Skip to main content
Industry Insights9 min read

Where Is Your Business Data Actually Stored? The Question Most Australian Owners Never Think to Ask

LP
Lachlan Pagan

Amara runs a mid-sized HR consulting firm in Brisbane. Twelve staff, solid client roster, good reputation. She's meticulous about compliance, keeps her contracts tight, and has never once missed a superannuation deadline.

Last year, a client asked her a question she couldn't answer.

"Where is our employee data stored?"

The client was a government contractor. They had their own compliance requirements. They needed to know whether the HR platform Amara used was storing sensitive employee records inside Australia or somewhere else entirely.

Amara opened a browser tab and started digging through the terms of service for the platform she'd been using for three years. She found a clause buried on page eleven. Data was stored on servers in the United States, with backups in Ireland.

She lost the client.

Not because she'd done anything wrong, exactly. But because she couldn't give them the assurance they needed. And because she'd never thought to ask the question in the first place.

The Default Setting Is Overseas

Here's the reality of the modern SaaS landscape: the vast majority of business software used by Australian companies stores data offshore. That's not a conspiracy. It's just economics. The big cloud providers, AWS, Azure, Google Cloud, built their infrastructure in the United States and Europe first. Most software companies built on top of that infrastructure without thinking twice about where their customers' data would end up.

For a long time, it didn't matter much. The data was "in the cloud," which felt abstract and safe, and nobody was asking hard questions.

That's changing.

The Australian Privacy Act has been under significant reform. The Privacy and Other Legislation Amendment Act 2024 introduced new requirements around transparency, automated decision-making, and cross-border data flows. Regulators are paying more attention. And clients, particularly those in government, healthcare, finance, and legal services, are starting to ask the same question Amara's client asked.

Where is this data, exactly?

What Data Sovereignty Actually Means

Data sovereignty is a straightforward concept dressed up in technical language. It means that the laws governing your data are determined by where the data physically sits, not where you or your software vendor are located.

If your business data is stored on a server in Virginia, it is subject to US law. That includes the CLOUD Act, which gives US authorities the ability to compel American companies to hand over data stored anywhere in the world, including on overseas servers. Your Australian Privacy Act protections don't travel with your data.

This isn't a hypothetical concern for large corporations. It applies to the invoices in your accounting software, the client records in your CRM, the employee timesheets in your HR platform, and the project files in your document management system.

For most small and medium businesses, the practical risk of a US government subpoena is low. But the broader principle matters: when your data sits offshore, you're operating under a legal framework you didn't choose and may not fully understand.

And there are more immediate concerns than government surveillance.

The Practical Risks You're Actually Exposed To

Breach notification and liability

Australia's Notifiable Data Breaches scheme requires organisations to notify affected individuals and the Office of the Australian Information Commissioner when a data breach is likely to cause serious harm. The obligation sits with you, the Australian business, regardless of whether the breach happened at your vendor's US data centre.

If your CRM provider suffers a breach in their Oregon facility, you're the one who has to call your clients. You're the one who wears the reputational damage. And you're the one who may face regulatory scrutiny if your vendor relationships weren't properly documented.

Knowing where your data is stored, and having contractual protections around it, is part of managing that risk.

Latency and performance

This one is less dramatic but more constant. When your team opens a project dashboard and it takes four seconds to load, that's often because the request is travelling to a server in Singapore or Frankfurt and back. Four seconds doesn't sound like much. Multiply it by every page load, every report, every file fetch, across a team of fifteen people, across a full working year, and you're looking at a meaningful drag on productivity.

Australian-hosted software communicates with servers in Sydney or Melbourne. The round trip is measured in milliseconds, not seconds. The difference is noticeable.

Vendor lock-in and data portability

When your data is held by an overseas provider, getting it back can be surprisingly difficult. Some platforms make export straightforward. Others bury data portability in enterprise tiers, charge for bulk exports, or provide data in formats that are technically yours but practically useless without their proprietary tools to read them.

If an overseas vendor shuts down, gets acquired, or simply decides to change their pricing model, your options are limited. You're negotiating from a position of dependency.

Who This Affects Most

Every business that holds client data is touched by this issue. But some industries feel it more acutely.

Professional services firms (lawyers, accountants, HR consultants, financial advisers) hold sensitive personal and commercial information. Their clients increasingly expect, and sometimes contractually require, that this data stays in Australia.

Healthcare and allied health providers operate under both the Privacy Act and the My Health Records Act. The Australian Digital Health Agency has clear guidance on data sovereignty for health information. Storing patient data offshore creates compliance exposure that most practitioners haven't fully considered.

Government contractors and suppliers often face explicit requirements that data remain onshore. Losing a tender because you can't answer the data sovereignty question is an avoidable problem.

Trades and field services businesses might assume this doesn't apply to them. But their platforms hold client addresses, access codes, payment details, and job histories. That's personal information under the Privacy Act, and it deserves the same consideration.

The truth is, any business that uses software to manage clients, projects, finances, or staff has a data sovereignty question worth answering.

The Fragmented Tools Problem

Here's where it gets complicated for most SMEs. They're not using one piece of software. They're using eight, or twelve, or twenty.

A typical small business might have client data in HubSpot (US), project files in Asana (US), financial records in Xero (New Zealand, with data hosted in Australia for Australian customers, but worth verifying), team communication in Slack (US), documents in Google Drive (varies), and time tracking in Harvest (US).

Each of these tools has its own data storage policy, its own terms of service, and its own approach to breach notification. Keeping track of where each piece of data lives, and whether each vendor's practices meet your obligations, is a genuine compliance task that most business owners are simply not doing.

This is one of the less-discussed costs of the patchwork SaaS approach: it doesn't just create inefficiency and integration headaches. It creates a fragmented data sovereignty profile that's hard to audit and harder to explain to a client who asks the question Amara's client asked.

What to Look For When Evaluating Software

When you're assessing any platform, these are the questions worth asking before you sign up.

  • Where are the servers physically located?: "Cloud-hosted" is not an answer. Sydney, Melbourne, or a specific Australian AWS region is an answer.
  • Who owns the infrastructure?: Some vendors host on Australian AWS or Azure regions. That's meaningfully better than offshore, though it still involves a US-headquartered cloud provider. Fully Australian-operated infrastructure is a different proposition again.
  • What are the cross-border data transfer provisions?: Does the vendor send data to overseas sub-processors for analytics, support, or backup purposes?
  • What is the breach notification process?: How quickly will they tell you if something goes wrong, and in what form?
  • What are your data portability rights?: Can you export everything, in a usable format, at any time?

Most vendors will answer these questions if you ask. The ones who won't, or who give vague answers, are telling you something.

The Single Database Advantage

There's a related issue that doesn't get enough attention: even if all your tools are hosted in Australia, if they're separate tools with separate databases, your data sovereignty profile is still fragmented.

Every integration between tools is a data transfer. When your project management platform syncs with your CRM, or your time tracking tool pushes data to your invoicing system, data is moving between systems. Each of those movements is a potential point of exposure, and each integration involves a third party, often an overseas middleware provider like Zapier or Make, sitting in the middle.

A platform built on a single database, where projects, clients, finances, timesheets, and communications all live in one place, eliminates most of those transfers. There's no sync to trigger. There's no middleware to route data through. The information was never in separate places to begin with.

From a data sovereignty perspective, that architecture is cleaner. One vendor, one data location, one set of terms to understand.

Sovereignty Without the Sermon

It would be easy to turn this into a flag-waving exercise. Buy Australian, support local, keep data onshore because patriotism. That's not really the point.

The point is practical. Australian businesses operate under Australian law. Their clients have Australian expectations. Their staff have Australian privacy rights. When the software running the business stores data in jurisdictions with different legal frameworks, different breach notification requirements, and different government access powers, there's a genuine mismatch between where the obligations sit and where the data sits.

Fixing that mismatch isn't about nationalism. It's about running a business that can answer the questions clients are starting to ask, that meets the obligations regulators are starting to enforce, and that doesn't create unnecessary exposure for something as preventable as server location.

Amara eventually rebuilt her HR practice on software that could give her clear answers. She now includes a data sovereignty clause in her own client agreements, specifying that all data will be stored on Australian-hosted systems. It's become a selling point, particularly with government-adjacent clients.

She didn't change her practice because she was worried about US government subpoenas. She changed it because a client asked a question she couldn't answer, and she decided that was never going to happen again.

A Practical Starting Point

If you've read this far and you're not sure where your own business data actually lives, that's the place to start. Open the terms of service for each platform you use. Search for "data storage," "data location," and "sub-processors." Most modern platforms publish a list of their sub-processors somewhere, often buried in their privacy policy or a dedicated security page.

Make a simple list: tool name, data location, last reviewed. It takes an afternoon. It's the kind of admin that sits firmly in the 20% of your time that should be spent on operations, not the kind that should be consuming your week. But it's worth doing, because the alternative is finding out the hard way, the way Amara did.

Once you know where your data is, you can make informed decisions about whether that's acceptable, and whether consolidating onto fewer, better-located platforms makes sense for your business.

Opus is built and hosted in Australia, operated by an Australian company, and built on a single database architecture that keeps your business data in one place rather than scattered across a dozen integrations. If you're evaluating your options, the [features page](https://opus.net.au) is a reasonable place to start, and there's a free tier available if you want to see how it works before committing to anything.

Ready to simplify your business?

Start your free 14-day trial and discover why businesses choose Opus Management Platform.

Free 14-day trial · No credit card required · Cancel anytime