Data Processing & Sovereignty Statement
1. Australian Data Sovereignty Commitment
QTech Cyber Pty Ltd is unconditionally committed to Australian data sovereignty. We believe that organisations providing cybersecurity services have a heightened obligation to practise what they preach in relation to data protection. All personal information, client data, engagement findings, and business records are stored, processed, and retained exclusively within Australia. This commitment is not merely a policy position — it is embedded into our technology procurement, contractual arrangements, and operational procedures.
2. Legal Frameworks Governing Our Data Processing
Our data processing activities are governed by and comply with the following Australian legislation and frameworks:
- Privacy Act 1988 (Cth) — including all thirteen Australian Privacy Principles (APPs) and the Notifiable Data Breaches (NDB) scheme under Part IIIC
- Security of Critical Infrastructure Act 2018 (Cth) — including obligations applicable to cybersecurity service providers to critical infrastructure sectors
- Australian Government Information Security Manual (ISM) — controls applied to our own systems and infrastructure
- Protective Security Policy Framework (PSPF) — security practices aligned with Australian Government security requirements
- Telecommunications (Interception and Access) Act 1979 (Cth) — access to communications data is only undertaken under lawful authority and client authorisation
- My Health Records Act 2012 (Cth) — applicable where health sector clients are engaged and health records may be in scope
- Australian Privacy Act Credit Reporting provisions (Part IIIA) — applicable where financial sector clients engage us to assess systems handling credit information
- Spam Act 2003 (Cth) — all electronic communications we send comply with Australian anti-spam legislation
- Do Not Call Register Act 2006 (Cth) — outbound communications comply with applicable restrictions
3. Infrastructure and Processing Location
All QTech Cyber systems, storage, and processing infrastructure are located in Australian data centres. Our primary operations utilise facilities in Sydney and Melbourne, with no replication to overseas regions. Infrastructure and cloud service providers engaged by QTech Cyber are contractually required to process and store all data within Australia and to notify us immediately of any request by a foreign government or court to access data we hold. In the event of such a request, we will seek legal advice and, where permitted, notify affected clients before complying.
4. Data Classification and Handling
We classify all data handled during engagements in accordance with the Australian Government's information classification scheme:
- OFFICIAL (general business information): standard access controls apply
- OFFICIAL: Sensitive (client system details, vulnerability findings, personal information): encrypted storage, restricted access, audit logging
- PROTECTED equivalent (highly sensitive findings, critical infrastructure data): additional encryption, strict need-to-know access, enhanced audit trails
All data is handled at the classification level appropriate to its sensitivity. Client data is never commingled with data from other engagements.
5. Data Minimisation and Purpose Limitation
We collect and retain only the minimum data necessary for the defined purpose of each engagement. Data collected during a penetration test or security assessment is used solely to produce the agreed deliverables for that engagement. We do not retain raw vulnerability data, system configuration data, or personal information discovered during testing beyond the engagement period without explicit written client consent. Where we encounter personal information incidentally during an engagement, we handle it with the same level of care as other sensitive data and report its existence to the client without retaining or examining it further than necessary.
6. Data Retention and Destruction
Retention periods are agreed with each client in the Statement of Work. In the absence of a specific agreement, the following default retention periods apply:
- Website enquiry data (email addresses): maximum 12 months from the date of collection or from resolution of the enquiry, whichever comes first
- Engagement reports and deliverables: 7 years from engagement close (to meet professional indemnity insurance and legal obligations), after which they are securely destroyed
- Financial and invoicing records: 7 years from transaction date, as required by Australian taxation law
- Raw testing data and artefacts: Securely destroyed within 30 days of engagement close unless otherwise agreed
All data destruction follows the processes specified in the Australian Signals Directorate (ASD) Information Security Manual and NIST SP 800-88 Guidelines for Media Sanitisation, including secure overwriting, degaussing, or physical destruction as appropriate to the media type.
7. Sub-Processors and Third Parties
QTech Cyber does not engage overseas sub-processors for any personal or client data. Any subcontractors or third-party specialists engaged to assist with service delivery are:
- Based in Australia and subject to Australian law
- Required to execute confidentiality and data handling agreements before receiving any client data
- Subject to the same data sovereignty and security requirements as QTech Cyber staff
- Prohibited from further sub-contracting without QTech Cyber's written consent
The only third-party resource used by this website is Google Fonts (font file delivery). No personal information about website visitors is transmitted to Google in connection with font loading.
8. Your Rights as a Data Subject
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, individuals whose personal information we hold have the right to:
- Request access to their personal information (APP 12) — we will respond within 30 days
- Request correction of inaccurate or incomplete personal information (APP 13)
- Request deletion of personal information we are not legally required to retain
- Lodge a complaint about our handling of their personal information
- Seek a review of our decision to refuse access or correction through the OAIC
To exercise any of these rights, contact our Privacy Officer at privacy@qtechcyber.ai. We will acknowledge your request within 5 business days and respond substantively within 30 days. Where we are unable to provide access or make a requested correction, we will provide written reasons.