Back to Blog
Compliance3 March 2026

Data Residency Requirements for Government Contracts

Federal and state government tenders increasingly require Australian data residency. Here's how to ensure your document sharing stack qualifies.

Australian government tenders increasingly require data to be stored and processed within Australia. If you're bidding for government work — federal, state, or local — understanding the data residency rules is essential.

The baseline requirement

Most Commonwealth government contracts include clauses requiring that personal information and sensitive data be stored within Australia, or in a jurisdiction with substantially similar privacy protections. In practice, "within Australia" is the safe answer — the list of jurisdictions deemed equivalent is short and contentious.

State governments (NSW, Victoria, WA, Queensland, SA) have their own variations, and many local councils have followed suit. The specifics vary but the pattern is consistent: data residency is a hard requirement, not a negotiation point.

The IRAP regime

For sensitive federal government work, there's an additional requirement: ASD's Information Security Registered Assessors Program (IRAP). Cloud services handling PROTECTED-classified information must be IRAP-assessed to the PROTECTED level. Services handling OFFICIAL: Sensitive information have lower but still specific assessment requirements.

The IRAP assessment confirms that the cloud service meets the ASD's Information Security Manual controls. It's not a one-time thing — it needs to be renewed periodically and the service provider has to actively maintain compliance.

What Australian data residency actually means

"Data resides in Australia" needs to be unpacked:

  • The primary storage is in Australia
  • Backups are in Australia
  • Processing (any compute) happens in Australia
  • Metadata, logs, and caching don't leak to non-Australian regions
  • Support staff with access to the data are in Australia (or in a jurisdiction with equivalent privacy protections)

A surprising number of "Australian" cloud services fail on the last two. Their data is in Sydney, but their support team is in the Philippines or India, and support access means data access.

The practical checklist for tender responses

When responding to a government tender that includes data residency requirements, be ready to demonstrate:

  • The cloud region where data is stored (must be AU-based)
  • Where backups are held
  • Where support staff are located and their access rights
  • IRAP assessment status (if applicable)
  • Your sub-processor list and their locations
  • Your data breach response procedures

Being able to answer all of these in a single document response can be the difference between winning and losing a tender.

ShareAndGo's position

All ShareAndGo infrastructure is hosted in australia-southeast1 (Sydney). Primary storage, backups, processing, and support access are all Australian-based. For detailed compliance documentation, contact andy@interetail.com.