Where Your Data Lives — You Choose
Transparent data residency with a global footprint and clear Australian sovereignty options. Singapore for APAC reach; AWS Sydney when Australian soil is required.
Choose the Region That Fits Your Requirements
Both regions run the same application stack, the same security controls, and the same compliance posture. The difference is geography and which certifications matter for your procurement.
Singapore
Our global default — APAC-optimised, low latency for Australian and New Zealand users, and built on Render’s managed platform for fast, reliable delivery.
- Low latency across APAC including Australia and NZ
- SOC 2 Type II certified (Render)
- ISO 27001 certified (Render)
- Singapore PDPA — strong regional data protection
- Australian Privacy Principle 8 compliant via contract and technical safeguards
- AES-256 encryption at rest; TLS 1.2+ in transit
Australia
For organisations that require data on Australian soil — government-ready infrastructure with IRAP-assessed AWS Sydney and full Australian data sovereignty.
- Data and compute in Australia — AWS Sydney
- AWS Sydney is IRAP-assessed infrastructure
- SOC 2 Type II and ISO 27001 (AWS)
- ISO 27017 / 27018 cloud security (AWS)
- Same application, same security model — different region
- AES-256 at rest (AWS KMS); TLS 1.2+ in transit
The Same Security Bar, Regardless of Region
We maintain one security standard. Only the location and the provider’s certification set changes — not the controls themselves.
| Requirement | 🌏 Singapore (Render) | 🇦🇺 Australia (AWS Sydney) |
|---|---|---|
| Encryption at rest | ✓ AES-256 | ✓ AES-256 (AWS KMS) |
| Encryption in transit | ✓ TLS 1.2+ | ✓ TLS 1.2+ |
| Access control | ✓ RBAC, SSO, MFA | ✓ RBAC, SSO, MFA |
| Audit logging | ✓ Full, immutable | ✓ Full, immutable |
| Australian Privacy Act (APPs) | ✓ APP 8 compliant | ✓ Fully compliant |
| SOC 2 Type II | ✓ Render | ✓ AWS |
| ISO 27001 | ✓ Render | ✓ AWS |
| IRAP-assessed infrastructure | — (not applicable) | ✓ AWS Sydney |
| GDPR (if applicable) | ✓ Compliant | ✓ Compliant |
| Multi-tenant isolation | ✓ | ✓ |
Workforce data only. IRIS is designed and technically enforced to hold workforce data only — roster assignments, availability, leave, and shift information. It does not store or process patient data, and My Health Record residency rules do not apply. For full details, see our Privacy Policy.
What Matters Most
Global Default
Singapore (Render) — low APAC latency, SOC 2 Type II, ISO 27001.
Australian Option
AWS Sydney — data on Australian soil, IRAP-assessed infrastructure. Live now.
One Security Bar
Same encryption, access controls, and audit logging in both regions.
Compliance-First
Privacy Act, APPs, GDPR. Documented and contractually backed.
What We Stand Behind
These aren’t marketing claims — they’re design decisions baked into how we built the platform.
Transparency
We state clearly where your data is stored, which provider runs it, and which certifications apply. No vague “secure cloud” language.
Your Choice of Region
Singapore and AWS Sydney are both live and available. We will add more regions if compliance or demand requires it. You are not locked to one geography.
No Lock-In
Containerised workloads and standard PostgreSQL mean we can migrate regions or providers without rewriting the product. Migration typically takes weeks, not months.
Deploy on Australian Soil
AWS Sydney is live and available now. Tell us your requirements and we’ll align your deployment to your timeline and governance framework.