Privacy & Confidentiality Policy

What Data Do We Collect?

We collect data required to provide the agreed services and support our free consultations. The categories of data we collect include:
  • Contact Information: Name, email address, phone number, and company name for relationship management and logistical purposes.
  • System Information: Details about your systems, processes, and tools to facilitate scoping, service delivery, and compliance audits.
  • Business Information and Documentation: Records such as policies, procedures, contracts, and operational documentation necessary for conducting audits and verifying compliance.
  • Additional Information Provided by You: Any other documentation or details you voluntarily share during an active audit engagement.

We collect this information solely for legitimate purposes and treat all data in strict confidence. The specific data types, sources and retention periods are tracked in AssuranceLab's Data Register for monitoring and governance.

How Do We Use Your Data?
The data collected is used to:

  • Deliver tailored services and accurate quotations.
  • Facilitate audit engagements and related compliance activities.
  • Maintain contact and manage our relationship with you.
  • Ensure the quality and accuracy of our services.

We restrict the use of your data to AssuranceLab and only share it with partners, regulators, industry bodies or other related parties where there is a legitimate interest in supporting you or in assuring the quality of our work. This quality assurance may relate to our peer review program, compliance and governance requirements, our firm's accreditations and credentials, or a potential business deal involving the sale or transfer of all or part of our business or assets. We do not sell or share your data for any other purpose. Further details of our handling practices are set out in AssuranceLab's data handling policies.

Where Does Your Data Go?
We may use the data collected in the following systems, depending on the stage and requirements of the support we are providing you:

  • AWS: Hosts Pillar, an internal application and suite of tools responsible for storing audit information. Additionally, AWS powers integrations with other audit systems mentioned below.
  • Checkbox.ai: The platform used for our free tools, automated SOC 2 assessments and workflows. Checkbox.ai has completed a SOC 2 Type II report issued by a Big 4 firm.
  • Google Workspace: Google Business products used for our client communications. We secure these systems with multi-factor authentication and Google Business grade security practices. Google issues SOC 1, SOC 2 and SOC 3 reports at least annually.
  • Gong: revenue intelligence platform used for note taking and analysis of sales calls to provide effective and tailored support pre-sales.
  • HubSpot: Our customer relationship management (CRM) system, used for marketing emails, account tracking, and hosting our website content management system (CMS). HubSpot issues SOC 2 Type II reports annually.
  • OpenAI: AI models accessed via the API to conduct audit reviews. We apply enterprise security settings that prevent training on our data and prevent access by OpenAI without permission. OpenAI issues SOC 2 Type II reports.
  • Pillar: Our in-house developed platform for managing audits and supporting our clients' compliance programs. We conduct annual SOC 2 audits and penetration tests.
  • Retool: No-code development platform that we use to pull client documents for review by our AI audit models and to produce the results for our auditors to review.
  • Trello: Used for some clients, when preferred, for tracking your requirements and assurance reporting steps. Atlassian issues SOC 2 Type II reports for Trello.
  • Xero: A cloud-based application used for company accounting and invoicing. Xero issues SOC 2 Type II reports.
  • Monday.com: Our platform for managing audits and supporting our clients' compliance programs. Monday.com issues SOC 2 Type II reports and is ISO 27001 certified. For more details, refer to their Trust Centre.

In each of the above, we minimise the data stored in each location based on what is required to effectively support our services to you.

Data Retention and Disposal
We retain all data collected until deletion is requested, so that we can effectively provide our services and tailor our support based on the history of your interactions with us. You may request deletion of your data at any stage by contacting us at info@assurancelab.com.au. Based on our own compliance requirements, we retain audit files for seven (7) years; this includes all audit documentation shared with us to verify your compliance. We encourage our clients to sanitise, mask or otherwise reduce the sensitivity of documentation shared with us.

AssuranceLab Tools
Our free tools, assessments and applications are built in Checkbox.ai and our platform, Pillar. They collect data from your responses to questions to provide automated and tailored outputs like readiness reports, policy automation and system descriptions that help you prepare for and support your compliance goals using our services.

We use the data to provide you with our services. We may also use that data at an anonymised and statistical level to provide guidance and benchmarking to our clients, partners and associates. We avoid publishing any statistics that would compromise confidentiality, including any 0% or 100% figures or specifics that could be used to identify attributes of an individual customer or user. The raw data is stored in Checkbox.ai or Pillar, hosted in the Amazon Web Services (AWS) environment. We do not export any data from this environment, except in the output reports sent to you or after it has been anonymised for statistical analysis.

If you have any concerns over security, privacy or confidentiality, we support the use of an alias contact and company name to prevent your data from being identifiable. This requires the use of a non-business email address and contacting us separately to advise of the alias, so we can send the report to the correct person in a secure manner.

What Are Your Rights?
We support all rights under the EU GDPR, the Australian Privacy Act, the Californian Consumer Protection Act and any other reasonable requests related to your private data. For any requests related to your data, please email info@assurancelab.com.au or call +61 (0) 490 086 000.