1. Purpose
This statement explains how Etcher Solutions aims to manage data protection, privacy, security, operational governance and compliance risk across our public website, Etcher Task Hub (our private authorised-user workflow platform) and private client-facing workflows.
It is intended as a reference for Etcher Solutions personnel, authorised contractors and approved client representatives.
2. Compliance Framework
Etcher Solutions aims to operate in accordance with:
- Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
- Notifiable Data Breaches (NDB) scheme
- Spam Act 2003 (Cth)
- Australian Consumer Law
- Contractual confidentiality obligations and client-specific requirements
- Reasonable cyber security, operational governance and records management practices
3. Data Inventory
| Data category | Examples | Sensitivity |
| --- | --- | --- |
| Identity data | Name, role, company | Medium |
| Contact data | Email, phone, address | Medium |
| Account data | Login credentials, roles, permissions, audit logs | High |
| Business data | Tasks, projects, workflows, notes | Medium–High |
| Client data | Client names, enquiries, project details | Medium–High |
| Email content | Forwarded emails, metadata, attachments | High |
| Documents | PDFs, spreadsheets, compliance files | High |
| Technical data | IP address, device type, browser, logs | Medium |
| AI-generated data | Summaries, classifications, task suggestions | Medium |
| Payment data | Billing records, invoices (if introduced) | High |
4. Data Minimisation
Etcher Solutions collects only information that is reasonably necessary. In practice this means:
- Avoiding unnecessary form fields
- Reducing duplicate storage of the same information
- Archiving or deleting outdated records in line with retention schedules
- Limiting access to information on a need-to-know basis
5. Collection Notices
Collection notices should appear near all data collection points including:
- Contact, quote, newsletter and task creation forms
- Account invitations and onboarding flows
- File upload interfaces
- Email intake instructions and task forms
Suggested collection notice:
"By submitting this form, you agree that Etcher Solutions may use the information provided to respond to your enquiry, provide services, manage records and improve operations in accordance with our Privacy Policy."
6. Access Controls
- No public self-registration unless deliberately and explicitly enabled
- Etcher Task Hub access by approved-user invitation only
- Individual user accounts — no shared admin logins
- Role-based access control (restricted / staff / admin)
- Least-privilege permissions applied by default
- Admin-only access to settings, staff management and client notes
- Multi-factor authentication (MFA) where available
- Quarterly review of active users and admin-level access
- Immediate removal of access for users who no longer require it
- Audit logs for task creation, task changes, email intake processing and document access
7. Search Engine and Public Exposure Controls
- Authentication enforced on all private dashboard routes
- Server-side access checks for all private data responses
- No confidential files placed in public static directories
- No private task URLs included in sitemap.xml
- robots.txt disallow rules for private routes where appropriate (robots.txt is advisory and is itself public, so it advertises the routes it lists; it is never a substitute for the authentication checks above)
- No client documents served from public paths
- No API responses containing private data without valid authentication
- No secrets, private configuration or internal URLs in browser-served JavaScript
8. Environment Variables and Secrets
Secrets must never be committed to GitHub, public repositories or browser-served files. This includes:
- API keys, database URLs and OAuth secrets
- Microsoft Graph credentials (TENANT_ID, CLIENT_ID, CLIENT_SECRET)
- AI API keys, webhook secrets, email credentials, payment processor secrets
Use approved secret management approaches:
- Vercel Environment Variables (for hosted deployments)
- Azure Key Vault (for server-side services)
- GitHub Actions Secrets (for CI/CD pipelines)
- Local .env file (excluded from Git via .gitignore)
9. Email Intake Controls
- Authorised sender lists and domain allowlists enforced at processing stage
- Spam filtering and malware scanning applied to incoming emails
- Suspicious emails quarantined rather than automatically processed
- Attachment size limits and file type restrictions enforced
- Processing events logged with timestamps
- Task conversion events traceable to originating email
- Processed emails archived to a dedicated folder
- Duplicate detection to prevent repeated task creation
- Original email traceability preserved for audit purposes
- Manual review required before AI-generated summaries are sent externally or to clients
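The following is an added example of how the processing-stage controls above (sender allowlist, quarantine of anything suspicious, attachment type and size limits, duplicate detection and traceability back to the originating email) fit together in one gate. It is not Etcher Solutions' own intake code. The allowlisted domains, the size limit, the intake address and the sample messages are constructed for illustration, and the DMARC check assumes the mailbox provider stamps an Authentication-Results header on delivery (Microsoft 365 does) and strips any copy that arrived with the message.

```python
"""Email intake gate: allowlist, authentication result, attachment policy and
duplicate detection, applied before an email is converted into a task.

Added example, not Etcher Solutions' own code. Domains, limits, the intake
address and the sample messages below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed intake policy values.
ALLOWED_SENDER_DOMAINS = {"etchersolutions.com", "client.example"}
ALLOWED_ATTACHMENT_TYPES = {"application/pdf", "text/csv"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024


@dataclass
class Decision:
    action: str                 # "process", "quarantine" or "duplicate"
    fingerprint: str            # ties the task back to the originating email
    reasons: list = field(default_factory=list)


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def fingerprint(msg: EmailMessage) -> str:
    """Stable id for duplicate detection. Message-ID is sender-controlled and
    optional, so it is bound to the sender domain; a message without one falls
    back to a hash of its key headers and plain-text body."""
    mid = str(msg.get("Message-ID", "")).strip()
    if mid:
        basis = f"{mid}|{sender_domain(msg)}"
    else:
        body = msg.get_body(preferencelist=("plain",))
        basis = "|".join(str(msg.get(h, "")) for h in ("From", "Subject", "Date"))
        basis += "|" + (body.get_content() if body else "")
    return hashlib.sha256(basis.encode()).hexdigest()


def evaluate(raw: bytes, seen: set) -> Decision:
    """Decide what to do with one raw message; 'seen' holds processed fingerprints."""
    msg = message_from_bytes(raw, policy=policy.default)
    d = Decision(action="process", fingerprint=fingerprint(msg))

    if d.fingerprint in seen:
        d.action = "duplicate"
        d.reasons.append("already converted to a task")
        return d

    domain = sender_domain(msg)
    if domain not in ALLOWED_SENDER_DOMAINS:
        d.reasons.append(f"sender domain not allowlisted: {domain or '(none)'}")

    # From is trivially forged, so the allowlist only means something if the
    # mailbox provider authenticated the message (assumed Authentication-Results).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        d.reasons.append("message did not pass DMARC")

    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        size = len(part.get_payload(decode=True) or b"")
        name = part.get_filename() or "(unnamed)"
        if ctype not in ALLOWED_ATTACHMENT_TYPES:
            d.reasons.append(f"attachment type not allowed: {ctype} ({name})")
        if size > MAX_ATTACHMENT_BYTES:
            d.reasons.append(f"attachment over {MAX_ATTACHMENT_BYTES} bytes: {name}")

    if d.reasons:
        d.action = "quarantine"     # held for manual review, never auto-processed
    else:
        seen.add(d.fingerprint)
    return d


def build_sample(sender, subject, mid, attachment=None, auth="pass") -> bytes:
    """Constructed test message (not a real email)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "intake@example.invalid"          # assumed intake address
    m["Subject"] = subject
    m["Message-ID"] = mid
    m["Authentication-Results"] = f"spf={auth}; dkim={auth}; dmarc={auth}"
    m.set_content("Please create a task for this.")
    if attachment:
        name, ctype, data = attachment
        maintype, subtype = ctype.split("/", 1)
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


SAMPLE_OK = build_sample("Ops <ops@client.example>", "Invoice", "<a1@client.example>",
                         ("invoice.pdf", "application/pdf", b"%PDF-1.4 stub"))
SAMPLE_SPOOFED = build_sample("Ops <ops@client.example>", "Urgent", "<a2@client.example>", auth="fail")
SAMPLE_UNKNOWN = build_sample("<someone@attacker.example>", "Hello", "<a3@attacker.example>")
SAMPLE_EXE = build_sample("<admin@etchersolutions.com>", "Tool", "<a4@etchersolutions.com>",
                          ("setup.exe", "application/x-msdownload", b"MZ stub"))

if __name__ == "__main__":
    seen: set = set()
    for label, raw in [("ok", SAMPLE_OK), ("ok again", SAMPLE_OK), ("spoofed", SAMPLE_SPOOFED),
                       ("unknown", SAMPLE_UNKNOWN), ("exe", SAMPLE_EXE)]:
        d = evaluate(raw, seen)
        print(f"{label:9} -> {d.action:10} {'; '.join(d.reasons)}")
```

Anything that fails a check is quarantined rather than processed, and only a message that passed every check adds its fingerprint to the processed set, so a quarantined message that is later released by a reviewer is not mistaken for a duplicate. The fingerprint is what a task record would store to stay traceable to its originating email.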
10. AI Processing Controls
- Human review required before acting on AI-generated outputs
- AI-generated content labelled with a warning within the platform
- Logs of AI processing events retained where appropriate
- Restrictions on submitting sensitive personal or health information to AI providers
- AI vendor privacy and data handling policies reviewed before enabling
- Opt-out options provided where feasible
- AI use cases documented and reviewed annually
- Client data will not be used to train public AI models unless expressly agreed in writing
11. Data Storage and Providers
| Provider | Purpose | Status |
| --- | --- | --- |
| Vercel | Website and app delivery | Known |
| Microsoft 365 | Email communication and intake | Known |
| SharePoint / OneDrive | Document storage (optional) | Expected |
| GitHub | Source code and deployment | Known |
| Supabase | Task and user data (app database) | Confirmed |
| AI service | AI-assisted processing | Confirm before launch |
| Vercel Analytics | Website analytics | Confirmed |
12. Security Measures
- HTTPS/TLS encryption for all data in transit
- Secure authentication with salted password hashing using a purpose-built algorithm (for example bcrypt or Argon2); passwords are never stored in plaintext or reversibly encrypted
- Role-based access control (RBAC) with least-privilege defaults
- Secure file storage with restricted access
- Regular backups with tested recovery processes
- Dependency updates and vulnerability monitoring
- Logging and alerting for security events
- Malware protection where applicable
- Incident response procedures (see Section 14)
- Secure disposal, deletion or de-identification of data no longer required
13. Data Retention and Disposal
| Data type | Retention period |
| --- | --- |
| Contact form enquiries | 24 months |
| Client service records | 7 years |
| Tax and invoice records | 7 years |
| Task records | Active relationship + 24 months unless required longer |
| Email intake records | 24 months unless required longer |
| Uploaded documents | Project term + agreed retention period |
| Security logs | 6–24 months |
| Marketing consent records | Until withdrawn + evidence period |
| Deleted account data | 30–90 days backup retention unless legally required longer |
14. Data Breach Response Plan
- Identify and contain the incident — isolate affected systems if necessary
- Preserve evidence for investigation purposes
- Assess what information was affected and how it was accessed
- Identify affected individuals and organisations
- Assess whether serious harm to affected individuals is likely (the NDB scheme requires this assessment to be completed within 30 days of becoming aware of a suspected eligible data breach)
- Remediate the vulnerability that led to the breach
- Notify affected individuals and the OAIC if required under the NDB scheme
- Document all actions taken and decisions made
- Review and improve controls to prevent recurrence
Contact: info@etchersolutions.com to report a suspected incident.
15. Backup and Recovery
Backups should be:
- Access controlled and encrypted where possible
- Tested periodically to confirm they can be restored
- Retained only as long as necessary in line with retention schedules
- Restorable within reasonable timeframes in the event of data loss
16. Vendor and Processor Governance
Before engaging a new data processor or vendor, Etcher Solutions should review:
- Privacy policy and data processing terms
- Security certifications and assessments
- Data hosting locations
- Breach notification commitments
- Subcontractor and sub-processor arrangements
- Data deletion and export functionality
- AI training practices (if applicable)
- Contractual protections available
17. Marketing Compliance
Marketing communications must:
- Be sent only where consent or another lawful basis exists under the Spam Act 2003 (Cth)
- Clearly identify Etcher Solutions as the sender
- Include current contact details
- Include a functional unsubscribe mechanism
- Have unsubscribe requests actioned promptly
Do not use purchased or scraped contact lists unless consent has been independently verified. Consent records must be retained.
18. Intellectual Property and Asset Compliance
Etcher Solutions should maintain a register of assets used in the website and platform, including:
- Logos, icons, fonts, stock images and video assets
- Website templates, code libraries and third-party packages
- AI-generated images and adapted text
- Brand names and trade marks
Recommended file: ASSET_LICENSES.md in the project root.
19. Open Source and Third-Party Code
- Maintain accurate package lock files
- Review licences for compatibility before use
- Satisfy attribution requirements for applicable licences
- Avoid licences incompatible with commercial use
- Update packages with known security vulnerabilities promptly
- Remove unused packages from the project
20. Public Data Exposure Checks
- No private API keys or secrets in frontend JavaScript
- No .env files publicly accessible
- No database credentials committed to GitHub
- No confidential files in public static folders
- No private task data indexed by search engines
- No admin routes accessible without login
- No uploaded files publicly accessible unless intended
- robots.txt and sitemap.xml reviewed to exclude private routes
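The exposure checks in this section and the crawler controls in Section 7 are all static checks on what will be served publicly, so they can run against the build output before every deploy. The script below is an added example of such a check; it is not Etcher Solutions' own tooling. The private route prefixes, the secret-shaped patterns, the document extensions and the sample public/ directory it builds in a temporary folder are all assumptions for illustration.

```python
"""Pre-deploy check of a public/ output directory: env files, confidential
documents and secret-shaped strings in browser-served files, plus robots.txt
and sitemap.xml coverage of private routes.

Added example, not Etcher Solutions' own tooling. Route prefixes, patterns,
extensions and the constructed sample site are assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

PRIVATE_ROUTE_PREFIXES = ("/dashboard", "/admin", "/tasks", "/api/")  # assumed
CONFIDENTIAL_EXTENSIONS = {".pdf", ".xlsx", ".docx", ".csv"}
BROWSER_SERVED = {".js", ".mjs", ".html"}
SECRET_PATTERNS = {  # illustrative shapes, not an exhaustive secret scanner
    "jwt-like token": re.compile(r"eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}"),
    "server-side env name": re.compile(
        r"\b(CLIENT_SECRET|SUPABASE_SERVICE_ROLE_KEY|DATABASE_URL|OPENAI_API_KEY)\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def check_files(public_dir: Path) -> list:
    findings = []
    for path in sorted(p for p in public_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(public_dir).as_posix()
        suffix = path.suffix.lower()
        if path.name.startswith(".env"):
            findings.append(f"env file in public dir: {rel}")
        if suffix in CONFIDENTIAL_EXTENSIONS:
            findings.append(f"document in public dir, confirm it is meant to be public: {rel}")
        if suffix in BROWSER_SERVED:
            text = path.read_text(errors="replace")
            for label, rx in SECRET_PATTERNS.items():
                if rx.search(text):
                    findings.append(f"{label} in browser-served file: {rel}")
    return findings


def check_robots(public_dir: Path) -> list:
    # robots.txt is advisory and itself public: it keeps well-behaved crawlers
    # out of private routes but also advertises them, and it never replaces the
    # server-side authentication check on those routes.
    robots = public_dir / "robots.txt"
    if not robots.is_file():
        return ["robots.txt missing"]
    disallowed = [line.split(":", 1)[1].strip()
                  for line in robots.read_text().splitlines()
                  if line.lower().startswith("disallow:")]
    # A Disallow value matches every path that begins with it.
    return [f"private route not disallowed in robots.txt: {route}"
            for route in PRIVATE_ROUTE_PREFIXES
            if not any(d and route.startswith(d) for d in disallowed)]


def check_sitemap(public_dir: Path) -> list:
    sitemap = public_dir / "sitemap.xml"
    if not sitemap.is_file():
        return []
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    findings = []
    for loc in ET.parse(sitemap).getroot().iterfind(".//sm:loc", ns):
        url = (loc.text or "").strip()
        if urlparse(url).path.startswith(PRIVATE_ROUTE_PREFIXES):
            findings.append(f"private URL listed in sitemap.xml: {url}")
    return findings


def audit(public_dir: Path) -> list:
    return check_files(public_dir) + check_robots(public_dir) + check_sitemap(public_dir)


def build_sample_site() -> Path:
    """Constructed public/ directory with deliberate problems (not a real build)."""
    root = Path(tempfile.mkdtemp()) / "public"
    (root / "assets").mkdir(parents=True)
    (root / ".env.local").write_text("CLIENT_SECRET=not-a-real-secret\n")
    (root / "assets" / "app.js").write_text(
        'const token = "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.ZmFrZXNpZ25hdHVyZQ";\n'
        "const db = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY);\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /dashboard\n")
    (root / "sitemap.xml").write_text(
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n'
        "  <url><loc>https://example.invalid/</loc></url>\n"
        "  <url><loc>https://example.invalid/tasks/123</loc></url>\n"
        "</urlset>\n")
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_site()):
        print("FAIL:", finding)
```

Run against the real output directory, a non-empty findings list should fail the deploy step. The pattern list is a backstop for accidents, not a complete secret scanner; the primary control remains keeping server-side values out of browser-bundled code in the first place.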
21. Review Schedule
| Review item | Frequency |
| --- | --- |
| Privacy Policy and Terms of Use | Annually |
| Data retention schedules | Annually |
| Vendor and processor review | Annually |
| Security access review | Quarterly |
| Admin user review | Quarterly |
| Backup and recovery test | Annually |
| Incident response drill | Annually |
| Asset licence review | Annually |
| AI processing review | Annually or when tools change |
22. User Responsibilities
- Use strong, unique credentials for your account
- Keep access credentials confidential
- Avoid uploading or forwarding information without appropriate authority
- Avoid forwarding sensitive third-party information without the consent of relevant parties
- Review AI-generated outputs before acting on them or sharing externally
- Ensure data entered into the platform is accurate
- Report security, privacy or data incidents promptly to info@etchersolutions.com
- Comply with workplace, client and legal obligations when using the platform
23. Complaints and Escalation
To raise a data protection or compliance concern:
- Email info@etchersolutions.com
- We will acknowledge within 5 business days
- If unresolved, you may escalate to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
24. Document Control
| Field | Detail |
| --- | --- |
| Document owner | Etcher Solutions |
| Review frequency | Annual |
| Next review date | 27 June 2027 |
| Approved by | Samantha Wignall, Director |
| Lawyer reviewed | Not yet externally reviewed. This document has been prepared in accordance with applicable requirements and will be reviewed as needed. |
| Version | 1.0 |