A few years back, when I joined my first “grown-up” board, I ended up having a memorable chat with one of the executives. He told me, with absolute confidence, that his organisation would never, under any circumstances, move anything to “the cloud.” Every time the topic came up, he reacted as if I had suggested handing his savings to a stranger in a car park. He had heard the same story many others have: once your data leaves New Zealand, foreign governments can swoop in and help themselves. Better, in his view, to trust the dusty little box under the desk than some massive international outfit he had never met.

The amusing part is that the same organisation now uses the cloud for the everyday: applications, hosting, telephony, you name it. Reality has a way of catching up.

I have been thinking about that conversation lately as more companies around Aotearoa push the idea of “sovereign cloud.” The marketing pitch is familiar. The big global platforms from Amazon, Microsoft and Google are foreign, and foreign things are risky. Local providers, on the other hand, are nearby, friendly and supposedly free from all those scary overseas laws. It is a tidy story. It is also a bit too tidy.

Part of the confusion comes from the way people imagine data works. We still tend to treat it like a physical object, like a crate in a warehouse. If it is in New Zealand, it feels safe. If it crosses a border, it feels exposed. But data does not behave that way. It moves, it is copied, it is backed up and it relies on a maze of interconnected systems. Even when your information lives in a data centre down the road, the hardware, software and teams that support it almost always span multiple countries. Likewise, New Zealand itself cooperates with other nations on legal matters. So “keeping it local” does not magically create a legal force field.

It is also worth remembering that international laws, whether American, European or anything else, are not the free-for-all they are sometimes painted to be. Governments cannot simply poke around in your data because they feel like it. There are processes, checks, authorisations and ways for companies to push back. You do not need to know the fine print to understand the broad truth. The system is much more controlled and contested than the scare stories suggest.

None of this means local providers are not valuable. Many are excellent. They offer personal service, quick responses and deep knowledge of local requirements. Some genuinely go above and beyond for their customers. But when the conversation drifts into fear, especially the idea that foreign equals dangerous, the nuance disappears. And nuance is exactly what this topic needs.

The big global cloud companies, for all their flaws, invest staggering amounts of money and expertise into security, compliance and oversight. They are scrutinised constantly by customers and governments. They publish transparency reports, they challenge questionable requests and they employ teams who exist purely to prevent misuse. Smaller providers often do not have the resources to match that scale. That does not make them unreliable. It simply means the comparison is not as simple as local versus foreign.

Thinking back to that executive, it is clear his hesitation was not really about international laws or politics. He was unsure because he did not understand how the system worked. And honestly, who can blame him? Digital infrastructure is complicated. Data does not sit still. Platforms work across borders. Companies can be local and global at the same time. It is confusing enough to make anyone cling to the one thing they can see and touch: the old server under the desk.

If you are a business trying to navigate this space, here are a few plain questions that actually matter, regardless of who you choose.

First, ask any provider, big or small, which rules they operate under. Not the horror stories, just the actual jurisdictions that apply.

Second, ask how they handle official requests for data. Do they have formal processes? Do they push back when something looks off? Do they publish anything about it publicly?

Third, look at how well they run their operation. Are they investing in security? Do they have a track record? Are they likely to still be around in five years? An underfunded provider with good intentions is still an underfunded provider.

Jurisdiction is one factor, but it is only one. Operational maturity, security discipline and long-term stability often matter far more.

And ultimately, pick a provider based on your real risks, not the imaginary ones. That executive mate of mine eventually moved all his business systems to a reputable cloud platform. He has not thought about international surveillance since. These days, his energy goes into the things that genuinely matter to him, like staffing, payroll, suppliers and hoping the coffee machine will survive another Monday.

That is probably a good reminder for all of us. Worry about the things that actually affect your business. The cloud, whether local or global, is far less mysterious than it seems and a lot more secure than the old boxes quietly rattling away in back rooms across the country.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.
