Privacy policy.

DV3 Holdings Pty Ltd trading as Assurance Bureau ("Assurance Bureau", "we", "us", "our") is committed to handling personal information responsibly and transparently. This policy explains how we collect, use, store, and disclose personal information in the course of providing assurance, auditing, consulting, and advisory services, and sets out our voluntary alignment with the Australian Privacy Principles (APPs).

Our Position Under the Privacy Act

The Privacy Act 1988 (Cth) applies to Australian Government agencies and to private sector organisations that meet specific eligibility criteria — principally an annual turnover exceeding $3 million, or operation in certain regulated sectors such as health services, credit reporting, or as a contracted service provider to the Commonwealth. Assurance Bureau does not currently meet those criteria and is not required to comply with the Privacy Act or the Australian Privacy Principles (APPs) as an APP entity.

It is also possible for a small business to voluntarily elect to be treated as an APP entity under section 6EA of the Privacy Act, by notifying the Office of the Australian Information Commissioner (OAIC). Assurance Bureau has not made that election. We note that many businesses represent themselves as being bound by the Privacy Act without meeting the eligibility criteria or making a formal section 6EA election, which is a common but technically inaccurate position. Information about the opt-in mechanism is available from the OAIC at oaic.gov.au.

Notwithstanding the above, we have chosen to voluntarily align our personal information handling practices with the APPs as a matter of professional commitment and good practice, informed by our background in information security, governance, risk, and compliance. References to specific APPs throughout this policy reflect that voluntary alignment rather than a legal obligation. Our privacy practices are also informed by ISO 27701 (Privacy Information Management) as a recognised international privacy framework, reflecting our professional engagement with that standard in the course of our audit and consulting work.

The Privacy Act will apply to Assurance Bureau's handling of personal information in the following circumstances:

  • Where we are directly engaged by a Commonwealth Government agency under a contract involving the handling of personal information, in accordance with the contracted service provider provisions of the Act.

  • Where we are engaged by any client — government or private — whose contract requires us to comply with the Privacy Act or the APPs in respect of personal information handled under that engagement.

  • Where flow-down privacy obligations from a prime contractor's government engagement require us to handle personal information consistently with the Act.

In those circumstances, our voluntary alignment means no material change to how we handle information in practice — our standards already meet or exceed the APPs.

Open and Transparent Management (APP 1)

This policy sets out how Assurance Bureau handles personal information, consistent with our voluntary alignment with Australian Privacy Principle 1. We make this policy publicly available and review it at least annually and following any material change to our services or technology tools. Active clients will be notified directly of material changes.

We handle two distinct categories of information:

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not, as defined in the Privacy Act 1988 (Cth).

Confidential corporate information is information provided by clients in the course of an engagement that is not publicly known and relates to the client's systems, operations, security posture, or business. This includes audit evidence, ISMS documentation, assessment artefacts, system architectures, and similar engagement materials. The handling of confidential corporate information is governed primarily by our Engagement Terms, available at assurancebureau.org/engagement-terms. This policy applies to personal information only.

Collection of Personal Information (APP 3)

Consistent with Australian Privacy Principle 3, we collect only personal information that is reasonably necessary for our functions and activities.

We may collect personal information such as:

  • Contact details (name, email address, phone number)

  • Business and role information

  • Information provided as part of audit, IRAP assessment, or consulting engagements

  • Information submitted via forms, email, or phone

  • Email addresses collected through our website or social media pages for marketing communications, where you have opted in to receive them

  • Information collected from publicly available sources, including LinkedIn, company websites, and public registries, in the course of pre-engagement research, audit scoping, or marketing activities

  • Information provided through referrals or introductions from third parties such as partners or industry contacts

  • Information collected in the context of government panel or tender processes, including personnel details, credentials, and clearance information where required

  • Website usage data (analytics, device information, IP address)

We do not knowingly collect sensitive information unless required for lawful or engagement-related purposes.

Where we collect personal information from publicly available sources or third parties, we will only use it for purposes that would be reasonably expected given the context of collection, consistent with APP 3.

How We Use Personal Information (APP 6)

Consistent with Australian Privacy Principle 6, we use personal information collected under this policy only for the primary purpose for which it was collected, or a directly related secondary purpose that individuals would reasonably expect.

We use personal information to:

  • Deliver audit, IRAP assessment, consulting or advisory services

  • Communicate with clients, certification bodies, the Australian Signals Directorate, and other relevant stakeholders

  • Operate, maintain and improve our website and services

  • Meet contractual, legal, audit-scheme or IRAP program requirements

  • Manage our business operations and records

  • Send service updates or marketing communications where you have opted in — you may withdraw consent and opt out at any time using the unsubscribe link in any communication or by contacting us via the privacy contact form on our website

We do not sell personal information.

Disclosure of Personal Information (APP 6)

Consistent with Australian Privacy Principle 6, we disclose personal information only where authorised or required. We may disclose personal information to:

  • Certification bodies where work is performed under their authority

  • The Australian Signals Directorate (ASD) where required in connection with IRAP assessment activities

  • Legal or regulatory authorities where required by law

  • Parties authorised by the individual or organisation providing the information

  • Technology and cloud service providers used to operate our business systems, as described under Technology Tools and Third-Party Services below

We do not engage human subcontractors or associates who access client personal data in the course of delivering services on our behalf. Where this changes in the future, any such parties will be subject to confidentiality obligations and required to handle personal information consistently with this policy and the APPs. Where we engage third-party technology or service providers who handle personal information, we require that they hold ISO 27001 certification or an equivalent recognised security standard at a minimum, and we review independent third-party assurance artefacts (such as ISO 27001 certificates, SOC 2 reports, IRAP assessment reports, or equivalent) as part of our supplier evaluation.

Overseas Disclosure (APP 8)

Consistent with Australian Privacy Principle 8, we take reasonable steps to ensure that personal information disclosed to overseas recipients is handled in a manner consistent with the APPs.

Email, calendar, and contacts are managed through a privacy-focused provider operating under EU jurisdiction and subject to GDPR. Document and file storage is managed through a zero-knowledge encrypted platform headquartered in Switzerland with EU data residency, also subject to GDPR. Both services provide strong data protection frameworks that are broadly consistent with Australian privacy standards.

For further details of our technology providers and their assurance basis, please contact us via the privacy contact form on our website.

Confidential Corporate Information

The handling of confidential corporate information is governed by our Engagement Terms, available at assurancebureau.org/engagement-terms. Key commitments under those terms include:

  • Confidential information is used only to deliver the engagement, meet legal obligations, or comply with audit-scheme requirements

  • Confidential information is not shared with third parties without consent, unless required by law or scheme rules

  • Assurance Bureau personnel hold appropriate security clearances where required

  • Client information is handled consistently with the Australian Privacy Principles where it contains personal information

  • At the conclusion of an engagement, client corporate information is returned or destroyed at the client's request, with written confirmation provided

Where Assurance Bureau delivers services through a certification body or white label arrangement and operates within that organisation's technology environment, personal information processed in that environment is subject to the certification body's or principal's privacy policy and data handling practices. This policy applies to information handled within Assurance Bureau's own systems only.

IRAP Assessments and Government Engagements

Information handled in the context of IRAP assessments or Australian Government engagements may be subject to additional confidentiality and handling obligations under ASD program requirements, the Protective Security Policy Framework (PSPF), or agency-specific agreements. Where applicable, those obligations take precedence over the general terms of this policy and our Engagement Terms.

Assurance Bureau personnel hold appropriate security clearances where required for the handling of sensitive information. All personnel are subject to background verification and criminal history checks. Client information provided for assessment purposes is used solely for that purpose and is not retained beyond engagement requirements.

Security of Information (APP 11)

As practitioners in information security, GRC, and ISO 27001 auditing, we apply the same frameworks we use to assess our clients to our own operations. Our security controls are informed by ISO 27001 and ISO 27701, ensuring our practices reflect recognised international standards rather than a minimum compliance threshold.

Consistent with Australian Privacy Principle 11, we take reasonable steps — including technical and organisational measures — to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These controls apply to all information we hold, including personal information and confidential corporate information.

Our controls include:

  • Endpoint security and threat protection: All devices used for business purposes are protected by an enterprise endpoint detection and response (EDR) platform providing threat intelligence and real-time protection. Full disk encryption is enabled across all business devices, and automated patching is maintained across operating systems and applications.

  • Identity and access: Strong authentication is enforced across all business accounts. Access is provisioned on a least privilege basis, with administrative access segregated from standard user access.

  • Credential management: Business credentials are managed using an open-source, zero-knowledge password manager with MFA enforcement, ensuring unique and strong credentials across all systems and services.

  • Data protection: Engagement and business data is stored in a zero-knowledge encrypted cloud environment with EU data residency, and within a separately maintained cloud environment with Australian data residency for applicable workloads. Data is encrypted in transit and at rest. Retention and deletion are managed through policy controls.

  • Device loss or theft: Remote wipe capability is available across all business devices, via our EDR platform for Windows devices and Apple Find My for Mac and iPhone. Because a remote wipe only takes effect once the device reconnects, full disk encryption remains the primary control: data on a lost or stolen device is not accessible without authentication whether or not the device comes back online.

  • Personnel security: All Assurance Bureau personnel hold current background verification and criminal history checks, and appropriate security clearances where required.

  • Security awareness: We maintain ongoing awareness of the Australian cyber threat landscape, supported by professional certifications across information security, governance, and assurance disciplines.

Where clients have specific requirements for secure transfer of engagement materials, we can accommodate client-specified methods and controls on request.

Data Breach Notification

Assurance Bureau is not subject to the Notifiable Data Breaches (NDB) scheme as a small business operator not currently covered by the Privacy Act 1988 (Cth). However, we are committed to handling any breach of personal information responsibly and transparently.

Where we become aware of a data breach involving personal information we hold that is likely to result in serious harm to any affected individual, we will:

  • Notify affected individuals as soon as practicable, with details of the nature of the breach, the information affected, steps taken to contain it, and any recommended actions

  • Where the breach involves information held in connection with a client engagement, notify the relevant client organisation promptly as the primary point of contact

  • Take immediate steps to contain the breach and prevent further unauthorised access or disclosure

  • Review the circumstances and implement measures to reduce the likelihood of recurrence

We will not delay notification unreasonably where it is clear that serious harm is likely.

Where we are subject to the Privacy Act in the circumstances described under Our Position Under the Privacy Act above, we will comply with the NDB scheme requirements for any eligible data breach.

Technology Tools and Third-Party Services

We use cloud and technology services to operate our business, including platforms for email, calendar and contacts, document storage and file transfer, endpoint protection, accounting, website hosting, payment processing, and AI-assisted drafting.

All third-party providers are selected on the basis of demonstrated independent assurance. We require that providers hold ISO 27001 certification or an equivalent recognised security standard at a minimum, and where available we review independent assurance reports, such as SOC 2 Type II reports or IRAP assessment reports, as part of our supplier evaluation. Providers handling personal information are engaged under commercial agreements that include appropriate data processing, security, and confidentiality obligations.

Our controls across these platforms include:

  • Email, calendar, and contacts are managed through a privacy-focused provider operating under EU jurisdiction and subject to GDPR, with no advertising and ISO 27001 certification.

  • Documents and engagement files are stored and transferred using a zero-knowledge encrypted platform with EU data residency and ISO 27001 certification. This is our primary mechanism for sharing materials with clients unless a client prefers an alternative.

  • Endpoint protection is provided by an enterprise EDR platform with a SOC 2 Type II attestation and ISO 27001 certification, supplementing full disk encryption enabled across all business devices.

  • Business credentials are managed using an open-source, zero-knowledge password manager with MFA enforcement.

  • AI-assisted drafting tools are used with de-identified inputs only. We do not input identifiable client information or non-public client data into any AI platform. Training is disabled where configurable, and conversation history is periodically deleted. Clients may request that no AI tools be used in connection with their engagement at any time.

  • Accounting, invoicing, payment processing, and website hosting are managed through providers holding ISO 27001 certification and a SOC 2 Type II attestation, with formal data processing agreements in place.

For further information about the specific platforms we use and the assurance basis for each, please contact us via the privacy contact form on our website.

Data Retention and Destruction (APP 11.2)

Consistent with Australian Privacy Principle 11.2, we retain personal information only for as long as required for the purpose of collection, or as required by law, contract, or audit-scheme obligations.

Our retention periods are:

  • Engagement records and all associated correspondence: 7 years from engagement completion, or as required by applicable legal, contractual, or audit-scheme obligations, whichever is longer. Records are reviewed periodically and deleted when no continuing obligation applies.

  • Marketing subscriber records: Retained in suppressed form following unsubscribe; deleted on request via the privacy contact form.

  • AI tool conversation history: Subject to provider retention periods of up to 30 days; periodically deleted from our account where controls permit.

Personal information may be deleted earlier than the periods above on request, where no legal or contractual obligation requires its continued retention. Requests can be submitted using the privacy contact form on our website.

Where a client requests the return or destruction of their corporate information at the conclusion of an engagement, we will action that request promptly and confirm completion in writing.

Social Media, Website Cookies and Analytics

We maintain a presence on various social media platforms. Visitors to our pages and individuals who interact with our content are subject to the privacy policies of those respective platforms. Personal information received via direct messages or enquiries on social media is handled consistently with this policy. We do not embed social media tracking widgets on our website.

Our website uses cookieless analytics. No analytics cookies are placed on visitors' browsers and no personally identifiable visitor information is collected for analytics purposes.

Necessary cookies are placed by our website platform to support core website functionality. These do not require consent.

Our website may integrate with third-party services to load business information. Where this occurs, no additional cookies are placed on visitors' browsers as a result.

We do not use advertising, marketing, or social media tracking cookies. If this changes, this policy will be updated and consent sought accordingly.

Our cookie banner provides options to accept, manage, or decline all non-essential cookies. In practice, the only cookies currently set are necessary cookies, which are unaffected by consent preferences.

Third-Party Links

Our website may contain links to external sites. We are not responsible for the privacy practices or content of those sites and encourage you to review their privacy policies before providing personal information.

Access and Correction (APP 12 and APP 13)

Consistent with Australian Privacy Principles 12 and 13, you may request access to personal information we hold about you, or request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond within 30 days. Requests can be submitted using the privacy contact form on our website. We may ask you to verify your identity before processing a request.

Access rights apply to personal information only. Confidential corporate information is not subject to third-party access requests and will only be disclosed to the client organisation or their authorised representatives.

Privacy Complaints

If you believe we have handled your personal information in a way that does not align with our commitments under this policy, you may submit a complaint using the privacy contact form on our website. We will acknowledge promptly and respond within 30 days.

As Assurance Bureau is not currently an APP entity, the OAIC does not have jurisdiction to investigate complaints about our personal information handling in most circumstances. However, if you wish to seek independent guidance:

  • Website: oaic.gov.au

  • Phone: 1300 363 992

  • Post: GPO Box 5218, Sydney NSW 2001

Where we are subject to the Privacy Act in the circumstances described under Our Position Under the Privacy Act above, individuals may also direct complaints to the OAIC in the usual manner.

Changes to This Policy

We review this policy at least annually and following any material change to our services or technology tools. Active clients will be notified directly of material changes.

Last Updated: 29 April 2026
