The short version
Evidence Packs, source-check results, timestamps, risk flags, and stored certificates: AU/APAC preference. Account records: AU/APAC preference. Card data: Stripe. Transactional email: Postmark, with no PPSR data in email bodies. Error logs: Sentry AU, redacted before send.
When an AI agent or MCP host calls Hoist, the result is returned to the caller. Hoist keeps its own source records and logs. What the agent or host does with the result after it receives it is outside Hoist's control.
Per-category breakdown
| Data category | Storage | Region | Encryption |
|---|---|---|---|
| PPSR certificates | Encrypted document storage | AU/APAC preference | Encrypted at rest |
| Evidence Pack results | Returned to caller; retained only where needed for your account records | AU/APAC preference | TLS in transit; encrypted if stored |
| Due Diligence Records | Encrypted document storage | AU/APAC preference | Encrypted at rest |
| Search metadata | Hoist operational storage | AU/APAC preference | Encrypted at rest |
| Search logs | Hoist operational storage | AU/APAC preference | Encrypted at rest |
| User accounts | Clerk plus Hoist account storage | AU/APAC preference; identity provider may process outside AU | Encrypted at rest; TLS in transit |
| Payment cards | Stripe | AU + US (Stripe-managed) | PCI-DSS Level 1 |
| Transactional email content | Postmark | US | TLS 1.3; emails contain record IDs, no PPSR data |
| Application error logs | Sentry | AU | PII scrubbed pre-send |
"Best-effort" residency, honestly
Our default storage posture prefers AU/APAC locations for source records and logs. The internet still has global routing, identity, payment, email, and monitoring providers. That means residency is a strong preference by category, not a blanket promise that every byte always stays in Australia.
If you need a contractual AU-only storage commitment, contact us before production. That is an enterprise discussion, not something we should imply on a public page.
Sovereignty
Cloudflare and Stripe are US-headquartered; the US CLOUD Act could in theory compel them to disclose AU-resident data to US authorities. We've never received such a request. If we do, we'll publish a warrant canary in /changelog.
