Skip to content
NZ5 min read

NZ data residency for ERP: why "hosted in Australia" is not the same as "hosted in NZ"

NZ businesses often accept "hosted in Australia" as equivalent to "hosted in NZ".

It is not. The Privacy Act 2020 treats them as different jurisdictions.

NZ businesses choosing an ERP get told "data hosted in Australia" and assume it is the same as NZ.

It is not. The Privacy Act 2020 treats Australia as a separate jurisdiction.

Here is the honest picture of what NZ data residency means, and why OpsUI hosts NZ customer data in NZ.

What "data residency" actually means

Data residency is where customer data physically lives at rest: which data centre, in which country, under which legal jurisdiction. It is distinct from data sovereignty (who has legal authority over the data) and data localisation (legal requirements that force certain data to stay in-country).

For NZ businesses, the relevant question is: when my ERP is running, where is my customer data, supplier data, and financial data physically stored?

What the Privacy Act 2020 actually says

The NZ Privacy Act 2020 does not legally require NZ customer data to be hosted in NZ. It requires NZ businesses to ensure that any overseas processor handles personal information with protections comparable to NZ law.

In practice, this means:

  • Hosting in Australia is permitted, but you carry responsibility for the contractual protections
  • Hosting in the US or EU is permitted with the same caveat
  • IPP 12 (the disclosure principle) requires you to take "reasonable steps" to confirm comparable protection

The legal threshold is comparable protection, not in-country residency. But the practical threshold is different.

Why "Australia" is not the same as "NZ" in practice

Three operational reasons NZ residency matters in practice, even if the law allows AU hosting:

1. Latency. A round trip from Auckland to Sydney is ~25–35ms. To Melbourne is ~40–50ms. To US East is ~180–220ms. For interactive ERP workflows (warehouse scanners, order entry), 25ms vs 200ms is the difference between feeling instant and feeling laggy.

2. Subpoena and data access. Data hosted in Australia is subject to Australian law enforcement subpoena under the Telecommunications (Interception and Access) Act. NZ businesses concerned about commercial confidentiality of their customer or supplier data may prefer NZ jurisdiction.

3. Vendor proximity and accountability. A NZ-hosted vendor with a NZ legal entity is accountable under NZ courts. A global vendor with AU hosting (and a Delaware parent) is harder to compel through a NZ court.

For most ANZ businesses, these are commercial concerns rather than legal blockers. But "Australian-hosted" is not a substitute for "NZ-hosted" when those concerns matter.

How most ERPs actually handle ANZ residency

The honest map of how each tier handles ANZ residency:

Global ERP suites (NetSuite, SAP, Oracle, Microsoft Dynamics): Multi-tenant cloud hosted in AWS or Azure regions. Most run ANZ customers out of the Sydney (ap-southeast-2) Azure or AWS region. NZ customer data physically sits in Australia. Some vendors offer dedicated-tenant options with NZ hosting, at significant cost premium.

Mid-market global ERPs (MYOB Acumatica, Sage X3, Acumatica): Typically Azure ANZ regions. NZ residency varies by partner and contract.

Inventory and ANZ-localised platforms (Cin7 Core, Unleashed, Katana): AWS-hosted, region not separated by domain. Usually pooled trans-Tasman.

Xero and MYOB (accounting): Xero hosts NZ customer data in AWS Sydney region. MYOB has historically hosted in AU but offers NZ-specific data centre options for some products.

ANZ-built modular ERP (OpsUI): NZ customer data in NZ. AU customer data in AU. Separate regional domains (opsui.co.nz and opsui.au) with separate infrastructure footprints.

The pattern: global products pool ANZ data into AU regions; ANZ-built products separate by country.

Questions to ask an ERP vendor about data residency

When evaluating an ERP, the residency questions that matter:

1. Where is NZ customer data physically stored at rest? Not "ANZ": the specific country and data centre.

2. Where are backups stored? Often a separate region; can be a residency loophole.

3. Where are read replicas stored? Same question.

4. Where is the encryption key management hosted? Sometimes US-based even when data is regional.

5. Which legal entity owns my data? A NZ entity or a parent company in another jurisdiction?

6. What is the contractual position on subpoena and law-enforcement disclosure?

7. What happens to my data on termination? Repatriation guarantees and timeframes.

The honest test is whether the vendor can answer these in writing. Vendors that can are usually compliant; vendors that hedge usually have residency edge cases they prefer not to discuss.

How OpsUI handles NZ data residency

OpsUI operates two separate regional infrastructures:

  • opsui.co.nz: NZ customer data hosted in NZ. AES-256 encryption at rest, TLS 1.3 in transit, NZ-based encryption key management.
  • opsui.au: AU customer data hosted in AU. Equivalent controls scoped to AU residency.

A NZ customer running OpsUI never has data physically stored in Australia. An AU customer running OpsUI never has data physically stored in New Zealand. Trans-Tasman businesses run both tenants if they need both jurisdictions.

The trade-off is operational (OpsUI runs two infrastructures rather than one) but it eliminates the residency edge cases that pooled trans-Tasman platforms carry.

When NZ residency matters most

Five operational shapes where NZ residency tends to be a hard requirement:

  • Government-adjacent businesses with central or local government customers
  • Healthcare operators carrying patient or pharmaceutical data
  • Financial services with FMA or RBNZ-supervised activity
  • Legal firms with client confidentiality obligations
  • Trade-secret-heavy operations (specialty manufacturing, R&D-led businesses) where commercial confidentiality is the moat

For these shapes, "Australian-hosted with comparable protections" is not enough. The business needs NZ hosting with a NZ legal entity.

For everyone else, AU hosting is usually fine commercially. But the answer should be a deliberate decision, not a vendor default.

See also

For deeper coverage of ANZ compliance and security, see /security on the OpsUI site and the data residency compliance deep dive on the OpsUI knowledge base.

Frequently asked

Is NZ customer data legally required to be hosted in NZ?

No. The Privacy Act 2020 requires NZ businesses to ensure overseas processors handle personal information with protections comparable to NZ law (IPP 12). It does not legally mandate in-country hosting. Many ANZ businesses host with Australian providers under that framework. The practical case for NZ hosting is operational (latency, vendor proximity, jurisdiction) rather than purely legal.

Is Xero hosted in NZ?

No. Xero hosts NZ customer data in AWS Sydney region (ap-southeast-2), like most ANZ-pooled global products. Xero complies with the Privacy Act 2020 under the comparable-protection framework. NZ businesses concerned about NZ-jurisdiction residency would need to pair Xero with NZ-hosted infrastructure for their operational data.

Where does OpsUI host NZ customer data?

OpsUI hosts NZ customer data in NZ. Physical data centres in country, with AES-256 encryption at rest, TLS 1.3 in transit, and NZ-based encryption key management. AU customer data is hosted separately in Australia. The two regional tenants run on separate infrastructures rather than a pooled trans-Tasman deployment.

Does AU hosting still satisfy NZ privacy requirements?

Yes, as long as the AU provider commits to comparable protections under the Privacy Act 2020 framework. The legal threshold is comparable protection, not in-country residency. The practical case for NZ residency is operational (latency, subpoena jurisdiction, vendor accountability) rather than legal mandate.

See how OpsUI approaches this differently.

No hidden fees. No six-month implementations. Just warehouse software that works.

Book a Consultation