They're a Melbourne-based company, but their servers are in other countries. Does ASIS' reach include data stored in other countries? (NYC, Amsterdam, Iceland)
Yes it does, because they can compel the company employees. A previous company that I worked for used to have data centres in Amsterdam and Sydney (pre-cloud), but it was an Australian company with Australian engineers, so it wouldn't matter very much in this context.
It's the old xkcd "million-dollar cluster to crack encryption VS wrench"[1]
If you or your engineers with production access live within a jurisdiction then your security and laws are impacted by that jurisdiction.
