AustraliaOS is an independent practice. I assess the foreign legal reach created when Australian institutions place critical data with globally controlled technology providers. Every assessment is primary source verified, every contestable judgment is named, and the reasoning is open to review.
Australian institutions are moving their most critical data onto infrastructure that is owned, operated, or legally controlled offshore. Where the data physically sits is not the question that matters most. The question is whose law can compel its disclosure.
A provider incorporated in a foreign jurisdiction can be compelled by that jurisdiction's government to hand over data, regardless of where it is stored. The United States CLOUD Act is the clearest case. It compels US incorporated providers to disclose on valid US legal process, wherever the data is held. Existing prudential standards require institutions to assess offshoring and country risk, but none isolates this question. It falls between procurement, privacy, and security. So it is rarely assessed at all.
I sell no infrastructure, resell no provider, and hold no incentive to reach a particular conclusion. The assessment serves the institution accountable for the decision, and no one else.
Conclusions rest on statute, binding agreements, and provider terms. Each is cited and independently checkable. Not summaries. Not vendor assurances.
Every contestable judgment is named, not buried. The reasoning is published so a board, an accountable officer, or an opposing expert can interrogate it.
A practice that assesses foreign legal reach should be held to the standard it applies to others. So here is the honest position of every component behind AustraliaOS today, and where it is going. AustraliaOS is currently exposed to the reach it assesses. That is disclosed deliberately. No party should claim a sovereignty position it has not earned, including this one.
| Component | Today | Phase 2 |
|---|---|---|
| Inference | Anthropic API, United States (CLOUD Act) | Australian hosted inference |
| Persistent storage | Supabase, United States | Australian hosted Postgres |
| Compute (web layer) | Vercel Inc. (Delaware), execution in US East (iad1) | Australian incorporated provider, execution within Australia |
| Source code hosting | GitHub (Microsoft, US incorporated), subject to 18 USC 2713 reach | Sovereign hosted Git, provider not yet selected |
| Audit log | Ephemeral (Vercel /tmp) | Persistent Australian hosted storage |
Phase 2 migration onto Australian controlled hosting is the practice's primary technical commitment. Until it completes, every dependency is named here, not hidden. Every decision made on the strength of this practice should be made with full knowledge of what runs where.
A jurisdictional assessment of Commonwealth dependence on VMware products contracted through corporate entities controlled by Broadcom Inc. Every factual claim is verified against named primary sources. Every contestable judgment is named. The full reasoning is open to inspection on the verification record.
Three layers, one standard.
Every assessment is built in three layers, each carrying a different kind of attestation. Facts are verified. Reasoning is named. Recommendations rest on the reasoning. You can see exactly where verified fact ends and judgment begins.
Facts tested against primary sources. Each is cited and checkable, and marked supported, partial, not supported, or unverified. No opinion. No sentiment.
Author reasoning over the verified facts. Each block names the step at which a reasonable reader could disagree.
Proposed actions, each citing the analysis that motivates it. Author proposed, and labelled as such, never presented as verified fact.