Does Australian data have to be stored in Australia?

Not universally, but some government, defence-related and regulated organisations are required to keep certain data onshore, and many contracts specify Australian storage. Where it is not mandatory, it is still often a customer expectation.

Why does backup location matter for sovereignty?

Because a backup stored overseas is subject to that country’s laws, which can undermine an onshore data strategy. Sovereignty requirements should apply to every copy of your data, including backups and disaster-recovery copies.

Data sovereignty: why where your backups live matters

Q: What is the difference between data sovereignty and data residency?

Data residency is where your data is physically stored. Data sovereignty is the legal principle that data is subject to the laws of the country in which it resides. Residency determines which laws apply under sovereignty.

When your data crosses a border, it can come under another country’s laws — even if you never intended it to. Data sovereignty is the principle that data is subject to the laws of the place it is stored. For Australian businesses, where your backups live is a decision worth making deliberately.

Key takeaways

Data sovereignty means data is governed by the laws of the country where it resides.
Data residency is the related, narrower question of where data is physically stored.
Some Australian obligations and contracts require data to stay onshore.
Knowing and controlling your backup location is part of good governance.

Sovereignty vs residency

Data residency is simply where your data is physically located. Data sovereignty goes further: it is the idea that data is subject to the laws and jurisdiction of the country in which it is stored. The two are linked — residency determines which laws apply — but sovereignty is the legal consequence that businesses must reason about.

Why it matters

If your data is stored overseas, it may be accessible to foreign authorities under their laws, regardless of your intentions. For some Australian organisations — government, defence-adjacent suppliers under DISP, healthcare, and businesses bound by certain contracts — keeping data onshore is a requirement, not a preference. Even where it is not mandatory, customers increasingly ask where their data lives.

The backup blind spot

Businesses often scrutinise where their primary SaaS data is hosted but forget to ask the same question of their backups. A backup quietly replicated to an overseas region can undo an onshore data strategy. If sovereignty matters to you, it must extend to every copy of the data, including archives and disaster-recovery copies.

Questions to ask

In which country is each copy of my data — primary and backup — physically stored?
Can I choose or restrict the storage region?
Who can legally compel access to it, and under what law?
Does any contract or regulation require onshore storage for my data?

Keeping control

The way to satisfy sovereignty requirements is to choose where your backups are written — your own infrastructure, your own cloud region, or a provider that guarantees Australian storage. The principle is the same as the 3-2-1 rule: deliberate choices about every copy, not assumptions. With CINDA you decide where snapshots live, including Australian-sovereign options, so location is a setting you control rather than a surprise.

Sovereignty vs residency

Why it matters

The backup blind spot

Questions to ask

Keeping control

Frequently asked questions

What is the difference between data sovereignty and data residency?

Does Australian data have to be stored in Australia?

Why does backup location matter for sovereignty?

The 3-2-1 backup rule in a SaaS world

What is DISP? The Defence Industry Security Program explained

Immutable backups and WORM storage, explained