Data Sovereignty Checker
This is a free tool that assesses whether a legal AI vendor meets Australian data sovereignty expectations: where data is stored, where it is processed, whether sub-processors are disclosed, and whether the contract meets Privacy Act 1988 (Cth) and APP 8 cross-border disclosure obligations.
What this tool does
Vendor marketing pages routinely claim "Australian-hosted" without clarifying whether inference runs on US GPUs, whether prompts are logged in overseas monitoring systems, or whether sub-processors have SOC 2 coverage. This tool gives you the structured questions to ask and scores the answers against AU regulatory expectations.
How to use it
- Enter the vendor name and the product you are evaluating
- Answer 15 structured questions about where data is stored, processed, and backed up
- Upload or paste the relevant sections of the vendor's DPA, security pack, or sub-processor list
- Review the sovereignty score and the gap analysis against APP 8 expectations
- Export the assessment as a vendor due diligence record
What you'll learn
- Which APP 8 cross-border disclosure obligations apply to legal AI vendors
- Where "Australian-hosted" claims commonly break down on closer inspection
- Which sub-processor and monitoring questions to ask in vendor due diligence
- How to document the assessment to satisfy your firm's risk committee
Interactive tool coming soon
The interactive Data Sovereignty Checker is currently in development. In the meantime, start a free Quillio trial — the time savings are real and measurable on your own matters within the first week.
Tool FAQs
What does "data sovereignty" actually mean for legal AI?
It is the combination of (a) where your data is stored at rest, (b) where it is processed in memory during inference, (c) where backups and logs live, and (d) what contractual restrictions apply to access from overseas staff or sub-processors. True sovereignty requires all four.
Is AU hosting required by law?
Not strictly. The Privacy Act allows overseas disclosure under APP 8 if certain conditions are met. But legal professional privilege, confidentiality obligations under the ASCR, and client expectations often push firms towards AU-only hosting regardless.
What about vendors who say "data never leaves Australia"?
Ask about inference workloads specifically. Some vendors store data in AU but send prompts to US-hosted foundation models. That may or may not meet your client's expectations — the tool highlights exactly this gap.
Does the Essential Eight matter for AI vendor due diligence?
The ACSC Essential Eight is baseline cyber hygiene — important but not sovereignty-specific. A vendor can be Essential Eight compliant and still have cross-border data flows. The tool covers both dimensions.
What is APP 8 in plain English?
Australian Privacy Principle 8 says if you disclose personal information overseas, you remain accountable for what happens to it unless a narrow exception applies. For legal AI vendors handling matter data, that means you stay on the hook even if a US sub-processor mishandles the data.
How is this different from a SOC 2 report?
SOC 2 tells you a vendor has security controls in place. It does not tell you where data resides or how cross-border flows are structured. This tool is specifically about the residency and sovereignty questions SOC 2 does not answer.
Can the assessment be used in a risk committee paper?
Yes. The exported PDF is structured as a vendor due diligence record with the questions, answers, and gap analysis — suitable for a risk committee pack or a professional indemnity insurance disclosure.
Test the savings on your own work
Quillio is AU-hosted across storage, inference, and backup. The free trial is the fastest way to test sovereignty in practice rather than on a datasheet — run this checker against Quillio before you run it against anyone else.
This tool is a structured due diligence aid. It does not constitute legal or regulatory advice. Final vendor approval should involve your firm's privacy officer, risk partner, and — for significant engagements — independent legal review of the DPA.