Privacy Policy

Effective date: 30 June 2026
Last reviewed: 30 June 2026

Cyber Audit Team Pty Ltd (ACN 619 724 506, ABN 43 619 724 506), trading as Cyber Audit Team, respects your privacy and is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and other applicable Australian privacy and data protection obligations.

This Privacy Policy explains how we collect, hold, use, disclose, protect, and manage personal information. It applies to personal information collected through our website, client engagements, service delivery, events, communications, and ordinary business activities.

This Privacy Policy is intended to satisfy our obligations under Australian Privacy Principle 1. For the purposes of this Privacy Policy, “Cyber Audit Team”, “CAT”, “we”, “us”, or “our” means Cyber Audit Team Pty Ltd.

1. About Cyber Audit Team

Cyber Audit Team is an Australian cyber security and advisory services provider. We provide services that may include managed security services, security monitoring, security assessments, virtual Chief Information Security Officer (vCISO) services, Essential Eight (E8) and Microsoft 365 hardening, ISO 27001 and NIST Cybersecurity Framework (CSF) assessments, staff awareness training, incident support, and related cyber security advisory services.

In delivering these services, we may collect and handle personal information about clients, client personnel, website visitors, suppliers, business contacts, job applicants, contractors, and other individuals who interact with us.

2. What is personal information?

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not.

Examples include a person’s name, role, employer, email address, phone number, IP address where it can reasonably identify the person, and other information linked to that person.

3. What personal information we collect

The personal information we collect depends on how you interact with us and the services we provide. We may collect the following kinds of personal information:

  • Identity and contact information, such as your name, job title, employer, email address, phone number, business address, and communication preferences.
  • Business relationship information, such as records of enquiries, proposals, contracts, meetings, correspondence, service requests, training attendance, and client relationship notes.
  • Website and technical information, such as IP address, browser type, device type, operating system, referring website, pages viewed, date and time of access, approximate location derived from IP address, cookie identifiers, and analytics information.
  • Service delivery information, such as information required to deliver cyber security assessments, monitoring, advisory, incident response, training, or managed security services.
  • Security and telemetry information, such as logs, alerts, user account metadata, device or endpoint identifiers, domain names, email metadata, security event information, and other technical information relevant to the services we provide.
  • Training and awareness information, such as course enrolment, completion records, quiz results, phishing simulation results, and related reporting where these services are provided.
  • Supplier and contractor information, such as contact details, business information, payment details, and engagement records.
  • Recruitment information, if you apply for a role with us, such as your resume, employment history, qualifications, references, and other information provided during recruitment.
  • Compliance and legal information, such as records needed to manage contractual obligations, complaints, investigations, disputes, legal claims, regulatory enquiries, or audit requirements.

We generally do not seek to collect sensitive information through our public website. Sensitive information includes information about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, criminal record, biometric information, and certain other categories under the Privacy Act.

If we need to collect sensitive information, we will only do so where permitted by law, such as where we have your consent and the collection is reasonably necessary for one or more of our functions or activities, or where another exception under the Privacy Act applies.

Please do not submit sensitive information, confidential business information, security credentials, passwords, access keys, vulnerability details, legal advice, regulated data, or other highly confidential information through our website enquiry forms unless we have specifically requested it and appropriate safeguards have been agreed. If you provide sensitive information or highly confidential information to us without being asked, we will handle it in accordance with applicable laws and may delete, destroy, or de-identify it where we are not required to retain it.

4. Information we may handle when providing cyber security services

Because we provide cyber security services, we may handle information that is technically generated or client-controlled. This may include system logs, alerts, user account metadata, endpoint information, email security metadata, vulnerability information, incident artefacts, access records, configuration information, and other cyber security data.

Some of this information may contain personal information. For example, a log entry may contain a user’s name, email address, IP address, device identifier, or account activity. Where our tools or analysis generate information that is about an identified or reasonably identifiable individual, we treat that information as personal information and handle it in accordance with this policy.

Where we handle information on behalf of a client, we will usually do so in accordance with our contract, the client’s lawful instructions, and applicable legal obligations. The client may remain primarily responsible for notifying its own personnel, customers, or other individuals about how their personal information is handled within the client’s systems.

This Privacy Policy does not replace a client’s own privacy policy or collection notices for information collected within the client’s systems, applications, networks, or business processes.

5. How we collect personal information

We may collect personal information:

  • directly from you, such as when you contact us, complete a website form, subscribe to updates, attend a meeting, complete training, request a proposal, or communicate with us;
  • from your employer or organisation, such as when your details are provided as part of a client engagement;
  • from our clients, where we provide cyber security, advisory, monitoring, assessment, or incident response services.
  • automatically through our website, systems, security tools, cookies, analytics tools, and logging technologies;
  • from third parties, such as technology vendors, managed service providers, professional advisers, referees, event organisers, public registers, or publicly available sources;
  • from security platforms, endpoint tools, cloud systems, email security systems, ticketing systems, identity systems, and other tools used to deliver our services.

Where required, we will take reasonable steps to make individuals aware of relevant collection matters, including who we are, why we collect the information, who we may disclose it to, and how individuals may contact us about privacy matters.

We will collect personal information by lawful and fair means and, where reasonable and practicable, directly from the individual concerned.

6. Why we collect, use, and disclose personal information

We collect, use, and disclose personal information for purposes reasonably necessary for our business, services, and legal obligations.

These purposes may include:

  • responding to enquiries and requests;
  • providing proposals, quotes, contracts, and service information;
  • delivering cyber security, monitoring, advisory, assessment, training, and incident response services;
  • managing client relationships and service delivery;
  • operating, maintaining, securing, and improving our website, systems, and services;
  • administering training, awareness, phishing simulation, and reporting services;
  • detecting, investigating, preventing, and responding to cyber security threats, suspicious activity, fraud, misuse, or unlawful activity;
  • managing incidents, alerts, investigations, escalations, and support requests;
  • communicating with clients, suppliers, business contacts, and other stakeholders;
  • maintaining accurate business, financial, contractual, and audit records;
  • managing recruitment, employment, and contractor relationships;
  • meeting legal, regulatory, insurance, audit, professional, and contractual obligations;
  • protecting our rights, property, personnel, clients, systems, and lawful business interests;
  • improving our services, reporting, quality assurance, and client experience;
  • providing updates, newsletters, event invitations, or relevant service information where permitted by law.
  • any other purpose notified to you at the time of collection, or otherwise permitted by law.

We may also use de-identified or aggregated information for reporting, analytics, benchmarking, service improvement, and business planning. We will take reasonable steps to ensure that de-identified information does not identify an individual.

We do not currently offer customer accounts, memberships, payment processing, or online purchasing through our website.

7. Direct marketing

We may use your business contact details to send you relevant information about cyber security updates, services, events, training, or resources where permitted by law. We will only send electronic marketing communications in accordance with applicable laws, including the Spam Act 2003 (Cth).

You can opt out of marketing communications at any time by using the unsubscribe function in the communication or by contacting us using the details in this policy.

We will not sell your personal information to third parties.

8. Cookies, analytics, and website technologies

Our website may use cookies, pixels, analytics tools, server logs, and similar technologies to operate the website, understand website usage, improve functionality, support security, and measure the effectiveness of our content.

Cookies are small text files placed on your device by a website. Some cookies are necessary for the website to function. Others help us understand how visitors use our website.

Depending on our website configuration, we may use:

  • essential cookies required for site operation and security;
  • analytics cookies to understand website usage and performance;
  • preference cookies to remember settings or choices;
  • security-related cookies to help detect abuse or unauthorised activity.

You can control cookies through your browser settings. If you block cookies, some parts of the website may not function properly.

If we use advertising, remarketing, or behavioural tracking technologies, we will ensure that our website notices and this Privacy Policy accurately describe those technologies, and we will obtain consent where required by law.

9. When we disclose personal information

We may disclose personal information where reasonably necessary for the purposes described in this policy, including to:

  • our personnel, contractors, and related service delivery team members;
  • clients, where information is relevant to services we provide to that client or where the information was collected or generated in the course of providing services to that client;
  • technology vendors, cloud providers, hosting providers, security platforms, ticketing systems, analytics providers, communications providers, and managed service tools;
  • professional advisers, such as lawyers, accountants, auditors, insurers, and risk advisers;
  • training, event, and business administration providers;
  • payment, billing, and finance service providers;
  • regulators, government agencies, courts, tribunals, law enforcement bodies, and dispute resolution bodies where required or authorised by law;
  • third parties involved in a business sale, restructure, merger, acquisition, financing, or due diligence process;
  • other parties with your consent or as otherwise permitted by law.

We take reasonable steps to ensure that third parties who handle personal information on our behalf protect that information and use it only for authorised purposes.

10. Overseas disclosure

Some of our service providers, technology vendors, cloud providers, or support providers may store or process personal information outside Australia. The countries in which information may be handled can change depending on the systems and vendors used. The countries in which overseas recipients are likely to be located include Australia, New Zealand, the United States, the United Kingdom, member countries of the European Economic Area, and Singapore. These locations may change as our cloud, security, communications, analytics, and business service providers change. Where it is not practicable to specify a country, we will identify the general region instead.

Where we disclose personal information overseas, we will take reasonable steps to ensure that the overseas recipient handles the information consistently with the Australian Privacy Principles, unless an exception applies under the Privacy Act. These steps may include reviewing provider privacy and security practices, using contractual privacy, confidentiality, and security obligations, selecting reputable service providers, limiting the personal information disclosed, applying access controls, monitoring provider arrangements where reasonable, and requiring providers to use appropriate safeguards when engaging sub-processors.

Where our clients require specific data residency or overseas disclosure arrangements, these should be addressed in the relevant service agreement or statement of work.

11. Security of personal information

We take the security of personal information seriously. We take reasonable steps, including both technical and organisational measures, to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

Depending on the nature of the information and service, these measures may include:

  • access controls and least-privilege access;
  • multi-factor authentication;
  • encryption in transit and, where appropriate, encryption at rest;
  • logging and monitoring;
  • network and endpoint security controls;
  • vulnerability management;
  • secure configuration practices;
  • personnel confidentiality obligations;
  • supplier due diligence;
  • incident response processes;
  • backup and recovery controls;
  • secure disposal and retention processes.

No method of transmission or storage is completely secure. However, we take reasonable steps to protect personal information in line with our legal obligations, the sensitivity of the information, and the risks associated with our services. We limit access to personal information to personnel, contractors, and service providers who need access for authorised business purposes.

12. Data breaches and incident response

If we become aware of a suspected or actual data breach involving personal information, we will assess and respond to the incident in accordance with our legal obligations and incident response processes.
We aim to assess a suspected eligible data breach as soon as practicable, and in any event within 30 days of becoming aware of the suspected breach.

Where the Notifiable Data Breaches (NDB) scheme applies, we will assess whether the breach is likely to result in serious harm to affected individuals. If an eligible data breach has occurred, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.

Where we handle information on behalf of a client, we will work with the client in accordance with the applicable contract and incident response arrangements.

13. Retention and deletion

We keep personal information for as long as reasonably necessary for the purposes for which it was collected, including to provide services, meet legal and contractual obligations, resolve disputes, maintain business records, support security, and comply with audit, insurance, and regulatory requirements.

Retention periods may vary depending on the type of information, the service provided, contractual requirements, legal obligations, and operational need.

Security logs, incident records, assessment records, and service records may be retained for periods reasonably required for cyber security, audit, insurance, contractual, legal, and evidentiary purposes.
When personal information is no longer required, we will take reasonable steps to destroy it or de-identify it, unless we are required or permitted by law to retain it.

14. Access to personal information

You may request access to personal information we hold about you. We will respond to access requests within a reasonable period and in accordance with the Privacy Act. We may need to verify your identity before providing access.

In some circumstances, we may refuse access or provide limited access where permitted by law, such as where access would unreasonably affect another person’s privacy, prejudice security, reveal commercially sensitive information, or be otherwise unlawful. If we refuse access, we will explain the reason where it is reasonable and lawful to do so.

15. Correction of personal information

We take reasonable steps to ensure that personal information we hold is accurate, up to date, complete, relevant, and not misleading. You can help us keep your personal information accurate by advising us if your details change or if you believe information we hold about you is incorrect.

You may ask us to correct personal information we hold about you. If we are satisfied that the information is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps to correct it. If we do not agree to a correction request, you may ask us to associate a statement with the information noting that you consider it to be inaccurate, out of date, incomplete, irrelevant, or misleading.

Where we hold personal information on behalf of a client, we may need to refer an access or correction request to that client or consult with the client before responding.

16. Anonymity and pseudonymity

Where practicable and lawful, you may interact with us anonymously or using a pseudonym. However, this may not be possible where we need to identify you to provide services, respond to a request, manage a contract, deliver training, investigate a security matter, or comply with legal obligations.

17. Government identifiers

We do not adopt, use, or disclose government-related identifiers, such as tax file numbers or Medicare numbers, as our own identifiers unless permitted or required by law.

18. Automated decision-making and artificial intelligence assisted tools

We do not use personal information collected through our website to make automated decisions that have a legal or similarly significant effect on an individual.

In providing cyber security services, we may use automated or artificial intelligence assisted tools to help identify, prioritise, investigate, or report on cyber security risks, alerts, vulnerabilities, training activity, or suspicious activity. These tools support our service delivery and do not replace human review where a decision could materially affect an individual.

Where we use artificial intelligence assisted tools, we take reasonable steps to ensure that personal information is handled lawfully, securely, and consistently with this Privacy Policy. We do not knowingly input sensitive information, confidential client information, passwords, access credentials, security keys, regulated data, or other highly confidential information into public artificial intelligence tools unless appropriate safeguards have been assessed and implemented.

If we use, or arrange for the use of, a computer program to make, or do something substantially and directly related to making, a decision that could reasonably be expected to significantly affect an individual’s rights or interests, and personal information is used in that program, we will update this Privacy Policy in accordance with applicable Privacy Act requirements.

19. Employee records

This Privacy Policy applies to personal information we collect about job applicants, contractors, and prospective personnel. In some circumstances, the Privacy Act contains an exemption for employee records that are directly related to a current or former employment relationship. Where the exemption applies, we may rely on it. We will still take reasonable steps to handle employee information securely and appropriately.

20. Children and young people

Our website and services are primarily intended for business and organisational users. We do not knowingly collect personal information from children through our website. If we become aware that we have collected personal information from a child without appropriate authority, we will take reasonable steps to delete or de-identify that information, unless we are required or authorised by law to retain it. Where we provide services to a client that involve children or young people, we will handle relevant personal information in accordance with our contract, the client’s lawful instructions, and applicable legal obligations.

21. Links to third-party websites

Our website may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices, content, or security of third-party websites.

You should review the privacy policy of any third-party website you visit.

22. Complaints and enquiries

If you have a question, concern, or complaint about how we handle personal information, please contact us using the details below.

Privacy Contact
Cyber Audit Team Pty Ltd
Email: privacy@cyberauditteam.com
Phone: 1300 077 022
Address: 16 Nexus Way, Southport QLD 4215

Please include enough information for us to understand and respond to your enquiry or complaint.

We will acknowledge your complaint within a reasonable period and aim to respond within 30 days of receiving the information we reasonably need to assess it. If we need more time, we will let you know.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner.

Office of the Australian Information Commissioner
Website: https://www.oaic.gov.au
Phone: 1300 363 992

23. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business, services, systems, legal obligations, or privacy practices.

The current version will be published on our website. The effective date and last reviewed date at the top of this policy indicate when it was last updated.

We review this Privacy Policy at least annually and when our practices or legal obligations change.