← All posts

Where does your CCTV footage actually live? (And why Australian businesses should ask)

11 February 2026 · Nasugn Vigil · 3 min read
data residencyprivacy actcloud cctvaustralia

When you put a camera on the wall, you know exactly where the footage is: on a box in the back office. When you move to cloud CCTV, that certainty disappears — and most people never think to ask where it went. For an Australian business, that’s the wrong question to skip.

”The cloud” is always someone else’s computer, somewhere

Every cloud camera platform stores your video in a data centre. The two questions that matter are: whose data centre, and which country is it in? Plenty of popular platforms are headquartered overseas and, by default, store or route footage through regions outside Australia. That can be perfectly legal — but it changes who has legal reach over your recordings, how quickly you can get them back, and what you have to disclose to your own customers and staff.

Surveillance footage is not neutral data. It shows faces, number plates, movements, patterns of life. Under Australian privacy law, a lot of it is personal information — and once it’s personal information, where it lives and how it’s secured becomes your responsibility, not just your vendor’s.

What the Privacy Act expects of you

The Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to many businesses that operate CCTV. Two principles are especially relevant:

  • APP 8 (cross-border disclosure). If you send personal information overseas — which can include storing footage in an offshore region — you generally remain accountable for how it’s handled there. That’s an obligation you take on the moment your vendor’s default region sits outside Australia.
  • APP 11 (security). You must take reasonable steps to protect personal information from misuse and loss. Where and how footage is stored is central to that.

You don’t escape these duties by outsourcing to a cloud provider. You inherit a shared responsibility — so you want a vendor whose defaults make your side easy, not harder.

Why in-region storage is the simpler answer

Keeping footage in an Australian region removes the whole APP 8 conversation for that data: there’s no cross-border disclosure to assess, no overseas jurisdiction to reason about, and a clean answer when procurement, a customer or a regulator asks “where is this stored?”

This is exactly why we built Vigil to keep everything in AWS Sydney (ap-southeast-2). Every stream, recording and exported clip is stored and served from that single Australian region. It does not leave the country for storage or playback. When someone on your risk or legal team asks where the footage physically sits, the answer is one line.

Questions to ask any cloud CCTV vendor

Before you sign, get these in writing:

  1. Which AWS/GCP/Azure region — or which data centre — stores my recordings by default? “The cloud” is not an answer.
  2. Does footage ever leave Australia for processing, backup, analytics or support access?
  3. Who can access my footage, and is it served over public URLs or expiring signed links?
  4. Can I export and permanently delete my recordings and account, on my terms?
  5. Is the platform aligned with the Privacy Act and the APPs — and are they honest about what’s certified versus simply designed-for?

A vendor that answers these crisply is telling you they’ve thought about your obligations. One that waves them away is quietly making them your problem.

The short version

Cloud CCTV is a genuine upgrade over a dusty NVR — but only if you know where the footage lands. For an Australian business, in-region storage isn’t a nice-to-have; it’s the difference between a one-line answer and a cross-border compliance exercise. Ask the question early, and pick the platform that already has the boring, correct answer.


Ready to see it? Vigil turns the cameras you already own into cloud CCTV in an afternoon — hosted in AWS Sydney, A$10/camera/month. Start free →