Privacy policy.

DV3 Holdings Pty Ltd trading as Assurance Bureau ("Assurance Bureau", "we", "us", "our") is committed to handling personal information responsibly and transparently. This policy explains how we collect, use, store, and disclose personal information in the course of providing assurance, auditing, consulting, and advisory services, and sets out our voluntary alignment with the Australian Privacy Principles (APPs).

Our Position Under the Privacy Act

The Privacy Act 1988 (Cth) applies to Australian Government agencies and to private sector organisations that meet specific eligibility criteria — principally an annual turnover exceeding $3 million, or operation in certain regulated sectors such as health services, credit reporting, or as a contracted service provider to the Commonwealth. Assurance Bureau does not currently meet those criteria and is not required to comply with the Privacy Act or the Australian Privacy Principles (APPs) as an APP entity.

It is also possible for a small business to voluntarily elect to be treated as an APP entity under section 6EA of the Privacy Act, by notifying the Office of the Australian Information Commissioner. Assurance Bureau has not made that election. We note that many businesses represent themselves as being bound by the Privacy Act without meeting the eligibility criteria or making a formal section 6EA election — a common but technically inaccurate position. Information about the opt-in mechanism is available from the OAIC.

Notwithstanding the above, we have chosen to voluntarily align our personal information handling practices with the APPs as a matter of professional commitment and good practice, informed by our background in information security, governance, risk, and compliance. References to specific APPs throughout this policy reflect that voluntary alignment rather than a legal obligation. Our privacy practices are also informed by ISO 27701 (Privacy Information Management) as a recognised international privacy framework, reflecting our professional engagement with that standard in the course of our audit and consulting work.

The Privacy Act will apply to Assurance Bureau's handling of personal information in the following circumstances:

  • Where we are directly engaged by a Commonwealth Government agency under a contract involving the handling of personal information, in accordance with the contracted service provider provisions of the Act.

  • Where we are engaged by any client — government or private — whose contract requires us to comply with the Privacy Act or the APPs in respect of personal information handled under that engagement.

  • Where flow-down privacy obligations from a prime contractor's government engagement require us to handle personal information consistently with the Act.

In those circumstances, our voluntary alignment means no material change to how we handle information in practice — our standards already meet or exceed the APPs.

Open and Transparent Management (APP 1)

This policy sets out how Assurance Bureau handles personal information, consistent with our voluntary alignment with Australian Privacy Principle 1. We make this policy publicly available and review it at least annually and following any material change to our services or technology tools. Active clients will be notified directly of material changes.

We handle two distinct categories of information:

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not, as defined in the Privacy Act 1988 (Cth).

Confidential corporate information is information provided by clients in the course of an engagement that is not publicly known and relates to the client's systems, operations, security posture, or business. This includes audit evidence, ISMS documentation, assessment artefacts, system architectures, and similar engagement materials. The handling of confidential corporate information is governed primarily by our Engagement Terms, available at assurancebureau.org/engagement-terms. This policy applies to personal information only.

Collection of Personal Information (APP 3)

Consistent with Australian Privacy Principle 3, we collect only personal information that is reasonably necessary for our functions and activities.

We may collect personal information such as:

  • Contact details (name, email address, phone number)

  • Business and role information

  • Information provided as part of audit, IRAP assessment, or consulting engagements

  • Information submitted via forms, email, or phone

  • Email addresses collected through our website or social media pages for marketing communications, where you have opted in to receive them

  • Information collected from publicly available sources, including LinkedIn, company websites, and public registries, in the course of pre-engagement research, audit scoping, or marketing activities

  • Information provided through referrals or introductions from third parties such as partners or industry contacts

  • Information collected in the context of government panel or tender processes, including personnel details, credentials, and clearance information where required

  • Website usage data (analytics, device information, IP address)

We do not knowingly collect sensitive information unless required for lawful or engagement-related purposes.

Where we collect personal information from publicly available sources or third parties, we will only use it for purposes that would be reasonably expected given the context of collection, consistent with APP 3.

How We Use Personal Information (APP 6)

Consistent with Australian Privacy Principle 6, we use personal information collected under this policy only for the primary purpose for which it was collected, or a directly related secondary purpose that individuals would reasonably expect.

We use personal information to:

  • Deliver audit, IRAP assessment, consulting or advisory services

  • Communicate with clients, certification bodies, the Australian Signals Directorate, and other relevant stakeholders

  • Operate, maintain and improve our website and services

  • Meet contractual, legal, audit-scheme or IRAP program requirements

  • Manage our business operations and records

  • Send service updates or marketing communications where you have opted in — you may withdraw consent and opt out at any time using the unsubscribe link in any communication or by contacting us via the privacy contact form on our website

We do not sell personal information.

Disclosure of Personal Information (APP 6)

Consistent with Australian Privacy Principle 6, we disclose personal information only where authorised or required. We may disclose personal information to:

  • Certification bodies where work is performed under their authority

  • The Australian Signals Directorate (ASD) where required in connection with IRAP assessment activities

  • Legal or regulatory authorities where required by law

  • Parties authorised by the individual or organisation providing the information

  • Technology and cloud service providers used to operate our business systems, as described under Technology Tools and Third-Party Services below

We do not engage human subcontractors or associates who access client personal data in the course of delivering services on our behalf. Where this changes in the future, any such parties will be subject to confidentiality obligations and required to handle personal information consistently with this policy and the APPs. Where we engage third-party service providers who handle personal information, we require that they hold ISO 27001 certification or an equivalent recognised security standard at a minimum.

Overseas Disclosure (APP 8)

Consistent with Australian Privacy Principle 8, we take reasonable steps to ensure that personal information disclosed to overseas recipients is handled in a manner consistent with the APPs.

Engagement and business data is stored primarily within Microsoft 365, which provides Australian data centre residency for core workloads including email, documents, and SharePoint. Our primary operational data does not leave Australia under standard usage.

Some technology service providers we use may store or process information outside Australia, including in the United States, United Kingdom, or European Union. These providers are engaged under commercial agreements that include appropriate data processing, security, and confidentiality terms. We do not disclose personal information to overseas recipients for purposes unrelated to the delivery of our services.

Confidential Corporate Information

The handling of confidential corporate information is governed by our Engagement Terms, available at assurancebureau.org/engagement-terms. Key commitments under those terms include:

  • Confidential information is used only to deliver the engagement, meet legal obligations, or comply with audit-scheme requirements

  • Confidential information is not shared with third parties without consent, unless required by law or scheme rules

  • Assurance Bureau personnel hold appropriate security clearances where required

  • Client information is handled consistently with the Australian Privacy Principles where it contains personal information

  • At the conclusion of an engagement, client corporate information is returned or destroyed at the client's request, with written confirmation provided

Where Assurance Bureau delivers services through a certification body or white label arrangement and operates within that organisation's technology environment, personal information processed in that environment is subject to the certification body's or principal's privacy policy and data handling practices. This policy applies to information handled within Assurance Bureau's own systems only.

IRAP Assessments and Government Engagements

Information handled in the context of IRAP assessments or Australian Government engagements may be subject to additional confidentiality and handling obligations under ASD program requirements, the Protective Security Policy Framework (PSPF), or agency-specific agreements. Where applicable, those obligations take precedence over the general terms of this policy and our Engagement Terms.

Assurance Bureau personnel hold appropriate security clearances where required for the handling of sensitive information. All personnel are subject to background verification and criminal history checks. Client information provided for assessment purposes is used solely for that purpose and is not retained beyond engagement requirements.

Security of Information (APP 11)

As practitioners in information security, GRC, and ISO 27001 auditing, we apply the same frameworks we use to assess our clients to our own operations. Our security controls are informed by ISO 27001 and ISO 27701, ensuring our practices reflect recognised international standards rather than a minimum compliance threshold.

Consistent with Australian Privacy Principle 11, we take reasonable steps — including technical and organisational measures — to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These controls apply to all information we hold, including personal information and confidential corporate information.

Our controls include:

  • Endpoint security: All devices used for business purposes are centrally managed and subject to enforced configuration and compliance policies, including full disk encryption, automated patching, and endpoint protection. Devices that do not meet compliance requirements are prevented from accessing business systems and data.

  • Identity and access: Strong authentication is enforced across business accounts. Access is provisioned on a least privilege basis, with administrative access segregated from standard user access.

  • Credential management: Business credentials are managed using a dedicated password manager with MFA enforcement, ensuring unique and strong credentials across all systems and services.

  • Data protection: Engagement and business data is stored in a secured cloud environment with Australian data residency. Data is encrypted in transit and at rest. Retention and deletion are enforced through automated policy controls.

  • Device loss or theft: Remote wipe capability is available and full disk encryption ensures data is not accessible without authentication if a device is lost or stolen.

  • Personnel security: All Assurance Bureau personnel hold current background verification and criminal history checks, and appropriate security clearances where required.

  • Security awareness: We maintain ongoing awareness of the Australian cyber threat landscape, supported by professional certifications across information security, governance, and assurance disciplines.

Where clients have specific requirements for secure transfer of engagement materials, we can accommodate client-specified methods and controls on request.

Data Breach Notification

Assurance Bureau is not subject to the Notifiable Data Breaches (NDB) scheme as a small business operator not currently covered by the Privacy Act 1988 (Cth). However, we are committed to handling any breach of personal information responsibly and transparently.

Where we become aware of a data breach involving personal information we hold that is likely to result in serious harm to any affected individual, we will:

  • Notify affected individuals as soon as practicable, with details of the nature of the breach, the information affected, steps taken to contain it, and any recommended actions

  • Where the breach involves information held in connection with a client engagement, notify the relevant client organisation promptly as the primary point of contact

  • Take immediate steps to contain the breach and prevent further unauthorised access or disclosure

  • Review the circumstances and implement measures to reduce the likelihood of recurrence

We will not delay notification unreasonably where it is clear that serious harm is likely.

Where we are subject to the Privacy Act in accordance with the circumstances described in the preamble of this policy, we will comply with the NDB scheme requirements for any eligible data breach.

Technology Tools and Third-Party Services

We use cloud and technology services to operate our business. The following summarises the key services that handle personal information, along with their primary certifications and data handling basis.

  • Microsoft 365 Business Premium — Email, documents, business operations. ISO 27001, ISO 27701, SOC 2 Type II, IRAP assessed. Automatic DPA; Australian data residency for core workloads. Further information: microsoft.com/en-us/trust-center

  • Claude Pro (Anthropic) — AI drafting and analysis. Consumer terms only, no DPA. Training disabled; 30-day retention; de-identified inputs only. Further information: trust.anthropic.com

  • Xero — Accounting and invoicing. ISO 27001, SOC 2 Type II. Automatic DPA; Australian and New Zealand data residency. Further information: xero.com/au/legal/privacy

  • Stripe — Payment processing via Xero. PCI-DSS, ISO 27001, SOC 2 Type II. Formal DPA; payment data not stored by Assurance Bureau. Further information: stripe.com/legal/privacy-center

  • Squarespace — Website hosting, mailing list. ISO 27001, SOC 2 Type II. GDPR-compliant DPA. Further information: squarespace.com/privacy

  • Google Search Console and My Business — SEO and search visibility. No client data processed; no visitor cookies set. Further information: policies.google.com/privacy

  • Bing Webmaster Tools — SEO and search visibility. No client data processed; no visitor cookies set. Further information: microsoft.com/en-us/trust-center

AI tool controls: We do not input identifiable client information or non-public client data into AI tools. Where client materials inform AI-assisted work, all personal information and client-identifying details are removed or anonymised prior to use. We periodically delete AI conversation history as an additional control. Clients who prefer that no AI tools be used in connection with their engagement may request this at any time and we will accommodate that preference.

Social media: We maintain a presence on various social media platforms. Visitors to our pages and individuals who interact with our content are subject to the privacy policies of those respective platforms. Personal information received via direct messages or enquiries on social media is handled consistently with this policy. We do not embed social media tracking widgets on our website.

Data Retention and Destruction (APP 11.2)

Consistent with Australian Privacy Principle 11.2, we retain personal information only for as long as required for the purpose of collection, or as required by law, contract, or audit-scheme obligations.

Our standard retention periods are:

  • Engagement records and all associated correspondence — 7 years

  • Marketing subscriber records — Retained in suppressed form following unsubscribe; deleted on request via the privacy contact form

  • AI tool conversation history — Up to 30 days on Anthropic's systems; periodically deleted from our account

Personal information may be deleted earlier than the periods above on request, where no legal or contractual obligation requires its continued retention. Requests can be submitted using the privacy contact form on our website.

Retention is enforced through automated policy controls across our Microsoft 365 environment. At the end of the applicable retention period, information is automatically deleted or de-identified unless a legal hold or continuing obligation applies.

Where a client requests the return or destruction of their corporate information at the conclusion of an engagement, we will action that request promptly and confirm completion in writing.

Website Cookies and Analytics

Our website uses Squarespace's native analytics in cookieless mode. No analytics cookies are placed on visitors' browsers and no personally identifiable visitor information is collected for analytics purposes.

Squarespace places necessary cookies to support core website functionality. These do not require consent.

Our website integrates with Google My Business, which may contact Google's servers to load business information. No Google cookies are placed on visitors' browsers as a result of this integration.

We do not use advertising, marketing, or social media tracking cookies. We do not embed social media widgets. If this changes, this policy will be updated and consent sought accordingly.

Our cookie banner provides options to accept, manage, or decline all non-essential cookies. In practice, the only cookies currently set are Squarespace's necessary cookies, which are unaffected by consent preferences.

Third-Party Links

Our website may contain links to external sites. We are not responsible for the privacy practices or content of those sites and encourage you to review their privacy policies before providing personal information.

Access and Correction (APP 12 and APP 13)

Consistent with Australian Privacy Principles 12 and 13, you may request access to personal information we hold about you, or request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond within 30 days. Requests can be submitted using the privacy contact form on our website. We may ask you to verify your identity before processing a request.

Access rights apply to personal information only. Confidential corporate information is not subject to third-party access requests and will only be disclosed to the client organisation or their authorised representatives.

Privacy Complaints

If you believe we have handled your personal information in a way that does not align with our commitments under this policy, you may submit a complaint using the privacy contact form on our website. We will acknowledge your complaint promptly and respond within 30 days.

As Assurance Bureau is not currently an APP entity, the OAIC does not have jurisdiction to investigate complaints about our personal information handling in most circumstances. However, if you wish to seek independent guidance:

  • Website: oaic.gov.au

  • Phone: 1300 363 992

  • Post: GPO Box 5218, Sydney NSW 2001

Where we are subject to the Privacy Act in accordance with the circumstances described in the preamble, individuals may also direct complaints to the OAIC in the usual manner.

Changes to This Policy

We review this policy at least annually and following any material change to our services or technology tools. Active clients will be notified directly of material changes.

Last Updated: 7 April 2026
