An ADA December 2025 Newsletter article (also on their website) asks whether business owners are satisfied with their subscriber data (TFNs and dates of birth) being stored offshore. It mentions Xero (the New Zealand-based accounting/payroll software), which stores its data on AWS servers located in the USA. A technical expert from Xero is quoted: “if you don’t want your personal information to be transferred to a server located in the US, you shouldn’t provide Xero with your personal information or use Xero.” Advice from an IT company states that most of the risk comes not from where the data is stored, but from how securely the organisation manages access to it.

They suggest the following risk mitigation strategies:

  1. Strengthen authentication and access controls
    Using strong MFA (multi-factor authentication) is essential, whether number-matching MFA or phishing-resistant MFA, depending on the environment. This greatly reduces the chance of unauthorised access, even if credentials are exposed.
  2. Restrict access by region (geo-blocking)
    If a business operates solely within Australia, geo-blocking helps prevent login attempts from high-risk countries, significantly reducing exposure to credential-based attacks.
  3. Ensure secure data transfer and storage practices
    Internal policy documents emphasise encrypted email, secure file transfers, and avoiding storage of sensitive data on removable media.
  4. Vendor due diligence
    For any platform storing personal or financial information, it’s important to review the provider’s compliance posture (ISO 27001, SOC 2, Australian Privacy Act alignment). While customers can’t change where SaaS data is stored, they can choose vendors with strong transparency and security maturity.
  5. Backup and business continuity
    Regular backups, documented DR plans, and the ability to recover quickly reduce the impact of service outages or incidents, regardless of data location.
  6. Staff awareness
    Human error remains a leading cause of breaches. Policies, onboarding processes, and security education help users understand obligations around storing and handling sensitive data.

Dr Tony Poli is ADAWA’s Peer Advisor. For confidential, professional guidance from Dr Poli, contact: [email protected]