Data Security in BPO Process Outsourcing

Data security protections and enforced policies across our BPO operations.

Protecting What Matters Most

Felcorp Support maintains rigorous data security protocols to protect client information across our BPO operations in the Philippines and India.

Our approach is built on a layered security framework consistent with the Australian Privacy Principles (Privacy Act 1988) and information management standards upheld within the Australian financial services industry.

Data Protection

We enforce strict protocols on how data is collected, accessed, handled, and disposed of.

Lawful Collection and Limited Use

Felcorp only collects data that is:

  • Relevant to the service provided
  • Authorised by the client
  • Collected through secure channels, including:
    • Encrypted email
    • Approved file transfer platforms
    • Client-approved software environments
    • Phone or video calls with a lodged Third Party Authority Form

Clients are always informed of:

  • The purpose of data collection
  • Where and how data will be stored
  • Who will have access

Felcorp abides by data minimisation principles, collecting only the information necessary to perform the work.

Storage and Access Controls

  • All client files are stored:
    • On the Felcorp App, our internal secure platform
    • Or on the client’s designated cloud system, per engagement agreement
  • Access is restricted to:
    • The dedicated staff member assigned to the client
    • Their division manager
    • HR, the IT Manager, and Company Directors, as needed

Our internal systems enforce:

  • Role-based access (least privilege)
  • Audit logs and activity reviews
  • Scheduled access reviews when staff change roles or leave

Secure Handling Practices

Felcorp applies strict operational controls to reduce handling risk:

  • No printing or local downloads of client data unless explicitly authorised
  • Workspaces must remain clear of physical or digital exposure of client data
  • Manual screen locking is mandatory whenever staff leave their desks
  • All devices enforce automatic screensaver lock after 3 minutes of inactivity, with password protection required to resume work
  • Screen content must never be visible to unauthorised individuals in the office
  • No mobile phones, cameras, or other image-recording devices are permitted in the workspace area of allocated staff
  • All data is encrypted:
    • In transit (TLS protocols)
    • At rest, through secured cloud environments and Microsoft policy enforcement

These policies are actively managed through Microsoft Intune and supported by staff training and device configuration policies.

Archiving and Disposal Protocols

  • Data that has not been accessed for 3 months is archived or transferred to the client’s environment
  • Upon termination:
    • Data is securely returned within 60 days
    • After confirmation, all data is permanently deleted from Felcorp systems

Cyber

We employ industry-grade technology and policies to defend against external threats.

Felcorp’s cybersecurity ecosystem is anchored by Microsoft Defender, Microsoft Intune, and Microsoft Purview—delivering enterprise-grade threat protection, compliance monitoring, and data governance.

Endpoint Security and Threat Monitoring

All Felcorp-managed devices are protected using:

  • Microsoft Defender for Endpoint, which delivers:
    • Advanced anti-malware and ransomware protection
    • Cloud-based behavioural analytics
    • Real-time threat response
  • Microsoft Intune, used to:
    • Enforce device compliance policies
    • Restrict installation of unapproved software
    • Block high-risk websites
    • Configure USB restrictions and screen timeout rules
  • Microsoft Purview, employed for:
    • Data loss prevention (DLP)
    • Insider risk detection
    • Monitoring policy violations and sensitive file movement

Personal Device Restrictions (BYOD)

Personal devices are not permitted under any circumstances unless express written approval is granted by HR. This includes mobile phones, tablets, and laptops.

If approved:

  • Devices must meet Felcorp’s security requirements
  • They must only be used on-site, during work hours
  • They must connect only to Felcorp’s secure network

All staff are required to:

  • Lock their screens manually when away
  • Use password protection and antivirus software
  • Avoid tethering, VPNs, or unsecured Wi-Fi networks for work

Software Access and AI Controls

  • Only pre-approved software may be installed
  • Client files may never be shared or stored on public cloud platforms
  • Microsoft Copilot is the only permitted generative AI platform for operational staff
    • Used in secure internal environments
    • No data is shared externally or processed outside Felcorp’s environment
  • Open-source AI (e.g., ChatGPT, Gemini, Bard) is strictly prohibited

Cyber Breach Protocol

A cyber breach includes any unauthorised:

  • System access
  • Disclosure or loss of confidential information
  • Malware, phishing, or endpoint compromise

All breaches are handled under our Data Breach Response Plan, which includes:

  1. Immediate containment (account lockdown, isolation)
  2. Impact assessment (what data, who is affected, regulatory implications)
  3. Client and regulator notification, where applicable (e.g., under the Notifiable Data Breach Scheme)
  4. Recovery and system validation

Clients are notified through:

  • Direct contact (email or phone)
  • In-app alerts (Felcorp App)
  • Formal post-incident report

Confidentiality

We maintain strict confidentiality of all data accessed by staff.

Confidential Information Scope

Confidential information includes:

  • Client financials, strategic data, and documents
  • Software access credentials
  • Employee, supplier, and internal HR data
  • Internal workflows and operational methods

All Felcorp employees are:

  • Bound by our Confidentiality and Non-Disclosure Policy
  • Covered by their employment agreement and Code of Conduct
  • Trained on appropriate information classification and protection practices

Internal Disclosure Controls

  • Data is shared on a strict need-to-know basis
  • Conversations about client data must not occur:
    • In open areas or public spaces
    • On messaging platforms not authorised by Felcorp
  • No external sharing is allowed without written consent from the client

Communication Channels

Felcorp clients are provided:

  • Official Felcorp email addresses for each staff member
  • Access to the Felcorp App for secure messaging and file delivery
  • Optional setup of custom email domains tied to client systems

All communication is subject to audit and logging.

Training and Awareness

All staff complete:

  • Confidentiality training at onboarding
  • Policy refreshers every 6 months
  • Simulated scenarios (e.g., phishing drills)
  • Ad hoc performance reviews tied to compliance behaviours

Managers oversee:

  • Reinforcement of secure behaviours
  • Escalation of any non-compliant actions
  • Support for ethical decision-making under pressure

Enforcement and Breach Management

All internal systems (emails, apps, file access) are monitored. Breaches of confidentiality are classified as:

  • General misconduct – recorded and followed by internal remediation
  • Serious misconduct – may result in immediate suspension or dismissal
  • Willful breach – may result in legal action and termination

Breaches must be reported immediately to a:

  • Team Manager
  • HR Officer
  • IT Security Contact

Policy Maintenance and Review

Felcorp’s data protection policies are reviewed at least once per year, or sooner if:

  • Legislation changes
  • System upgrades or risks emerge
  • Client-specific compliance requirements arise

We maintain audit-readiness for:

  • Regulator reviews (ASIC, OAIC, APRA)
  • Client security audits
  • Third-party compliance assessments

Frequently Asked Questions

Our answers to the most common questions about Felcorp Support's data security.

How do you ensure offshore staff comply with Australian privacy standards?

All staff receive training in the Australian Privacy Principles (APPs) and are bound by confidentiality and compliance obligations that mirror local standards.

Can security protocols be tailored to our licence conditions?

Absolutely. We adapt our security measures to align with the specific AFSL or compliance framework of each client.

Do you conduct independent audits?

Yes. We engage external IT service providers to undertake security audits. Data security practices are subject to internal QA audits and can be reviewed by external auditors as part of client due diligence.

Every BPO journey, together we grow

Find out how Felcorp can create space in your business with specialised BPO services.

Every engagement follows documented governance, risk and compliance standards
