Cybersecurity and Data Governance Overview

Redfox approaches information security as part of its broader digital operating model.
Security is integrated into platform, access, delivery, and governance systems to ensure
data protection scales alongside performance and infrastructure.
Privacy Policy URL
Redfox maintains a publicly accessible Privacy Policy outlining how personal information is
collected, used, stored, and protected.
Privacy Policy:
https://www.redfox.digital/privacy-policy/
Data Retention
Redfox applies a structured data retention approach aligned to operational and security requirements.
- System logs are retained for 12 months to support auditability and incident investigation.
- Backups are maintained based on system-level backup policies aligned to business risk and recovery requirements.
- Deleted pages and content may remain within backup systems for the duration of the backup lifecycle before permanent deletion.
Retention is defined at the system level based on risk, recovery needs, and compliance obligations.
Compliance Certifications and Security Alignment
Redfox operates with a structured information security posture aligned to recognised standards.
- CyberGRX Tier Level 2 Certified
- Aligned to ISO/IEC 27001 principles
- Aligned to the Australian Privacy Principles, including APP 11
- Aligned to the Australian Signals Directorate Essential Eight
Redfox does not rely on surface-level certification alone. Our approach is architecture-led, with security controls embedded across systems access, platform management, and delivery operations.
Governance & Documentation
Redfox maintains a formal Information Security Risk Management Plan and Policy that defines controls, access management, incident response, and system governance.
Due to the operational nature of this document, it is not published publicly. A copy can be made available to clients and partners upon request, subject to appropriate confidentiality arrangements.
Insurance
Redfox maintains appropriate insurance coverage to support its operational and
security responsibilities.
- Technology Professional Indemnity and Cyber Liability Insurance
- Public and Products Liability Insurance
Certificates of currency can be provided upon request.
Termination of Data Use
Redfox has defined processes for secure data handling upon termination of services.
- Client offboarding triggers an information security incident process to ensure controlled handling of data.
- Customer data is reviewed, removed from active systems, and securely destroyed where required.
- Data destruction actions are logged, reported, and governed through Redfox’s information security management process.
Termination is handled as a controlled security event with auditability, not as an informal manual step.
Data Breach Policy
Redfox maintains a structured Incident Management Framework to manage any actual or suspected data breach.
Detection and Reporting
- Any suspected or actual incident must be escalated immediately.
- Notification is made to the CISO and the InfoSec Administration Officer.
Triage and Risk Assessment
- Incidents are formally assessed for data exposure risk, system impact, and customer impact.
- The incident is documented and triaged to determine required actions and owners.
Response Management
- A defined response plan is established and managed through to remediation.
- Containment, corrective action, and follow-up activities are assigned and tracked.
Communication
- Internal reporting is provided to the InfoSec Risk Management Committee.
- External or customer reporting is undertaken where required.
Post-Incident Review
- Each incident is reviewed to identify lessons and improvements.
- Policies, systems, and controls are updated where needed to strengthen the overall security posture.
Summary
Redfox treats security as part of a broader, structured operating model. This ensures privacy, backup retention, breach response, and data termination are managed with clear governance, documented controls, and operational accountability.