Every New Zealand organisation generating unstructured data — backups, archives, media files, research datasets — eventually faces the same question: where should it live? The Amazon S3 API has become the de facto standard for object storage, and a growing number of S3-compatible storage NZ providers now offer alternatives that promise simpler billing, stronger compliance, or data residency within Aotearoa. But not all platforms are equal, especially when the Privacy Act 2020, NZISM (New Zealand Information Security Manual) requirements, and egress fees enter the picture.
This guide walks through the factors that matter most when choosing object storage in NZ — from API compatibility depth to cross-border data transfer rules most comparison guides treat as a footnote.
What S3-Compatible Storage Actually Means (and Where Compatibility Breaks Down)
Amazon Web Services (AWS) S3 established the object storage API that most developers, backup tools, and data platforms now expect. “S3-compatible” means the platform accepts the same API calls — PUT, GET, DELETE, multipart uploads, bucket policies — so existing tools work without code changes.
But compatibility is a spectrum. At one end, providers support core operations covering roughly 80 per cent of everyday workflows. At the other, advanced features diverge: Object Lock for immutability, S3 Select for in-place queries, event notifications, and complex lifecycle policies may be partially implemented or missing entirely. MinIO, once the go-to open-source S3-compatible layer, archived its Community Edition in February 2026 — a reminder that the compatibility landscape shifts quickly.
If you rely on Veeam, Commvault, or another enterprise backup tool that writes to S3-compatible targets, partial API support means silent failures. A backup job that appears to complete may fail to restore when you need it most. Three capabilities are worth verifying rather than assuming:
- Object Lock and WORM (Write Once Read Many) for ransomware-resilient backups and regulatory retention.
- Multipart uploads for files over 100 MB; without them, large backup sets time out.
- Lifecycle policies and versioning for automated tiering and point-in-time recovery.
Ask for an S3 API compatibility matrix and test your toolchain against it before production data goes near the bucket.
Data Sovereignty as a Primary Decision Axis, Not a Footnote
Most global S3 comparison guides treat data residency as a bullet at the bottom of a feature table. For NZ organisations — especially in education, local government, and the public sector — sovereignty should be the first filter, not the last.
Information Privacy Principle 12 (IPP12) governs the disclosure of personal information outside New Zealand. There is an exception for cloud providers that store or process data solely on your behalf — they are not considered to be “receiving” a disclosure. But your organisation remains accountable for that data regardless of where it lives. Three practical realities follow:
- You retain liability. If an offshore provider suffers a breach, the Office of the Privacy Commissioner holds your organisation responsible, not the provider.
- Contractual safeguards are mandatory. Offshore storage means binding agreements ensuring protection comparable to NZ law — and ongoing monitoring, not just a signature at onboarding.
- Onshore storage simplifies compliance. Keeping data on NZ-hosted infrastructure removes the cross-border question entirely.
For government agencies handling RESTRICTED or higher classifications, NZISM adds another layer: controls around access, transmission, and storage, and at higher classifications, no public-internet exposure of the storage environment. An NZ-hosted provider already aligned with NZISM and Protective Security Requirements is often the simplest path to meeting both Privacy Act and security obligations at once.
The Hidden Cost That Reshapes Total Ownership: Egress Fees
Storage is rarely just about putting data somewhere — you also retrieve it for restores, analytics, content delivery, or migration. Egress fees are where total cost of ownership quietly comes apart.
Major cloud providers charge for data leaving their network. The base storage rate looks competitive, but the moment you retrieve regularly, the effective rate climbs. For backups this is particularly dangerous: you store steadily and retrieve rarely, so egress looks negligible month-to-month — until a disaster recovery event triggers a full restore and the retrieval bill exceeds your annual storage spend.
S3-compatible providers broadly fall into three pricing structures. Tiered egress pricing scales retrieval costs with volume — AWS S3 being the most prominent example, and the hardest to forecast. Flat-rate with conditional free egress offers a single rate with no egress charges provided downloads stay within a defined ratio of stored volume; exceed the ratio and charges kick in. Zero-egress or transparent pricing charges nothing for retrieval regardless of volume, so the storage rate is the total rate. NZ-hosted providers increasingly adopt this model.
A provider that looks cheaper per terabyte stored can become the most expensive option during a disaster recovery event.
Is S3-Compatible Storage Suitable for Backups? And Which Provider Fits Which Workload?
Yes — and for many NZ organisations it is now the preferred target. Object storage scales horizontally, so you do not forecast capacity years ahead or rotate physical media. Providers that support S3 Object Lock allow immutable backup copies that ransomware cannot modify or delete within a defined retention window. Enterprise-grade platforms maintain multiple copies through erasure coding, often reaching eleven nines durability or higher. Veeam, Commvault, and Rubrik support S3-compatible targets natively — provided the implementation is deep enough.
The right provider depends on workload, regulatory obligations, and tolerance for billing surprises:
- Government agencies and classified data. NZ-hosted, NZISM-aligned storage is the baseline. The Privacy Act’s cross-border provisions stop mattering when data never leaves the country.
- Backup-and-restore workloads. Prioritise zero-egress or flat-rate providers, then model a full disaster recovery restore and compare retrieval cost across providers — not just the per-terabyte storage rate.
- Education, research, and content-serving applications. Data volumes grow unpredictably and retrieval patterns vary. Providers offering automated lifecycle tiering between hot and cold storage manage costs without constant oversight; zero-egress economics suit content-heavy applications best.
How to Get Started with S3-Compatible Object Storage
Moving to S3-compatible storage does not have to be a forklift migration. Most organisations start with a single workload — typically backups or archive data — and expand from there.
- Audit your footprint and map compliance requirements. Understand how much data you store, how often you access it, and whether the Privacy Act, NZISM, or sector-specific rules mandate onshore storage.
- Test API compatibility against the provider’s S3 endpoint. Run your toolchain in a trial environment before committing production data.
- Model total cost for your actual workload. Include storage, egress, API requests, and worst-case restore scenarios — not just the headline rate. Pilot before scaling up.
ASI Solutions offers InfiniStor, an S3-compatible object storage platform with NZ data residency, hot and cold storage tiers, Veeam integration, and up to 19 nines of data durability — purpose-built for organisations that need their data to stay in Aotearoa. Whether you are migrating from an offshore provider or setting up your first S3-compatible target, ASI Solutions can walk you through the options for your specific workload.
Ready to see how NZ-hosted object storage compares for your environment? Book a meeting with the team to map your requirements against InfiniStor’s capabilities.