Privacy Policy


XETA complies and works in accordance to the Australian Privacy Principles and the Privacy Act 1988. XETA is committed to ensure the safekeeping and collection of personal information.


The information is collected by XETA.

The information we are provided includes:

  • Names, Address, DOB and POB

  • ABN’s, TFN’s and Employment details

  • Personal health and insurance information

  • Financial information – such as income, expenses, superannuation and investment details.

Use of Personal Information

The collection and use of personal information is only to facilitate the services we provide to your firm as requested by you.

Only uses personal information for the purpose(s) for which it was given to us and for directly related purposes (unless otherwise required by or authorised by law) or as consented to by you or your firm.

Disclosure of Personal Information

XETA will only provide the information to their staff and associated providers that relate specifically to the tasks requested by your firm.

The information will not be provided or sold to other institutions. If there is a legal situation, the information may be provided in accordance to the law.

Access to Personal Information

Your business and staff can access the personal information that you provide. XETA will take the necessary steps to identify you as a client of XETA before they provide the information to you.

Storage and Data Security

We have taken the necessary measures to ensure our data integrity is not compromised. The data is stored for 10 years for compliance, auditing purposes and removed thereafter.

Our secure delivery centre is equipped with the latest technology, infrastructure and dedicated technical staff to ensure our working environment has complete reliability and security for our clients’ data.

We are an ISO 27001-certified company, this means our offices and systems are on par with international best practice for information security management. We do not use third party contractors to complete any work.

Biometric scanners and access cards are required to enter our offices. Only authorised personnel are allowed to enter the office and processing centre. Physical documents, books and other devices are prohibited in the processing centre. The entire office is monitored by CCTV. All PC’s are desktops running a ‘dumb terminal system’. The ability to save and store data on a PC is disabled. There are no CDROMs or other drives (USB). Access to physical/removable drives (external hard drives) have been disabled. Printers and scanners are also not available within the processing centre. Staff are required to keep personal belongings including bags, books or mobile devices in secure lockers provided outside the main processing centre.

Internet activity is heavily controlled with websites required to be added to a “whitelist” before they can be accessed. Staff are unable to access personal emails from the office and work emails are unable to send data outside the office. Our intranet, internal portals, software and sites have IP Authentication in place so that no one can access these records outside our office premises. Access to our internal software is password protected with strength measurement. Passwords are also required to be updated on a regular basis. All terminals include screen snapshots and are regularly audited to ensure staff are following security guidelines.

All our terminals and servers are installed with firewalls, antivirus software, intrusion detection software and prevention systems to minimise any exploits or attacks. Our security software is kept updated at all times and when required. All PC’s within our organisation have an auto-lock feature to ensure PC’s are not kept unlocked. Wireless connections are prohibited within our back-office in India and Australia.

Reporting of data breach

If there is a data breach that is likely to result in serious harm, we will take the following action:

  • Contain the information leak and asses the actual damage caused by the breach.

  • Prepare a statement detailing the breach.

  • Immediately after providing the statement, notify each individual to whom the information relates to, or who are at risk.

  • If this is not possible, then we will:

    • Publish a copy of the statement on the website and

    • Take reasonable steps to publicise the contents of the statement.

  • Review and change our systems and processes to ensure they are further secured against future breaches.