Privacy Policy | CyberCorp Australia

1. Introduction

CyberCorp Australia ("we," "us," or "our") is committed to protecting and respecting your privacy. As a leading cybersecurity services provider, we understand the critical importance of data protection and privacy in today's digital landscape.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at cybercorp.com.au (the "Site") or engage with our cybersecurity services.

Our services include network security, cloud security, threat detection and response, compliance consulting, penetration testing, security operations center (SOC) services, and data protection solutions. Given the sensitive nature of our work, we maintain the highest standards of privacy and data protection.

Regulatory Compliance: This Privacy Policy complies with:

Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
General Data Protection Regulation (GDPR) for EU/EEA clients
Notifiable Data Breaches (NDB) scheme
Essential Eight Maturity Model for information security
Information Security Manual (ISM) published by the Australian Cyber Security Centre (ACSC)

2. Data Controller Information

CyberCorp Australia

Email: privacy@cybercorp.com.au

Phone: +61 (08) 6555 4935

For privacy-related inquiries, data access requests, or to exercise your rights under this policy, please contact our Privacy Officer at the email address above.

3. Information We Collect

3.1 Information You Provide Directly

Contact and Inquiry Information:

When you contact us or request information:

Full name and job title
Email address and phone number
Company name and size
Industry sector
Nature of inquiry or security concerns
Preferred contact method and time
Current security posture and requirements

Client Service Information:

When you engage our cybersecurity services:

Network and system architecture details
IP addresses and domain information
Security incident reports and logs
Vulnerability assessment data
Compliance documentation and audit trails
Access credentials for authorised security testing (encrypted)
Threat intelligence sharing preferences

Authentication and Account Data:

Email address and username
Encrypted password (hashed with bcrypt/Argon2)
Multi-factor authentication tokens
Security questions and answers (encrypted)
Account preferences and settings
Session information and activity logs

3.2 Information Collected Automatically

Security and Analytics Data:

IP address (logged for security monitoring)
Browser type, version, and language settings
Device type, operating system, and screen resolution
Pages visited, time spent, and navigation patterns
Referring website and search terms used
Geographic location (country/city level)
Security events and anomaly detection data
Failed login attempts and security violations

Cookies and Tracking Technologies:

We use secure cookies for:

Secure user authentication and session management
Security preferences and remember-me functionality
CSRF protection and security token validation
Analytics to improve user experience
Fraud detection and prevention

All authentication cookies are HttpOnly, Secure, and SameSite protected.

3.3 Sensitive Information

Special Category Data:

We generally do not collect sensitive information as defined by the Privacy Act 1988 (such as health information, racial or ethnic origin, political opinions, religious beliefs, etc.) unless:

You explicitly consent to such collection
It's required or authorised by law
It's necessary for legal proceedings or law enforcement
It's included in security incident reports you provide

4. Legal Basis for Processing

Under Australian Privacy Principles (APPs) and GDPR (where applicable), we process your personal information based on the following legal grounds:

Consent (APP 2.1, GDPR Art. 6(1)(a)):

Newsletter subscriptions
Marketing communications
Non-essential cookies
Testimonials and case studies

Contractual Necessity (APP 3, GDPR Art. 6(1)(b)):

Providing cybersecurity services
Responding to inquiries and quotes
Delivering threat intelligence
Managing service accounts

Legitimate Interests (APP 6, GDPR Art. 6(1)(f)):

Improving service quality and security
Analytics and performance monitoring
Network security and fraud prevention
Threat detection and incident response

Legal Obligation (APP 1, GDPR Art. 6(1)(c)):

Compliance with Australian law
Notifiable data breach reporting
Law enforcement cooperation
Regulatory compliance requirements

5. How We Use Your Information

We process your personal information for the following purposes, all related to providing and improving our cybersecurity services:

Service Delivery and Operations:

Providing cybersecurity services and support
Conducting vulnerability assessments and penetration testing
Monitoring security threats and anomalies
Incident response and forensic analysis
SOC operations and 24/7 security monitoring
Compliance auditing and reporting
Security configuration and hardening

Communication and Support:

Responding to inquiries and service requests
Providing security alerts and threat notifications
Delivering security reports and recommendations
Customer support and technical assistance
Training and security awareness programs

Security and Fraud Prevention:

Detecting and preventing security breaches
Identifying fraudulent activities and unauthorised access
Conducting security research and threat intelligence
Maintaining audit logs and forensic evidence
Enforcing our acceptable use policies

Analytics and Improvement:

Analyzing security trends and attack patterns
Improving our services and detection capabilities
Developing new security solutions
Performance monitoring and optimisation
Research and development activities

Legal and Compliance:

Complying with legal obligations and regulations
Responding to law enforcement requests
Protecting our legal rights and interests
Enforcing our terms and conditions
Reporting notifiable data breaches when required

Marketing (With Consent):

Sending newsletters and security updates
Informing you about new services and features
Sharing cybersecurity insights and best practices
Inviting you to webinars and training events

You can opt-out of marketing communications at any time using the unsubscribe link in our emails.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:

Service Providers and Partners:

We work with trusted third-party service providers who assist us in delivering our services:

Cloud infrastructure providers - data hosting and storage
SIEM and security analytics platforms - threat detection and monitoring
Threat intelligence vendors - security research and analysis
Payment processors - secure billing and invoicing
Email and communication platforms - customer notifications

All service providers are bound by data processing agreements and required to maintain strict confidentiality and security standards.

Legal Requirements:

We may disclose your information when required by law:

To comply with court orders, subpoenas, or legal processes
To respond to law enforcement or government requests
To report notifiable data breaches to the OAIC
To protect against legal liability or fraud
To enforce our rights or defend against claims

Business Transfers:

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction. We will notify you via email and/or prominent notice on our website of any such change in ownership or control of your personal information.

Threat Intelligence Sharing:

With your consent, we may share anonymized and aggregated threat intelligence with:

Industry security consortiums and ISACs
Government cybersecurity agencies (e.g., ACSC)
Trusted security research communities

Shared threat intelligence is always anonymized and cannot be used to identify individuals or organisations.

Emergency Situations:

We may disclose information without consent when necessary to prevent or lessen a serious threat to life, health, or safety, or to prevent or detect serious criminal activity, as permitted under APP 6.2.

7. International Data Transfers

Your information may be transferred to, stored, or processed in countries outside Australia, including the United States, European Union, and Singapore, where our service providers operate data centers.

Safeguards for International Transfers:

Standard Contractual Clauses (SCCs): We use EU-approved SCCs when transferring data to countries outside the EEA
Adequacy Decisions: We prioritize transfers to countries recognised by the EU Commission as providing adequate data protection
APP 8 Compliance: All cross-border disclosures comply with Australian Privacy Principle 8 requirements
Encryption in Transit: All international data transfers use TLS 1.3 encryption
Data Sovereignty: Australian government client data remains within Australian borders unless explicitly authorised

Primary Data Storage Locations:

Primary Storage:

Australia (Sydney) - AWS ap-southeast-2
Australia (Melbourne) - Azure australiaeast

Backup and Redundancy:

Singapore (ap-southeast-1)
European Union (Frankfurt)
United States (encrypted backups only)

By using our services, you acknowledge that your information may be transferred internationally as described above. You have the right to request that your data remain solely within Australian borders, though this may limit certain service features.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, improve security, and analyze our website performance.

Essential Cookies (Always Active):

Required for basic website functionality and security:

Session ID: Secure user authentication (HttpOnly, Secure, SameSite=Strict)
CSRF Token: Cross-site request forgery protection
Security Preferences: Remember your security settings
Load Balancing: Distribute traffic for optimal performance

Lifespan: Session duration or 30 days (remember-me functionality)

Analytics Cookies:

Help us understand how visitors use our website:

Google Analytics: Traffic analysis and user behavior (anonymized IP)
Heatmap Tracking: Understand user interaction patterns
Performance Monitoring: Page load times and errors

Lifespan: 13-24 months

Functional Cookies:

Language and region preferences
Dark/light theme selection
Form auto-fill preferences
Chat widget state

Lifespan: 12 months

Security and Fraud Prevention:

Bot detection and prevention
Anomaly detection for suspicious behavior
Rate limiting and DDoS protection
Device fingerprinting (for security only)

Lifespan: Varies (30 days to 24 months)

Managing Your Cookie Preferences:

You can control cookies through:

Our Cookie Consent Banner: Adjust your preferences when you first visit our site
Browser Settings: Most browsers allow you to refuse or delete cookies
Opt-Out Tools: Use Google Analytics Opt-out Browser Add-on

Note: Disabling essential cookies may impact website functionality and security features.

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy and comply with legal obligations.

Retention Periods by Data Type:

Account and Service Data:

Active accounts: Duration of service + 3 years
Closed accounts: 7 years (audit requirements)
Service contracts: 7 years after expiry

Security and Incident Data:

Security logs: 13 months (Essential Eight)
Incident reports: 7 years
Vulnerability scans: 3 years
Penetration test results: 5 years

Communication Data:

Email correspondence: 3 years
Support tickets: 5 years
Chat transcripts: 2 years

Analytics and Logs:

Website analytics: 26 months
Access logs: 13 months
Error logs: 90 days

Financial Records:

Invoices and receipts: 7 years (ATO requirement)
Payment information: 3 years

Marketing Data:

Newsletter subscribers: Until unsubscribed + 2 years
Marketing consent: 3 years from last interaction

Secure Data Deletion:

When retention periods expire, we securely delete or anonymize your data using:

Cryptographic Erasure: Encryption keys are destroyed, rendering data unrecoverable
Secure Deletion: DoD 5220.22-M or NIST 800-88 standards for data wiping
Anonymization: Personal identifiers removed for statistical analysis
Hardware Destruction: Decommissioned storage devices physically destroyed

We may retain data longer if required by law, legal proceedings, or to establish, exercise, or defend legal claims. You can request early deletion of your data subject to these requirements.

10. Your Privacy Rights

Under Australian Privacy Principles and GDPR (where applicable), you have the following rights regarding your personal information:

Right to Access (APP 12, GDPR Art. 15)

Request a copy of the personal information we hold about you, including details of how it's used and who it's shared with.

Right to Rectification (APP 10, GDPR Art. 16)

Request correction of inaccurate, incomplete, or out-of-date personal information.

Right to Erasure (APP 11, GDPR Art. 17)

Request deletion of your personal information, subject to legal retention requirements and security obligations.

Right to Restrict Processing (GDPR Art. 18)

Request limitation of how we process your data in certain circumstances.

Right to Data Portability (GDPR Art. 20)

Receive your data in a structured, machine-readable format (JSON, CSV, or XML) for transfer to another service provider.

Right to Object (APP 6, GDPR Art. 21)

Object to processing of your data for direct marketing, research, or where processing is based on legitimate interests.

Right to Withdraw Consent (APP 2, GDPR Art. 7)

Withdraw your consent for data processing at any time, though this won't affect processing that occurred before withdrawal.

Right to Lodge a Complaint (APP 1, GDPR Art. 77)

File a complaint with the Office of the Australian Information Commissioner (OAIC) or relevant EU supervisory authority.

How to Exercise Your Rights:

To exercise any of these rights, contact our Privacy Officer at privacy@cybercorp.com.au

What we need from you:

Proof of identity (to prevent unauthorised access)
Specific details of your request
Preferred method of response (email, postal mail, phone)

Response timeframes:

Standard requests: 30 days
Complex requests: Up to 60 days (we'll notify you if extension needed)
Urgent security-related requests: 5 business days

Most requests are free. We may charge a reasonable fee for excessive or manifestly unfounded requests, or for additional copies of data beyond the first.

11. Security Measures

As a cybersecurity company, we employ industry-leading security measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction.

Our Security Framework:

Essential Eight Compliance:

Application control and whitelisting
Patch management (automated within 48 hours)
Multi-factor authentication (mandatory)
Application hardening
Restricted administrative privileges
Operating system hardening
Daily backups with offline storage
Continuous security monitoring

ISO 27001 Controls:

Information Security Management System (ISMS)
Risk assessment and treatment
Access control policies
Cryptographic controls
Physical and environmental security
Incident management procedures
Business continuity planning
Supplier security assessments

Technical Security Measures:

Encryption:

TLS 1.3 for data in transit
AES-256 for data at rest
End-to-end encryption for sensitive communications
Encrypted backups with separate key management

Access Controls:

Role-based access control (RBAC)
Principle of least privilege
Mandatory MFA for all accounts
Biometric authentication options

Network Security:

Next-generation firewalls (NGFW)
Intrusion detection/prevention systems (IDS/IPS)
Web application firewall (WAF)
DDoS protection and mitigation

Monitoring & Response:

24/7 Security Operations Center (SOC)
SIEM with real-time alerting
Automated threat detection
Incident response team on standby

Organisational Security:

Security Clearances: All staff undergo background checks and security vetting
Training: Mandatory annual security awareness training and quarterly updates
Confidentiality Agreements: All personnel sign NDAs and confidentiality clauses
Vendor Management: Third-party security assessments and ongoing monitoring
Audit Trails: Comprehensive logging of all data access and modifications

Testing and Validation:

Penetration Testing: Quarterly external and internal pentests by certified professionals
Vulnerability Scanning: Continuous automated scanning with weekly reports
Code Reviews: Security-focused code reviews for all production deployments
Disaster Recovery Drills: Bi-annual full DR testing and validation
Red Team Exercises: Annual adversary simulation and purple team operations

Security Breach Notification:

In the unlikely event of a data breach that poses serious harm to affected individuals, we will:

Notify the OAIC within 72 hours (as required by the NDB scheme)
Notify affected individuals as soon as practicable
Provide clear information about the breach and recommended protective steps
Offer identity protection services if appropriate
Conduct a thorough post-incident review and implement corrective measures

12. Children's Privacy

Our services are designed for business and enterprise use. We do not knowingly collect personal information from individuals under 18 years of age without parental or guardian consent.

If you believe we have inadvertently collected information from a minor without appropriate consent, please contact us immediately at privacy@cybercorp.com.au, and we will promptly delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You:

Material Changes: We will notify you by email at least 30 days before the changes take effect
Minor Updates: Posted on this page with an updated "Last Updated" date
Significant Changes: May require your re-consent where legally required

We encourage you to review this Privacy Policy periodically. Continued use of our services after changes take effect constitutes acceptance of the updated policy.

14. Privacy Complaints Process

If you believe we have breached the Australian Privacy Principles or have a privacy-related complaint:

Step 1: Contact Us

Email our Privacy Officer at privacy@cybercorp.com.au with:

Your name and contact details
Details of your complaint
Any supporting evidence or documentation
The outcome you're seeking

We will acknowledge your complaint within 5 business days.

Step 2: Investigation

We will investigate your complaint and provide a written response within 30 days. For complex matters, we may request an extension and will keep you informed of progress.

Step 3: External Resolution

If you're not satisfied with our response, you can escalate to:

Office of the Australian Information Commissioner:

Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

For EU/EEA residents:

Your local supervisory authority
Directory: edpb.europa.eu

Contact Information

For any questions, concerns, or requests regarding this Privacy Policy:

Privacy Officer: CyberCorp Australia Privacy Team

Email: privacy@cybercorp.com.au

Phone: +61 (08) 6555 4935

Phone: +61 (08) 6555 4935
Email: contact@cybercorp.com.au
Response time: 2 business days

We will respond to inquiries within 2 business days.

This Privacy Policy complies with the Privacy Act 1988 (Cth), Australian Privacy Principles, GDPR, and cybersecurity best practices. CyberCorp Australia is committed to protecting your privacy with industry-leading security measures.