Where does your CRM data actually live?

Brandon Connor 11 May 2026 8 min read

When you put your customer's phone number into a CRM, where does that number actually go?

Most tradies and small business owners have never asked that question. They signed up for the free tier, imported their contacts, and kept moving. But that phone number, that email address, those job notes: they live somewhere. Usually in the United States.

This post is not written to scare you. It is written to give you the facts, because the Australian Privacy Act has specific rules about offshore data and most small businesses have no idea they apply.

The reality: almost no CRM hosts in Australia

HubSpot's primary data centres are in the United States, with some European availability for EU customers. Salesforce is in the US. Pipedrive is in Germany and the US. Zoho is in India and the US. Freshsales is in the US and the EU.

You are almost certainly not finding an exception to this list. The major CRM vendors built their infrastructure in the US because that is where the venture capital was, that is where their first customers were, and data-centre costs in the US were (and still are) lower than Australia.

If you are an Australian small business using any of these tools, your customers' names, phone numbers, email addresses, and job histories are sitting on servers in Oregon, Virginia, or Ohio.

That is not automatically illegal. But it comes with obligations you may not know you have.

Why it matters under Australian privacy law

Australia's Privacy Act 1988 includes a set of Australian Privacy Principles (APPs). The one that applies here is APP 8: cross-border disclosure of personal information.

APP 8 in plain English

Before you send personal information about an Australian individual to an overseas recipient, you must take reasonable steps to ensure the recipient will handle that information in a way that is at least equivalent to Australian Privacy Act standards. If you do not, and the overseas recipient mishandles the data, you can be held accountable — not them.

That word "accountable" is load-bearing. If HubSpot has a data breach involving your customers' contact details, and you never did the due diligence to verify HubSpot met Australian standards, the Privacy Commissioner can come to you. Not HubSpot.

The law provides two paths for complying with APP 8. The first is APP 8.2(a): you reasonably believe the overseas recipient is subject to a substantially similar privacy law or binding scheme. The second is APP 8.2(b): you obtain informed consent from the individual, telling them their data will be sent overseas and may not be protected by Australian law. Most small businesses do neither.

What "reasonable steps" actually means

Reasonable steps is deliberately vague — the Office of the Australian Information Commissioner (OAIC) has guidance on it, but it is not a checklist. In practice, for a small business, reasonable steps look like this:

  • Read the CRM's privacy policy and check whether it names a security certification (SOC 2, ISO 27001, or equivalent).
  • Check whether the CRM publishes a sub-processor list — a named list of every third-party company that touches your data (cloud hosts, email providers, analytics tools).
  • Check whether the CRM's data processing agreement (DPA) commits to encryption at rest and in transit.
  • Tell your customers, in your own privacy policy, that their data may be stored overseas and with which countries or providers.

SOC 2 is a US security audit framework that most major CRMs hold. ISO 27001 is the international equivalent. Holding either means an independent auditor has checked the vendor's security controls. It is not a guarantee, but it is evidence of reasonable steps.

Most small businesses skip all of this because their privacy policy is a boilerplate template they copied from somewhere and have never updated.

The CLOUD Act: the thing nobody tells you about

There is a complication with US-hosted data that sits above the privacy policy conversation. It is called the Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in the United States in 2018.

Under the CLOUD Act, US law enforcement can compel a US-based cloud provider to hand over data stored anywhere in the world, including on servers in Australia, Ireland, or Singapore, without notifying the account holder or the foreign government.

This is not a theoretical risk. Microsoft was in an extended legal fight over exactly this point before the CLOUD Act was passed. The Act resolved that fight by explicitly giving the US government cross-border reach.

For most small businesses, this is not a practical concern — US law enforcement is not interested in a plumbing company's customer list. But if you handle sensitive client information (legal matters, medical referrals, financial records), US-hosted software is a genuine risk factor. Knowing it exists lets you make an informed choice.

What good privacy disclosure looks like

When you read a CRM's privacy policy, here is what you are looking for:

Country names, not vague regions
"We may transfer data to the United States" is better than "we may transfer data internationally." Named countries let you actually look up what protections apply.

Named certifications
SOC 2 Type II, ISO 27001, and PCI DSS are the ones to look for. A vendor claiming "bank-grade security" without naming a certification is saying nothing.

A published sub-processor list
Who else handles your data? The CRM vendor uses Amazon Web Services or Google Cloud for hosting, Stripe or PayPal for payments, SendGrid or Mailgun for email. That means your data touches those companies too. A good privacy policy names them.

A data processing agreement (DPA)
This is the contract that defines exactly what the vendor can do with your data. GDPR-compliant vendors in Europe produce these as standard. Australian law does not require them, but their existence signals that the vendor takes data handling seriously.

A privacy policy that does not name countries, does not list certifications, and does not include a sub-processor list is not complying with the spirit of APP 8. It may not technically breach it either — the law is flexible — but it gives you nothing to rely on if something goes wrong.

How Big Bear CRM handles it

I will be upfront about this because it matters, and because transparency is the whole point of this post.

Big Bear CRM runs on Render, a US cloud platform. Render's primary region is Oregon. That means your data is also outside Australia.

Here is what we do about it:

  • We disclose it explicitly in the privacy policy, naming Render as a sub-processor and Oregon as the region.
  • We publish a full sub-processor list at /legal/subprocessors/, naming every company that touches your data.
  • Our sign-up flow includes an APP 8.2(b) informed consent step: you are told that your data will be stored in the US, and you can read the sub-processor list before accepting.
  • We use field-level encryption for sensitive fields (BSB, bank account numbers, API tokens) so that even a database-level breach does not expose those values in plain text.
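To show what that last bullet means in practice, here is an added example of field-level encryption in Go. It is not Big Bear CRM's code (the product's actual implementation is not shown on this page); it assumes AES-256-GCM with a key held outside the database, and binds each ciphertext to its row id and column name so a value cannot be copied into another customer's record. The key and the customer row are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// FieldCipher wraps an AES-256-GCM key used only for sensitive CRM columns.
// Assumption: in production the key comes from a secrets manager or KMS,
// never from the database that holds the ciphertext.
type FieldCipher struct {
	aead cipher.AEAD
}

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field cipher key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad ties a ciphertext to its row and column: a value lifted from another
// customer's row, or from a different column, fails authentication.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// Encrypt returns base64(nonce || ciphertext || tag); that string is what
// lands in the database column.
func (fc *FieldCipher) Encrypt(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := fc.aead.Seal(nil, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt reverses Encrypt; any error means wrong key, wrong row/column,
// or a modified ciphertext.
func (fc *FieldCipher) Decrypt(recordID, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Customer is a CRM row: contact details stay searchable in plain text,
// the banking fields are stored only as ciphertext.
type Customer struct {
	ID, Name, Phone, BSBEnc, AcctEnc string
}

// StoreCustomer builds the row exactly as it would be written to the database.
func StoreCustomer(fc *FieldCipher, id, name, phone, bsb, acct string) (Customer, error) {
	bsbEnc, err := fc.Encrypt(id, "bsb", bsb)
	if err != nil {
		return Customer{}, err
	}
	acctEnc, err := fc.Encrypt(id, "account_number", acct)
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: id, Name: name, Phone: phone, BSBEnc: bsbEnc, AcctEnc: acctEnc}, nil
}

// DumpContainsPlaintext models a database-level breach: every column as
// stored is exposed. It reports whether the secret is visible in that dump.
func DumpContainsPlaintext(c Customer, secret string) bool {
	dump := strings.Join([]string{c.ID, c.Name, c.Phone, c.BSBEnc, c.AcctEnc}, "|")
	return strings.Contains(dump, secret)
}

func main() {
	key := make([]byte, 32) // constructed key for the example only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	c, _ := StoreCustomer(fc, "cust-1001", "Example Plumbing", "+61 400 000 000", "062-000", "12345678")
	fmt.Println("dump leaks BSB:", DumpContainsPlaintext(c, "062-000"))
	bsb, _ := fc.Decrypt(c.ID, "bsb", c.BSBEnc)
	fmt.Println("decrypted BSB:", bsb)
	_, err := fc.Decrypt("cust-2002", "bsb", c.BSBEnc)
	fmt.Println("ciphertext moved to another row rejected:", err != nil)
}
```

The point of the AAD binding is that a database-level breach gives an attacker the ciphertext but not the key, and even someone with write access to the table cannot shuffle encrypted bank details between customers without the decrypt step failing. Phone and name are left in plain text deliberately, since the CRM still has to search and display them; the trade-off is choosing which columns are worth losing searchability for.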

We do not currently hold SOC 2 or ISO 27001. We are a small product, not an enterprise vendor. What we do instead is publish the technical details of our security controls in the privacy policy, so you can read the actual implementation rather than trust a logo.

In the future, as the product grows, formal certification is on the roadmap. But I would rather tell you where we are now than hand you a glossy badge that does not reflect reality.

What you can do as a small business owner

You do not need to become a privacy lawyer. You need to do three things.

First, read the privacy policy of any CRM, software, or cloud tool that touches your customer data. You are looking for country names, certifications, and a sub-processor list. If the policy is three paragraphs of vague language, that is a red flag.

Second, update your own privacy policy to tell your customers where their data goes. Most off-the-shelf privacy policy templates say nothing about this. If you are using a US-hosted CRM and collecting customer contact details, you need to disclose that. The OAIC has plain-English guidance and a free privacy policy generator if you need a starting point.

Third, ask your CRM vendor directly if you are unsure. A good vendor will tell you the country, the certification status, and who the sub-processors are. A vendor who dodges those questions is telling you something.

None of this is complicated. It is just a set of questions that most people have not thought to ask because nobody told them to ask.

The bottom line

Every major CRM stores your data overseas. That is a fact, not a scandal. What matters is whether the vendor is transparent about where it goes, what protections exist, and what your obligations are under Australian law.

Before you sign up for any CRM tool: read the privacy policy. Find the countries. Find the certifications. Find the sub-processor list. If you can't find any of those things in under five minutes, ask.

Your customers' phone numbers and job histories deserve at least that much thought.

Want a CRM that tells you exactly where your data lives?

Big Bear CRM publishes its sub-processor list, names every country, and explains the security controls in plain English. Start a free trial or read the privacy policy first.

See Big Bear CRM

This post is general information, not legal advice. If you handle sensitive personal information or operate in a regulated industry, talk to a privacy lawyer before choosing a CRM. The OAIC website at oaic.gov.au is a good starting point for understanding the Australian Privacy Principles. See also our own privacy policy.