Security Policy

Effective Date: November 2025

1. Purpose & Scope

This policy describes the security controls, practices and responsibilities designed to protect the confidentiality, integrity, and availability of personal information processed by Career Agent PTY (LTD). It applies to all systems, staff, contractors and third-party providers.

2. Governance & Roles

We assign responsibility for information security governance and incident response to senior management and an appointed Data Protection Officer or Privacy Lead. Roles include access management, security monitoring, and compliance oversight.

3. Technical Controls

  • Encryption in transit (TLS/HTTPS) and at rest for sensitive data.
  • Secure authentication: password policies, optional 2FA, session management and account lockout.
  • Least-privilege access and role-based access control for staff and systems.
  • Network protections: firewalls, segmentation, IDS/IPS and secure host configurations.
  • Regular vulnerability scanning and penetration testing.
  • Secure backup and disaster recovery procedures with encrypted backups and retention policies.

4. Operational Controls

  • Security awareness and mandatory training for employees and contractors.
  • Background checks for staff with access to personal data as appropriate.
  • Change management and code review processes for production changes.
  • Logging, monitoring and alerting of security events; logs retained per policy.
  • Vendor security assessments and contractual security obligations for data processors.

5. Incident Response

We maintain an incident response plan to rapidly detect, contain and remediate security incidents. In the event of a breach involving personal information we will investigate, notify affected individuals and relevant authorities in accordance with POPIA and applicable law, and publish a remediation plan.

6. Data Minimisation & Retention

We collect the minimum personal information necessary for the stated purposes and retain it only as long as required to deliver the service, comply with legal obligations, or as otherwise permitted under POPIA.

7. Third-Party Vendors

We conduct due diligence and enter into data processing agreements that require vendors to implement security measures at least as protective as our own, and to allow audits or provide evidence of compliance when needed.

8. User Responsibilities

  • Choose strong, unique passwords and enable 2FA where available.
  • Keep your device secure and updated.
  • Report suspicious emails, links or activity to our security team immediately.

9. Review & Continuous Improvement

We review security controls periodically and after incidents to update our protection measures in line with evolving threats and legal obligations.

Questions about security: info@careeragentapp.co.za