Australian Data Residency and Access
At Zanda, we understand that data security and residency are especially important to many Australian healthcare providers-particularly when working with government agencies, insurers, or service purchasers that may require assurance around where data is stored and who has access to it.
This article provides specific information for Zanda customers based in Australia. It outlines where data is stored, how it is protected, and under what limited circumstances it may be accessed or processed from outside Australia.
Note: Zanda uses region-specific infrastructure. This article refers exclusively to the data storage and processing practices for Australian customers. Customers in other regions (such as the UK or North America) have their data handled via local infrastructure within those regions.
Have a Canada, USA (United States), or UK account? Zanda supports Canadian, US, and UK practices on region-specific infrastructure. For where data is hosted for those accounts — including a Canadian data server / data residency answer — see the Other regions (US, Canada, and UK accounts) FAQ near the end of this article.
Key Points – Data Residency and Security for Australian Customers
- All data for Australian accounts is stored in Australia
We use Amazon Web Services (AWS) data centres located within Australia to store and back up all customer data for Australian-based Zanda accounts. Data is encrypted both at rest and in transit. - Australian-owned, Australian-based
Zanda is an Australian company, headquartered in Victoria. We prioritise local data handling and Australian-based service delivery wherever feasible. - Local customer support
Our Australian-based support team is the default contact for Australian customers. We also conduct police and background checks on all team members with potential access to customer data. - Consent-driven access
We do not access customer data unless explicitly authorised by the account holder, and always for the purpose of providing support or resolving an issue. - Dedicated Data Protection Officer
We have an internal Data Protection Officer responsible for overseeing data privacy, security, and compliance across all operations. - We are ISO 27001 certified
Both Zanda and our infrastructure providers meet the globally recognised ISO 27001 standard for information security. - Comprehensive, externally audited privacy program
We maintain a robust privacy program that is externally audited and aligned with Australian Privacy Principles (APPs), ensuring ongoing compliance with relevant privacy regulations. - Direct integration with Medicare
We have a native, direct integration with Medicare and comply with their strict data access and processing residency requirements, ensuring sensitive health data is handled in line with Australian government standards. - We actively choose local providers where possible
Whenever practical, we work with Australian-based providers and services to help maintain high standards of privacy and data residency.
Situations Where Data May Be Accessed or Processed Overseas
While our default approach for Australian customers is to keep data stored and managed within Australia, there are limited and specific circumstances where data may be accessed or processed from outside the country:
- After-hours or urgent support
Zanda provides 24/7 customer support. While Australian customers are primarily supported by our local team, there may be situations-especially during urgent or after-hours events-where team members based in the UK or USA assist. These staff are subject to the same training, compliance obligations, and background checks.
We also ensure compliance with Australian Privacy Principle (APP) 8 before granting any access, including requiring that all staff handle data in accordance with Australian privacy standards. - Optional third-party integrations
Some integrations, such as online payments via Stripe, may involve limited data transfer (e.g., name, email, and card details) outside Australia. Stripe is PCI DSS compliant and handles this data securely.
Similarly, our default email provider (SendGrid) may process email data (e.g., recipient email addresses) outside of Australia. Customers are able to configure their own email service if preferred. - Accessing Zanda while travelling
If a customer logs into Zanda from overseas (e.g., while travelling), data is transmitted securely over the internet. This does not involve a change in data storage location, but may constitute international access under some definitions.
Summary
Zanda takes data residency and security seriously. For Australian customers, our systems, partners, and policies are built to ensure that data is stored locally by default, and that any overseas access-when it occurs-is secure, limited, and appropriately governed.
For more information, you can also refer to:
Other regions (US, Canada, and UK accounts)
The key points above apply to Australian accounts. Zanda uses region-specific infrastructure, so data for accounts outside Australia is handled by local infrastructure in those regions. For general data residency and hosting questions across all regions, the published Security and Sub-processors pages are the primary reference, and Zanda Support can provide written, account-specific confirmation when you need it.
❓ Where is data hosted for accounts outside Australia?
Zanda stores customer data in Amazon Web Services (AWS) data centers, encrypted at rest and in transit. For accounts outside Australia, the hosting region is determined by local regulations and is located in London, Northern Virginia, or Sydney as needed. United States accounts are hosted in North American data centers. For written confirmation of the region tied to your own account, contact Zanda Support and include the reason you need it (for example, a service purchaser, insurer, oversight body, audit, or internal policy).
❓ Where is data hosted for Canadian accounts?
Zanda does not publish a Canada-specific data center city. Data for Canadian accounts is hosted in London, Northern Virginia, or Sydney based on local requirements, in line with Canadian privacy standards — the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in Ontario, the Personal Health Information Protection Act (PHIPA). For account-specific confirmation, contact Zanda Support.
❓ Can I use this article as evidence for a non-Australian account?
The detailed key points above cover Australian accounts only. For Canadian, UK, US, or other regional accounts, use the Security and Sub-processors pages together with account-specific confirmation from Zanda Support.
If you’re asked about data residency by a service purchaser, insurer, or oversight body, feel free to link them to this article to provide a complete, contextual answer.