When a mortgage broker collects a client's income details, debt information, and identity documents, that data falls under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). If your CRM stores that data on a server in Virginia or Frankfurt, you may be violating APP 8, cross-border disclosure of personal information.
What the law actually says
APP 8 requires that before disclosing personal information to an overseas recipient, the entity must take reasonable steps to ensure the overseas recipient doesn't breach the APPs. In practice, this means either getting explicit consent from every client for overseas storage, or keeping the data in Australia. For financial services, keeping it in Australia is the cleaner compliance path.
APRA's position
APRA's Prudential Standard CPS 234 (Information Security) applies to APRA-regulated entities and their service providers. While brokers aren't directly APRA-regulated, lenders are, and lenders increasingly require their broker panels to demonstrate compliant data handling. A CRM with Australian data residency is becoming a panel requirement, not just a nice-to-have.
How to verify your CRM's data residency
Ask your CRM provider three questions: (1) Which specific data centre region stores my data? (2) Is replication confined to Australian regions? (3) Can you provide a written guarantee of Australian-only storage? If they can't answer all three clearly, your data may be overseas without your knowledge.
Frequently asked questions
Where does CRMandGo store data?
Is my data safe in an Australian data centre?
Ready to see it in action?
CRMandGo is built for Australian brokers. Start your free trial, no credit card, no lock-in.
Start free trial