Protecting Your Data with Industry-Leading Security
Last Updated: November 2025
Our Commitment to Security
At ClearLedger, we understand that your financial data is among your most sensitive information. This Information Security Policy outlines our comprehensive approach to protecting your data through robust technical controls, rigorous operational procedures, and ongoing security improvements. We are committed to maintaining the highest standards of information security across all our bookkeeping and financial services.
1. Overview and Purpose
This Information Security Policy establishes ClearLedger's commitment to protecting the confidentiality, integrity, and availability of all information assets entrusted to us by our clients, partners, and stakeholders.
Policy Objectives
Protect Client Data: Safeguard all financial and personal information from unauthorized access, disclosure, or destruction
Ensure Compliance: Meet all Australian regulatory requirements including the Privacy Act 1988, Australian Privacy Principles (APPs), and relevant financial services regulations
Maintain Trust: Build and maintain client confidence through transparent security practices
Business Continuity: Ensure operational resilience and data availability
Continuous Improvement: Regularly assess and enhance our security posture
Scope
This policy applies to:
All ClearLedger employees, contractors, and authorized third parties
All information systems, networks, and data storage facilities
All client data, including financial records, personal information, and business documentation
Physical and digital assets used in service delivery
Cloud-based services and third-party integrations
2. Core Security Principles
Confidentiality
Information is accessible only to authorized individuals through strict access controls, encryption, and secure authentication protocols.
Integrity
Data accuracy and completeness are maintained through validation checks, audit trails, and protection against unauthorized modification.
Availability
Systems and data are accessible to authorized users when needed through redundancy, backup systems, and disaster recovery planning.
3. Data Protection Measures
3.1 Encryption Standards
We employ industry-standard encryption to protect your data:
Data in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.3 or higher protocols
Data at Rest: All stored data is encrypted using AES-256 encryption standards
Database Encryption: Database-level encryption for all client financial records
Backup Encryption: All backup data is encrypted before storage
3.2 Access Control
Strict access controls ensure only authorized personnel can access client data:
Multi-Factor Authentication (MFA): Required for all staff accessing client systems
Role-Based Access Control (RBAC): Staff access limited to information necessary for their role
Least Privilege Principle: Minimal access rights granted by default
Regular Access Reviews: Quarterly audits of user access privileges
Immediate Revocation: Access removed within 2 hours of employment termination
Public: Marketing materials, publicly available information
4. Network and Infrastructure Security
4.1 Network Protection
Firewalls: Next-generation firewalls protecting all network perimeters
Intrusion Detection/Prevention: 24/7 monitoring for suspicious network activity
Network Segmentation: Logical separation of client data and internal systems
VPN Requirements: Mandatory for remote access to internal systems
Wireless Security: WPA3 encryption for all wireless networks
4.2 Cloud Security
For cloud-based services and data storage:
Australian-based data centers with ISO 27001 certification
Geo-redundancy across multiple Australian availability zones
Regular security assessments of cloud service providers
Contractual data protection requirements for all cloud vendors
Data residency compliance ensuring data stays within Australia
4.3 Physical Security
Secure office premises with controlled access
CCTV surveillance of sensitive areas
Visitor logging and escort procedures
Secure disposal of physical documents (cross-cut shredding)
Clean desk policy for all workstations
Data Residency Commitment: All client data is stored exclusively within Australian data centers, ensuring compliance with Australian data sovereignty requirements and providing enhanced protection under Australian privacy laws.
5. Operational Security Procedures
5.1 Secure Development Practices
Secure coding standards and guidelines
Code review processes before deployment
Regular security testing and vulnerability assessments
Penetration testing by independent security experts annually
Secure software development lifecycle (SDLC)
5.2 Change Management
Formal change approval process for all system modifications
Security impact assessments for changes
Testing in non-production environments
Rollback procedures for all changes
Documentation of all system changes
5.3 Vulnerability Management
Weekly automated vulnerability scans
Patch management program with priority-based deployment
Critical security patches applied within 48 hours
Regular security updates for all systems and applications
Third-party security assessments
5.4 Logging and Monitoring
Comprehensive logging of system access and activities
Real-time security monitoring and alerting
Log retention for a minimum of 12 months
Regular log review and analysis
Security Information and Event Management (SIEM) system
6. Backup and Business Continuity
6.1 Backup Procedures
Daily Backups: Automated daily backups of all client data
Incremental Backups: Continuous incremental backups throughout the day
Multiple Locations: Backups stored in geographically separate Australian data centers
Backup Encryption: All backups encrypted at rest and in transit
Backup Testing: Monthly restoration tests to verify backup integrity
Retention Period: Minimum 7-year retention for financial records
6.2 Disaster Recovery
Documented disaster recovery plan tested annually
Recovery Time Objective (RTO): 4 hours for critical systems
Recovery Point Objective (RPO): Maximum 1 hour of data loss
Failover capabilities to backup systems
Alternative work arrangements for staff
6.3 Business Continuity
Comprehensive business continuity plan
Redundant systems and infrastructure
Alternative communication channels
Staff training on emergency procedures
Regular plan reviews and updates
7. Third-Party and Vendor Management
7.1 Vendor Security Assessment
Security due diligence for all new vendors
Review of vendor security certifications (ISO 27001, SOC 2)
Contractual security requirements
Regular vendor security audits
Vendor risk assessments and ratings
7.2 Third-Party Access
Minimal access principle for third-party vendors
Time-limited access credentials
Monitoring of third-party activities
Non-disclosure agreements (NDAs) required
Right to audit third-party security practices
7.3 Software and Tool Security
We carefully select and monitor third-party software:
Approved software list for business use
Security assessment of all new applications
Regular updates and patch management
License compliance monitoring
Prohibition of unauthorized shadow IT
8. Staff Security and Training
8.1 Security Awareness Training
Onboarding Training: Mandatory security training for all new employees
Annual Refresher: Yearly security awareness training
Phishing Simulations: Regular testing to identify vulnerabilities
Security Updates: Monthly security bulletins and updates
Incident Response Training: Procedures for reporting security concerns
8.2 Background Checks
Police checks for all staff with client data access
Reference verification
Professional qualification verification
Ongoing monitoring where appropriate
8.3 Acceptable Use Policy
Clear guidelines on acceptable use of company systems
9. Incident Response
9.1 Incident Response Plan
We maintain a comprehensive incident response plan covering:
Detection: Monitoring systems for security incidents
Classification: Severity assessment and categorization
Containment: Immediate actions to limit impact
Investigation: Root cause analysis
Resolution: Remediation and recovery
Communication: Notification of affected parties
Post-Incident Review: Lessons learned and improvements
9.2 Incident Response Team
Designated incident response coordinator
24/7 security incident response capability
Escalation procedures for critical incidents
Contact information for emergency response
9.3 Data Breach Notification
In the event of a data breach:
Immediate assessment of breach scope and impact
Notification to affected clients within 72 hours
Notification to Office of the Australian Information Commissioner (OAIC) if required
Transparent communication about breach details
Remediation steps and support for affected clients
Post-breach security enhancements
Report Security Concerns: If you suspect a security incident or have concerns about the security of your data, please contact us immediately at [email protected] or call 1300 CLEAR 1 (1300 253 271).
10. Compliance and Regular Auditing
10.1 Regulatory Compliance
We maintain compliance with all relevant Australian regulations:
Privacy Act 1988: Australian Privacy Principles (APPs) compliance
Notifiable Data Breaches (NDB) Scheme: Breach notification requirements
Tax Agent Services Act 2009: Professional standards and obligations
We are committed to achieving and maintaining industry-recognized security certifications:
ISO 27001 Information Security Management (in progress)
Australian Privacy Principles compliance verification
SOC 2 Type II compliance (planned)
Regular certification renewals and updates
10.4 Documentation and Records
Comprehensive security documentation maintained
Security policy version control
Audit trail of all security-related activities
Incident records and response documentation
Training and awareness records
11. Client Security Responsibilities
While we implement robust security measures, effective information security requires partnership with our clients. We ask that you:
11.1 Account Security
Keep login credentials confidential and secure
Use strong, unique passwords for your ClearLedger account
Enable multi-factor authentication when available
Never share account access with unauthorized individuals
Report suspected unauthorized access immediately
Log out when using shared or public computers
11.2 Communication Security
Verify the authenticity of emails claiming to be from ClearLedger
Do not click on suspicious links or download unexpected attachments
Use secure methods when sharing sensitive information
Report phishing attempts or suspicious communications
11.3 Document Security
Securely store physical documents containing financial information
Properly dispose of sensitive documents (shredding)
Use encrypted transmission when sending documents electronically
Verify recipient details before sending sensitive information
11.4 Device Security
Keep devices used to access ClearLedger services updated
Install and maintain current antivirus software
Secure devices with passwords or biometric authentication
Avoid accessing ClearLedger from public Wi-Fi without VPN
Report lost or stolen devices that had access to your account
12. Your Privacy Rights
Under the Australian Privacy Principles, you have important rights regarding your personal information:
12.1 Access and Correction
Request access to your personal information we hold
Request correction of inaccurate or outdated information
Receive information in a structured, commonly used format
Response to access requests within 30 days
12.2 Data Portability
Request export of your data in common formats
Transfer data to another service provider
Receive copies of documents and records
12.3 Deletion and Retention
Request deletion of personal information (subject to legal obligations)
Understand our data retention policies
7-year minimum retention for financial records as required by Australian tax law
12.4 Marketing and Communications
Opt-out of marketing communications at any time
Update communication preferences
Receive only essential service communications if preferred
Exercise Your Rights: To exercise any of your privacy rights, please contact our Privacy Officer at [email protected] or use the contact details provided at the end of this policy.
13. Policy Review and Continuous Improvement
13.1 Regular Reviews
This Information Security Policy is reviewed and updated:
At least annually as part of our scheduled review cycle
Following significant security incidents
When regulatory requirements change
When business operations or technology significantly change
Based on emerging security threats and trends
13.2 Continuous Improvement
We are committed to continuously improving our security posture through:
Regular security assessments and risk analyses
Monitoring emerging security threats and vulnerabilities
Implementing industry best practices
Learning from security incidents and near-misses
Incorporating feedback from audits and assessments
Staying informed about regulatory changes
13.3 Version Control
Current Version: 2.1
Effective Date: November 1, 2025
Last Reviewed: November 2025
Next Review Date: November 2026
Document Owner: Chief Information Security Officer
13.4 Change Notification
When we make material changes to this policy, we will:
Notify clients via email of significant changes
Post updates on our website with change highlights
Maintain previous versions for reference
Allow reasonable time for review before implementation
14. Contact Information
Security and Privacy Contacts
General Security Inquiries
Email: [email protected]
Phone: 1300 CLEAR 1 (1300 253 271)
Response Time: Within 24 hours for non-urgent matters
Privacy Officer
Email: [email protected]
Phone: 1300 CLEAR 1 (1300 253 271)
Response Time: Within 5 business days
Acknowledgment: By using ClearLedger's services, you acknowledge that you have read, understood, and agree to be bound by this Information Security Policy. We are committed to protecting your information and maintaining your trust through rigorous security practices and transparent communication.