Legal
Last updated: 1 May 2026
Primary region
GCP australia-southeast2 (Melbourne)
Offshore replication
Never — contractually prohibited
Encryption at rest
AES-256 via Google Cloud KMS (Melbourne keys)
Framework alignment
PSPF, ISM, Privacy Act 1988
For government-adjacent procurement, data residency is not optional — it is a compliance requirement. The Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM) both impose controls on where sensitive government information can be stored and processed. Using a platform that stores data offshore — even temporarily — creates compliance exposure for both buyers and vendors.
SovereignMesh was designed from day one to keep all data in Australia. Every database, object store, cache, log sink, and backup is provisioned in Google Cloud Platform australia-southeast2 (Melbourne). Our GCP organisation policy includes resource location constraints that prevent any resource from being created outside australia-southeast2, providing technical enforcement — not just a policy promise.
A small number of third-party services are used to operate the platform (e.g., transactional email delivery). Where these services process personal or procurement data, we assess them against our Supplier Security Standard and require contractual data residency commitments. Services that cannot commit to Australian data residency are not used.
All backups and disaster-recovery snapshots are stored in GCP australia-southeast2 (Melbourne). No cross-region replication is enabled. Our RTO/RPO targets are 4 hours and 1 hour respectively for Tier 1 platform components.
Enterprise customers can request a Data Residency Attestation Letter confirming the above commitments, signed by our Chief Technology Officer. GCP data-residency confirmation is available via the Google Cloud Compliance Reports Manager. Contact compliance@sovereignmesh.com.au to request documentation.