Customer due diligence creates a concentrated, high-value dataset: government IDs, biometrics, beneficial-ownership maps and transaction histories. Where that dataset is stored, who can subpoena it, and whose jurisdiction governs a breach are all questions the Privacy Act, the AML/CTF Rules and the Notifiable Data Breaches scheme treat seriously.
The four storage profiles
- Australian-only cloud (AWS Sydney / Azure Australia East / GCP Sydney) — strongest position.
- Australia primary with offshore failover — common; check the failover trigger conditions.
- US or EU cloud with Australian access — common for global vendors; subject to CLOUD Act and equivalent regimes.
- Vendor-managed infrastructure with unclear residency — avoid.
Questions to ask the provider
- What is the primary region and the failover region?
- Who has root access to the database and where are they located?
- What is the breach notification SLA and which regulators are notified?
- On exit, what is the data deletion process and the verification artefact?