Data residency is one of those things that gets said a lot and verified rarely. This post explains exactly where TicketMate stores and processes your data, how we arrived at each decision, and what it means for your Privacy Act obligations.
Where your data lives
Every component of TicketMate that touches customer data runs in Australia.
Application server and database. Our application runs on a server in Sydney, managed via Laravel Forge on DigitalOcean's Sydney region. Your tenant database never leaves that server.
File storage. Attachments uploaded to tickets or the customer portal are stored in Amazon S3, ap-southeast-2 (Sydney). Files go directly to S3 and are served back from there. They do not transit through servers in other regions.
Email delivery. Outbound email uses Amazon SES, also configured for ap-southeast-2. Inbound email arrives via SES and is temporarily staged in S3 before being parsed into tickets. Both legs stay in Sydney.
AI inference. The AI Assistant, where enabled, runs on AWS Bedrock using the AU cross-region inference profile. This profile routes requests only between ap-southeast-2 (Sydney) and ap-southeast-4 (Melbourne). Ticket content submitted to the AI Assistant is processed within Australia and is not sent to Anthropic's infrastructure or any overseas endpoint.
Why this matters
The Privacy Act 1988 (Cth) and the Australian Privacy Principles impose obligations on how personal information is handled and where it may be disclosed. Sending data offshore triggers APP 8, which requires either a specific contractual framework with the overseas recipient or an assessment that the recipient's jurisdiction provides comparable protections.
Keeping all processing within Australia avoids that complexity entirely. Your data is subject to Australian law. Full stop.
This also matters for organisations with internal data sovereignty policies, government contracts with locality requirements, or sector-specific obligations in areas like health, finance, and legal services.
What we use and what we do not
We use a small number of third-party services. Here is the full list of anything that touches your data:
- DigitalOcean (Sydney): application server and PostgreSQL database
- AWS ap-southeast-2/ap-southeast-4: S3 (file storage), SES (email), Bedrock (AI inference)
- Stripe: billing only. Payment card data is handled entirely by Stripe and never reaches our servers.
- Loops.so: newsletter delivery, for subscribers who have opted in. Only the subscriber email address is shared.
No analytics services, no CRM integrations, and no advertising platforms have access to your ticket data or your users' information.
How AI processing works
This one is worth explaining in detail because AI products often have the murkiest data handling.
When an agent sends a message to the AI Assistant, TicketMate constructs a prompt that includes the ticket subject, description, conversation history, and agent message. That prompt is sent to AWS Bedrock using the au.anthropic.claude-haiku-4-5-20251001-v1:0 inference profile.
The au. prefix designates the AU geographic inference profile. AWS defines this profile as routing only within Sydney and Melbourne. Requests never leave that boundary regardless of load conditions. This is enforced at the AWS infrastructure level, not by us.
Bedrock handles the model execution. The response comes back to our server and is displayed in the ticket view. Nothing is retained by AWS Bedrock after the request completes.
The Privacy Act angle
We are a small business, subject to the Privacy Act by election rather than obligation (small businesses with turnover under $3 million are generally exempt, but we have chosen to comply). We think this is the right approach for a product that handles personal data on behalf of other businesses.
Our privacy policy reflects these infrastructure decisions. Section 6 lists every third party that handles data on our behalf, and Section 7 documents that all storage and processing occurs within Australia.
If you run an organisation that needs to demonstrate data residency for compliance, audit, or procurement purposes, we are happy to provide written confirmation of our infrastructure configuration. Get in touch at support@ticketmate.com.au.