SECURITY
How we protect enquiry and audit information.
TRUSTYCYBER uses a structured digital workflow for enquiries, qualification, engagement administration and evidence collection. Audit evidence is not collected through the public website or fit check.
Public website and fit check
The website does not store audit evidence. Contact and fit-check submissions contain only enquiry information. Evidence is requested only after the engagement scope and handling arrangements have been agreed.
Access controls
Named, authorised access only. Multi-factor authentication where available. Least-privilege access. Access removed when no longer required.
Audit evidence
Evidence is collected through approved Microsoft 365, OneDrive or SharePoint environments after scope is agreed. No audit evidence is accepted through the public contact form or fit check.
Storage and transfer
Agreed access-controlled channels. Encryption in transit and at rest where supported. No unnecessary local copies of client evidence.
AI-assisted analysis
Approved technology may assist with extracting, organising and initially analysing audit evidence. Its use remains subject to the engagement's agreed information-handling arrangements. AI-generated output is reviewed by an appropriately qualified auditor and does not determine conformity, findings or final audit conclusions.
Retention and deletion
Working evidence is retained only as needed for the engagement, quality obligations and agreed retention requirements. Unless otherwise agreed, source evidence and working copies are normally deleted within 90 days after the engagement is closed.
Incident management
Documented response and client-notification process. Notification consistent with contractual and legal obligations. To report a concern: [email protected]
AI-assisted evidence analysis
Approved AI services may assist with extracting, classifying, organising and summarising evidence, mapping material to assessment criteria, identifying possible gaps and preparing draft analysis.
AI-generated output is treated as unverified working material. It does not determine evidence sufficiency, conformity, findings or final audit conclusions.
Access to evidence is limited to the engagement and the authorised services and people required to perform it. Information-handling arrangements are confirmed before evidence is uploaded.
Suppliers
TRUSTYCYBER uses established service providers selected and managed based on the information they handle. Primary providers include Amazon Web Services (website hosting, CMS, CRM), Cloudflare (domain, CDN, security), Microsoft (Microsoft 365, email, evidence collection environments), Stripe (payment processing) and Xero (accounting).
Classified and sensitive information
TRUSTYCYBER does not accept Australian Government security-classified information through its public website, contact forms or fit check. Information marked OFFICIAL: Sensitive, subject to special contractual controls or requiring heightened handling arrangements must not be provided unless TRUSTYCYBER has expressly approved the proposed handling arrangements in writing.
If your engagement may involve classified or specially controlled information, please contact us before proceeding so that appropriate arrangements can be established.
Report a concern
If you believe information has been accessed, disclosed or handled improperly, please notify us promptly at [email protected].
Full privacy information is available in the TRUSTYCYBER Privacy Policy.
