ASIC's Position on Cloud Storage for Regulated Documents
Can you store ASIC-regulated records in the cloud? Yes, but there are conditions. Here's what the regulatory guidance actually says.
Can you store ASIC-regulated documents in the cloud? Yes — with conditions. The regulatory guidance is clearer than most people realise, and most cloud providers can meet the standard if configured correctly. The problem is that most cloud providers aren't configured correctly out of the box, and "default settings" is exactly how firms end up with unenforceable retention. Here's what ASIC actually requires, where the traps live, and what to ask of any provider before you trust them with corporate records.
What ASIC actually requires
ASIC's primary record-keeping requirements come from Section 286 of the Corporations Act 2001 and supporting regulations, supplemented by industry-specific guidance (RG 78 for licensees, RG 104 for AFS licensees, RG 105 for responsible entities). The substantive obligations are:
- Form. Records must be kept in writing in English (or readily convertible to English).
- Availability. Records must be available for inspection by ASIC on request, generally within a reasonable timeframe.
- Retention period. Seven years for most corporate financial records under section 286; longer for some specific categories (registered managed investment schemes, AFS licensee client files).
- Tamper resistance. Records cannot be modified after the fact without leaving an evidentiary trace. Audit trails of access and changes must be preserved.
- Director duty. Directors must take reasonable steps to ensure the company keeps these records. A breach is a personal liability matter under sections 180-184.
The cloud question — answered clearly
Nothing in the Corporations Act specifies where records must be physically stored. ASIC's published guidance (most recently updated in RG 78 in 2023) explicitly confirms that electronic record-keeping, including cloud storage, is acceptable provided the substantive requirements above are met. There is no Australian-residency mandate for general corporate records in the Act itself.
However: storing records overseas creates a compounding obligation set:
- APP 8 cross-border disclosure under the Privacy Act for any personal information contained in the records.
- Practical accessibility risk if a foreign government were to seize the data (CLOUD Act in the US, similar regimes elsewhere).
- Potential supervisory friction with APRA or industry-specific regulators that explicitly prefer Australian storage.
In practice, you can store regulated records with a cloud provider — Australian or otherwise — but you remain responsible for ensuring they're retained, retrievable, and tamper-resistant for the required period. If your cloud provider goes bust, loses the data, or gets breached, ASIC holds you (the company / director) responsible, not them.
The tamper-resistance trap (where most providers fail in practice)
This is the requirement most often missed. A plain object store (S3, Azure Blob, Google Cloud Storage) CAN be configured with versioning, object lock, and retention policies that meet the tamper-resistance requirement. But the default configuration almost never does. Object versioning is typically off by default. Object lock requires explicit setup. Retention policies aren't applied automatically.
The compliance question ASIC asks isn't "is your provider capable of tamper resistance," it's "did you actually configure it that way, and can you prove it?" The evidentiary burden falls on you.
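The "did you actually configure it that way" question can be turned into a repeatable check. The following is an added example, not ShareAndGo's code and not anything ASIC publishes: it evaluates a bucket's versioning, object-lock and lifecycle settings against a seven-year retention obligation and lists the gaps. The three configurations are constructed for illustration, using the dictionary shapes that boto3 returns from `get_bucket_versioning`, `get_object_lock_configuration` and `get_bucket_lifecycle_configuration`, so nothing is called and it runs offline; the COMPLIANCE-versus-GOVERNANCE distinction is S3's own (governance-mode retention can be lifted by a suitably privileged principal), and the day count is an assumption with two days of leap-year margin.

```python
from typing import List

# Seven calendar years (s 286) as days, with two days of margin for leap
# days; a bare 7*365 can fall short of seven calendar years. (Assumed value.)
SEVEN_YEARS_DAYS = 7 * 365 + 2


def check_bucket_controls(versioning: dict, object_lock: dict,
                          lifecycle_rules: list,
                          required_days: int = SEVEN_YEARS_DAYS) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes.

    Inputs follow the response shapes of boto3's get_bucket_versioning,
    get_object_lock_configuration and the Rules list of
    get_bucket_lifecycle_configuration. Here they are constructed dicts.
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: an overwrite destroys the prior version")

    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: versions can be deleted at will")

    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"default retention mode is {mode}: only COMPLIANCE mode "
                        "resists removal by privileged principals")
    # S3 expresses default retention as Days or Years; normalise to days.
    lock_days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if lock_days < required_days:
        findings.append(f"default retention {lock_days}d is below the "
                        f"{required_days}d obligation")

    # Lifecycle rules that expire objects or old versions early undercut the
    # retention story even when object lock blocks the actual deletion.
    for rule in lifecycle_rules:
        if rule.get("Status") != "Enabled":
            continue
        current = rule.get("Expiration", {}).get("Days")
        noncurrent = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        for label, days in (("current", current), ("noncurrent", noncurrent)):
            if days is not None and days < required_days:
                findings.append(f"lifecycle rule {rule.get('ID', '?')} expires "
                                f"{label} versions after {days}d")
    return findings


# Constructed configurations for illustration (not real buckets).
OUT_OF_THE_BOX = dict(versioning={}, object_lock={}, lifecycle_rules=[])

PARTLY_HARDENED = dict(
    versioning={"Status": "Enabled"},
    object_lock={"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE",
                                      "Days": SEVEN_YEARS_DAYS}}}},
    lifecycle_rules=[{"ID": "tidy-old-versions", "Status": "Enabled",
                      "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}],
)

HARDENED = dict(
    versioning={"Status": "Enabled"},
    object_lock={"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE",
                                      "Days": SEVEN_YEARS_DAYS}}}},
    lifecycle_rules=[],
)


def audit(configs: dict) -> dict:
    """Map each named configuration to its list of findings."""
    return {name: check_bucket_controls(**cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in audit({"default": OUT_OF_THE_BOX,
                                 "partly": PARTLY_HARDENED,
                                 "hardened": HARDENED}).items():
        print(name, "PASS" if not findings else findings)
```

The output of `audit` is the kind of artefact worth keeping with the quarterly spot-check: it records, at a point in time, that the controls were on and what their parameters were, which is the evidence the question above asks for.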
A purpose-built data room with tamper-evident audit logging gets you to "yes" by default. Every access, every modification, every deletion attempt is hash-chained into the audit log. The audit log itself cannot be modified without breaking the chain. That's the kind of evidence an ASIC investigator can audit.
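To make the hash-chaining concrete, here is an added example of the mechanism, written for this page rather than taken from ShareAndGo or any product: each entry carries the hash of the entry before it, so editing an entry breaks every link after it. The events are constructed sample data. It also shows the caveat a practitioner should know: truncating the log from the end leaves the remaining chain internally consistent, so the latest head hash has to be recorded somewhere outside the log (a separate store, a signed timestamp) for verification to catch silent removal.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # anchor for the first entry's "prev" link


def _digest(body: dict) -> str:
    # Canonical JSON so the same fields always produce the same hash.
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, actor: str, action: str, record_id: str, detail: str = "") -> str:
        """Add an event linked to the previous entry; return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "record_id": record_id, "detail": detail, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the latest entry; record this outside the log."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index): index of the first bad entry, or the length if ok."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e.get("hash"):
                return (False, i)
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return (False, len(self.entries))  # chain intact but shorter than recorded
        return (True, len(self.entries))


def build_sample_log() -> AuditLog:
    # Constructed sample events, not real records.
    log = AuditLog()
    log.append("j.smith", "UPLOAD", "CLIENT-0041", "FSG v3 uploaded")
    log.append("auditor.ext", "VIEW", "CLIENT-0041")
    log.append("j.smith", "DELETE_ATTEMPT", "CLIENT-0041", "blocked: retention hold")
    return log


def tamper_with_entry(log: AuditLog) -> Tuple[bool, int]:
    # A back-dated edit to the middle entry: its hash no longer matches,
    # so verification fails at index 1.
    bad = copy.deepcopy(log)
    bad.entries[1]["actor"] = "nobody"
    return bad.verify()


def truncate_log(log: AuditLog, recorded_head: str) -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    # Dropping the final entry keeps the chain consistent on its own; only the
    # externally recorded head hash reveals that something is missing.
    bad = copy.deepcopy(log)
    bad.entries.pop()
    return bad.verify(), bad.verify(expected_head=recorded_head)


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()
    print("intact:", log.verify())
    print("edited entry:", tamper_with_entry(log))
    print("truncated, without / with recorded head:", truncate_log(log, head))
```

An attacker who rewrites an entry and then recomputes every later hash produces a chain that verifies on its own but ends in a different head, which is why the recorded head (or a signature over it) is what turns "hash-chained" into "tamper-evident".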
What to look for in a provider — the practical checklist
- Australian data residency. Not required by the Corporations Act for general corporate records, but strongly preferred — simplifies Privacy Act compliance, reduces APP 8 burden, aligns with APRA expectations for prudentially-regulated entities, and removes foreign-government-seizure risk.
- Tamper-evident audit logging. Hash-chained, immutable, exportable. "We have access logs" is not the same as "we have tamper-evident audit logs."
- Documented retention controls. The provider's retention policy must align with your obligation period. "Best effort" or "as long as you stay a customer" isn't sufficient.
- Deletion behaviour. When you delete a record, what happens? Soft delete with recovery window? Hard delete with audit-log evidence? The wrong answer compromises your retention story.
- Clear exit path. If you need to switch providers, can you extract your records in a usable, complete format within the period your contract specifies?
- Sub-processor visibility. Does the provider use other providers (CDN, backup, analytics)? Are those sub-processors contractually bound to equivalent standards?
The financial services advisor rule (RG 104)
For licensed AFS providers, ASIC RG 104 applies in addition to section 286. It explicitly allows electronic records but requires that records be:
- Backed up to protect against loss or corruption.
- Protected from unauthorised access through appropriate security controls.
- Readily retrievable on request — the practical test being whether an ASIC investigator could obtain a client file from three years ago within a reasonable time.
- Maintained for at least seven years from the date of the relevant client transaction.
RG 104 specifically calls out that "the licensee remains responsible for the records regardless of where they are stored or who maintains them on the licensee's behalf." Outsourcing record-keeping to a cloud provider doesn't outsource accountability.
The responsible entity / managed investment scheme angle (RG 105)
For responsible entities of registered MIS, RG 105 imposes additional record-keeping obligations on scheme documents, member registers, and unit-pricing records. Some retention periods extend beyond seven years. Many responsible entities have moved to immutable, audit-traceable cloud storage specifically because the documentary burden is otherwise unmanageable across the life of the scheme.
Common mistakes
- Treating "we keep backups" as tamper resistance. Backups don't satisfy the tamper-evident requirement unless they're immutable AND the audit trail of who accessed each backup version is preserved.
- Mixing regulated and unregulated records in the same folder. When ASIC asks for "all records relating to the X transaction," the producer has to sift through everything to identify what's responsive. Separate retention by category.
- Default-on deletion. Some cloud providers default to deleting old objects to manage storage. If your retention period requires the record to be live, default deletion is a regulatory hazard.
- Cross-border data flow without explicit risk acceptance. If your records are replicated offshore, you've taken on APP 8 obligations without necessarily having documented the risk acceptance.
- No exit plan. When the relationship with the cloud provider ends, you may have a brief window to retrieve records. Not knowing that window is a regulatory exposure.
The practical posture for a typical Australian licensee
- Pick an Australian-data-residency provider with hash-chained audit trails and immutable storage capabilities.
- Document your retention policy in writing, signed off by the responsible officer. State the retention period per record class.
- Run a quarterly spot-check confirming records are retrievable within the timeframe RG 104 expects.
- Maintain an exit plan with explicit data-export procedures.
- Include the cloud provider in your annual compliance attestation. Don't let it become a shadow IT exposure.
That's 90% of what ASIC actually cares about during a supervisory review.
How ShareAndGo fits
ShareAndGo provides Sydney-resident, audit-traceable, tamper-evident document storage with documented retention controls and a clear export path. For AFS licensees, responsible entities, and other ASIC-regulated entities sharing sensitive documents externally — auditor engagement, regulatory submissions, client matter files — the compliance story is operationally simpler than for an equivalent US-based provider.
Companion reading: APRA CPS 234 obligations for cloud providers, the Privacy Act primer, and the legal-practice workflow which addresses many of the same record-keeping concerns for advisors representing licensees.
This is general information, not legal or compliance advice. For specific guidance on your firm's obligations, refer to ASIC's published Regulatory Guides at asic.gov.au or engage compliance counsel.