**4. Data Security & Information Handling Policy**
This Data Security & Information Handling Policy forms part of Ezyiah’s Terms and Conditions and Privacy Policy and outlines how Ezyiah collects, stores, protects, processes, and manages user and client information.
Ezyiah is committed to implementing commercially reasonable administrative, technical, and physical safeguards designed to protect data against unauthorised access, misuse, interference, loss, corruption, alteration, disclosure, or destruction in accordance with applicable Australian laws and industry security standards.
This policy is intended to assist Ezyiah in complying with its obligations under the following, including but not limited to:
- the Privacy Act 1988 (Cth);
- the Australian Privacy Principles (“APPs”);
- the Notifiable Data Breaches Scheme;
- the Electronic Transactions Act 1999 (Cth); and
- applicable taxation, accounting, and cybersecurity obligations under Australian law.
**4.1 Purpose**
The purpose of this policy is to:
- protect client and user data from unauthorised access, disclosure, misuse, alteration, or destruction;
- maintain the confidentiality, integrity, and availability of information stored on the Ezyiah platform;
- establish security obligations for users, staff, contractors, and authorised third parties;
- support regulatory compliance and cybersecurity best practices; and
- minimise risks associated with cyber threats, data breaches, fraud, and system compromise.
**4.2 Security Measures**
Ezyiah implements layered security controls and commercially reasonable safeguards designed to protect data throughout its lifecycle.
Security measures may include, without limitation:
**Encryption & Secure Transmission**
- Encryption of data at rest and in transit using industry-standard encryption protocols;
- Secure HTTPS/TLS encrypted communications;
- Encrypted cloud storage and backup systems;
- Secure API authentication and transmission methods.
**Access Controls & Authentication**
- Role-based access controls limiting access to authorised personnel only;
- Multi-factor authentication (“MFA”) and secure credential management;
- Password protection and authentication protocols;
- Session management and account monitoring controls.
**System Monitoring & Threat Detection**
- Continuous monitoring of systems, infrastructure, and platform activity;
- Automated detection tools for suspicious or malicious activity;
- Security logging and audit trail monitoring;
- Intrusion detection and incident response procedures.
**Security Testing & Maintenance**
- Regular internal security reviews and vulnerability assessments;
- Independent penetration testing and external security assessments where appropriate;
- Timely deployment of software patches and security updates;
- Ongoing maintenance of infrastructure and cybersecurity controls.
**Data Handling & Storage**
- Segregation of sensitive data where appropriate;
- Controlled access to production environments;
- Secure storage and backup management procedures;
- Data minimisation and retention controls.
Ezyiah reserves the right to modify or enhance security measures at any time to address evolving cybersecurity threats or operational requirements.
**4.3 User Responsibilities**
Users acknowledge and agree that maintaining security is a shared responsibility.
Users must:
- maintain secure passwords and account credentials;
- enable multi-factor authentication where available;
- ensure exported or downloaded records are securely stored;
- restrict unauthorised access to their devices and accounts;
- immediately notify Ezyiah of any suspected unauthorised access, security incident, phishing attempt, or data breach;
- ensure information uploaded to the platform does not contain malicious code, viruses, or unlawful material; and
- comply with all reasonable security procedures and instructions issued by Ezyiah.
Users are solely responsible for activities conducted through their accounts where those activities result from a failure to maintain adequate account security.
**4.4 Information Handling**
Ezyiah handles information in accordance with applicable privacy obligations and internal security practices. Information may be:
- collected and processed for the provision of platform services;
- stored in secure cloud-based or hosted environments;
- retained for legal, compliance, backup, operational, and audit purposes;
- accessed by authorised personnel, contractors, or service providers strictly on a need-to-know basis; and
- disclosed where required by law, court order, regulatory obligation, or lawful authority.
Ezyiah takes reasonable steps to ensure that personal information is accurate, up to date, and protected against misuse, interference, and loss.
**4.5 Security Commitments**
Ezyiah is committed to maintaining strong cybersecurity and information protection practices, including:
- alignment with ISO 27001 security principles and controls where commercially appropriate;
- compliance with applicable Australian privacy and data protection laws;
- regular internal security reviews and annual penetration testing where applicable;
- ongoing monitoring and incident response capabilities;
- secure encryption standards for stored and transmitted information; and
- compliance with applicable breach notification obligations.
**4.6 Data Breach & Incident Response**
Ezyiah maintains incident response procedures designed to identify, investigate, contain, document, and remediate suspected cybersecurity incidents or data breaches.
In the event of a suspected or confirmed security incident, Ezyiah may:
- investigate the nature and scope of the incident;
- isolate affected systems or accounts;
- engage cybersecurity specialists, forensic investigators, or legal advisers;
- notify affected users where required by law;
- report eligible breaches to regulatory authorities in accordance with the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth); and
- implement remediation measures to reduce the risk of recurrence.
Users must promptly report any suspected security incidents or unauthorised access involving their account or information.