First Contact Cybersecurity and Data Breach Response Policy

Effective Date: 26th February 2025
Jurisdiction: Australia
Site Covered: www.firstcontact.co


1. Introduction

First Contact Pty Ltd, referred to as First Contact, Company, We, Us, or Our, is committed to protecting user data, preventing cyber threats, and ensuring a swift response in the event of a security breach.

This policy outlines our cybersecurity measures, data protection practices, and incident response protocols to safeguard our digital infrastructure, customer information, and business operations.

If you suspect a security issue or breach, contact security@firstcontact.group immediately.


2. Cybersecurity Measures

We implement a multi-layered security approach to protect First Contact’s website, digital services, and customer data.

2.1 Data Encryption & Security

  • All personal and payment data is encrypted using industry-standard encryption protocols (AES-256).
  • SSL/TLS is used for secure data transmission across our website.
  • User passwords are hashed and stored securely, with no plain-text storage.

2.2 Access Controls & Authentication

  • Multi-Factor Authentication (MFA) is required for admin and privileged accounts.
  • Role-Based Access Control (RBAC) ensures employees access only the data necessary for their roles.
  • Regular review and revocation of access permissions for departing staff.

2.3 Malware & Threat Protection

  • Web applications are protected by firewalls, intrusion detection systems (IDS), and anti-malware software.
  • Regular security patches and software updates are applied to prevent vulnerabilities.
  • AI-based monitoring systems detect and mitigate potential cyber threats.

2.4 Employee Security Training

  • Mandatory cybersecurity awareness training for all employees.
  • Simulated phishing attack exercises to educate staff on social engineering threats.
  • Secure remote work policies to protect access to business systems.

2.5 Third-Party Risk Management

  • Security vetting of third-party service providers that handle customer data.
  • Contracts with data protection agreements to ensure compliance.
  • Regular security audits and vulnerability testing of third-party integrations.

3. Data Breach Response Plan

Despite robust security measures, cyber incidents may occur. This section details our incident response process to handle breaches effectively.

3.1 What is Considered a Data Breach?

A data breach is any unauthorized:

  • Access, disclosure, modification, or destruction of personal, financial, or business data.
  • Compromise of user accounts or website functionality.
  • Cyberattack affecting website operations, databases, or third-party integrations.

3.2 Breach Detection & Investigation

  • Security teams conduct real-time monitoring to detect suspicious activity.
  • A forensic investigation is launched immediately upon breach detection.
  • The root cause and scope of the breach are determined within 24 hours.

3.3 Containment & Mitigation

  • Immediate lockdown of compromised systems to prevent further impact.
  • Revocation of unauthorized access and forced password resets.
  • Security patches and emergency updates applied within 48 hours.
  • Coordination with third-party service providers to contain external risks.

3.4 Notification & Regulatory Compliance

If a breach exposes personal data, First Contact will:

  • Notify affected users within 72 hours via email.
  • Provide details on what data was compromised and recommended security actions.
  • Notify the Australian Information Commissioner and other relevant regulators in compliance with the Australian Privacy Act (1988) and GDPR.

3.5 User Guidance After a Breach

If your account or data is affected by a breach, we recommend:

  • Changing passwords immediately and enabling Multi-Factor Authentication (MFA).
  • Monitoring your accounts for suspicious activity.
  • Reporting any unauthorized transactions or emails impersonating First Contact.

4. Cyber Incident Escalation Process

Incident Severity | Description                                                   | Response Time  | Resolution Goal
Critical          | Large-scale data exposure, ransomware, or system-wide failure | 15 minutes     | 24 hours
High              | User account breaches or unauthorized access detected         | 1 hour         | 6 hours
Medium            | Website slowdowns or minor service disruptions                | 4 hours        | 1 business day
Low               | General security concerns, phishing attempts, or spam reports | 1 business day | 3 business days

For urgent security matters, email security@firstcontact.group with "Security Incident – Urgent" in the subject line.


5. Compliance with Cybersecurity Standards

First Contact follows industry best practices and regulatory guidelines for cybersecurity and data protection, including:

  • Australian Cyber Security Centre (ACSC) Essential Eight Framework
  • General Data Protection Regulation (GDPR – EU)
  • California Consumer Privacy Act (CCPA – US)
  • ISO 27001: Information Security Management Systems (ISMS) Guidelines

We undergo annual security audits and penetration testing to maintain compliance.


6. Security Responsibilities of Users

While we maintain strict security standards, users must also take steps to protect their accounts and data.

6.1 User Responsibilities

Users agree to:

  • Keep login credentials confidential and not share accounts.
  • Use strong, unique passwords for their accounts.
  • Report any suspicious activity immediately to First Contact.

6.2 Prohibited Activities

Users must not:

  • Attempt to hack, modify, or disrupt First Contact’s systems.
  • Use automated tools to scrape data or overload website servers.
  • Engage in fraudulent transactions or payment bypass techniques.

Violating these terms may result in account suspension, legal action, or reporting to law enforcement.


7. Updates to This Policy

We continuously monitor evolving cyber threats and may update this policy accordingly. Any significant changes will be communicated to users.

Last Updated: 26th February 2025


8. Contact Information

For cybersecurity concerns, breach reports, or security-related inquiries, contact:

Email: security@firstcontact.group
Registered Office: Level 8, 488 Bourke Street, Melbourne, Victoria 3000, Australia