Data Security Policy

Protecting your financial information through enterprise-grade security

AT A GLANCE

Your sensitive information is protected by:

  • Zero-Trust – MFA Protected
  • AU Storage – Data Sovereignty
  • 24/7 Monitoring – Continuous

1. Scope

This security summary applies to personal and business information we handle in connection with our services, our websites, and our Microsoft 365 collaboration environment.

COVERAGE INCLUDES:

  • Our people and staff access
  • All company devices and systems
  • Approved service providers
  • Client data and communications

This policy complements our Privacy Policy and provides transparency about our security controls. We believe you have the right to understand exactly how we protect your sensitive financial information.

2. Our Security Principles

Our approach to protecting your information is built on five core principles that guide every security decision we make:

PRIVACY BY DESIGN

We align controls with Australian Privacy Principles from the ground up, not as an afterthought.

CONTINUOUS IMPROVEMENT

We monitor, test and uplift controls over time. Security isn't a destination – it's an ongoing commitment.

COMPLIANCE FIRST

Meeting or exceeding all Australian privacy standards and regulations.

PROACTIVE DEFENCE

Multiple layers of security work round the clock to protect your information.

COMPLETE TRANSPARENCY

Clear policies on exactly what we collect, why we need it, and how it's protected.

These aren't just policies on paper. They're the foundation of how we operate every day to keep your financial information secure.

3. Data Location

AUSTRALIAN DATA RESIDENCY

Your information is stored in Microsoft 365 data centres located in Australia

We primarily use Microsoft 365 services including:

  • Exchange Online (email)
  • OneDrive (file storage)
  • SharePoint (collaboration)
  • Teams (communication)

Some Microsoft supporting services may process data within the Asia Pacific region for anti-spam, anti-malware and collaboration features.

Where we use other providers, we take reasonable steps and use contractual safeguards to ensure protection to standards comparable to the Australian Privacy Principles.

Where possible, your data stays in Australia, protected by world-class infrastructure and Australian privacy laws.

4. Access Controls

MULTI-FACTOR AUTHENTICATION

Required for all accounts accessing company resources

CONDITIONAL ACCESS

Access policies evaluate user, device and session risk before permitting access

We use the same enterprise-grade security that major Australian banks rely on:

  • Single Sign-On (SSO) via Microsoft Entra ID
  • Restricted and monitored privileged access
  • Regular access reviews and updates
  • Role-based permissions

Every attempt to access your information is verified, logged, and monitored.

5. Device Security

MANAGED DEVICES

Company devices enrolled in Microsoft Intune with security baselines and encryption

BYOD CONTROLS

Mobile devices use app protection policies (PIN/biometric, no local save, selective wipe)

Company device security includes:

  • Antivirus and endpoint detection & response
  • Full disk encryption
  • Automatic security patching
  • Security baseline configurations

Access to company data from unmanaged or non-compliant devices is limited or blocked. If a device doesn't meet our security standards, it can't access your information. It's that simple.

6. Data Protection

DATA CLASSIFICATION

Information classified as Public, Internal, Confidential, or Highly Confidential

ENCRYPTION EVERYWHERE

Data encrypted in transit and at rest within Microsoft 365

Microsoft Purview provides:

  • Sensitivity labels for data classification
  • Data Loss Prevention (DLP) policies
  • Unauthorised sharing prevention
  • Retention labels (7 years and 3 years)

External sharing controls include secure links, expiration dates, and guest access policies.

When information is no longer required, we securely delete or de-identify it according to our retention schedule.

Your information isn't just stored securely – it's classified, encrypted, and monitored at every step.

7. Monitoring & Testing

SECURITY LOGGING & ALERTING

Critical systems generate audit logs for review and investigation

Email and collaboration threat protection:

  • Anti-phishing protection
  • Anti-malware scanning
  • Safe-link and safe-attachment policies
  • Advanced threat protection for Microsoft 365

Additional security measures:

  • Vulnerability management and patching
  • Configuration monitoring and drift detection
  • Backup and recovery processes
  • Business continuity planning

We don't just protect your data – we continuously monitor for threats and test our defences to stay ahead of emerging risks.

8. Third-Party Management

DUE DILIGENCE

We assess security and privacy controls of all service providers before use and on renewal

All service provider contracts include:

  • Confidentiality obligations
  • Data protection requirements
  • Security incident notification
  • Regular security assessments

OVERSEAS PROCESSING

Where overseas providers are involved, we take reasonable steps and use contractual safeguards to ensure APP-comparable protection

We remain responsible for personal information disclosed overseas under APP 8, where applicable.

We don't just trust our partners – we verify their security measures meet our exacting standards.

9. AI Usage

APPROVED TOOLS ONLY

We use only approved AI tools for defined business purposes

Our AI usage principles:

  • Data minimisation in AI tool inputs
  • Preference for de-identified information
  • No client personal information used to train third-party AI/LLM models
  • Clear guidelines for acceptable AI use

NO TRAINING WITH CLIENT DATA

Client personal information is never used to train, retrain or improve third-party AI models

Your information remains yours. We never use it to improve AI systems or train models for other companies.

10. Incident Response

24/7 INCIDENT RESPONSE

Identify, contain, investigate and remediate suspected security events

Our incident response process includes:

  • Immediate containment of security threats
  • Forensic investigation of incidents
  • Remediation and system recovery
  • Lessons learned and control improvements

BREACH NOTIFICATIONS

If an eligible data breach occurs (likely to result in serious harm), we will notify the OAIC and affected individuals as soon as practicable, unless an exception applies

We're prepared for the worst, but working every day to prevent it from happening.

11. Data Retention

RETENTION SCHEDULE

Records kept for the period needed to provide services and meet legal obligations

Standard retention periods:

  • Finance and complaint records: At least 7 years
  • General business records: 3 years
  • Other records: As required by law

SECURE DISPOSAL

When information is no longer required, we take reasonable steps to destroy or de-identify it, unless we must keep it by law

We keep your information only as long as necessary, then securely destroy it when it's no longer needed.

12. Your Role

SHARED RESPONSIBILITY

Security is most effective when we work together to protect your information

Please help us keep your data secure by:

  • Using the secure channels we provide for sharing documents
  • Avoiding emailing highly sensitive personal information unless we ask you to use encryption or a secure link
  • Telling us immediately if you suspect unauthorised access to your account or information
  • Keeping your contact information up to date
  • Reporting any suspicious communications claiming to be from Edgeview Finance

Security is a team effort. We'll do our part – we just need you to do yours.

13. Contact Us

PRIVACY & SECURITY CONTACT

Email: privacy@edgeviewfinance.com.au

Postal: PO BOX 9122, GCMC QLD 9726

Response time: Usually within 30 days

We aim to respond to all security and privacy enquiries within a reasonable timeframe.

OAIC COMPLAINTS

Website: oaic.gov.au

Phone: 1300 363 992

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

Your security questions matter to us. Don't hesitate to reach out if you need clarification on any aspect of how we protect your information.