A public spat on X (formerly Twitter) this week between Keith Rabois, Managing Director of Khosla Ventures and Airwallex’s co-founder and CEO Jack Zhang has raised the issue of customer data residency and trust in global fintech infrastructure.
The back-and-forth started when Rabois, an early investor in payment service provider Stripe, posted a thread alleging that Airwallex’s structure and operations expose sensitive U.S. customer data to the Chinese government. Zhang pushed back firmly, claiming that the allegations were driven by competitive motives and insisted the company’s data residency setup prevents U.S. customer information from reaching China.
Rabois Alleges Airwallex Obscures China Ties
Keith Rabois launched a blistering critique of Airwallex, writing in a thread:
“Airwallex has become a Chinese backdoor into sensitive American data like from AI labs and defense contractors. You must already know this, but your China-based ops, infra, and investors create legal obligations to assist with CCP espionage upon request.”
“Have you disclosed to US customers like Rippling, Bill.com, Zip, Brex and Navan that you’re quietly sending their customers’ data to China?” the investor challenged. Those payment processors in turn serve customers including OpenAI, Anthropic, Coinbase, Databricks, Snowflake, Robinhood and Scale.
Rabois alleged that Beijing could obtain data on supplier and vendor payments for AI labs, payroll data for defense contractors and personal data for employees of financial and crypto firms abroad through Airwallex. The investor asserted there are “multiple points of vulnerability”, including on-the-ground engineers in mainland China, “which obligates these individuals to comply with Chinese government demands to hand over data,” legal structure and the fact that over 20 percent of the company is owned by Chinese firms such as Tencent and HongShan.
Rabois wrote that Airwallex presents itself as a Singaporean company, but around 40 percent of its 1,700 employees globally are located in mainland China and Hong Kong. The fintech was founded in Melbourne, Australia in 2015 to simplify cross-border payments for businesses, and moved its global headquarters to Singapore in 2022 to access the Asian financial hub.
Airwallex counts Australian VCs Blackbird, Airtree and Square Peg, as well as Salesforce Ventures and Visa Ventures, among its investors, completing a $300 million Series F funding round at a $6.2 billion valuation in May 2025.
Rabois made four claims around Airwallex’s handling of customer data:
- “You route global payments for US companies in critical sectors, without disclosing that you are under Chinese jurisdiction.”
- “You moved HQ to Singapore, but your largest operational footprint is in China and hundreds of your engineers in mainland China touch production payment systems.”
- “You are subject to Chinese law that requires Airwallex employees to support CCP intelligence requests and quietly hand over data when asked.”
- “You hide this from your customers, but you are well aware of your obligations to China and that is why you insist on protection of Chinese data access in your contracts.”
Rabois then added: “Thanks to you, the Chinese government now has direct, covert, legally enforceable access to sensitive financial information belonging to America’s AI labs, defense contractors, financial institutions, healthcare firms, and Fortune 500s. Maybe this wasn’t your intent when you started the company, but it’s clear you’ve allowed this to happen.”
Zhang Hits Back on Data Security and Residency
Zhang responded sharply in denying the accusation, writing on X:
“It’s disappointing to see an investor circulating inaccurate claims to give a portfolio company an edge in competing. Airwallex operates under strict global data-residency and security frameworks. No U.S. customer data is sent to China. Full stop.”
Zhang noted that the company hires talent globally like Apple, Tesla and Microsoft.
“But where our engineers sit is different from where your data sits and who has access to that data. US customer data is stored in US, Netherlands and Singapore data centers and subject to strict security and access controls.”
Zhang added that no members of Airwallex’s Chinese or Hong Kong entities have access to personally identifiable information (PII) on US customers. The company holds more than 70 licenses globally and is regulated in over 48 U.S. states.
The fintech’s co-founder then emphasized: “We do not answer to foreign intelligence demands for non-local sensitive data, our technical and legal structures prevent that cross-border reach. We comply with U.S. federal requirements with respect to China and Hong Kong access to US sensitive personal information. Our leadership team operates across the U.S., Europe, Singapore, and Australia.”
Shannon Scott, Chief Product Officer at Airwallex, entered the fray, posting on X that Airwallex is focused on data sovereignty to meet customer needs and preferences:
“Airwallex will continue to build data centers that isolate customer data into their respective region, going beyond regulatory requirements and customer expectations. Many of our customers are multi-national themselves, so creating customer choice will also be key.”
Lucy Liu, Airwallex’s President and Co-Founder, also defended the company on X, posting: “Our legal structure and technical architecture are intentionally designed to prevent cross-border data access, regardless of where engineers are located.”
Who Really Controls Customer Data?
The argument has landed in the midst of heightened scrutiny of supply chain and data risks tied to Chinese technology firms, as part of broader geopolitical risks, especially for companies that provide infrastructure to sensitive sectors such as AI, defense and finance. It also comes in the context of growing enterprise customer concerns around data sovereignty. Customers increasingly demand clarity around where data is stored, who has access and how a vendor would respond to lawful requests from foreign governments.
At the heart of the clash is a simple but high-stakes question: Does having engineers, operations or investors in China automatically expose a company to Chinese legal demands, even if data storage and access controls sit elsewhere?
Rabois says yes. Airwallex says no. Neither side is backing down.
Both claims can be true in different senses. One is raising a legal and operational “what if” about obligations under Chinese law, while the other is pointing to how the systems are implemented and where the data lives.
For customers, especially those handling sensitive financial or employee data, the distinction matters. Vendors can make strong technical claims about where data lives, but geopolitical risk has shot to the top of due-diligence checklists.
Customers should look for verifiable data residency assertions about which data center locations store their data, contractual terms that set out cross-border rules, and clear details about who on the vendor’s side can access sensitive systems and PII. They should also expect solid technical evidence, like architecture diagrams, encryption details and access-control explanations—to back up those claims.
The episode is a reminder that public accusations, whether they’re true or not, can shape customer perceptions fast, and trust is built on transparency, audits, and verifiable controls. Whether you side with Rabois’ warnings or Zhang’s reassurances, it’s clear that data residency and access control policies are becoming central to the customer experience.
