Most recruitment agencies pick their CRM based on features, price, and how well the sales rep presented. Very few ask the question that could cost them a major contract: where is my data actually stored, and what happens to it when it crosses a border?

For agencies recruiting in the private sector, this has historically been a background concern. For those working with federal government departments, large enterprise clients, or any organisation bound by the Australian Privacy Act, the answer to that question is increasingly the difference between winning a panel and being excluded from it.

The Quiet Risk in Your Tech Stack

Most of the dominant recruitment platforms sold into the Australian market, including Loxo, Bullhorn's US-hosted instances, and various LinkedIn-adjacent tools, were built for North American or European markets and store data on infrastructure outside Australia. For many agencies this creates no immediate visible problem. The CRM works, the data syncs, and nobody raises a flag.

The risk becomes real the moment an agency bids on a federal government contract, signs a large enterprise MSA with data handling clauses, or recruits for any client operating under the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Act or sector-specific frameworks like the ISM (Information Security Manual).

According to the Australian Signals Directorate, federal agencies are required to store data classified at PROTECTED or above on Australian-hosted infrastructure. Recruitment data touching security-cleared candidates, their contact details, employment history, and referee information can easily fall into sensitive categories even before classification is formally applied.

Australian federal agencies are required by the Australian Signals Directorate's Information Security Manual to store sensitive data, including recruitment-related candidate information, on Australian-hosted infrastructure. Agencies using offshore CRM platforms may be ineligible to recruit for federal government clients regardless of their own internal security practices.

What Atlas and Loxo Actually Offer AU Agencies

Atlas CRM is one of the platforms that markets directly to Australian recruitment agencies. It has a reasonable feature set for mid-market agencies and has built some local integrations. Loxo positions itself as an all-in-one ATS and CRM with AI sourcing features that appeal to agencies wanting to reduce tool sprawl.

The core issue is not whether these tools are well-built. Many of them are. The issue is infrastructure. Loxo's primary hosting is AWS us-east. Atlas, depending on the instance and contract tier, may or may not offer AU-based data residency, and the default is not always clear from the sales process. Agencies should request a Data Processing Agreement and ask directly which AWS or Azure region their data lives in before signing.

This is not a theoretical concern. The Office of the Australian Information Commissioner received 483 data breach notifications in the second half of 2024, with professional services firms, including recruitment agencies, among the most affected sectors. When data is stored offshore, the jurisdictional complexity of a breach response multiplies quickly.

The Office of the Australian Information Commissioner recorded 483 notifiable data breaches in the second half of 2024, with professional services and recruitment firms among the most frequently affected sectors. Offshore data storage adds jurisdictional complexity to breach response and may delay mandatory 72-hour notification timelines under the Notifiable Data Breaches scheme.

For agencies considering their options, our guide to recruitment CRMs covers the core features to evaluate before committing to a platform.

Federal Government Recruitment and the Panel Reality

The Australian federal government recruits through a panel system. To sit on a panel, agencies must satisfy procurement requirements that increasingly include data sovereignty clauses. The Digital Transformation Agency's Whole of Government procurement guidelines specifically address where supplier data and Commonwealth data must reside.

An agency using a CRM that stores candidate data in Virginia or Frankfurt can find itself technically non-compliant with panel requirements, even if it has done nothing wrong operationally. The problem is the default infrastructure choice made by a US-headquartered software vendor years before the agency signed up.

The practical consequence is that agencies either maintain a separate, compliant system for government-related recruitment work, which creates data duplication and process problems, or risk being audited and found non-compliant mid-contract. Neither outcome is good.

Large enterprise clients, particularly those in financial services, critical infrastructure, and defence supply chains, are applying similar scrutiny. Their procurement and legal teams are asking vendors, including their recruitment partners, for data residency confirmations. The APS (Australian Public Service) and organisations operating under APRA's CPS 234 information security standard are particularly focused on this.

Australia's Digital Transformation Agency requires that Commonwealth data handled by suppliers be stored within Australian borders under standard Whole of Government procurement conditions. Recruitment agencies using offshore CRM platforms may fail data residency checks during panel assessment, regardless of the quality of their service delivery.

AU-Built Platforms and What That Actually Means

There is a difference between a platform that sells into Australia and a platform built for Australia. The distinction matters in several ways beyond just server location.

AU-specific data sources are a practical example. SEEK job ad scraping, ABR (Australian Business Register) lookups for company verification, Google Places AU for local office data, and +61 phone number validation are features that require intentional engineering decisions. A platform that was built for the US market and localised for Australia tends to bolt these on. A platform built in Australia tends to treat them as first principles.

Phone validation is a good illustration of why this matters operationally. Australian mobile numbers follow specific formats and the +61 prefix has its own routing logic. Bulk dialling campaigns that misdial or mis-format numbers waste credit, create compliance exposure under the Do Not Call Register Act 2006, and damage sender reputation. This is the kind of detail that a platform built on Australian defaults gets right from day one.

For contact data specifically, enrichment waterfall logic needs to understand the AU supplier landscape. Our contact enrichment explainer covers how waterfall sourcing works and why local data source priority affects match rates for AU businesses.

Kolvera's Company Search covers more than 10,000 Australian companies sourced from AU directories and ABR data, with +61 phone validation built into every enrichment result. That is not a feature added for marketing purposes. It reflects the fact that the platform was designed around the AU market from the start, with data hosted in Australia.

What to Check Before You Sign

If you are evaluating any recruitment CRM or sales intelligence platform and your agency works with, or intends to work with, government or large enterprise clients, these are the specific questions worth asking.

First, ask for the Data Processing Agreement before any trial or contract. This document should specify the data region explicitly, not just say "AWS" or "Azure" without naming the region.

Second, ask whether AU data residency is the default or an add-on tier. Some platforms offer AU hosting but only at enterprise pricing, which changes the cost comparison significantly.

Third, check subprocessor lists. A CRM might host its primary database in Sydney but route data through a US-based analytics or AI processing service. Subprocessors are required to be disclosed under GDPR-aligned principles and many AU contracts now require this disclosure explicitly.

Fourth, ask about breach notification procedures. Under the Notifiable Data Breaches scheme, Australian agencies must notify the OAIC within 72 hours of becoming aware of an eligible breach. If your CRM vendor's incident response team is in a different timezone and jurisdiction, that window shrinks fast.

The RCSA (Recruitment, Consulting and Staffing Association) has published guidance noting that data handling obligations have become a material consideration in enterprise and government client procurement, particularly since the 2022 Optus and Medibank breaches raised public and regulatory scrutiny of how personal data is stored and protected across the industry.

The RCSA has noted that data handling obligations are now a material factor in enterprise and government client procurement for Australian recruitment agencies. Following high-profile breaches in 2022, regulatory scrutiny of personal data storage practices across the recruitment sector increased significantly, with data residency now a standard due diligence question from large clients.

The Broader Competitive Consideration

There is a commercial angle here that goes beyond compliance. Agencies that can credibly demonstrate AU data residency, AU-sourced contact data, and AU-compliant processes have a differentiator when pitching to government panels or enterprise procurement teams. It is not a guarantee of winning business, but it removes a reason to be excluded.

As the recruitment industry consolidates around fewer, more capable platforms, the agencies that thrive are the ones that treat their tech stack as part of their value to clients, not just an internal operations tool. Data sovereignty is one of the things clients are increasingly willing to ask about and, in some cases, to pay a premium for an agency partner who can answer confidently.

If you want to see how Kolvera approaches this for Australian agencies, including how AU data sources, hosting, and compliance defaults work in practice, the customer stories page covers agencies working across government, enterprise, and specialist markets. You can also review the pricing page to see how credits work across the different plan tiers.

For agencies ready to see the platform directly, booking a demo is the fastest way to get specific questions answered about data residency and AU compliance defaults.

Frequently Asked Questions

Does using an offshore CRM automatically make an Australian recruitment agency non-compliant?

Not automatically, but it creates risk in specific contexts. Federal government contracts, enterprise MSAs with data residency clauses, and roles involving security-cleared candidates are the most common situations where offshore data storage creates a compliance problem. Agencies should review their client contracts for data handling requirements before choosing a platform.

What is data residency and why does it matter for recruitment agencies?

Data residency refers to the physical location where data is stored and processed. For recruitment agencies, this matters because Australian law, government procurement rules, and enterprise client contracts increasingly require that personal data about Australian candidates and contacts be stored within Australian borders. A platform hosted in the US or Europe may not meet these requirements regardless of its other capabilities.

Are Loxo and Atlas compliant with Australian privacy law?

Both platforms are required to comply with the Australian Privacy Act when operating in Australia, but compliance with the Privacy Act is a different question from data residency. A platform can be Privacy Act compliant while still storing data offshore. Agencies working with government or enterprise clients need to check specifically where data is stored, not just whether the vendor has a privacy policy.

How does Kolvera handle AU data residency?

Kolvera is an Australian-built platform designed with AU data sources and AU hosting as defaults. This includes SEEK and ABR-sourced company data, +61 phone validation, and infrastructure choices made for the AU market. Agencies with specific data residency requirements should confirm the details for their use case directly with the Kolvera team via the demo booking process.

What should I include in a vendor data audit for my recruitment CRM?

Request the vendor's Data Processing Agreement, subprocessor list, and a written confirmation of the primary data region. Check whether AU hosting is the default or requires an upgrade tier. Ask how the vendor handles breach notification and whether their incident response procedures align with Australia's 72-hour Notifiable Data Breaches reporting requirement. Review these documents with your legal or compliance adviser if government or enterprise clients are involved.