Two questions sit at the centre of any compliance review of a messaging provider: where is the data stored, and whose laws can reach it.
Does your business need to determine where Data is stored at transit and at rest?
π’ TNZ is sovereign to New Zealand and Australia by default, on every plan and every TNZ-operated channel.
Enterprise plans add a further option: tie your account to a single jurisdiction (NZ-only or AU-only) through dedicated API endpoints, enforced at the infrastructure layer. The full detail follows.
The Data Privacy Obligation
Data sovereignty is the principle that personal information is governed by the laws of the jurisdiction where it is collected, stored, and processed.
For New Zealand and Australian organisations sending SMS, email, or voice traffic, that principle reaches into the messaging payload itself: phone numbers, recipient lists, message content, voice recordings, sender metadata. Most of this material typically falls within the definition of personal information under the Privacy Act 2020 (NZ) and the Privacy Act 1988 (AU).
In practice, the customer carries the primary obligation. A messaging provider acts as a sub-processor, and regulators generally treat the provider's handling of the data as the customer's handling.
For government agencies, the bar is higher. It is generally understood in NZ public sector procurement, and reflected in Government Chief Privacy Officer guidance, that citizen data should remain in New Zealand. Australian Commonwealth and state agencies operate under equivalent expectations, including the Hosting Certification Framework. Cross-border disclosure is subject to specific conditions under IPP 12 (NZ) and APP 8 (AU); compliance teams should review the applicability of those conditions with their own counsel.
π Why the Provider's Home Jurisdiction Matters
Where the data is stored is half the question. The other half is who can compel its disclosure.
The US CLOUD Act (2018) allows US authorities to compel any US-controlled provider to hand over customer data on lawful demand, regardless of where the data is physically stored. A US-owned provider with a Sydney data centre is still reachable by US authorities under the CLOUD Act. An aggregator routing through several sub-processors across multiple continents introduces a disclosure point at every hop.
The aggregator model compounds this. Many global CPaaS providers route SMS and voice through chains of sub-processors across multiple continents before final delivery. Each hop is a potential disclosure point.
For an auditor reviewing a provider, the questions are:
π
Where is the data stored at rest?
The physical location of stored payloads.
π
Where does it transit?
The networks and regions data passes through in flight.
π
Which sub-processors can read the payload?
Every third party in the chain is a potential disclosure point.
π₯
Where is the support team based, and can they access content?
Staff jurisdiction matters as much as infrastructure jurisdiction.
π
What replication happens cross-border?
Backups and replicas can land data outside the primary jurisdiction.
βοΈ
What is the provider's home jurisdiction, and what compulsion powers apply?
Foreign laws like the US CLOUD Act can reach data anywhere in the world.
Those six questions are the bar. The rest of this article is how TNZ clears it.
π‘οΈ How TNZ Handles It
π³πΏπ¦πΊ Default: NZ & AU Sovereign
- Available on every plan, every TNZ-operated channel
- No opt-in, no Enterprise tier required
- Resolves 5/6 auditor checklist lines
ποΈ Enterprise: Single-Jurisdiction
- NZ-only or AU-only, your choice
- NZ-private data (not subject to US CLOUD Act)
Default: Sovereign to New Zealand and Australia
TNZ infrastructure sits in New Zealand and Australia. Data at rest, data in processing, and the operational handling around it all stay within those borders.
For an auditor, this resolves five of the six checklist lines in a single position, with no opt-in or Enterprise tier required.
π‘ What this means for your compliance review
TNZ's sovereign position is the default, not a paid upgrade. There is no toggle to verify and no plan tier to check. Every TNZ-operated channel on every plan is processed inside New Zealand and Australia.
Local team, local jurisdiction
The team matters as much as the infrastructure. TNZ's support, engineering, and operations staff sit in New Zealand and Australia. Anything they can see is held under local law, and there is no offshore support team subject to a foreign compulsion order.
This is the gap a careful auditor checks for after data residency. Offshore support, or follow-the-sun support handed across regions, can land customer content in front of staff in a jurisdiction the customer never agreed to. Foreign compulsion can reach those staff even when it cannot reach the data.
For an auditor, this answers the fourth checklist line: where is the support team based, and can they access content.
Enterprise: Single-jurisdiction processing
Enterprise customers can go a step further and tie their account to a single national node, either New Zealand only or Australia only, by routing all API calls through dedicated endpoints for that jurisdiction.
The selection is enforced at the infrastructure layer rather than as a configuration flag. A configuration flag can be flipped or bypassed; an infrastructure-level binding cannot. An NZ-tied account is architecturally incapable of being processed on the AU node, and the same holds in reverse for AU-tied accounts. The compliance position is enforced by where the data physically goes, not by a setting somewhere.
Single-jurisdiction processing is uncommon in the NZ/AU market. Customers take it up for reasons such as:
- NZ public sector agencies with NZ-only data residency requirements
- Australian agencies and APP-bound enterprises requiring single-jurisdiction processing
- Organisations operating in both markets that want activity separated for audit and reporting
β οΈ Third-party app channels
Single-jurisdiction processing covers TNZ-operated channels: SMS, Email, Voice, and Fax. Third-party app channels (for example, WhatsApp) route through the channel provider's own infrastructure by design, and sit outside this scope. Customers using those channels should review the channel provider's own data handling separately.
π‘ What this means for your compliance review
If your obligation is to keep data inside New Zealand specifically or Australia specifically, TNZ Enterprise gives you that as an architectural guarantee, not a contractual promise. Few providers in the NZ/AU market offer single-jurisdiction processing enforced at the infrastructure layer.
π Closing the Auditor's Questions
TNZ's position on each line of the checklist:
| The auditor's question |
TNZ's position |
| Where is the data stored at rest? |
NZ and AU. |
| Where does it transit? |
NZ and AU. Processing does not cross those borders. |
| Which sub-processors can read the payload? |
Listed in the TNZ Privacy Policy; all within NZ/AU jurisdictional scope. |
| Where is the support team based, and can they access content? |
NZ and AU. No offshore support team. |
| What replication happens cross-border? |
None. |
| What is the provider's home jurisdiction, and what compulsion powers apply? |
New Zealand. For NZ data, only NZ legal process applies. AU data passes through Amazon Web Services' Sydney node. |
π Why TNZ
Sovereignty is not worth much on a platform that cannot carry the load. TNZ has been operating in New Zealand and Australia for more than 30 years, and now carries serious annual volumes:
30+
Years operating in NZ & AU
15M+
Voice calls per year
Customers range from small businesses to NZX-50 corporations, and include government agencies, ISPs, and SaaS platforms. Many of them run TNZ as the messaging layer behind business-critical applications. The sovereign position above is what sits underneath all of that traffic, every day, by default.
β
Verifying the Position
Compliance reviewers can confirm the points above using public and contracted artefacts:
- The TNZ Privacy Policy lists current sub-processors and the jurisdictions in which they operate.
- For Enterprise customers, the chosen node is recorded in account configuration and reflected in the API endpoints in use.
- Procurement and privacy teams can request a compliance pack covering data flow, sub-processors, and the support model. Contact details are below.
π Talk to Us About Your Sovereignty Position
Whether you need the standard NZ/AU sovereign default or Enterprise single-jurisdiction routing, our team in New Zealand and Australia can walk through your compliance position with you and provide the artefacts your procurement and privacy teams need.
Get In Touch →
π Legal notice
This article describes how TNZ handles data and is not legal advice. Compliance positions should always be verified against the Privacy Act 2020 (NZ), the Privacy Act 1988 and the Australian Privacy Principles (AU), any applicable state, territory, or sector-specific legislation (for example, health records or financial services rules), and your own organisation's privacy, security, and procurement policies. Discuss specific obligations with your privacy officer or legal counsel before relying on the information here.