This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
In short: Ask any AI vendor exactly where data is stored, where it's processed (these can differ), whether it's used for model training, and what happens to it if you cancel. Vague or evasive answers to any of these are themselves useful information.
Why this is a narrower question than general vendor due diligence
This guide focuses specifically on data location and sovereignty questions, not the full vendor evaluation. If you want the broader checklist covering security certifications, breach notification clauses, and contract terms as well, see our AI vendor due diligence checklist. This one is deliberately narrow: ten questions specifically about where your data physically goes.
The ten questions
Storage and Processing Location
- Where is the data stored at rest? (Get a specific country or region, not "the cloud")
- Where is the data processed when the AI tool generates a response? (This can be a different location from storage)
- Does the vendor offer any regional choice, or is location fixed?
- If regional choice exists, does it apply to all data, or only some categories?
Training and Retention
- Is your business data used to train the vendor's models, and can you opt out?
- How long is data retained after you stop actively using it?
- What happens to your data if you cancel your subscription entirely?
Sub-Processors and Onward Transfer
- Does the vendor use any third-party sub-processors, and where are they located?
- Can the vendor's stated data location change without notifying you?
- Is there a written commitment (not just marketing language) covering data location that you can point to later?
Why vague answers matter
A vendor that can answer these questions specifically and in writing is telling you something useful about how seriously they treat data handling generally. A vendor that responds with general reassurance rather than specifics ('we take security seriously,' 'your data is safe with us') without answering the actual location questions is also telling you something, just not what they intend. Treat evasiveness on location questions as a data point in itself, not a formality to skip past.
Where this fits with your Privacy Act obligations
Australian Privacy Principle 8 (APP 8) covers cross-border disclosure of personal information, which is directly relevant if any of these ten answers reveal your data leaves Australia. Getting clear answers before you buy, rather than discovering the location after a breach or a customer complaint, is the practical difference between a five-minute question and an unplanned compliance review. See our guide to where AI tools store data for the answers already confirmed for major named tools.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with AUD or other local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Tools are assessed for suitability by a business with no dedicated IT department.
Related reading: our guide on whether staff can upload customer data to AI tools, our AI and the Privacy Act guide, and our guide to AI data residency in Australia.
Related reading: our guide to AI vendor contracts and the Privacy Act.
What if a vendor won't answer these questions before I sign up?
Treat that as a real answer. A vendor unwilling to commit to specifics about data location before you've paid is unlikely to become more transparent afterward.
Do I need a lawyer to ask these questions?
No. These are practical questions any business owner or manager can ask directly, usually via the vendor's sales or support contact, before signing up. A lawyer becomes useful once you're negotiating contract terms, which is a separate step covered in our AI contract clauses guide.
Is it reasonable to ask these questions for a free or low-cost AI tool?
Yes, arguably more so, since free tools sometimes monetise through broader data use than paid enterprise tiers. Price point isn't a reliable signal of data handling practices on its own.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.