TenPod
Data Management & Security Policy

Last updated: 9 September 2025
Controller/APP entity: TenPod Pty Ltd (ACN 687 438 526)
Contact: legal@tenpod.com.au | 470 St Pauls Terrace, Fortitude Valley QLD 4006

1. Scope and roles

This Policy covers TenPod’s handling of Customer Data processed in Recruitment, HR and Payroll workflows. TenPod acts as a service provider processing on Customer instructions. Customers own Customer Data; TenPod is the custodian.

2. Data classification

  • Restricted: personal information, identity attributes, verification artifacts, payroll identifiers.
  • Confidential: Customer business records, workflow configs.
  • Internal: telemetry and analytics.
  • Public: published marketing content.

3. Lifecycle controls

  • Collection: data minimisation; input validation; audit trails.
  • Use/Disclosure: limited to providing the Service, security, support and government work‑rights validation you authorise (Immigration and citizenship Website).
  • Retention: default equals subscription term; deletion may occur after 180 days of unpaid debt; backups follow rolling schedules; deleted data expires from backups with rotation.
  • Destruction/De‑identification: when no longer required, TenPod takes reasonable steps to destroy or de‑identify personal information (APP 11.2; OAIC).

4. Security program (aligned to APP 11)

  • Governance: risk management, policies, vendor due diligence.
  • Access: RBAC, least privilege, MFA for privileged roles, quarterly access reviews.
  • Encryption: TLS in transit; encryption at rest for storage/backups.
  • Network & infra: environment segregation; vulnerability management; logging & monitoring.
  • AppSec: secure SDLC, code review, dependency scanning, secrets management.
  • BC/DR: disaster recovery plans; tested restore procedures.
  • Personnel: confidentiality obligations; training; background checks where lawful (OAIC).

5. Incident response & NDB

We maintain incident runbooks (detect, triage, contain, eradicate, recover, learn). Where an eligible data breach is likely to cause serious harm, we will notify affected individuals and OAIC under the NDB scheme (OAIC).

6. Cross‑border handling

Where Customer authorises, or support requires, personal information may be disclosed to overseas recipients. TenPod will take reasonable steps to ensure compliance with APP 8 and recognises potential accountability under s 16C (OAIC).

7. Government work‑rights checks

The Service may transmit minimal necessary identifiers to the official visa entitlement verification service to confirm work‑rights status. Customers must ensure lawful authority/consent and compliance with employer obligations (Immigration and citizenship Website).

8. Data subject requests

TenPod supports access and correction requests and will assist Customers to respond to individual requests consistent with APP 12/13 (OAIC).

9. Direct marketing compliance

If you use the platform to send commercial electronic messages, you must comply with the Spam Act (consent and functional unsubscribe within required timeframes) (ACMA).

10. Customer responsibilities

Configure permissions appropriately; supply lawful and accurate data; obtain any consents/authority for identity and work‑rights checks; maintain your own records retention; pay invoices when due to avoid suspension and deletion after 180 days of non‑payment.