Security Policy

A public statement of Vidette's security commitments in relation to the operation of this website and the handling of personal information submitted through it.

Version 1.0 · Last updated 12 May 2026

Introduction

Vidette Pty Ltd (ABN 11 643 851 843) (Vidette, we, us, our) is committed to protecting the security of personal information and data collected through our website and partner application processes.

This Security Policy is a public statement of Vidette's security commitments in relation to the operation of our website and the handling of personal information submitted through it. It applies to all information collected through contact and enquiry forms and prospective partner applications.

This Policy should be read together with our Privacy Policy, which describes how personal information is collected, used, and disclosed.

1. Scope

This Security Policy applies to:

  • Personal information collected through the Vidette website, including contact enquiry and partner application submissions
  • Systems and infrastructure used to receive, process, and store information submitted through this website
  • Third-party service providers engaged by Vidette to process information collected through this website

This Policy does not govern the security arrangements of individual Vidette framework members in respect of client service delivery engagements. Security obligations applicable to service delivery are addressed separately under the engagement and subcontracting agreements binding those members.

2. Security governance

Vidette maintains a security governance framework informed by recognised industry standards, including:

  • The ASD Essential Eight Maturity Model (Australian Signals Directorate / Australian Cyber Security Centre)
  • ISO/IEC 27001 Information Security Management principles

A nominated Privacy and Security Officer within Vidette holds responsibility for:

  • Maintaining and reviewing this Security Policy
  • Overseeing the implementation and ongoing effectiveness of security controls
  • Managing security incidents and coordinating applicable breach notification obligations
  • Liaising with the Office of the Australian Information Commissioner (OAIC), the New Zealand Privacy Commissioner, the Singapore Personal Data Protection Commission (PDPC), and other regulatory bodies as required

3. Data protection measures

3.1 Encryption

  • All data transmitted to and from this website is encrypted using Transport Layer Security (TLS) version 1.2 or higher
  • Personal information held in Vidette's systems is encrypted at rest using industry-standard encryption

3.2 Access controls

  • Access to systems holding personal information collected through this website is restricted to authorised Vidette personnel on a need-to-know basis
  • Multi-factor authentication (MFA) is required for access to systems holding personal information
  • Access rights are reviewed periodically and revoked promptly upon cessation of a personnel role or change of responsibilities
  • Administrative access is governed by a least-privilege principle, consistent with ASD Essential Eight Restrict Administrative Privileges guidance

3.3 Data retention and disposal

  • Personal information is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law or regulation
  • When personal information is no longer required and there is no legal obligation to retain it, it is securely destroyed or de-identified
  • Retention periods are reviewed periodically as part of Vidette's security governance cycle

4. Website security

Vidette implements the following security measures in relation to this website and its supporting infrastructure:

  • Regular application and system patching and updates, consistent with ASD Essential Eight Patch Applications and Patch Operating Systems guidance
  • Web application firewall and network-level controls
  • Regular vulnerability assessments of website and supporting infrastructure
  • Secure configuration and hardening of web server and application infrastructure
  • Monitoring and logging of access and activity, with log retention consistent with security governance requirements
  • Email security controls for inbound enquiry and application submissions

5. Third-party service providers

Where Vidette engages third-party service providers to host or process personal information collected through this website, Vidette:

  • Conducts security assessments of prospective providers prior to engagement, including review of security certifications, controls, and privacy practices
  • Requires contractual data processing commitments, including obligations to maintain appropriate security controls and to comply with applicable privacy legislation
  • Gives preference to providers that hold recognised security certifications (such as ISO/IEC 27001) or demonstrate equivalent security maturity
  • Monitors third-party compliance with contractual security and privacy obligations during the engagement

Details of Vidette's primary website infrastructure and hosting providers are available on request, subject to applicable security and commercial confidentiality constraints.

6. Incident management and notification

6.1 Internal response

In the event of a security incident affecting personal information collected through this website, Vidette will:

  • Contain the incident and limit further exposure as promptly as practicable
  • Assess the nature, scope, and potential harm of the incident
  • Document the incident, its root cause, the data and individuals affected, and all remediation actions taken
  • Review and improve controls to prevent recurrence

6.2 Regulatory notification

Vidette will notify relevant regulators as required by applicable law, including:

  • The Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme (Part IIIC, Privacy Act 1988 (Cth)), where a breach is likely to result in serious harm to any individual whose information is involved
  • The New Zealand Privacy Commissioner under the mandatory notification provisions of Part 7 of the Privacy Act 2020 (NZ), where the breach is a notifiable privacy breach likely to cause serious harm to any New Zealand individual whose information is involved
  • The Personal Data Protection Commission (PDPC) in Singapore under Part VIA of the Personal Data Protection Act 2012 (Singapore), where the breach involves personal data of individuals in Singapore and meets the applicable notification threshold

6.3 Individual notification

Where required by applicable law, Vidette will notify affected individuals of a data breach, providing:

  • A description of the breach and the kinds of information involved
  • The likely consequences of the breach
  • The steps Vidette has taken or proposes to take in response
  • Contact details for further enquiries

7. Your responsibilities

When interacting with this website, you are responsible for:

  • Not including passwords, credentials, or authentication tokens in any website form submission — our forms are not designed to collect this type of information
  • Ensuring that personal information you submit does not include information belonging to third parties without appropriate authority to provide it to us
  • Maintaining the security of any credentials or access details associated with communications with Vidette
  • Reporting any suspected security vulnerabilities or security-related concerns affecting this website to Vidette promptly using the contact details in Section 9

Vidette supports responsible disclosure of security vulnerabilities. If you identify a potential security issue affecting this website or our related systems, we ask that you contact us before any public disclosure to allow us to investigate and remediate the issue.

8. Review and maintenance

This Security Policy is reviewed at a minimum annually, or following:

  • A material security incident
  • A significant change to Vidette's website infrastructure, data handling practices, or third-party service providers
  • A material change in applicable legal or regulatory requirements

The current version of this Security Policy, with the date of last review, is published on our website.

9. Contact

Security enquiries, incident reports, and responsible disclosure notifications should be directed to:

Privacy and Security Officer
Vidette Pty Ltd
Suite 30, Level 1, Tower A, 888 Pittwater Road, Dee Why NSW 2099, Australia
PO Box 50, Dee Why NSW 2099, Australia
Email: [email protected]

For general privacy enquiries, please refer to our Privacy Policy published on this website.