Privacy · 7 min read · 2 April 2026

Data sovereignty: why Australian hosting matters for regulated industries

The Privacy Act 1988 treats cross-border disclosure of personal information as a regulated act, not a technical detail. Australian Privacy Principle 8 requires that before an organisation discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient will handle the information in a way that is at least as protective as the APPs — or, alternatively, obtain the individual's express consent to the transfer with acknowledgement that APP protections will not apply. For regulated industries handling sensitive categories of information — health records, disability support data, financial intelligence — this obligation has real teeth.

The practical consequence is that where personal information is stored and processed matters enormously. A compliance software platform that routes data through US-based servers, uses European data centres as a failover, or relies on AI processing infrastructure hosted outside Australia is making cross-border disclosures every time it handles a record. Most Australian providers are not aware that their software vendor's infrastructure choices constitute disclosures under the Privacy Act. Even where consent has been collected, the downstream implication is that foreign intelligence laws — including the US CLOUD Act — may allow government agencies to compel disclosure of data hosted in their jurisdiction, regardless of Australian law.

For NDIS providers, the sensitivity of participant data elevates this concern substantially. Participant records include diagnoses, behaviour support plans, incident histories, and financial transactions linked to disability. For AML/CTF reporting entities, the data includes suspicious matter reports, customer due diligence records, and beneficial ownership information — material that carries strict confidentiality obligations under the AML/CTF Act, including the tipping-off prohibition. Hosting this data offshore is not just a privacy risk; it may constitute a breach of the specific confidentiality provisions in those regulatory regimes.

Supabase operates a Sydney region (ap-southeast-2), and for Australian compliance applications it is the only appropriate choice. Data at rest remains within Australian jurisdiction; compute occurs within the region; backups are stored domestically. This is not a marketing claim — it is a verifiable infrastructure configuration that can be documented in a data governance register and provided to regulators on request. The ability to produce clear documentation of data flows, storage locations, and access controls is increasingly expected by regulators including the NDIS Quality and Safeguards Commission, AUSTRAC, and the Office of the Australian Information Commissioner.

When evaluating compliance software, data residency should be a first-order question, not an afterthought. Ask vendors to specify exactly which regions store your data, whether any processing — including backups, analytics pipelines, and AI-assisted features — occurs outside Australia, and what contractual protections exist against vendor-initiated transfers. A vendor who cannot answer these questions clearly is not a vendor who has thought carefully about their obligations under Australian privacy law. For organisations handling the categories of information that regulatory software typically manages, the question of where data lives is inseparable from the question of whether you are complying with the law.
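The two paragraphs above describe a data governance register that records where each part of a platform runs and treats anything outside Australia as a cross-border disclosure. As an added example (not code from the article or from Supabase), this Python check walks a constructed register of components (primary storage, failover, backups, analytics, AI processing) and reports every offshore component and every offshore component with no documented APP 8 basis. The register format, the component names, the `basis` field and the Melbourne region entry are assumptions.

```python
"""Data-residency check over a hypothetical data governance register."""
from dataclasses import dataclass

# Assumption: regions accepted as Australian. ap-southeast-2 is the Sydney
# region named in the article; ap-southeast-4 (Melbourne) is an assumed addition.
AUSTRALIAN_REGIONS = {"ap-southeast-2", "ap-southeast-4"}


@dataclass(frozen=True)
class Component:
    name: str        # what the component is, e.g. "primary database"
    region: str      # cloud region identifier the component runs in
    role: str        # "storage", "failover", "backup" or "processing"
    basis: str = ""  # documented APP 8 basis if offshore, empty if none recorded


def cross_border_disclosures(register):
    """Components that hold or process personal information outside Australia."""
    return [c for c in register if c.region not in AUSTRALIAN_REGIONS]


def residency_report(register):
    """Summarise the register: offshore components and those lacking a basis."""
    offshore = cross_border_disclosures(register)
    return {
        "components": len(register),
        "offshore": [c.name for c in offshore],
        # Offshore with no documented consent/APP 8 basis: needs review first.
        "undocumented_offshore": [c.name for c in offshore if not c.basis],
        "all_onshore": not offshore,
    }


# Constructed sample register for a platform that mixes Sydney hosting with an
# EU failover and a US-hosted AI feature (every value here is made up).
SAMPLE_REGISTER = [
    Component("primary database", "ap-southeast-2", "storage"),
    Component("nightly backups", "ap-southeast-2", "backup"),
    Component("analytics pipeline", "ap-southeast-2", "processing"),
    Component("failover replica", "eu-west-1", "failover"),
    Component("AI summarisation", "us-east-1", "processing", basis="consent"),
]

if __name__ == "__main__":
    for key, value in residency_report(SAMPLE_REGISTER).items():
        print(f"{key}: {value}")
```

The failover replica is the kind of entry that is easy to miss: it stores nothing in normal operation yet still counts as a disclosure the moment data is replicated to it.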
