23. Primary authority: CBP HQ H272798 (January 2017). Supporting authority: CBP HQ H350722 (January 2026).
