Effective date: 15 June 2026
This policy forms part of the Terms and the Privacy Policy and outlines how we collect, store, protect, process and manage user and client information. We are committed to commercially reasonable administrative, technical and physical safeguards designed to protect data against unauthorised access, misuse, interference, loss, corruption, alteration, disclosure or destruction, consistent with Australian law, including the Privacy Act 1988 (Cth), the APPs, the Notifiable Data Breaches scheme, and the Electronic Transactions Act 1999 (Cth).
10.1 Purpose
The purpose of this policy is to protect data; maintain confidentiality, integrity and availability; set security obligations for users, staff, contractors and authorised third parties; support compliance and security best practice; and minimise risks from cyber threats, data breaches, fraud and system compromise.
10.2 Security measures
We implement layered controls and commercially reasonable safeguards across the data lifecycle, which may include, without limitation:
- Encryption and secure transmission: encryption of data at rest and in transit; secure HTTPS and TLS communications; encrypted storage and backups; and secure API authentication, including tokenised authentication and encrypted ingestion for bank feed data via Fiskil.
- Access controls and authentication: role-based access controls; multi-factor authentication; secure credential management; and session and account monitoring.
- Monitoring and threat detection: continuous monitoring; automated detection of suspicious activity; security logging and audit trails; and intrusion detection and incident response.
- Testing and maintenance: internal security reviews and vulnerability assessments; independent penetration testing where appropriate; and timely deployment of patches and updates.
- Data handling and storage: segregation of sensitive data where appropriate; controlled production access; secure storage and backup procedures; and data minimisation and retention controls.
We may modify or enhance security measures at any time to address evolving threats or operational requirements.
10.3 User responsibilities
Security is a shared responsibility. You must maintain secure credentials; enable multi-factor authentication where available; securely store exported or downloaded records; restrict unauthorised access to your devices and accounts; promptly notify us of any suspected unauthorised access, security incident, phishing attempt or data breach; ensure information you upload does not contain malicious code or unlawful material; and comply with reasonable security instructions. You are responsible for activity under your account caused by a failure to maintain adequate security.
10.4 Information handling
Information may be collected and processed to provide the Services, including user data, system logs, processed information, Bank Feed Data via Fiskil, AI Memory data, and depreciation schedules and fixed asset registers. Information may be stored in secure hosted environments; retained for legal, compliance, backup, operational and audit purposes; accessed by authorised personnel, contractors or providers strictly on a need-to-know basis; and disclosed where required by law. We take reasonable steps to keep personal information accurate and protected against misuse, interference and loss.
10.5 Security commitments
We are committed to alignment with ISO 27001 security principles where commercially appropriate; compliance with applicable Australian privacy and data protection laws; regular internal reviews and penetration testing where applicable; ongoing monitoring and incident response; secure encryption standards; and compliance with applicable breach-notification obligations.
10.6 Data breach and incident response
We maintain procedures to identify, investigate, contain, document and remediate suspected incidents, as described in the Incident Response and Breach Notification Policy. You must promptly report any suspected incident or unauthorised access involving your account.