Cyber Protection and Data Breach Policy

Updated: 30 October 2025

About this Document

At Precision Compliance Solutions (PCS), safeguarding digital assets, protecting sensitive data, and ensuring the security of our systems are top priorities. This Cyber Protection Policy outlines the rules and best practices that all employees and stakeholders must follow to uphold the integrity of our information and systems.

Objectives

The purpose of this policy is to mitigate cybersecurity risks, ensure compliance with relevant regulations, and protect PCS and its clients from cyber threats, including unauthorised access, data breaches, and malware attacks.

Scope

Applies to all employees, contractors, and third-party service providers who access or use company systems, networks, or data.


Policy Guidelines

Access Control

Only authorised personnel may access sensitive data or systems.

Multi-factor authentication (MFA) is mandatory for all critical systems.

Strong, unique passwords must be used and updated regularly.

Administrative privileges are restricted to specific tasks only.

Data Protection

Confidential data must be encrypted during transmission and storage (AES-256 minimum).

Independent, encrypted, off-site backups must be performed daily and retained for at least three months.

All backups and primary cloud data are hosted in Microsoft Azure Australia East/West regions under Australian data-residency controls.

Sensitive information must never be shared externally without written authorisation.

All client records and deliverables are retained for a minimum of five (5) years in secure OneDrive/SharePoint storage in accordance with TPB record-keeping obligations.

Network & Device Security

Firewalls and intrusion-detection systems must be deployed and maintained.

Company devices must be patched, encrypted, and enrolled in Intune or equivalent.

Lost or stolen devices must be reported immediately.

Training & Awareness

All staff (including offshore) must complete Cyber Wardens training annually.

Phishing simulations and awareness campaigns are conducted periodically.

Incident Response

Incidents are handled following the PCS Incident Response Plan.

Staff must report any suspected breach immediately.

The Managing Director (Incident Lead) coordinates response and notifications.

Communication & Notification

PCS will notify affected clients, the OAIC, or the TPB where required by the Notifiable Data Breaches Scheme.

Where an incident involves any AI system or automation platform, response will follow both this policy and the PCS AI Security & Privacy Policy.

Document Sharing & IT Policy

About this Document

At Precision Compliance Solutions, we have seen firsthand how devastating financial fraud can be to businesses, which is why we've implemented robust security measures to protect your sensitive information from day one of our partnership.

Objective

Our objective is to protect your business and private information in today's digital reality. Financial fraud increased 30% last year, with 68% of cases targeting small businesses through intercepted emails. Right now, Australian small businesses are losing an average of $88,000 per data breach incident. These aren't distant corporate concerns - they're everyday realities for local businesses.

Our secure sharing protocols aren't just procedural - they're practical safeguards for your business's financial health and your personal privacy.

Document Sharing Guidelines

DO NOT email bank statements, financial documents, employee information, or any other sensitive material. Instead, please use our secure sharing options:

Upload to our shared OneDrive folder:

Document Types: Bank Statements, Financial Statements, Employee Agreements, Shared reports, and anything else you need to share with us

- You'll receive an email via Microsoft advising you that we have shared a folder with you
- You'll need a Microsoft profile to access this folder
- You can create one for free using your existing email address (including a Gmail address)
- The email must match the primary contact email we have on file
- If you need to use a different email, please notify us so we can update sharing permissions
- For first-time access, you'll be prompted to enter a verification code

Onboard Self-Service Employee Information

Document Types: Employee Details, Tax File Number Declarations, SuperChoice forms

We manage employee information via the accounting software you use (MYOB, QBO, Xero).

All employee onboarding must be completed by the employee via the link sent from the software.

Any changes to employee personal information must be entered by the employee through their own access.

This ensures data-protection compliance and streamlines payroll information.

Security Reminders

NEVER send bank statements, tax documents, financial records or employee details via email

ALWAYS use our secure platforms for sharing sensitive information

NOTIFY US if you need to change your primary contact email

REPORT any suspicious communications claiming to be from our firm immediately by calling our office.

These measures help us maintain the highest standards of privacy and security while providing you with efficient service.

A Small Effort for Significant Protection

We understand these security measures may initially seem like extra steps in your busy day. However, the few minutes spent using these secure methods can save you countless hours, significant financial loss, and immeasurable stress that would result from a security breach. This small investment of time provides substantial protection for what matters most - your business's financial wellbeing and your peace of mind.

Outsourcing and Offshoring Policy

Updated: 30 October 2025

Purpose

To ensure that any outsourced or offshore work is performed competently, securely, and under adequate supervision, consistent with the TPB Code of Professional Conduct.

Client Consent

Client permission must be obtained before disclosing information to any third party or offshore staff.

Engagement letters include clear reference to these arrangements.

Supervision & Competence

PCS retains full responsibility for quality and compliance of outsourced work.

Supervisory logs are maintained quarterly.

Cybersecurity Requirements

Offshore staff must comply with PCS Cyber Protection and Data Breach Policy.

Access to client systems is permitted only through secure, MFA-protected channels (Practice Protect / M365).

No client data is stored locally outside PCS-approved systems. All processing and storage occur within Microsoft 365 and Azure Australia regions where technically feasible. Where offshore platforms are used, PCS ensures equivalent encryption and confidentiality standards.

Record Keeping & Retention

All supervisory records, review logs, and client work papers are retained for a minimum of five (5) years in secure OneDrive/SharePoint storage.

Integration with AI Systems

Where offshore or automated processes utilise AI tools, PCS applies the PCS AI Security & Privacy Policy to ensure that any AI use is secure, transparent, and limited to de-identified data.

Review

This policy is reviewed annually, or sooner if operations or legislation change.

AI Security & Privacy Policy

Version 1.0 – 30 October 2025

1. Purpose

This policy outlines how Precision Compliance Solutions (PCS) uses Artificial Intelligence (AI) technologies responsibly to maintain data security, client confidentiality, and compliance with Australian privacy and professional-conduct requirements.

2. Scope

Applies to all PCS staff, contractors, and systems using AI tools—including, but not limited to, Microsoft Copilot, Azure OpenAI Service, ChatGPT Business/Enterprise, Power Automate, or similar automation or analysis platforms.

3. Guiding Principles

PCS is committed to:

Confidentiality – Client and personal information is never intentionally entered into public or unapproved AI systems.

Integrity – Only de-identified or consented data is processed.

Transparency – Clients are informed where AI tools are used in service delivery.

Compliance – All AI use aligns with the Privacy Act 1988 (APPs) and TPB Code item 6 (confidentiality of client affairs).

Accountability – PCS remains responsible for all work produced, regardless of AI assistance.

4. Approved AI Use

AI may be used only for:

Drafting or summarising internal documents, policies, or general templates.

Analysing de-identified financial data for advisory insights.

Generating educational, procedural, or marketing content.

Use must always occur through PCS-approved accounts under Microsoft 365 or OpenAI Business/Enterprise with encryption and Australian data-residency enabled.

5. Prohibited Use

Staff and contractors must not:

Input client names, ABNs, TFNs, addresses, payroll details, or other identifiers into public or free AI platforms.

Use personal logins or consumer accounts for PCS work.

Connect unapproved apps or plug-ins to PCS data sources.

Any uncertainty must be escalated to the Managing Director before proceeding.

6. Data Residency & Security

All PCS AI processing occurs in secure cloud environments compliant with ISO 27001 and SOC 2.
Where available, data is stored within Microsoft Azure Australia East/West or other Australian regions under encryption (AES-256 at rest, TLS in transit).
Outputs containing client information are saved only to OneDrive/SharePoint within the PCS Microsoft 365 tenant.

7. Client Consent

PCS obtains client consent through its engagement letters and Outsourcing & Offshoring Policy before using any AI system that may store or process information externally.
Clients may request Australia-only data processing where technically feasible.

8. Training & Supervision

All staff, including offshore team members, receive annual training covering:

Secure use of AI systems

Redaction and de-identification techniques

Privacy Act and TPB obligations

Usage logs and supervision checks are reviewed quarterly by the Managing Director.

9. Record Keeping & Retention

AI outputs forming part of client deliverables are retained in PCS OneDrive for a minimum of five years in accordance with TPB record-keeping requirements.
Temporary working data and AI chats are deleted once the final document is approved.

10. Incident Management

Any suspected data exposure or AI-system breach must be reported immediately to the Managing Director.
Incidents are handled under the PCS Cyber Protection & Data Breach Policy, including notification under the Notifiable Data Breaches scheme.

11. Review

This policy is reviewed annually or sooner if legislation, AI technology, or PCS operations change.

PRECISION

YOU CAN COUNT ON!

ABN 16 687 527 519

BAS Agent 26310394


Copyright 2025 @ Precision Compliance Solutions Pty Ltd. All rights reserved
