PRIVACY & CONFIDENTIALITY POLICY
What data do we collect?
We collect the private and confidential data required to provide the agreed services, and during our free consultations and support. We hold all data collected from our potential and existing clients in confidence. This includes not disclosing any data to third parties without permission and without non-disclosure agreements in place.
We encourage you to contact us and provide your company details so that we can tailor our responses to your needs and provide accurate quotations and services. Only the name and email address fields are mandatory for these enquiries. You can refrain from submitting any other details you may not wish to disclose.
We use Google Ads, Analytics, Tag Manager, Hubspot and other tools on the website for marketing and to analyse traffic and trends. Our use of these tools does not identify individuals or their navigation behaviour. We do not export data outside of these applications or share it with any third parties, including our established partners.
Where does your data go?
We may use the data collected in the following systems, depending on the stage and requirements of the support we are providing you:
Checkbox.ai: the platform used for our free tools, automated SOC 2 assessments and workflows. Checkbox.ai have completed a SOC 2 Type II report issued by a Big4 firm.
Google Workspace: Google Business products used for our client communications. We secure these systems with multi-factor authentication and Google Business grade security practices. Google issues SOC 1, SOC 2 and SOC 3 reports at least annually.
Hubspot: Our customer relationship management (CRM) system, used for marketing emails, account tracking, and hosting of our website content management system (CMS). Hubspot issues SOC 2 Type II reports annually.
Pillar: Our in-house developed platform for managing audits and supporting our clients' compliance programs. We conduct annual SOC 2 audits and penetration tests.
Trello: Used for some clients, when preferred, for tracking your requirements and assurance reporting steps. Atlassian issues SOC 2 Type II reports for Trello.
Xero: A cloud-based application used for company accounting and invoicing. Xero issues SOC 2 Type II reports.
In each of the above, we minimise the data stored in each location based on what is required to effectively support our services to you.
Data Retention and Disposal
We retain all data collected until deletion is requested, in order to ensure we can effectively provide our services and tailor our support based on the history of your interactions with us. You may request deletion of your data at any stage by contacting us at firstname.lastname@example.org. Based on our own compliance requirements, we retain audit files for seven (7) years. This includes all audit documentation shared with us to verify your compliance. We encourage our clients to sanitise, mask or otherwise reduce the sensitivity of documentation shared with us.
Our free tools, assessments and applications are built in Checkbox.ai and our platform, Pillar. They collect data from your responses to questions to provide automated and tailored outputs like readiness reports, policy automation and system descriptions that help you prepare for and support your compliance goals using our services.
We use the data to provide you with our services. We may also use that data at an anonymised and statistical level to provide guidance and benchmarking to our clients, partners and associates. We avoid the use of any statistics that would compromise confidentiality, including any 0% or 100% statistics, or statistics with specifics that could be used to identify attributes of an individual customer or user. The raw data is stored in Checkbox.ai or Pillar, hosted in the Amazon Web Services (AWS) environment. We do not export any data from this environment, except in the output reports sent to you, or after it has been anonymised for statistical analysis.
If you have any concerns over security, privacy or confidentiality, we support the use of an alias contact and company name to prevent your data from being identifiable. This requires the use of a non-business email address, and contacting us separately to advise of the alias so that we can send the report to the correct person in a secure manner.
What are your rights?
We support all rights under the EU GDPR, the Australian Privacy Act, Californian Consumer Protection Act and any other reasonable requests related to your private data. For any requests related to your data please email email@example.com, or call +61 (0) 490 086 000.