Australian cloud compliance guide: Evaluating vendors for privacy, security & certifications
Key Takeaways
- Choosing the right cloud provider is crucial for compliance with the Privacy Act, as non-compliance can lead to financial penalties and project derailment.
- Australian organisations must ensure their cloud vendors adhere to the Australian Privacy Principles (APPs), because accountability for compliance stays with the organisation, not the vendor.
- Verification of vendor compliance claims is essential; certifications like IRAP, ISO 27001, and SOC 2 provide assurance of security and regulatory adherence.
Cloud and compliance go hand in hand. There’s no getting around it. Choosing the wrong cloud provider is a serious risk, not just to IT, but to your entire organisation. The fallout of non-compliant infrastructure can derail projects and expose your organisation to financial penalties.
And as Australian organisations place ever-increasing importance on their IT infrastructure, this pressure is only ramping up. Recent amendments to the Privacy Act 1988 (Cth) (Privacy Act) have raised the stakes. In October 2025, Australian Clinical Labs (ACL) received a $5.8 million penalty for their failure to stop a data breach. It was the first civil penalty of its kind under the Privacy Act.
What happened? In short: ACL were deemed to have breached the Privacy Act by not taking “reasonable steps to protect personal information.” In this case, the breach was caused by a supplier. But the precedent set by this judgment means that supplier negligence is no longer an excuse – if it ever was. The Office of the Australian Information Commissioner (OAIC), the regulatory body that enforces the Privacy Act, determined that ACL remained responsible for ensuring its suppliers met its privacy standards, and the Federal Court agreed.
In previous years, such an incident might have resulted in a warning. Today, it constitutes a compliance failure and sets a clear precedent: organisations are responsible for adhering to the Privacy Act, not the third parties that enable them to do it. As the backbone of your organisation, your cloud providers play a key role in keeping you secure and compliant with regulations such as the Privacy Act. In today’s regulatory environment, your compliance depends on theirs.
But how can you be sure that a cloud provider meets these, and all other relevant, regulatory compliance standards? Every cloud provider will tell you they’re “compliant.” The hard part is proving it.
So, when evaluating vendors, the questions every IT and procurement leader should be asking are:
- How do you verify vendor compliance claims when every brochure says the same thing?
- What certifications actually matter, and which are just marketing gloss?
- Where does your responsibility end and theirs begin under Australian law? (Spoiler alert: your accountability doesn’t stop when your responsibility does)
This article will help you answer them, with practical guidance that helps you verify vendor compliance claims. We break down how to evaluate cloud providers against Australian privacy requirements. You’ll then learn which certifications you’ll need to see, what questions to ask in RFPs, and how to spot red flags early. Finally, we’ll show you how to (responsibly) share the compliance load across your vendors, so you don’t overburden your IT team.
Understanding the Australian privacy principles: Your vendor evaluation framework
Why they’re important in cloud services procurement
Every cloud provider operating in Australia should demonstrate built-in compliance with the Australian Privacy Principles (APPs). Why? Because ultimately, you’re responsible for ensuring they do. So, if a cloud provider is transparent about their ongoing compliance, they’re reducing the burden on your internal teams who need to chase them up to continually prove it.
The 13 APPs: Vendor Assessment Checklist
Australian organisations remain accountable for how their vendors handle personal information under the Privacy Act. The Australian Privacy Principles (APPs) are the core rules set out under the Privacy Act, and the OAIC expects organisations to demonstrate verification.
Here are the Australian Privacy Principles relevant to cloud infrastructure. For each, we’ll break down what you’ll need to verify with any potential cloud provider to ensure compliance, the questions you should ask to validate it, and the red flags that suggest they’re not up to the task.
APP 1: Open and transparent management
Example breach: A cloud vendor’s privacy policy is a vague US boilerplate with no mention of where they store Australian data or who can access it. When customers ask, no one can explain the data flow.
What to verify:
- Does the provider have a clear, specific privacy policy explaining how they handle your data?
Red flag:
- Generic privacy statements that ignore cloud-specific storage and access.
RFP question:
- “Can you provide your privacy management framework and data governance framework documentation?”
APP 2: Anonymity and pseudonymity
Example breach: The vendor’s system can’t anonymise or mask records for analytics, so support staff and subcontractors can see raw personal data.
What matters:
- Can the platform support anonymised or pseudonymised processing where required?
Ask:
- “What anonymisation or pseudonymisation capabilities are built into your system?”
APP 3–5: Collection, use, disclosure
Example breach: A cloud provider uses your customer data stored on its platform to train AI models or run analytics without consent or clear disclosure.
Critical for evaluation:
- How does the provider use your customer data? (The only correct answer is “we don’t”.)
Red flag:
- Vendors that reserve rights to analyse or monetise customer data.
RFP question:
- “Do you access, analyse, or use customer data for any purpose other than service delivery?”
APP 6: Use or disclosure
Example breach: A cloud vendor uses offshore subcontractors but never discloses them.
Vendor assessment:
- Which subprocessors handle your data, and are they disclosed?
RFP question:
- “Can you provide a complete list of subprocessors and their locations?”
APP 8–9: Cross-border disclosure
Example breach: Your provider says data is stored “in Australia,” but helpdesk access is routed through a team in another country.
What to verify:
- Where is data stored, and who can access it?
Red flag:
- Data is stored in Australia but accessed by overseas support staff.
RFP questions:
- “Where are all data centres located?”
- “Where are support and administrative staff based?”
- “Can data ever leave Australia? Under what circumstances?”
Smart choice: Sovereign infrastructure means data is stored within Australian data centres, with Australian-based operations. It means data never leaves Australian jurisdiction, simplifying compliance with APP 8–9.
APP 11: Security of personal information
Example breach: A cloud vendor boasts “bank-level security” but has no MFA, no encryption at rest and hasn’t had a third-party audit. Without those settings, all it takes is a misconfigured storage space to leak sensitive data.
What to verify:
- Encryption at rest and in transit (AES-256 minimum).
- Multi-factor authentication and role-based access control.
- Regular security assessments and audit logging.
- Alignment with the Essential Eight framework.
Red flags:
- “Bank-level security” without specifics
- No third-party audit or certification
- Can’t provide SOC 2, ISO 27001, or IRAP certification
RFP questions:
- “What certifications validate your security controls?” (e.g. ISO 27001, SOC 2, IRAP)
- “When was your last penetration test? Can we see the executive summary?”
- “How do you implement Essential Eight compliance?”
APP 12–13: Access and correction
Example breach: Excessive or unmanaged downtime stops customers from accessing their own data.
Vendor assessment:
- Can customers easily access and correct their data?
RFP question:
- “What’s the process and turnaround time for data access or correction requests?”
Privacy impact assessments: Evaluating vendor risk
Before moving sensitive workloads to the cloud, you’re expected to run a Privacy Impact Assessment (PIA). A PIA is meant to validate your cloud service provider’s ability to adhere to the Privacy Act. Yet, most organisations wait until an audit forces the issue. By then, the damage is done.
Smart organisations choose providers that have already completed PIAs on their platform and built privacy into their architecture. That alone can halve your internal assessment time. Quality providers treat privacy as an engineering standard, not a marketing claim. Ask about their PIA work during procurement — it’s one of the fastest ways to separate mature platforms from checkbox compliance.
Vendor PIA evaluation questions
When assessing cloud vendors, make privacy maturity part of the RFP conversation. Ask any potential provider:
- Have you conducted privacy impact assessments for this service?
- Can we review your PIA documentation or executive summary?
- How do you apply privacy by design across systems and operations?
- What privacy risks have you identified, and how are they mitigated?
However, their word alone is not enough. Even with a compliant provider, you still need your own assessment. Document:
- What personal information flows into the cloud (e.g. customer data, employee records, financial details).
- How the cloud service processes, stores, and secures your data.
- Findings from your cloud risk assessment, including vulnerabilities and controls verified.
- Mitigation steps implemented through contracts, configuration, or policy.
This shared-responsibility model is core to the OAIC’s privacy management framework. It’s what the regulator means by “taking reasonable steps” under the Privacy Act. You can delegate privacy, but you can’t outsource it.
PIA quick reference for IT teams
When running your internal PIA for cloud adoption, focus on three things.
Assess
- What data types are moving? Customer, employee, financial?
- What could go wrong? A breach, unauthorised access, offshore exposure?
- How does the provider reduce those risks?
Document
- Risk-assessment findings.
- Validated provider controls, such as certifications and architecture reviews.
- Management acceptance of residual risks, and the ongoing monitoring plan.
Pro tip: Pick IRAP-certified or ISO 27001-certified cloud platforms. Their security controls have already been audited, cutting your privacy impact assessment workload and giving you a stronger compliance position from day one.
Notifiable data breach scheme: Understanding shared responsibility
When a data breach involves your customer information, your organisation must notify both the OAIC and affected individuals, no matter where or how the breach occurred. Under Australia’s Notifiable Data Breach Scheme, this must happen as soon as practicable after discovery, ideally within 72 hours. Late notification (or none at all) can trigger significant penalties and reputational damage.
Here’s the compliance reality: if your cloud provider suffers a breach, it’s still your problem. You’re the data controller; they’re just the processor. Responsibility ultimately sits with you, but that doesn’t mean you need to shoulder the workload. That’s why vendor selection is a compliance decision as much as a technical one.
You need providers who:
- Prevent breaches through strong security controls
- Detect incidents fast through continuous monitoring
- Notify you immediately through clear SLA commitments
The shared responsibility model explained
A strong cloud partnership works on a clear shared responsibility model. A shared responsibility model clearly defines what your cloud provider is responsible for delivering, and what remains your job. Of course, everything’s ultimately your responsibility. However, clearly defined roles and responsibilities help streamline the process.
Here’s what a typical division of responsibilities under the shared responsibility model looks like:
What your cloud provider manages:
- Physical data centre security
- Infrastructure protection (hypervisor, network, storage)
- Employee access controls within their environment
- Platform security updates and patches
What you remain responsible for:
- Application-level and endpoint security
- User access management within your organisation
- Data classification, retention, and handling
- Secure configuration and deployment
Where the lines overlap:
When an incident occurs, both parties must quickly detect and report it. In practice, that means the provider must alert you the moment they identify a breach. You must have a defined internal process to assess and report eligible breaches to the OAIC.
Jurisdiction matters. Breach investigations and legal processes are simpler when both you and your provider operate under Australian jurisdiction. Choosing sovereign cloud services removes the complexity of foreign investigations and accelerates response time.
To assure compliant breach response readiness, include clear RFP questions asking potential providers for their breach notification SLA and how quickly they will notify you of security incidents.
Breach response checklist for IT teams
Include these in your cloud provider SLA:
- Notification timelines: The provider must notify your organisation of any confirmed or suspected breach within two hours of detection.
- Incident response support: The provider must assist in containment, investigation, and resolution efforts in coordination with your internal response team.
- Forensic preservation: Procedures must be in place to preserve relevant forensic evidence for regulatory and legal purposes.
- Escalation and communication protocols: Clearly defined lines of communication should specify who is notified, how, and in what sequence during an incident.
- Post-incident reporting: The provider must deliver a formal incident report summarising cause, impact, remediation steps, and lessons learned.
Your internal processes should cover:
- Incident assessment: A structured process to evaluate the nature and scope of the breach, and to determine whether it is notifiable under the Privacy Act 1988 (Cth).
- Notification readiness: Pre-approved OAIC notification templates and processes for rapid submission.
- Customer and media communication: Prepared templates and messaging to ensure consistent, transparent communication with affected customers and the media.
- Executive escalation: Defined decision-making pathways to ensure senior leadership is informed promptly and can authorise notifications or public statements.
- Legal and PR coordination: Pre-established procedures for working with legal counsel and communications teams to manage regulatory, contractual, and reputational risks.
The OAIC can impose penalties of up to $50 million or 30% of revenue (whichever is higher) on companies for serious or repeated privacy breaches under the Privacy Act. Choosing compliant, transparent providers is the most effective way to reduce regulatory risk under Australia’s data breach notification requirements and shared responsibility model.
Cloud certification framework: What actually matters
Every cloud vendor claims to be secure and compliant. The challenge for procurement teams is knowing who can prove it. The key, and your shortcut to getting the evidence you need, is third-party certification. Certifications show that independent auditors have verified a provider’s controls and that those controls are re-assessed annually. Certification reduces your due diligence workload and gives your compliance team a defensible audit trail.
For IT teams, certified providers mean less documentation to create and maintain. For CFOs, certifications reduce compliance risk and can even lower cyber insurance premiums. In short, certifications significantly reduce your risk profile.
IRAP certification: The Australian gold standard
The Information Security Registered Assessors Program (IRAP) is the benchmark for assessing cloud security in Australia. It uses Australian Signals Directorate (ASD)-endorsed assessors to evaluate providers against government-grade controls under the Information Security Manual (ISM) and Essential Eight compliance.
The IRAP assessment process includes:
- Comprehensive technical and administrative control testing.
- Assessment against ASD’s security framework and Essential Eight maturity.
- Remediation of findings before certification is granted.
- Ongoing compliance reviews through the ASD certified cloud program.
IRAP certified cloud environments come in two main levels:
- PROTECTED: suitable for handling sensitive government and private-sector data.
- SECRET: for classified government workloads.
What organisations need an IRAP certified cloud service?
- Government or defence contracts
- Critical infrastructure sectors
- Healthcare, financial services, and legal sectors managing sensitive or regulated data
Red flag: Vendors claiming to be “IRAP compliant” without formal certification. Compliance is self-declared. Certification is independently verified.
ISO 27001
ISO 27001 is the global standard for an Information Security Management System (ISMS). It requires formalised processes for risk management, annual surveillance audits, and continuous improvement. For procurement teams, ISO 27001 certification proves a vendor has mature governance and documented controls aligned to international best practice.
SOC 2 Compliance
In Australia, SOC 2 compliance focuses on operational controls. It evaluates how a vendor manages Security, Availability, and Confidentiality. Type II reports are the gold standard because they test controls over time, not just at a point in time. SOC 2 is particularly valuable when assessing SaaS or cloud service providers that manage customer data daily.
Look for providers with multiple certifications. Each covers different aspects:
- IRAP: Australian government standards and ASD controls
- ISO 27001: security governance and management system maturity
- SOC 2: operational effectiveness and day-to-day transparency
Together, they demonstrate a provider’s security posture, governance, and accountability.
Certification validation and red flags
Always verify certifications. Request certificate copies, check issue and expiry dates, and confirm the scope covers the services you’re buying. Contact the certifying body or assessor to confirm validity.
Certification red flags include:
- “Working toward certification” statements.
- The provider’s overseas-based parent company certified, but Australian operations are not.
- Expired or soon-to-expire certificates.
- Certifications that don’t cover the relevant cloud service.
- Vendors refusing to provide documentation.
Cloud security is only as strong as its verification. If a provider can’t prove it, assume they haven’t earned it.
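The certificate checks above (issue and expiry dates, scope, the certified entity versus the Australian operating entity, and “working toward” or self-declared claims) are easy to apply consistently if you keep an evidence register. The following is an added example of such a checker, not code from the original article or from Interactive; the vendor, services, dates and certificate records are constructed sample data, and the 12-month expiry horizon is taken from the selection checklist later on this page.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertEvidence:
    """One certificate or assessment letter supplied by a vendor."""
    standard: str               # e.g. "IRAP", "ISO 27001", "SOC 2 Type II"
    certified_entity: str       # legal entity named on the certificate
    issued: date | None         # None if the vendor could not supply a dated copy
    expires: date | None
    scope: frozenset[str]       # services named in the certificate's scope statement
    status: str = "certified"   # "certified" | "in progress" | "self-declared"


EXPIRY_HORIZON = timedelta(days=365)   # no expiries within the next 12 months


def certification_red_flags(ev: CertEvidence, vendor_entity: str,
                            required_services: frozenset[str], today: date) -> list[str]:
    """Apply the page's certification red flags to one piece of evidence."""
    flags: list[str] = []
    if ev.status != "certified":
        # "Working toward certification" and "IRAP compliant" are not certifications
        return [f"{ev.standard}: '{ev.status}' is not a certification"]
    if ev.certified_entity != vendor_entity:
        # Overseas parent certified, Australian operating entity not
        flags.append(f"{ev.standard}: certificate issued to {ev.certified_entity}, "
                     f"not {vendor_entity}")
    if ev.issued is None or ev.expires is None:
        flags.append(f"{ev.standard}: no issue/expiry dates on the certificate")
    elif ev.expires < today:
        flags.append(f"{ev.standard}: expired on {ev.expires.isoformat()}")
    elif ev.expires <= today + EXPIRY_HORIZON:
        flags.append(f"{ev.standard}: expires within 12 months ({ev.expires.isoformat()})")
    missing = required_services - ev.scope
    if missing:
        flags.append(f"{ev.standard}: scope does not cover {sorted(missing)}")
    return flags


def review_vendor_evidence(vendor_entity: str, evidence: list[CertEvidence],
                           required_standards: tuple[str, ...],
                           required_services: frozenset[str], today: date) -> dict[str, list[str]]:
    """Return {standard: [red flags]}; an empty list means that certificate passed."""
    by_standard = {ev.standard: ev for ev in evidence}
    report: dict[str, list[str]] = {}
    for standard in required_standards:
        ev = by_standard.get(standard)
        if ev is None:
            report[standard] = [f"{standard}: no documentation provided"]
        else:
            report[standard] = certification_red_flags(ev, vendor_entity, required_services, today)
    return report


# Constructed sample evidence pack for a hypothetical vendor (not a real provider).
TODAY = date(2025, 11, 1)
VENDOR = "Example Cloud Pty Ltd"
REQUIRED_STANDARDS = ("IRAP", "ISO 27001", "SOC 2 Type II")
REQUIRED_SERVICES = frozenset({"Private Cloud", "Managed Backup"})
SAMPLE_EVIDENCE = [
    # ISO 27001 held by the overseas parent, and only for one of the two services bought
    CertEvidence("ISO 27001", "Example Cloud Inc.", date(2024, 3, 1), date(2027, 2, 28),
                 frozenset({"Private Cloud"})),
    # SOC 2 Type II is in order except that it lapses inside the 12-month horizon
    CertEvidence("SOC 2 Type II", VENDOR, date(2024, 9, 1), date(2025, 12, 15),
                 REQUIRED_SERVICES),
    # IRAP: the vendor said "IRAP compliant" in the brochure but supplied no assessment letter
]


def sample_report() -> dict[str, list[str]]:
    return review_vendor_evidence(VENDOR, SAMPLE_EVIDENCE, REQUIRED_STANDARDS,
                                  REQUIRED_SERVICES, TODAY)


if __name__ == "__main__":
    for standard, flags in sample_report().items():
        print(standard, "OK" if not flags else flags)
```

A clean report is the starting point, not the finish: the dates and scope still need to be confirmed with the certifying body or IRAP assessor, as the page advises.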
Industry-specific cloud compliance requirements
Naturally, specific industries will have their own unique set of compliance requirements that reflect the nature of their sector.
Healthcare and Aged Care sector requirements
Healthcare and aged care organisations handle some of the most sensitive personal data under the Privacy Act. Health information privacy and patient data protection depend on secure systems that meet APP 11 standards for security of personal information. Vendors must demonstrate airtight controls for handling and storing health data.
Vendor requirements checklist for healthcare:
- IRAP certified cloud (PROTECTED level minimum)
- ISO 27001 certification
- Australian data centres only
- Healthcare references or case studies
- Detailed access logging and audit trails
Must-haves: Data sovereignty, no overseas access to patient data, and a breach notification SLA under two hours.
Financial services requirements
Financial services institutions operate under APRA cloud requirements (CPS 234), which mandate strict oversight of banking and financial data protection and third-party risk. Material service providers must demonstrate strong governance and rapid incident response, including notification to APRA within prescribed timeframes.
Cloud vendor requirements checklist for financial services:
- IRAP or equivalent certification
- ISO 27001 and SOC 2 Type II compliance
- Regular penetration testing (quarterly minimum)
- Disaster recovery within four hours
- Contractual audit rights
These controls protect against financial data loss, regulatory exposure, and reputational risk.
Legal sector requirements
Law firms rely on technology partners who understand law firm data protection, confidentiality, and legal professional privilege. Adherence to the Australian Privacy Principles is mandatory, but many providers still fall short on transparency and data segregation.
Vendor requirements checklist:
- ISO 27001 certification (minimum)
- Australian data centres
- Clear data segregation and retention controls
- eDiscovery and legal hold capabilities
The sector’s barrier to entry is lower than government or finance, but ISO 27001 and SOC 2 should be the minimum baseline for compliance maturity.
Government sector requirements
Government agencies face the strictest cloud compliance requirements. The Australian Government’s Cloud Policy mandates that agencies host sensitive workloads on IRAP-certified cloud infrastructure. Providers must demonstrate Essential Eight compliance, data sovereignty, and strong personnel vetting.
Vendor requirements (non-negotiable):
- IRAP certified cloud (typically PROTECTED level)
- Essential Eight implementation
- Australian ownership (preferred and often required)
- Security-cleared support staff
- Sovereign cloud infrastructure
As government work requires the highest level of security, providers that meet government cloud requirements automatically exceed most commercial compliance baselines.
Your vendor evaluation framework: Score & compare
To help you evaluate competing vendors, we’ve put together a vendor evaluation framework. The framework helps you evaluate each compliance criterion based on its relative importance to a robust, secure cloud environment that meets your compliance obligations.

How to score each criterion:
0 = Does not meet requirements
1 = Partially meets requirements
2 = Meets requirements
3 = Exceeds requirements
Post-selection: Your implementation checklist
- Conduct a compliance gap analysis (what obligations still sit with you).
- Document your shared responsibility model.
- Configure security settings and access controls correctly.
- Establish a data governance framework.
- Schedule regular compliance and security reviews.
- Set up breach notification and escalation procedures.
Cloud compliance isn’t a one-time project. It’s an ongoing discipline that depends on consistent governance, clear accountability, and shared responsibility.
Your Action Plan: Choosing the right cloud provider
Vendor selection checklist
Certifications and compliance
- Current IRAP, ISO 27001, and SOC 2 certificates provided
- The certification scope covers the services you need
- No certification expiries within the next 12 months
Data sovereignty
- Data stored exclusively in Australian data centres
- No overseas access to data, including offshore support
- Only Australian legal jurisdiction applies
Security and operations
- Encryption at rest and in transit
- Essential Eight aligned
- Breach notification SLA documented
- Incident response plan shared
Documentation
- Privacy management framework provided
- A documented data governance framework
- Clearly defined shared responsibility model
- A complete, exhaustive subprocessor list that includes their locations
If you’re looking for a cloud services provider that ticks all these boxes, look no further than Interactive. We wouldn’t bother writing this otherwise!
How Interactive simplifies your cloud compliance
Interactive’s cloud services are built for organisations that need performance, control, and compliance. Our managed Private Cloud combines performance and flexibility with the assurance of locally-owned and operated infrastructure. Every environment is engineered for resilience, governed by local compliance frameworks, and supported by certified experts 24/7.
IRAP certified cloud with ISO 27001 and SOC 2 delivers pre-audited security you can trust. Interactive supports thousands of Australian organisations with 100% Australian data centres, eliminating cross-border complexity. Being Australian-owned and operated simplifies legal jurisdiction and streamlines compliance. Our transparent data governance framework streamlines audit documentation. And our robust SLAs, which include a two-hour breach notification, help you meet your obligations easily and efficiently.
To see how we can help your organisation maintain compliant cloud infrastructure, schedule a compliance assessment call. We’ll get to know your compliance obligations, fill in the gaps, and design a solution that meets your needs.