Airwallex CEO denies data leakage! No US customer data transmitted to China

Investor Keith Rabois accuses Airwallex of data leakage risks due to its large engineering team and shareholders in China. Airwallex CEO and co-founder Jack Zhang denied the allegations, emphasizing they are untrue, and stated that the company would never transfer any US customer data to China. He clarified that US customer data is stored only in the US, the Netherlands, and Singapore, and that employees in Mainland China and Hong Kong have no access rights.

Investor Keith Rabois’ Social Media Allegations Ignite Debate

Before Zhang’s public denial, well-known investor Keith Rabois raised a series of serious allegations against Airwallex on X (formerly Twitter). Rabois claimed that Chinese law requires companies and citizens to cooperate with state intelligence efforts, so any company closely connected to China may face data security risks. He specifically pointed out Airwallex’s large engineering team in China, saying this inevitably creates a risk of data leakage.

Rabois’ argument is based on provisions in China’s National Intelligence Law, which states that “any organization and citizen shall support, assist, and cooperate with state intelligence efforts according to the law.” He argued that even if data is stored on US servers, Chinese law could still compel engineers working in China to provide access or help obtain the data. Rabois also cited Airwallex’s Chinese shareholders as another major risk factor.

These allegations sparked widespread discussion in the fintech and crypto space. While some posts were later deleted, the controversy had already spread. Supporters of Airwallex pushed back, with some users questioning the evidence behind the allegations and calling them pure speculation. A senior Airwallex executive also responded, saying the company continuously invests in regional data isolation and has adopted measures exceeding regulatory requirements.

Airwallex CEO Details Data Storage Architecture

In his response, Zhang provided a detailed explanation of Airwallex’s data storage architecture. He clarified that Airwallex stores US customer data only in the US, the Netherlands, and Singapore. He emphasized that employees in Mainland China and Hong Kong have no access to US customers’ personally identifiable information (PII). This data isolation strategy is a core part of Airwallex’s global compliance framework.

Zhang specifically explained the difference between the geographical location of engineering teams and data access rights: “Talent can be distributed globally, but data access rights are not.” He pointed out that where engineers work is not the same as where customer data is stored, and that data access is determined by role and necessity, not by employee location. This role-based access control (RBAC) is standard practice in modern cloud security architectures.

Airwallex currently holds more than 70 licenses worldwide and is regulated in over 48 US states. The company stated that its legal and technical systems can prevent any foreign government from unauthorized access to US data. Zhang also said that Airwallex will not respond to foreign intelligence agencies’ requests for non-local sensitive data, and that the company adheres to US federal cross-border data protection standards.

The Four Pillars of Airwallex’s Data Protection

Geographical Isolation: US customer data is stored only in the US, the Netherlands, and Singapore

Access Control: Data access rights are assigned based on role and necessity, not employee location

Multi-jurisdictional Regulation: Holds financial services licenses in over 70 jurisdictions worldwide

Refusal of Foreign Requests: Will not respond to foreign government requests for non-local sensitive data

At the same time, Airwallex’s leadership team is distributed across the US, Europe, Singapore, and Australia. Zhang added that he himself resides in London and has no operational duties in China. This decentralized leadership structure further reduces any single country’s influence over company decision-making.

Privacy Policy Wording Sparks New Round of Scrutiny

However, the controversy has not subsided. Some users have pointed out ambiguous language in Airwallex’s global privacy policy. The document states that the company may process customer data in various countries, including China. Critics argue this contradicts Zhang’s public statements and have called for further clarification.

Such differences in wording highlight the complex compliance challenges faced by global fintech companies. Firms need to cover all their operating regions in global privacy policies, but must also ensure stricter protections for specific regions (such as the US). Airwallex’s global privacy policy may be intended to cover its various business lines in different countries, but it fails to clearly distinguish the special handling of US customer data.

Airwallex has yet to officially clarify whether these privacy policy provisions apply to US customers who are protected by stricter federal standards. The company maintains that US customers’ PII is confined to approved regions, but the inconsistency between oral statements and written policy documents leaves room for criticism.

From a legal perspective, vague global privacy policy wording may be intended to retain operational flexibility, but in today’s geopolitically sensitive environment, such ambiguity can become a corporate liability. Many multinational fintech companies are now adopting more granular regional privacy policies to explicitly differentiate how customer data is handled in different regions.

No Regulatory Violations, but National Security Concerns Persist

So far, no regulatory agency has confirmed any violation by Airwallex. Relevant regulators such as the US Treasury and FinCEN have not announced any formal investigation. Legally, Airwallex remains in compliance, holds the necessary operating licenses, and undergoes regular audits.

Nevertheless, this conflict has put Airwallex in the national security spotlight, especially as cross-border fintech companies face sensitive times. Against the backdrop of intensifying US-China tech competition, any cross-border data flows involving China are likely to face extra scrutiny. The experiences of companies like TikTok and Huawei show that even without concrete evidence of data misuse, national security concerns alone can significantly impact business operations.

As of now, Airwallex stands by its position. Zhang stated that facts speak louder than words and that online accusations will pave the way for the truth. The company is considering more transparent measures, including possibly inviting third-party independent audits of its data protection architecture and publishing more detailed regional data processing policies.