Identity verification platforms commonly route document and biometric data through services hosted overseas. For an Australian accounting firm, that creates a chain of jurisdictional exposure: the Privacy Act applies to you, but the processor may also be subject to the laws of the United States, Singapore, or the European Union.
For most clients, this is invisible — until something goes wrong. A subpoena in a foreign jurisdiction, a data breach in a foreign data centre, or a change in the foreign processor's terms can all create disclosure obligations or risk exposures that the firm has no way to control after the fact.
BPSI's platform is hosted exclusively in australia-southeast1 (Sydney) on Google Cloud. Document verification routes via the Commonwealth Document Verification Service. We retain only what we are required to retain, encrypt at rest with AES-256, and the data never leaves Australian jurisdiction. For accountants planning for Tranche 2, this is not a nice-to-have — it is the lowest-risk default.
Drop us a line and we'll come back to you with practical next steps tailored to your firm.
