April 4, 2026 · Tim Fraser, Cloud Operations Lead
Choosing Cloud Tools That Keep Your Data in Australia
When you evaluate a new cloud tool — monitoring, security, cost management, anything that connects to your AWS account — you probably compare features and pricing. But there's a question that matters just as much and rarely appears on comparison charts: where does this tool process and store your data?
For Australian businesses operating under the Privacy Act, APRA prudential standards, or government hosting requirements, this isn't a nice-to-have. It's a compliance requirement. And it's surprisingly hard to get a straight answer.
The problem with "we take security seriously"
Most SaaS vendors will tell you their platform is secure. They'll mention SOC 2 compliance, encryption at rest, encryption in transit, and role-based access control. All of that is good and necessary. But none of it answers the data residency question.
Security and sovereignty are different concerns:
- Security asks: can unauthorised parties access my data?
- Sovereignty asks: which country's laws govern my data, and can I prove where it physically resides?
A tool can be perfectly secure and still store your data in Virginia. For compliance purposes, you need to know both.
Five questions to ask every vendor
Before you connect any tool to your AWS account, ask these questions. If the vendor can't answer them clearly, that's a red flag.
1. Where is your infrastructure hosted?
You want a specific answer: region, provider, data centre location. "AWS" is not enough — AWS has regions on every continent. You need "AWS ap-southeast-2" or "Azure Australia East" or a specific Australian data centre.
2. Where is my data processed?
Hosting and processing can be different. A vendor might store your data in Australia but send it to a US region for analytics or ML. Ask specifically: does any processing happen outside Australia?
3. Where is my data stored at rest?
This includes primary storage, backups, logs, and derived data. Backups are a common gap — the primary database might be in Sydney, but backups replicate to Singapore or Oregon.
4. Can you provide evidence for an auditor?
A verbal assurance is not enough. You need documentation: architecture diagrams showing data flows, contractual commitments to data residency, or a compliance report that specifically addresses Australian data sovereignty.
5. What happens if you're subject to a foreign government data request?
If the vendor is a US company, the CLOUD Act applies regardless of where they store your data. US authorities can potentially compel disclosure even if the data sits in an Australian data centre. Ask how the vendor handles this and whether they notify you.
Building a vendor assessment checklist
For teams that evaluate tools regularly, formalise this into a checklist covering: infrastructure location, data processing location, data storage at rest, backup location, corporate jurisdiction (foreign law exposure), and subprocessors. For each, document the requirement and the evidence the vendor provided.
This looks like overhead, but it saves time in the long run. When an auditor asks "how did you assess this vendor's data residency?", you hand them the completed checklist instead of scrambling to reconstruct the decision.
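Where the evidence a vendor supplies is infrastructure-as-code, such as a CloudFormation template, the backup and replication items on the checklist can be checked mechanically. The following is an added example, not code from plainfra or any vendor: the template is constructed and trimmed to the properties the check reads, the function name `residency_findings` is hypothetical, and it covers only DynamoDB global table replicas, AWS Backup copy actions and S3 replication.

```python
import json

HOME_REGION = "ap-southeast-2"  # the Sydney region named in the article

# Constructed sample template (not a real vendor's): one replica and one
# backup copy leave Sydney, and one bucket has replication configured.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "Customers": {"Type": "AWS::DynamoDB::GlobalTable", "Properties": {
    "Replicas": [{"Region": "ap-southeast-2"}, {"Region": "ap-southeast-1"}]}},
  "Plan": {"Type": "AWS::Backup::BackupPlan", "Properties": {"BackupPlan": {
    "BackupPlanRule": [{"RuleName": "daily", "TargetBackupVault": "main",
      "CopyActions": [{"DestinationBackupVaultArn":
        "arn:aws:backup:us-west-2:111122223333:backup-vault:dr"}]}]}}},
  "History": {"Type": "AWS::S3::Bucket", "Properties": {
    "ReplicationConfiguration": {"Role": "arn:aws:iam::111122223333:role/r",
      "Rules": [{"Status": "Enabled",
                 "Destination": {"Bucket": "arn:aws:s3:::history-copy"}}]}}},
  "Sessions": {"Type": "AWS::DynamoDB::Table", "Properties": {}}
}}
""")

def residency_findings(template, home=HOME_REGION):
    """Return (logical_id, finding) pairs for data that may leave `home`."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::DynamoDB::GlobalTable":
            for replica in props.get("Replicas", []):
                if replica.get("Region") != home:
                    findings.append((name, f"replica in {replica.get('Region')}"))
        elif rtype == "AWS::Backup::BackupPlan":
            for rule in props.get("BackupPlan", {}).get("BackupPlanRule", []):
                for copy in rule.get("CopyActions", []):
                    arn = copy.get("DestinationBackupVaultArn")
                    # Vault ARN: arn:aws:backup:<region>:<account>:backup-vault:<name>
                    parts = arn.split(":") if isinstance(arn, str) else []
                    region = parts[3] if len(parts) > 3 else "unresolved"
                    if region != home:
                        findings.append((name, f"backup copy to {region}"))
        elif rtype == "AWS::S3::Bucket" and "ReplicationConfiguration" in props:
            # S3 bucket ARNs carry no region, so this needs a manual check.
            findings.append((name, "replication configured; confirm destination region"))
    return findings

if __name__ == "__main__":
    for logical_id, finding in residency_findings(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Values supplied through intrinsic functions such as `Fn::Sub` cannot be resolved from the template alone, so the check reports them for follow-up rather than passing them.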
The Australian cloud tools market
Australian-hosted options exist for most categories, but they're the minority. Most popular DevOps and cloud management tools are US-hosted SaaS platforms.
When evaluating, look for tools built on Australian cloud regions that can demonstrate end-to-end data residency. Be wary of vendors who "support" Australian data residency but require an enterprise plan to enable it. If data residency is an afterthought rather than a default, the implementation may have gaps.
How plainfra fits this framework
plainfra is built entirely in AWS Sydney (ap-southeast-2). Here's how it answers each of the five questions:
- Infrastructure: 100% hosted in AWS ap-southeast-2. Lambda, DynamoDB, S3, API Gateway, CloudFront — all Sydney.
- Processing: AI inference runs on Amazon Bedrock in ap-southeast-2. Conversation processing happens in Lambda functions in ap-southeast-2. Nothing is sent offshore.
- Storage: Conversation history is stored in S3 in ap-southeast-2. Customer records are in DynamoDB in ap-southeast-2. There is no cross-region replication.
- Audit evidence: The entire infrastructure is defined in CloudFormation with explicit region configuration. Every resource can be independently verified in the AWS console.
- Jurisdiction: plainfra is an Australian company. There is no US parent entity and no exposure to the CLOUD Act.
This isn't a premium feature or an enterprise add-on. It's the default and only configuration. Every customer gets the same Australian-hosted infrastructure because there is no other option.
For teams building their vendor assessment checklist, plainfra is a straightforward tick in every box.