Data Security Guidelines
A&O take the handling of your data files very seriously. These guidelines outline how we process your Personally Identifiable Information (PII) during the completion of your job.
In order to handle your sensitive information, we require all A&O team members to understand and comply with our Cyber Security Policy.
Data at rest
We store your files securely on Australia-based cloud services in order to complete the processing required for your campaign.
Data at rest is encrypted using 256-bit SSL (Secure Sockets Layer) and held in secure, SSAE 16 audited data centres in Australia.
Where possible, files are retained on our cloud storage device and edited remotely.
In some cases, it may be necessary to replicate files on server or local environments for processing. Employees are trained to ensure that any copies of documents downloaded to physical devices are destroyed once the documents have been edited and resaved in Sharefile.
Data in transit
The primary concern of data in transit is when you share data files with A&O. There are many different ways that businesses can exchange files. They can be summarised as:
The default transmission method is Citrix Sharefile cloud storage, which provides enterprise-grade cloud protection for your files. It has the security features that you would expect from SFTP whilst offering an improved user experience, both when you upload files to us and when our production team works on the files, since they will usually not need to download them out of Citrix Sharefile at all to carry out processing.
Data in transit is protected by encrypted connections (HTTPS, SSL, TLS, FTPS).
Using a custom file sharing service/method of your choice.
Our team can be flexible to meet the needs of your business. If you wish to transmit files through alternative means, we will not accept liability for the security or integrity of your files during transit. We may need to agree on additional costs with you for any provision of additional infrastructure, professional services or staff training that pertains to adopting your preferred method of file transfer.
We do not recommend sharing data files containing Personally Identifiable Information (PII) with us via email transmission. Sharing your data files with us via email is not considered safe, and is performed at your own risk. Our staff will never ask you to share files that could be considered PII via email for this reason. All email information including sender, subject, body and attachments will be handled via our email provider (Google) and will therefore be subject to their usual storage protocols.
Data in use
During the course of preparing your campaign, we will need to process the files you have shared with us.
A&O may share your data with 3rd party suppliers or software vendors for purposes of processing and completing your job. These include:
Amazon Web Services (AWS)
We may use proprietary and 3rd party infrastructure and software hosted on AWS to generate PDF documents and audit logs of mail articles generated. All infrastructure and data are retained in Australian data centres and maintained by ICT Professionals.
Place of processing: Australia.
We connect our Sharefile instance and AWS Virtual Private Cloud to our on-premises Local Area Network (LAN) to exchange files with our plant machinery and local devices. Data is not retained on-premises after use, and cloud data is inaccessible from any device without secure multi-factor authentication via our shared password management system. We do not permit anyone other than critical support staff to take devices that have access to PII away from our work premises.
Place of processing: Australia.
Zapier is a workflow automation service provided by Zapier, Inc. that automates the movement of data between (third-party) services. We may use Zapier to connect with your 3rd party applications or ad-hoc workflows and automation that handle your data files. Use of this tool is optional, and we will always disclose the use of this tool if it is required.
Place of processing: United States.
There are different types of data that we collect and handle on your behalf throughout our partnership.
Data Retention for uploaded data files and replications
Unless otherwise advised, A&O will retain your uploaded data and any replications within our cloud storage platform for a period of 30 days after processing your campaign, before deleting them permanently. If you require a different retention period, please inform a member of our team before your campaign is processed.
Analytics and campaign reports
To provide reporting and billing intelligence, A&O may retain metadata, generated by our own software or by 3rd parties such as Australia Post, pertaining to each article we process on your behalf. The data may include a document ID, number of pages/sheets, printing method, post method and tracking information. It is not considered PII. If you would prefer that we do not retain any records for these purposes, please let a member of our team know before your campaign is processed.
Communications, billing and website analytics