Company policies & guidelines

ABN: 70 631 043 966

ACN: 631 043 966

Website: tsii.com.au


Legal, Regulatory, Reputational and Financial Risk

Risk management is about understanding and managing the risk environment and taking measures, where necessary, to ensure that risks are contained to acceptable levels consistent with risk appetite as outlined in the Risk Appetite Statement. This document sets out, at a high level, policies for managing this process.

Scope

This policy applies to all Tawakal Sii Pty Ltd (The Company) activities. It forms part of the company governance framework, and it applies to all employees, contractors and volunteers.

Objectives

The objective of the Risk Management Policy is to ensure the implementation of an effective risk management framework consistent with the company achieving its policy and operating objectives. In doing so, it follows accepted standards and guidelines for managing risk.

The principle underpinning the company’s approach is that risk management is an integral part of the management function in the organisation and, as such, is the clear responsibility of management. Line managers have the responsibility to evaluate their risk environment, to put in place appropriate controls and to monitor the effectiveness of these controls.

General Responsibilities

Owner: Provides policy, oversight and review of risk management.

Technology Leads: Continuously improve the risk management policy, strategy and supporting framework.

Staff: Comply with risk management policies and procedures.

Contractors

Policy

The company’s framework endeavours to cover the full spectrum of risks faced by the Company through evaluating risk from a business perspective. This framework is consistent with the accepted Australian standard (ISO 31000-2018 Risk Management) and comprises several important steps:

● Identifying and analysing the main risks facing the company.

● Evaluating those risks and making judgements about whether they are acceptable or not.

● Implementing appropriately designed control systems to manage these risks in a way which is consistent with the Company’s Risk Management Policy.

● Treating unacceptable risks by formulating responses following the identification of unacceptable risks, including actions to reduce the probability or consequences of an event and formulation of contingency plans.

● Documenting these processes, with summary tables (risk registers) as the main form of documentation, supplemented by risk manuals or related documents as appropriate.

● Ongoing monitoring, communication and review.

● While the framework is applied consistently across the company, individual areas must identify and analyse the risks in their own areas, assess the controls in place to deal with those risks, and make decisions about whether to mitigate a particular risk – fully or partially – given its effects and the costs of mitigation. If a residual risk is judged to be unacceptable, the ‘owner’ area is responsible for developing and implementing/overseeing a remedial plan.

● Where risks are considered ‘cross-sectional’ or ‘common’ – that is, owned by one area and managed by another (e.g. IT-related risks) – a process is established for ensuring that the risks are both communicated, and action agreed, between the areas concerned.

● Processes are also in place that facilitate appropriate liaison and consultation with external entities whose activities could inform the Company’s risk environment.

Access Control Policy

This policy outlines the rules relating to authorising, monitoring and controlling access to applications and information systems developed by Digipayment Pty Ltd.

Scope

This policy applies to any person or system that is granted, or that grants, access to accounts, information or information systems owned, developed or operated by DigiPayment Pty Ltd (The Company).

Objectives

Compliance with this policy enables consistent controls to be applied to all applications and information systems, minimising exposure to security breaches, whilst allowing developers, customers, systems and security administration and technical support staff to conduct their activities within the framework of the law.

This policy aims to ensure that, by having the appropriate access controls in place, the right information is accessible by the right people at the right time and that access to information, in all forms, is appropriately managed and periodically audited.

General Responsibilities

All personnel (e.g. employees, contractors, vendors and third parties) working with the company must abide by the relevant Information Security and Access Control policies and procedures, and must:

● Only use their account and access in accordance with the company’s Code of Practice.

● Secure their credentials in line with the University’s password guidance.

● Be responsible for the systems, services and data within their control.

● Access administrators must:

○ Only grant access requests that have:

○ A documented request

Access Control Implementation

Developer Guideline for Identity Management Implementation

● All applications must be password protected where necessary, and only authenticated users can access the applications.

● Implement two-factor authentication (SMS and Google Authenticator) for all administrator-level application access.

● All logins must be developed role-based, so that users can only perform actions limited to their access and role level.

● Formal user registration and de-registration processes must be implemented to enable the assignment of identities and accounts on an individual basis.

● Provide access to information, accounts, systems and resources based on the principle of least privilege.

● Implement a One-Time Password (OTP) system where possible; the dynamic PINs act as an extra layer of protection.

● It is recommended to implement mandatory password change, which significantly reduces security risk by forcing a regular password change for customers and application users.

● An easy-to-track monitoring system should be in place to detect and analyse suspicious activity. Furthermore, blocking an account after several suspicious transactions, to prevent data breaches, should always be implemented.
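The role-based access, administrator two-factor requirement and "block after several suspicious transactions" rules above, shown together as an added example (this is illustrative code, not the Company's application code). The role names, the actions each role may perform, the suspicious-transaction rule (amount more than five times the account's average, or a destination country never used before) and the block threshold of three are all constructed assumptions.

```python
# Added example (not part of the company's policy or code base): a minimal
# role-based authorisation check with least-privilege role definitions, an
# administrator second-factor requirement, and an automatic block after a
# number of suspicious transactions. Roles, actions, the rule and the
# threshold are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Each role is granted only the actions it needs; anything not listed is denied.
ROLE_PERMISSIONS = {
    "customer": frozenset({"transfer:create", "transfer:view_own"}),
    "agent": frozenset({"transfer:create", "transfer:view_own", "customer:verify"}),
    "admin": frozenset({"transfer:view_any", "customer:verify", "user:disable"}),
}

# Constructed threshold: the account is blocked once this many transactions
# have been flagged as suspicious.
SUSPICIOUS_LIMIT = 3


@dataclass
class Account:
    user_id: str
    role: str
    mfa_verified: bool = False   # second factor completed for this session
    suspicious_count: int = 0
    blocked: bool = False
    # (amount, destination_country) of accepted transactions, oldest first
    history: List[Tuple[float, str]] = field(default_factory=list)


def deny_reason(account: Account, action: str) -> Optional[str]:
    """Return why `action` is refused for `account`, or None if it is allowed."""
    if account.blocked:
        return "account is blocked pending review"
    # Administrator-level access requires a completed second factor.
    if account.role == "admin" and not account.mfa_verified:
        return "administrator access requires two-factor authentication"
    if action not in ROLE_PERMISSIONS.get(account.role, frozenset()):
        return f"role '{account.role}' is not permitted to {action}"
    return None


def authorize(account: Account, action: str) -> bool:
    return deny_reason(account, action) is None


def is_suspicious(account: Account, amount: float, country: str) -> bool:
    """Constructed rule: an amount more than five times the account's average,
    or a destination country the account has never sent to before."""
    if not account.history:
        return False
    average = sum(a for a, _ in account.history) / len(account.history)
    known_countries = {c for _, c in account.history}
    return amount > 5 * average or country not in known_countries


def submit_transfer(account: Account, amount: float, country: str) -> str:
    """Authorise, apply the suspicious-activity rule and block when the
    threshold is reached. Returns 'denied', 'flagged', 'blocked' or 'accepted'."""
    if not authorize(account, "transfer:create"):
        return "denied"
    if is_suspicious(account, amount, country):
        account.suspicious_count += 1
        if account.suspicious_count >= SUSPICIOUS_LIMIT:
            account.blocked = True
            return "blocked"
        return "flagged"
    account.history.append((amount, country))
    return "accepted"
```

Two design points worth noting: permissions are looked up from an explicit allow-list, so a role that is missing from the table gets nothing rather than everything, and a flagged transaction is not added to the account's history, so a burst of unusual transfers cannot shift the baseline that the rule compares against.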

Database Access Control Guideline

● Database access should be blocked from the internet, and only applications running in the same Virtual Private Cloud (VPC) should be allowed to access the database, each with its own username and password and with restricted permissions.

● Only database administrators should have access to databases, via a secure SSH tunnel or over a virtual private network.

Dispute resolution/Complaints management

The Company has developed internal complaints handling procedures which it believes to be compliant with the relevant dispute handling legislation within Australia and appropriate for the Company, having regard to:

● The size and type of our business;

● the financial services offered by our AFSL;

● the nature of our client base; and

● the likely number and complexity of complaints.

Objectives

This procedure aims to:

a. Ensure clients have easy access to an inexpensive complaints handling process;

b. Enhance client confidence in the Company’s services; and

c. Give important feedback to the Company about the level of client satisfaction.

This procedure is intended to be used when a client makes a complaint about:

i. the services and products received or recommended by the Company; or

ii. the operation of the Company in general.

Policy & Procedures

1. Receiving Complaints

All complaints are to be dealt with promptly and in a professional manner. On receiving a complaint from a client by any means, the staff member will take the following steps:

a. Thank the client for the call or contact and re-assure them of the Company’s commitment to dealing promptly with the matter.

b. In any first contact inform the client that it is the Company’s policy to respond to the client within 48 hours either addressing the issue, or with an estimated (and compliant) timeframe in which to address the complaint;

c. Complete a Complaints Form and submit it to the Compliance Officer as soon as possible.

d. The Compliance Officer must then:

i. Log the complaint into the Company’s complaints register;

ii. Decide, with the engagement of the appropriate staff member, the course of action necessary to resolve the complaint, record these actions in the complaints register and assign the agreed actions to the appropriate company officer or staff member;

iii. Diarise the dates necessary to complete the actions and achieve the agreed timeframes with the client but within 30 days at a maximum;

iv. Keep the client informed of the progress as agreed or as detailed below.

2. Complaint Procedure: Rules for Complaint Handling

All of the steps in 1(a) through (d) above will be completed as agreed with the client, or at least within the following timeframes and actions. These MUST be diarised to avoid a breach of the laws surrounding complaints handling and, therefore, the need to report a breach of these rules.

a. Within fourteen (14) days of receiving a complaint, send an acknowledgement of having received the complaint to the complainant by letter;

b. Within forty-five (45) days of receiving a complaint, make a determination on the complaint; and

c. within fourteen (14) days of the determination of a complaint, the Company must give to the complainant:

i. a written notice of that determination and advice of any action the Company has taken, or will take, in respect of the complaint; and

ii. advice that the client may complain to the external dispute resolution scheme if they are dissatisfied with the outcome of the complaint.

3. Resolved Complaint

a. The Compliance Officer will determine if it is appropriate for the complaint to be confirmed with the client by a particular staff member and in what format the final response will take (i.e. by phone or in writing). The Compliance Officer may consider this in conjunction with a Company Officer;

b. When resolved, the Compliance Officer will confirm that the complaint has been resolved and the appropriate procedures have been followed and finalise the entry within the complaints register.

4. Unresolved Disputes and External Dispute Handling

a. If the complaint remains unresolved the Compliance Officer will:

i. Inform the client of the decision to stand by its assessment of the complaint;

ii. If the client remains dissatisfied, inform the client of their rights under external dispute processes as per below.

iii. Take notes as to any further comments or correspondence in relation to the client’s attitude, behaviours and comments.

5. Process for referring complaints to External Dispute Resolution Bodies.

The Company’s processes for referring complaints will include:

a. providing in a disclosure document details of the internal complaints handling procedure and the details for the Company’s external complaints resolution scheme with a brief description of its role; and

b. where a complaint is unable to be resolved by the Company’s internal complaints resolution scheme, the final letter advising the client of the outcome of their complaint will contain the details of the external dispute body (e.g. the Australian Financial Complaints Authority); DigiPayment Technologies Pty Ltd will handle all disputes in accordance with the relevant policies and requirements.

c. From our end, we will be providing a full log for any disputed transaction.

d. Any fraudulent transaction will be dealt with in accordance with Australian law.

e. If any refund is required due to a dispute, DigiPayment will provide the refund for the disputed transaction.

f. While not a regulator, the Australian Financial Complaints Authority (AFCA) is a free, fair and independent dispute resolution scheme. It considers complaints about financial products and services as well as credit products. AFCA’s service is offered as an alternative to tribunals and courts to resolve complaints that consumers and small businesses have with financial service providers. DigiPayment Technologies Pty Ltd will consider dispute resolution via the above service.

g. All complaints must be logged into the ticket management system

Fraud Prevention Guidelines & Management

This document outlines a comprehensive fraud prevention strategy for Tawakal Sii Pty Ltd, specifically aimed at addressing common fraud types in money transfer services. The policy includes definitions of fraudulent actions, allocation of responsibilities, procedures for suspected fraud, and steps for post-fraud action.

Definition of Fraudulent Actions

Fraud in the context of money transfer encompasses various schemes including:

i. Advanced Fee/Prepayment Scam: Victims pay upfront for a service or product that never materializes.

ii. Anti-Virus Scam: Scammers claim the victim’s computer is infected and charge for unnecessary software.

iii. Charity Scam: Fraudulent solicitation of funds for fake charities.

iv. Emergency Scam: Impersonators claim to be in urgent need of money due to an emergency.

v. Employment Scam: Fake job offers that solicit personal information or money.

vi. Extortion: Demanding money through threats or coercion.

vii. Fake Check Scam: Victims receive a fraudulent check and are tricked into refunding a portion.

viii. Grandparent Scam: Scammers pose as a grandchild in distress asking for money.

ix. Identity Theft: Unauthorized use of someone’s personal information for financial gain.

x. Immigration Scam: Offers of fake assistance with immigration processes for a fee.

xi. Internet Purchase Scam: Online seller frauds involving payment without delivering goods.

xii. Lottery/Prize Scam: Notifications of a false win requiring payment to claim.

xiii. Money-Flipping Scam: Promises of fast returns on cash investments.

xiv. Military Scam: Impersonating military personnel to solicit money.

xv. Mystery Shopping Scam: Fake offers to pay for evaluating services.

xvi. Overpayment Scam: Sending fraudulent overpayments and requesting a refund of the excess.

xvii. Phishing: Attempting to acquire sensitive information through deceit.

xviii. Relationship Scam: Exploiting emotional connections to solicit money.

xix. Rental Property Scam: Listing non-existent properties for rent.

xx. Social Networking Scam: Fraudulent activities conducted through social media.

xxi. SMS/Smishing: Phishing conducted via text messages.

xxii. Tax Scam: Fraudulent communications claiming to be from tax authorities.

xxiii. Telemarketing Scam: High-pressure sales tactics or false claims to solicit money or information.

Allocation of Responsibilities

- Agents: Responsible for identifying and reporting suspicious activities.

- Management: Oversee the implementation of fraud prevention measures and training.

- Security Team: Manage technological solutions to safeguard against digital fraud.

Fraud Prevention Measures

● Education and Training: Regular training sessions for agents on recognizing and handling the above fraud types.

● Customer Verification: Strict customer identification processes to prevent identity theft and related frauds.

● Transaction Monitoring: Vigilant monitoring for signs of suspicious activities, such as unusual transaction patterns.

● Secure Communication: Ensuring secure and private communication channels to prevent phishing and related scams.

● Public Awareness: Educating customers about common fraud types and prevention methods.

● Technology Use: Implementing and updating anti-fraud technology like AI monitoring systems.

● Compliance and Reporting: Adhering to legal standards and reporting suspicious activities to authorities.

Procedures for Suspected Fraud

● Immediate Reporting: Agents should report suspected fraud immediately to the management.

● Preliminary Investigation: Conduct an internal review to assess the situation.

● Escalation: If fraud is confirmed, escalate to law enforcement and legal teams.

Post-Fraud Actions

● Asset Recovery: Efforts to recover any lost funds or assets.

● Customer Support: Assisting affected customers through the recovery process.

● Legal Action: Pursuing legal action against fraud perpetrators.

● Media Handling: Designated spokesperson to handle media inquiries.

● Evidence Preservation: Secure all evidence related to the fraud for investigation.

Encouragement of Reporting

● Whistleblower Protection: Assure confidentiality and protection for employees reporting fraud.

● Open Communication: Maintain clear channels for employees to report suspicious activities.

Conclusion

Compliance with these guidelines is essential for the integrity and security of Tawakal Sii Pty Ltd. Agents play a critical role in preventing fraud and protecting the interests of our clients. Regular updates to this policy will be made to address evolving fraud tactics.

Information Security Policy

Scope

All processes, activities and assets are within the scope of this information security policy, especially:

● Implementation and maintenance of information systems

● Secure development

● Intellectual property and sales / contractual information protection

● Human resources security

● Data and information exchange procedures and interfaces with regulatory authorities, contractual workers, clients and other relevant parties.

Objectives

● Confidentiality—only individuals with authorisation should access data and information assets

● Integrity—data should be intact, accurate and complete, and IT systems must be kept operational

● Availability—users should be able to access information or systems when needed

● Create an overall approach to information security.

● Detect and pre-empt information security breaches such as misuse of networks, data, applications, and computer systems.

● Maintain the organisation’s reputation, and uphold ethical and legal responsibilities.

● Respect customer rights, including how to react to inquiries and complaints about non-compliance.

Policies, Procedures and Guidelines

The Information Security policies, and the need for each, are addressed below:

1. Information Risk management Procedure

Detailed risk assessments for Information risks (e.g. application risk assessment, Infra risk assessment) shall be undertaken in order to identify pertinent threats, the extent of vulnerability to those threats, the likelihood and the potential impact should a threat mature as a result of the vulnerability. This assessment shall determine acceptable, transferable and avoidable risk and the risk that shall be reduced by risk treatments (control mechanisms).

2. Access Control Policy

Data must have sufficient granularity to allow the appropriate authorised access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorised purposes. This balance should be recognised. The Access Control Policy addresses this need.

3. E-mail Security Policy

DigiPayment Technologies Pty Ltd shall implement effective systems and procedures to ensure that e-mail is used as an efficient mode of business communication, and implement control procedures so that the e-mail facility is not misused by users. It also needs to be ensured that the e-mail service and its operations remain secure and efficient.

4. Internet & Intranet Security Policy

DigiPayment Technologies Pty Ltd should utilise the internet as an important resource for information and knowledge to carry on the business more efficiently. Users must also understand that any connection to the Internet offers an opportunity for unauthorised users to view or access other information. Towards this direction, DigiPayment Technologies Pty Ltd has developed systems and procedures to ensure that the Internet is used only for business purposes, securely (without endangering the security of DigiPayment Technologies Pty Ltd’s network) and with a uniform code of conduct.

5. Password Security Policy

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords and the frequency of change. All Application software in DigiPayment Technologies Pty Ltd will have to comply with minimum password standards as specified in this document.

All passwords must:

● be a minimum of eight characters long;

● contain at least 1 number and 1 special character;

● expire every six months.
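The three rules above, implemented as a validator that applications can share so that every login form enforces the same standard. This is an added example and not the Company's code; the interpretation of "special character" as any printable non-alphanumeric character, and the sample passwords and dates, are assumptions made here.

```python
# Added example (not the company's code): enforces the three password rules
# stated in the policy. The rule constants and sample dates are constructed.
import calendar
from datetime import date
from typing import List

MIN_LENGTH = 8
EXPIRY_MONTHS = 6


def validate_password(password: str) -> List[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"minimum {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        violations.append("at least 1 number")
    # 'Special character' is taken to mean any printable non-alphanumeric character.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("at least 1 special character")
    return violations


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of a short month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def password_expiry(set_on: date) -> date:
    """Date on which a password set on `set_on` expires under the six-month rule."""
    return add_months(set_on, EXPIRY_MONTHS)


def password_expired(set_on: date, today: date) -> bool:
    """True once the expiry date has been reached, forcing a change at next login."""
    return today >= password_expiry(set_on)
```

Returning the full list of violations, rather than stopping at the first, lets the application tell the user everything that needs fixing in one round trip. The expiry calculation uses calendar months so that a password set on 31 August expires on the last day of February rather than failing on a non-existent date.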

6. Application Security Policy

It may be required to develop and maintain software, applications and add-on modules from time to time. Proper procedures, access controls and security requirements need to be addressed in the entire process. The application security policy has been framed to address these needs. Please refer to the Access Control Policy Developer Guideline for more details.

7. Operating System Security Policy

DigiPayment Technologies Pty Ltd shall protect its operating system resources by using security at a level that is appropriate for the nature of the data being processed. The operating system security policy has been framed for achieving this. DigiPayment Technologies Pty Ltd shall protect all business data, related application systems and operating systems software from unauthorised or illegal access.

8. Backup & Recovery Policy

To safeguard information and computing resources from various business and environmental threats, systems and procedures have been developed for backup of all business data, related application systems and operating systems software on a scheduled basis and in a standardised manner across DigiPayment Technologies Pty Ltd. The backup and recovery procedures must be automated wherever possible using the system features and be monitored regularly. The backup & recovery policy that has been framed for DigiPayment Technologies Pty Ltd considers these points.

9. Log and Audit Trail Policy

The log and audit trail policy addresses the framework for logging & auditing operating system events, application events, database events in the local area network and the network events. Ref: ISMS-Log and Audit Trail Policy

10. Version Control Policy

The version control policy of DigiPayment Technologies Pty Ltd addresses implementing, managing and controlling the changes in versions of application systems, and customised add-on modules, network and operating system software, interfaces and utilities. This Policy is aimed at ensuring uniformity in versions running across DigiPayment Technologies Pty Ltd and would involve maintaining up to date documentation for the entire version change process. Ref: ISMS-Version Control-Policy

11. Data Archival Policy

Proper data management will facilitate and improve the retrieval, evaluation, use and storage of critical and related information. The purpose of the data archival policy for DigiPayment Technologies Pty Ltd is to address the proper archival of all its project-related data as per the client requirement, to support its high-quality research service and also to ensure the availability, integrity and confidentiality of the data. Ref: ISMS-DataArchivalPolicy.doc

12. Encryption Policy

In the current environment of increasingly open and interconnected systems and networks, network and data information security are essential. This policy describes cryptography as a tool for satisfying a wide spectrum of the Information Security Management System (ISMS) needs and requirements. Ref: ISMS-Encryption Policy

13. Data Migration Policy

Sometimes, a need may arise to migrate data from one system/database to another. This typically occurs during replacement of existing application/database. This policy outlines the care to be taken during such migrations of data.

14. Data Security

Physical, Technical and Organisational Security Measures

Appropriate physical, technical and organisational security procedures that restrict access to and disclosure of personal data within the Company are implemented. The Company uses encryption, firewalls and other technology and security procedures to help protect the accuracy and security of sensitive personal information and prevent unauthorised access or improper use. The Company adopts best-practice guidelines for physical, technical and organisational measures to ensure the security of personal data, including the prevention of their alteration, loss, damage, unauthorised processing or access.

15. Database Security Procedure

In accordance with the Information Security Policy, all databases owned by DigiPayment Technologies Pty Ltd must be adequately protected to ensure confidentiality, integrity, availability, and accountability of such systems. Databases normally provide a data storage mechanism as a back-end to an application that provides access to the data. In addition to electronic data storage, databases typically are associated with management systems which organise data into a collection of schemes, tables, queries, reports, views and other objects.

16. Key Management Procedure

Key management is the set of techniques and procedures supporting the establishment and maintenance of cryptographic key relationships between authorised parties within Company and its business partners, regulatory entities etc.

17. Cloud computing

Cloud computing requirements shall be assessed in detail for data security, privacy, legal requirements, sustainability of the provider, service levels, geographical location of data storage and processing, including trans-border data flows, business continuity requirements, log retention, data retention, audit trails, etc, during the risk assessment process.

18. Digital security of systems containing our data

● We will be encrypting data at rest.

● We will be using AES-256 for encryption of data at rest.

● Our database access is blocked from the internet, and only applications running in the same Virtual Private Cloud are allowed to access the database, each with its own username and password.

● When encrypting data in motion, AWS services use the Transport Layer Security (TLS) protocol to provide encryption between your application

● All API requests transit over a secure protocol (HTTPS) only.

● We implement geography-based firewalls to allow application access within required services regions, which is Australia only at the moment.
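An offline compliance check for the database-access and encryption-at-rest rules stated in the Database Access Control Guideline and in the list above, added here as an example (not the Company's tooling). It evaluates two inputs shaped like the AWS EC2 DescribeSecurityGroups and RDS DescribeDBInstances responses and reports any database whose storage is unencrypted, is marked publicly accessible, or whose security group admits a CIDR range outside the VPC on the database port. The group IDs, instance names, VPC range and CIDRs are constructed sample data.

```python
# Added example (not the company's code): an offline compliance check for the
# database-access and encryption-at-rest rules. The two inputs mirror the
# shape of AWS EC2 DescribeSecurityGroups and RDS DescribeDBInstances
# responses, but the groups, instance names, CIDRs and VPC range below are
# constructed.
import ipaddress
from typing import Dict, List

VPC_CIDR = "10.0.0.0/16"  # constructed: the application VPC's address range

SECURITY_GROUPS = [
    {"GroupId": "sg-app0001", "GroupName": "app-tier", "IpPermissions": []},
    # Compliant: database port reachable only from the application tier's group.
    {"GroupId": "sg-db0001", "GroupName": "db-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app0001"}]}]},
    # Non-compliant: database port open to the whole internet.
    {"GroupId": "sg-db0002", "GroupName": "db-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": []}]},
]

DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": False,
     "StorageEncrypted": True, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db0001"}]},
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True,
     "StorageEncrypted": False, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db0002"}]},
]


def rule_covers_port(rule: dict, port: int) -> bool:
    """IpProtocol '-1' means all traffic; otherwise check the port range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_db_instance(db: dict, sgs_by_id: Dict[str, dict], vpc_cidr: str) -> List[str]:
    """Return the policy findings for one database instance (empty = compliant)."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("instance is publicly accessible")
    if not db.get("StorageEncrypted"):
        findings.append("storage is not encrypted at rest")
    port = db["Endpoint"]["Port"]
    vpc = ipaddress.ip_network(vpc_cidr)
    for ref in db.get("VpcSecurityGroups", []):
        sg = sgs_by_id.get(ref["VpcSecurityGroupId"])
        if sg is None:
            findings.append(f"unknown security group {ref['VpcSecurityGroupId']}")
            continue
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            # Group-to-group rules (UserIdGroupPairs) stay inside the VPC and are
            # the intended pattern; any CIDR outside the VPC range is a finding.
            for ip_range in rule.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if not ipaddress.ip_network(cidr).subnet_of(vpc):
                    findings.append(f"{sg['GroupId']} allows {cidr} to port {port}")
    return findings


def audit_all(dbs: List[dict], sgs: List[dict], vpc_cidr: str = VPC_CIDR) -> Dict[str, List[str]]:
    """Audit every instance; maps instance identifier to its list of findings."""
    sgs_by_id = {sg["GroupId"]: sg for sg in sgs}
    return {db["DBInstanceIdentifier"]: audit_db_instance(db, sgs_by_id, vpc_cidr)
            for db in dbs}


if __name__ == "__main__":
    for name, findings in audit_all(DB_INSTANCES, SECURITY_GROUPS).items():
        print(name, "OK" if not findings else findings)
```

In a live environment the two lists would come from boto3 `describe_security_groups()` and `describe_db_instances()` calls, which return these same field names; running the check on a schedule turns the policy statements into something that can be verified rather than asserted.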

19. Physical security of systems hosting application & data

All data is hosted on Amazon Web Services; please refer to the AWS data centre physical security link below.

https://aws.amazon.com/compliance/data-center/controls/

Change Management, Incident Response & Exception Management

This policy outlines the rules relating to the management of change, incident response and exception management for any Digipayment Pty Ltd projects.

Scope

This policy applies to any person or systems that are developed or operated by Digipayment Pty Ltd (The Company).

Objectives

The purpose of this policy is to:

● Manage changes to the Application & its infrastructure

● To enable developers and clients to plan accordingly

● Promote communication and collaboration regarding change items

● To share knowledge with the End Users regarding any modifications

● Enable a smooth transition for new changes

● Minimize the likelihood of outages

● Maintain compliance with applicable regulations

● To reduce the impact of changes on other tasks/projects

Policy

The following outlines the process for submitting, reviewing, approving, deferring and closing change items.

Submittal of a Change Request

● Change requests are to be submitted via the Company’s Change Management system by the owner of the change.

● The change should not be completed until reviewed and approved according to procedures defined within this policy.

● All sections of the change request should be completed in a thorough manner.

● The documentation must identify the scope of the change, areas affected, back-out process, testing completed, communication plan and planned date of deployment.

● This is to be done at a level that ensures the scope as described can be accomplished and provides assurance that the change will have the desired result.

● Once a change request is submitted it will be known as a change item and is assigned a change number.

Review of New Change Items

● New change items are to be reviewed during daily meetings.

● The agenda of the change meeting should be to review each pending change item with the group to ensure all attending understand the change and its dependencies.

● Items that are understood and agreed to by all are motioned for approval.

● Any incomplete requests will be held or deferred as decided on during the meeting.

Approval & Deferral of Change Items

● Authorization of a change item occurs after the change is reviewed and depends on the priority.

Type: Standard

Discussion: This type of change is performed on a regular basis and is considered routine. The Change Management team manager always has the option of classifying some standard changes as major or emergency, forcing them through the approval process.

Authorization: Approval required unless labelled as major or emergency.

Notes: Considered SOP (standard operating procedures).

Type: Emergency

Discussion: This type of change is usually a response to a failure or error that needs an urgent fix.

Authorization: Approval required.

Notes: Emergency.

Type: Major

Discussion: This type of change requires a lot of items or dependencies and may require other associated change requests.

Authorization: Approval required.

Notes: Non-emergency. Similar to Significant but the impact is less.

Type: Minor

Discussion: Small changes, or changes that have a small or minor effect, are classified as such.

Authorization: Approval required.

Notes: Non-emergency.

Type: Significant

Discussion: These changes have a large impact on the organization. Similar to Major, except that significant changes might need to be divided into several partial subsequent changes that together would constitute a large significant change, depending on the policies and requirements of your organization.

Authorization: Approval required.

Notes: Non-emergency.

Items that are not approved according to the table above should not be implemented until the review and approval process is followed. Unapproved change items should only remain so for a short period of time. Items that cannot be approved and/or will not be deployed in a reasonable timeframe should be moved to deferred status and reactivated when the change is ready for deployment.

Closing a Change Request

● Change items that are previously approved and subsequently deployed are reviewed for closure during the change meeting.

● The owner of the change (or an informed representative) should be available at the change meeting to discuss the implementation. The review should note the status of the change item execution and any service or infrastructure impacts.

● If the change has performed as desired it may be closed.

● In the event a change does not perform as expected or causes issues to one or more areas of the production environment, the attendees of the change meeting will determine if the change should be removed and the production environment returned to its prior stable state.

● Appropriate action should be noted within the change application and successfully acted upon prior to marking the item closed.

Exceptions Management:

Exceptions to this policy will be handled in accordance with the Security Policy.

Incident Response:

In emergency cases, actions may be taken by the Development Team in accordance with the procedures in the ITS Incident Response Policy. These actions may include rendering systems inaccessible.

Business Continuity Plan & IT Disaster Recovery Plan

Scope

This policy applies to any person or systems that are developed or operated by DigiPayment Pty Ltd (The Company).

Objectives

The purpose of this policy is to define what would happen to our product(s) if any of the following services running in AWS region XYZ experienced an outage (S3, RDS, Dynamo, SNS, SES, Lambda, etc.):

How long before we fully recover?

How much data loss would we incur?

What process would we follow to recover?

How would we communicate status and next steps internally?

How would we communicate status and next steps to customers?

These questions quickly reminded us that DR planning requires direction from the business.

Recovery Time Objective (RTO): the length of time it would take us to swap to a second, hot production service in a separate AWS region.

Recovery Point Objective (RPO): the acceptable amount of offline time measured in time.

Policy & Procedure

This checklist provides possible initial actions that you might take following a disaster.

Plan initiation:

1. Notify senior management

2. Contact and set up disaster recovery team

3. Determine degree of disaster

4. Implement proper application recovery plan dependent on extent of disaster

5. Monitor progress

6. Notify users of the disruption of service

Application & API (Web Services)

All web services we develop are serverless and auto-scalable. We can redeploy our web services from our CI/CD channel in different availability regions in less than 15 minutes in case of disaster and redirect all traffic.

The UI component will be hosted as static web content and JavaScript.

Database

The likelihood of a database failure is low, as we run two database instances in two different availability zones; if one data centre is affected, the second instance remains available for service.

Disaster recovery for database:

● Option 1: Restore data using the point in time feature

● Option 2: Restore database from latest snapshot

● Option 3: Restore data from daily backup (cloud storage)

● Option 4: Restore data from offsite daily backup
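An added example, not the company's own code: a small Python helper that ranks the four restore options above against a declared RPO and RTO, so the question "how much data loss would we incur?" is answered before a restore is started. The incident time, recovery points, restore durations and the RPO/RTO targets are constructed assumptions, and RPO is treated here as the maximum tolerated data-loss window.

```python
"""Constructed example (not the company's own code): compare the database
restore options from the DR plan against assumed RPO/RTO targets."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RestoreOption:
    name: str
    recovery_point: datetime   # newest database state this option can restore to
    estimated_rto: timedelta   # hands-on time needed to bring the database back


def data_loss(option: RestoreOption, incident_time: datetime) -> timedelta:
    """Everything written after the recovery point is lost: the RPO exposure."""
    return incident_time - option.recovery_point


def rank_options(options, incident_time, rpo, rto):
    """Return (meets, fails): (name, loss, restore time) tuples sorted by data loss."""
    meets, fails = [], []
    for opt in sorted(options, key=lambda o: data_loss(o, incident_time)):
        loss = data_loss(opt, incident_time)
        ok = loss <= rpo and opt.estimated_rto <= rto
        (meets if ok else fails).append((opt.name, loss, opt.estimated_rto))
    return meets, fails


# Constructed scenario: incident at 10:00 UTC; targets are assumptions, not policy values.
INCIDENT = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=1)
RTO = timedelta(hours=4)
OPTIONS = [
    RestoreOption("Option 1: point-in-time restore", INCIDENT - timedelta(minutes=5), timedelta(minutes=45)),
    RestoreOption("Option 2: latest snapshot", datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc), timedelta(minutes=30)),
    RestoreOption("Option 3: daily backup (cloud storage)", datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc), timedelta(hours=2)),
    RestoreOption("Option 4: offsite daily backup", datetime(2024, 4, 30, 0, 0, tzinfo=timezone.utc), timedelta(hours=6)),
]


def recommended_option(options=OPTIONS, incident_time=INCIDENT, rpo=RPO, rto=RTO):
    """Name of the lowest-loss option that satisfies both targets, or None."""
    meets, _ = rank_options(options, incident_time, rpo, rto)
    return meets[0][0] if meets else None


if __name__ == "__main__":
    meets, fails = rank_options(OPTIONS, INCIDENT, RPO, RTO)
    for name, loss, restore_time in meets:
        print(f"meets  {name}: loss={loss}, restore time={restore_time}")
    for name, loss, restore_time in fails:
        print(f"FAILS  {name}: loss={loss}, restore time={restore_time}")
```

If no option meets the targets, the plan initiation step "determine degree of disaster" should escalate that gap to senior management rather than silently accepting the extra loss.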

Privacy Policy

Summary

We look after your personal information as if it was our own. Our Privacy Policy presents our commitment to:

● Limit the types of personal information that we need to collect to provide you with the customised edQuire experience;

● Collect personal information from the students, the students’ teachers and the students’ school to ensure that the information is accurate;

● Limit the purposes for which we collect personal information to those without which we cannot provide you with the edQuire experience;

● Provide you with access to your personal information that we hold and to update it;

● Limit the circumstances of your personal information being sent overseas and the measures we take to protect it as an Australian company operating internationally.

Kinds Of Personal Information That We Collect And Hold

Personal information includes information or an opinion about an individual that is reasonably identifiable. For example, this may include your name, age, gender, postcode and contact details.

We may collect the following types of personal information:

● Name

● Business name including ABN/ACN numbers

● Email addresses

● Telephone number and other contact details

● Statistics on page views, traffic to and from the sites, ad data, IP address and standard web log information

● Any additional information relating to you that you provide to us directly through our website or indirectly through your use of our website or online presence or through other websites or accounts from which you permit us to collect information; or any other personal information that may be required in order to facilitate your dealings with us.

How We Collect And Hold The Personal Information

We may collect personal information either directly from you, or from third parties. We may collect this information when you:

● Register on our website or in person;

● Communicate with us through correspondence, email or other electronic messages: the email/electronic message address you send from will be recorded automatically;

● Share information with us from other social applications, services or websites;

● Interact with our websites, services, content and apps: when you visit our website or use our products, services or apps;

● Web analytic software/cookies/click stream data: we use this to evaluate the effectiveness of our website;

● Social media: we may participate in social media and contact you;

● If you give us personal information about other individuals (e.g. staff, directors/partners or authorised persons) we ask that you tell the individual that you have done so and make them aware of this policy, for example, by giving them the link to it.

We protect your personal information from unauthorised access or alteration, disclosure or destruction. In particular, data that is transmitted on public networks is either anonymised or sent encrypted. We have protection measures for our personal information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to our information technology systems. We restrict access to personal information to authorised employees and contractors. Where contractors need to know that information in order to process it for us, they are subject to strict contractual confidentiality obligations.

Purposes For Collecting, Holding, Using And Disclosing Personal Information

We may collect, hold, use and disclose your personal information for the following purposes:

● To offer you tailored content like giving you more relevant features and services

● To enable you to access and use our website and our other services

● To operate, protect, improve and optimise our website, business and our members’ experience, such as to perform analytics, conduct research

● To send you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you or related to your membership

● To comply with our legal obligations, resolve any disputes that we may have with any of our users or members, and enforce our agreements with third parties

We may also disclose your personal information to:

● Our business partners whom we have endorsed to offer relevant services such as insurance, training and the like to our members; and

● Trusted third parties who also hold other information about you. This third party may combine that information in order to enable it and us to develop anonymised consumer insights so that we can better understand your preferences and interests, personalise your experience and enhance the services that you receive.

Accessing And Updating Your Personal Data

Whenever you use our services, we aim to provide you with access to your personal information. If that information is wrong, we strive to give you ways to update it quickly or to delete it unless we have to keep that information for legitimate business or legal purposes. When updating your personal information, we may ask you to verify your identity before we can act on your request.

Security

We may hold your personal information in either electronic or hard copy form. We take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your personal information in accordance with company security policy. However, we cannot guarantee the security of your personal information.

Complaint Resolution Mechanism

If you have a question, concern or complaint regarding the way in which we handle your personal information, you should contact our Privacy Officer directly at:

TAWAKAL SII PTY LTD

Email: contact@tsii.com.au

We will respond to you within a reasonable period to let you know who will be handling your request and when you can expect a further response.

If you are unsatisfied with our response you can contact the Office of the Australian Information Commissioner.
