Our Commitment to Your Security
At ComplyMate, we understand that the security and confidentiality of your data are paramount. Our platform is built on a foundation of robust security protocols and practices to ensure your information is protected at all times. As an ATO-registered Digital Service Provider (DSP), we adhere to the strict security standards set by the Australian Taxation Office (ATO), providing you with a platform you can trust.
This page outlines our core security measures, data handling policies, and operational procedures, giving you full transparency into how we protect your data.
Data and Infrastructure Security
Where is ComplyMate’s data hosted?
Data is securely hosted within the AWS (Amazon Web Services) Asia Pacific (Sydney) Region, specifically ap-southeast-2.
What security protocols are used for data?
We employ a multi-layered approach to data security, using industry-standard technologies and strict internal controls:
- Encryption: Data is protected both in transit and at rest using industry-standard encryption protocols. We use AWS Key Management Service (KMS) to manage the encryption keys, adding an extra layer of protection.
- Access Control: Access to all data is restricted on a need-to-know basis. User access is limited to a user’s specific domain, and internal access to personal information is restricted where practicable.
- Regular Monitoring: We continuously monitor and review our practices to ensure they align with our internal policies and exceed industry best practices.
- Third-Party Security: We require all third-party partners to meet equivalent security and confidentiality standards.
What are your data retention and deletion policies?
We retain data only for as long as necessary to fulfill the purpose for which it was collected, and to meet legal, accounting, or reporting requirements.
At the end of the retention period, your data is either permanently deleted or anonymised for non-identifiable statistical analysis and business planning. You can also request the deletion of your data in certain circumstances.
What are your data backup arrangements?
We use Amazon RDS with AWS Backup configured to provide continuous backup and point-in-time recovery (PITR). Backups are retained for a minimum period of 30 days.
What is your policy regarding data loss?
Data loss is classified as a critical incident under our Incident Management policy. In the unlikely event of data loss, our incident response plan is immediately activated. Critical incidents are evaluated and addressed within one hour of classification to ensure a rapid response and mitigation.
Account and User Security
How do I access the ComplyMate application?
ComplyMate uses a secure authentication model to protect your account:
- Mandatory Two-Factor Authentication (2FA): All accounts are required to use 2FA via a Time-based One-Time Password (TOTP), providing an essential extra layer of security beyond your password.
- Domain-based Access: Authentication is restricted to authorised email domains.
- Password Policy: We enforce minimum password requirements to ensure strong password hygiene.
- Single Sign-On (SSO): SSO integration can be considered upon request for enterprise clients.
Who owns the data on ComplyMate’s systems?
You, the customer, retain full ownership of your data. You grant ComplyMate a non-exclusive license to use, reproduce, and process the data only to the extent required to provide the product and its services. Your data is your property, and we are simply the secure custodian.
What is the exit policy for customer data?
Upon the termination of your subscription, you will no longer have access to your data on the ComplyMate platform. We strongly advise that you download all necessary information in Excel format before your subscription terminates. Special data packaging requests can be discussed at the time of contract completion. Regarding personal data, we will either delete or return all of your data to you, unless legally required to retain it.
Compliance and Support
What certifications does ComplyMate have?
ComplyMate is an officially registered ATO Digital Service Provider (DSP). You can find ComplyMate on the ATO’s Product Register.
What is your application support model?
Our dedicated support team is made up of experienced Tax and IT professionals based in Australia. Support is available remotely during New South Wales business hours, Monday to Friday, from 9:00 am to 5:30 pm (excluding public holidays and weekends).
Support Channels:
- Knowledge Base: Comprehensive user guides and FAQs are available for self-service support.
- Help Desk: You can raise a support request by emailing support@complymate.com.au.
Important Note: ComplyMate provides software-related support only. We are not a registered tax agent and cannot provide tax advice. For queries requiring the services of a tax agent, we will refer you to our affiliate, Tax Thru Technology Pty Ltd (Registered Agent #26099826).
We are committed to continuous improvement to ensure ComplyMate keeps pace with best practices and evolving threats:
- Regular Software Updates: We deploy enhancements, bug fixes, and new features regularly.
- Security Patches: We apply critical security patches to protect against emerging cybersecurity threats.
- Performance Optimisation: We consistently work on improving the application’s speed and efficiency.
