Compliance | 1 May 2026

Australian Data Residency: Why It Matters for Your Documents

If your VDR stores data in the US or EU, your Australian clients' documents are subject to foreign laws. Here's what that means in practice.

When your virtual data room stores documents in the US or EU, your Australian clients' data is subject to foreign laws. The US CLOUD Act allows American authorities to compel access to data stored by US companies — regardless of where the data physically sits. For Australian professional services firms handling client documents, this isn't a theoretical risk.

What data residency actually means

Data residency refers to the physical location where your data is stored and processed. Australian data residency means your documents are stored on servers in Australia, operated under Australian law, and subject to Australian regulatory frameworks. It does not mean the company is Australian — it means the infrastructure is.

Why it matters for professional services

The Australian Privacy Principles (APPs) under the Privacy Act 1988 require organisations to take reasonable steps to protect personal information. When personal information is stored overseas, APP 8 (cross-border disclosure) creates additional obligations. If that overseas provider suffers a breach, the Australian entity that shared the data is liable — not the foreign host.

The APRA and ATO angle

APRA-regulated entities (financial services firms) must comply with CPS 234 (Information Security), which includes requirements around data location and third-party provider management. The ATO's data handling guidelines don't explicitly mandate Australian hosting, but they create a strong preference — and auditors notice when sensitive tax data is hosted overseas.

What to check

When evaluating a VDR provider, ask: (1) Where is the data physically stored? (2) Which cloud provider and region? (3) Is the provider itself subject to foreign laws (e.g., US CLOUD Act)? (4) Can you contractually guarantee that data will not be transferred overseas? (5) What happens to your data if the provider is acquired by a foreign company?

ShareAndGo's approach

All ShareAndGo data is stored and processed in Sydney, Australia, on Google Cloud Platform's australia-southeast1 region. The company is Australian-owned with an Australian ABN. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). No data is transferred outside Australia unless the customer explicitly configures an integration that does so.