Australian Data Residency: Why It Matters for Your Documents
If your VDR stores data in the US or EU, your Australian clients' documents are subject to foreign laws. Here's what that means in practice.
When your virtual data room stores documents in the US or EU, your Australian clients' data is subject to foreign laws. The US CLOUD Act lets American authorities compel a US company to hand over data it controls, regardless of where the data physically sits. For Australian professional services firms handling client tax, deal, and legal documents, this isn't a theoretical risk — it's a question a client, an auditor, or your own insurer can ask you, and you need a real answer.
What data residency actually means
Data residency refers to the physical location where your data is stored and processed. Australian data residency means your documents sit on servers in Australia, operated under Australian law, and subject to Australian regulatory frameworks. Note the distinction: it's about the infrastructure, not the company's logo. A US-headquartered provider can offer an "Australian region" while the parent company remains subject to the CLOUD Act — so residency and legal exposure are two separate questions you have to ask separately.
The CLOUD Act problem, concretely
The US Clarifying Lawful Overseas Use of Data Act (2018) means a US-based provider can be served a warrant compelling production of customer data it controls — even data hosted in its Sydney data centre — and, in some cases, without notifying the customer. So "our data is in an Australian region" from a US company is a statement about latency and residency, not about who can legally reach into it. An Australian-incorporated provider operating Australian infrastructure isn't subject to that reach in the same way.
Why it matters for professional services
The Australian Privacy Principles under the Privacy Act 1988 require organisations to take reasonable steps to protect personal information. The sting is in APP 8 (cross-border disclosure): when you disclose personal information to an overseas recipient, you generally remain accountable for that recipient's handling of it. In plain terms — if your offshore VDR provider suffers a breach, the Australian entity that put the data there can carry the liability, not the foreign host. Keeping the data onshore removes the cross-border disclosure entirely, which is the cleanest way to discharge the obligation.
The APRA and ATO angle
APRA-regulated entities must comply with CPS 234 (Information Security), which includes managing the information-security capability of third-party providers and understanding where data is held — offshore arrangements attract extra scrutiny and board-level attention. The ATO's data-handling guidance doesn't strictly mandate Australian hosting, but it creates a strong preference, and in practice auditors and review teams notice when sensitive tax data is hosted overseas. For TPB-registered tax practitioners, onshore hosting is also the simplest way to evidence the confidentiality obligations under the Code of Professional Conduct.
What residency does and doesn't cover
Residency is necessary but not sufficient. Data in Australia that's poorly access-controlled is still a breach waiting to happen. Pair onshore hosting with the controls that actually prevent disclosure: role-based access, email-verified guests, a tamper-evident audit trail, view-only documents, and link expiry. Residency answers "whose laws apply"; those controls answer "who can actually see it."
Five questions to ask any VDR provider
- Where is the data physically stored — which cloud provider and which region?
- Is the provider company subject to foreign laws such as the US CLOUD Act?
- Can you contractually guarantee data will not be transferred or replicated overseas?
- What happens to my data and its residency if the provider is acquired by a foreign company?
- Are backups and any AI/processing also kept onshore, or do they leave the country?
Frequently asked questions
Is "stored in Australia" the same as "protected by Australian law"? Not necessarily — if the provider is a foreign company, foreign law can still reach the data. You need both onshore infrastructure and an onshore provider. Does data residency satisfy the whole Privacy Act? No, but keeping data onshore removes the APP 8 cross-border disclosure problem, which is one of the harder obligations to manage with an offshore tool.
ShareAndGo's approach
All ShareAndGo data is stored and processed in Sydney, Australia, on Google Cloud Platform's australia-southeast1 region. The company is Australian-owned with an Australian ABN. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+), and the AI processing runs in-region too — so client data doesn't leave the country. No data is transferred overseas unless you explicitly configure an integration that does so.