The US CLOUD Act and Your New Zealand Business

How storing your passwords overseas could put your business at risk

A Plain English Guide for NZ Business Owners

No legal jargon. No tech speak. Just the facts that matter.

Why This Matters to You

If your business uses a password manager (or any other online service) provided by an American company, there is an American law that could affect your data. It’s called the CLOUD Act, and most New Zealand business owners have never heard of it.

This guide explains what the CLOUD Act is, what it means for your business, and why where your passwords are stored matters far more than you might think.

You don’t need to be a lawyer or an IT expert to understand this. We’ve written it in plain English, because every business owner in New Zealand deserves to know what’s happening with their most sensitive information.

What Is the US CLOUD Act?

The CLOUD Act, the Clarifying Lawful Overseas Use of Data Act, is an American law passed in 2018. In simple terms, it gives the United States government the legal power to demand access to data held by any American company, no matter where in the world that data is physically stored.

Let’s say that again, because it’s important:

The Key Point

If you use a service provided by a US company — such as a password manager like 1Password, LastPass, or Dashlane — the US government can legally demand that the company hand over your data. It doesn’t matter that your business is in New Zealand. It doesn’t matter that you’re a New Zealand citizen. It doesn’t even matter if your data is stored on a server located in New Zealand. If the company is American, US law applies to your data.

Before the CLOUD Act, there was a proper process in place for these things. If a foreign government wanted access to data stored in another country, they had to go through official diplomatic channels — a slow, careful process with checks and balances. The CLOUD Act bypassed all of that. US authorities can now go directly to the American company and demand your data.

The company doesn’t have to tell you. They don’t need permission from the New Zealand government. And there is very little your business can do about it.

Why This Matters for New Zealand Businesses

Your Passwords Are Your Keys to Everything

Think about what a password manager holds: the login details for your bank accounts, your accounting software, your email, your client records, your supplier accounts, your social media, your internal systems — essentially, the keys to your entire business.

Now imagine a foreign government having the legal right to access all of that, without asking you, without telling you, and without needing the approval of our own government. That’s the reality of the CLOUD Act.

It Applies Even If the Server Is in New Zealand

This is the part that catches most people off guard. Some US companies have started building data centres in New Zealand and Australia, and they market this as a solution to data sovereignty concerns. But having a server in Auckland doesn’t change the law.

The location of the server doesn’t matter; the ownership of the company does.

If a US company stores your data on a server in Auckland, that data is still subject to the US CLOUD Act because the company that controls the server is American.

True data sovereignty means your data is stored by a company that is owned, operated, and based entirely in New Zealand, with no American parent company, no US corporate structure, and no obligation to comply with US law.

As one of New Zealand’s leading law firms has noted, even data physically stored in New Zealand can be subject to foreign access laws if the company holding that data falls under US jurisdiction. Using a New Zealand-based data centre does not remove the jurisdictional risk if the owner or operator of that data centre is subject to offshore legislation.

New Zealand Has Its Own Privacy Laws — But They Can’t Protect You From This

New Zealand’s Privacy Act 2020 sets out clear rules for the handling of personal information. It includes Principle 12, which specifically addresses the issue of sending personal information overseas. The law requires businesses to make sure that any personal information transferred outside New Zealand is protected by standards comparable to our own.

The problem is that when you store your passwords with a US company, the US CLOUD Act can override these protections. US law enforcement can compel the American company to hand over your data, even if doing so would conflict with New Zealand’s privacy laws. Your New Zealand legal rights effectively become irrelevant once the data is in the hands of a company subject to US law.

What does this mean in practice?

If you’re a New Zealand business storing client information, financial records, or employee data behind passwords managed by a US company, you may not be meeting your obligations under the Privacy Act 2020. A US company being compelled to hand over your data under the CLOUD Act could constitute an unauthorised disclosure — something your business could be held responsible for.

What Could Actually Happen?

Let’s look at some real-world scenarios that could affect a typical New Zealand business:

Scenario 1: Your accounting firm stores client tax records behind passwords in a US password manager.

With a US provider: US authorities issue a warrant to the password provider. The provider hands over your vault data, including the passwords that unlock your client records. You are never told. Your clients are never told. Their private financial information has now been accessed by a foreign government.

With SafeKey: Your vault is stored in New Zealand by a New Zealand company. No foreign law applies. Your clients’ information stays exactly where it should be — under your control and in accordance with New Zealand law.

Scenario 2: Your business handles health or legal information protected by professional obligations.

With a US provider: A US court order compels the password manager to provide access. This could put you in breach of your professional obligations under New Zealand law, because a foreign government has accessed information you were legally required to keep confidential.

With SafeKey: Your data stays in New Zealand, governed only by New Zealand law. Your professional obligations remain intact, and your clients’ confidentiality is preserved.

Scenario 3: You’re applying for cyber insurance, and the insurer asks where your passwords are stored.

With a US provider: Your passwords are held by a US provider subject to the CLOUD Act. The insurer may flag this as a data sovereignty risk, which could affect your premiums or even your eligibility for cover.

With SafeKey: You can confirm that all credentials are stored in New Zealand by a New Zealand-owned company, with no foreign jurisdiction risk. This strengthens your insurance application.

US-Based Providers vs SafeKey: A Direct Comparison

Here’s a clear, side-by-side look at the difference between using a US-based password manager and SafeKey:

|                                           | US-Based Providers               | SafeKey (NZ)                 |
|-------------------------------------------|----------------------------------|------------------------------|
| Company headquarters                      | United States                    | New Zealand                  |
| Where data is stored                      | US, EU, or mixed                 | New Zealand only             |
| Subject to the US CLOUD Act               | Yes – always                     | No – never                   |
| Can the US government demand your data?   | Yes – without your knowledge     | No – not possible            |
| Governed by the NZ Privacy Act            | May conflict with US obligations | Fully compliant              |
| Your vault is shared with other customers | Yes – shared infrastructure      | No – dedicated private vault |
| Support available during NZ hours         | Rarely – overseas support        | Yes – real people in NZ      |
| You know exactly where your data is       | Not always transparent           | Yes – always in NZ           |
| Cost per user per year                    | $60–$96+ NZD                     | $36 NZD                      |

Data Sovereignty: What It Really Means

You may have heard the term “data sovereignty” mentioned in the news or by IT professionals. It sounds complicated, but it’s actually a simple idea:

Data sovereignty in plain English

Data sovereignty means that your data is subject only to the laws of the country where it is stored and where the company storing it is based. If both the data and the company are in New Zealand, then only New Zealand law applies. No foreign government has legal power over your information.

For a New Zealand business, true data sovereignty means three things need to be true at the same time:

  1. Your data is physically stored in New Zealand — not in the United States, Europe, or anywhere else.
  2. The company storing your data is a New Zealand company — not an American company with a New Zealand office or data centre.
  3. There is no foreign parent company or legal structure that could be compelled by a foreign government to hand over your data.

SafeKey meets all three of these requirements. The major US-based password managers — 1Password, LastPass, Dashlane, and others — meet none of them.

Your Obligations Under the NZ Privacy Act 2020

The Privacy Act 2020 is New Zealand’s main law governing how businesses handle personal information. If your business collects, stores, or uses personal information — which almost every business does — then you are subject to this law.

There are two key principles that are directly relevant to where you store your passwords:

Principle 5: Storage and Security

You must take reasonable steps to protect personal information against loss, unauthorised access, or disclosure. Storing the passwords that protect your client and business data with a company that is legally obligated to hand that data to a foreign government on demand raises serious questions about whether you’re meeting this obligation.

Principle 12: Disclosure Outside New Zealand

If you send personal information to an organisation outside New Zealand, you must be satisfied that it will be protected by comparable standards to our own Privacy Act. The CLOUD Act creates a direct conflict here — US companies cannot guarantee that your data won’t be disclosed to US authorities, because they are legally required to comply with CLOUD Act requests.

What this means for you

If a US password provider is compelled to disclose your data under the CLOUD Act, this could constitute an unauthorised disclosure of personal information under New Zealand law.

Your business, not the US password provider, could be held responsible for failing to adequately protect the personal information in your care.

The Privacy Commissioner has the power to investigate complaints and impose penalties of up to $10,000 for breaches of the Act. More importantly, there is the reputational damage and the loss of trust from your clients.

Common Objections — And the Reality

“The US government isn’t interested in my little business.”

That may well be true today. But the point is not whether they are interested — it’s whether they legally can access your data. Laws don’t expire when they’re not being used. The CLOUD Act gives US authorities a standing legal power to access your data at any time, for any investigation, without your knowledge. The question isn’t whether it’s likely — it’s whether you’re comfortable with it being possible.

“Our provider says our data is encrypted, so it’s safe.”

Encryption is important, and most reputable password managers do encrypt your data. However, the CLOUD Act is a legal instrument, not a technical one. A US court order can compel a company to provide access to data in whatever form the government requires. If the company holds the means to decrypt your data — or if they can be compelled to build a way to do so — encryption alone is not a complete answer. The safest approach is to ensure that no foreign law applies to your data in the first place.

“They have a data centre in New Zealand, so we’re covered.”

This is the most common misconception. A US company with a data centre in New Zealand is still a US company. The CLOUD Act applies to the company, not the data centre. Having servers in Auckland does not stop a US court from ordering that company to hand over your data. True data sovereignty comes from the company being New Zealand-owned, not from the server having a New Zealand address.

“We’ve been using them for years and nothing has happened.”

That’s the nature of the risk — you would never know it happened. The CLOUD Act does not require the US government or the provider to notify you when your data has been accessed. You could have your vault contents disclosed to a foreign government tomorrow and you would never find out. The absence of visible harm is not the same as the absence of risk.

“Switching providers sounds like too much hassle.”

We understand the concern, but moving to SafeKey is surprisingly straightforward. We support importing your existing passwords from all major providers, and our New Zealand-based team will walk you through every step. Most businesses are fully set up in under an hour. The small effort of switching is nothing compared to the ongoing risk of leaving your most sensitive business data under the control of a foreign law.

Why SafeKey Is the Solution

SafeKey was built specifically to address these concerns. Here’s what makes us different:
  • 100% New Zealand owned and operated. We are not an American company. We have no US parent company, no US investors, and no US corporate structure. The CLOUD Act simply does not apply to us.
  • Your data is stored exclusively in New Zealand. Not in the US, not in Europe, not in Australia. Your passwords live on New Zealand servers, governed by New Zealand law, full stop.
  • Your own private vault. Unlike the big US providers, which put all customers into a shared system, SafeKey gives every customer their own dedicated vault. If something happens to another customer, it doesn’t affect you.
  • Fully compliant with the NZ Privacy Act 2020. Your obligations under Principles 5 and 12 are met without question. No conflict with foreign laws, no grey areas, no risk.
  • Real support, during your business hours. Our team is right here in New Zealand. When you need help, you talk to a real person who understands Kiwi businesses, during normal New Zealand working hours.
  • Enterprise-grade security at a small business price. Just $36 per user per year – that’s $3 per person per month. Less than many of the US-based alternatives, with none of the foreign legal risk.

The Bottom Line

The US CLOUD Act is not a theoretical risk. It is a real, active law that applies right now to every US-based technology company, including every US-based password manager. If your business uses one of these services, your most sensitive data — the passwords that unlock everything — could be accessed by a foreign government at any time, without your knowledge or consent.

As a New Zealand business owner, you have a choice. You can continue to entrust your passwords to a company that is legally obligated to comply with foreign government data requests. Or you can move to a New Zealand provider that operates entirely under New Zealand law, with no foreign obligations and no foreign jurisdiction.

SafeKey gives you that choice. New Zealand owned. New Zealand hosted. New Zealand law. Your business passwords, under your control, where they belong.

Take Control of Your Business Passwords

Visit www.safekey.co.nz or contact our New Zealand team today.

$36 per user/year  •  100% NZ owned & hosted  •  No foreign jurisdiction  •  Local support

Disclaimer: This document is intended as a general guide for New Zealand business owners. It is not legal advice. If you have specific legal questions about data sovereignty, the CLOUD Act, or your obligations under the Privacy Act 2020, we recommend speaking with a qualified New Zealand lawyer. The information in this document is current as of February 2026.