Privacy Act compliant by 11 December 2026 — or face up to AU$50M in penalties.
One done-with-you engagement. Evidence pack, scan, 90-minute working call, 12 months of monitoring. AU$5,997.
We do the diagnostic, give you the evidence pack, and apply the changes together on a 90-minute working call. Built for Australian SMBs on Squarespace, WordPress, Microsoft 365, and Google Workspace.
14-day refund if no deliverable has been issued. Monitoring cancellable any time.
Stripe checkout · 14-day refund if no work delivered · Kyle responds personally within 1 business day
ABN 34 318 502 254 · Australian-owned · 3,600+ unique AU/NZ/SG businesses in our scan corpus · Methodology
FOUR DEADLINES TO KNOW
Four legal pressure points stack between now and 11 December 2026. The compliance pack covers them all in one pass.
10 JUNE 2025 · LIVE
Statutory tort for serious privacy invasions
Already in effect. Individuals can sue directly for serious invasions of privacy — no need to wait for the OAIC.
4 MARCH 2026 · LIVE
Mandatory IoT security standards take effect
Connected-device makers and importers face baseline security requirements. Cascades to any business reselling or operating IoT.
2 AUGUST 2026
EU AI Act enforcement begins
Applies to AU companies with EU customers. Transparency, risk-classification, and conformity obligations.
11 DECEMBER 2026 · THE ONE
ADM disclosure required in all privacy policies
Automated Decision-Making used in any business process must be disclosed in your privacy policy with affected-decision categories, types of personal information used, and process explanation. Penalties up to AU$50M.
TRANCHE 2 · COMING
Small-business exemption removal
Pulls ~2.3M additional AU SMBs into Privacy Act scope. The current AU$3M turnover exemption is expected to be repealed in the second reform tranche.
WHAT THE ENGAGEMENT LOOKS LIKE
Six steps from scan to signed attestation. No PDF-only deliverable, no opaque hand-offs.
I · INTAKE + EXTERNAL SCAN
You complete a 10-minute intake form (company, hosting, identity provider, MFA + backup state, what's driving compliance). We run an external attack-surface scan on your domain — nmap banner, TLS posture, public DNS, CVE matching. Output: scan JSON plus a documented record of what you affirmed about internal posture.
II · EVIDENCE PACK
Within 3 business days we send your evidence pack (~17pp, 13 sections) — your privacy policy + ADM disclosure draft, NDB breach-response runbook, vendor risk register, scan findings split by what we directly verified vs what you affirmed. Regulator-ready as a single PDF.
III · 90-MIN IMPLEMENTATION CALL
Screen-shared working session. We apply changes live: SPF / DKIM / DMARC / CAA records, M365 or Google Workspace security defaults, MFA enabled across team, privacy policy + ADM disclosure deployed to your live site, breach-response runbook saved to your shared drive. You keep admin access throughout — every change is yours.
IV · WHAT YOU CONTROL VS YOUR HOST
Some controls live on Squarespace / Shopify / Xero / Cliniko — not in your hands. We give you a one-page escalation list: exactly what to ask your host to fix, with template wording. Anything they decline gets documented as 'reasonable steps taken' for your attestation.
V · 30-DAY REVIEW CALL + ATTESTATION
We audit what shipped: policy is live, MFA is enforced, runbook is shared. Anything that drifted gets re-applied. You receive a signed Essential Eight ML1 self-attestation letter plus a Privacy Act compliance posture letter — both regulator-ready.
VI · MONTHS 4-12 · $199/MO MONITORING
Quarterly re-scan (months 4, 7, 10) with delta report. Monthly regulatory-update briefing tailored to your industry. Ad-hoc questions answered within 1 business day. Cancellable any time.
YOU CONTROL SOME · YOUR HOST CONTROLS THE REST
Your hosting service controls some things. We tell you what to ask them to fix, and document the rest as “reasonable steps taken.”
YOU CONTROL
We apply these together on the working call.
✓ Privacy policy content + ADM disclosure
✓ DNS hygiene (SPF, DKIM, DMARC, CAA records)
✓ Microsoft 365 / Google Workspace security defaults
✓ MFA enablement across team
✓ Breach response process documentation
✓ Vendor risk register
✓ Essential Eight ML1 self-attestation
✓ Staff access management
YOUR HOSTING PROVIDER CONTROLS
We tell you exactly how to escalate.
→ TLS/SSL certificate management on hosted sites
→ HSTS headers on Squarespace / Shopify / Wix
→ Server-side security configurations
→ DDoS protection on hosted infrastructure
→ Database security on SaaS like Xero, Cliniko, Vend
ONE ENGAGEMENT · DONE WITH YOU
No tiers. No PDF-only option. One done-with-you engagement where we apply the changes together on a 90-minute working call — and stay with you for 12 months of regulatory briefings and quarterly re-scans.
DONE WITH YOU
Privacy Act + Essential Eight Compliance — Done With You
Comparable Vanta + DPO contractor: ~AU$18,000+ in year 1
AU$5,997 one-time + AU$199/mo monitoring
Everything you need to demonstrate “reasonable steps” under the Privacy Act and Essential Eight Maturity Level 1 (ML1), applied together with you in a single working call — then maintained for 12 months.
✓ 13-section evidence pack (~17pp)
✓ External scan with you-vs-host split
✓ 90-minute implementation working call where we apply the changes together
✓ DNS hygiene + M365/Google Workspace hardening done with you
✓ Privacy policy + ADM disclosure deployed
✓ NDB runbook integrated
✓ 30-day review call
✓ Signed compliance attestation letter
✓ Quarterly re-scan + delta report
✓ 12 months of industry-specific regulatory update briefings
QUESTIONS WE GET
A single 90-minute video call where we apply the changes together. You share screen for your DNS, your Microsoft 365 or Google Workspace admin console, and your website CMS. We walk you through each change as you make it — no opaque hand-offs, no “we’ll send you instructions and check back next week.” By the end of the call, the privacy policy is deployed, the ADM disclosure is live, the M365/Workspace hardening is applied, the DNS records are corrected, and the NDB runbook is integrated.
For the working call, you remain logged into your own admin consoles — we never receive credentials. You’ll need owner or admin access to: your DNS provider, your Microsoft 365 or Google Workspace tenant, your website CMS for privacy policy deployment, and (optionally) your customer-record systems for the vendor risk register.
We do: the diagnostic, the policy drafting, the specific Essential Eight setting list, the DNS record values, the M365/Workspace hardening checklist, the NDB runbook, the attestation letter, and the explanation of why each change is needed. You do: the actual clicks inside your own admin consoles, the privacy policy publish, and the staff communication once changes are live.
Tranche 2 reforms are positioned to remove the AU$3M small-business turnover exemption, pulling roughly 2.3M additional SMBs into Privacy Act scope. Penalties already reach AU$50M for serious or repeated interference with privacy.
Yes. The audit works on any hosting provider. We document what you control (privacy policy, DNS records, account-level MFA, vendor register) versus what Squarespace controls (TLS, HSTS, server config), and give you the exact escalation language for the bits they own.
Yes. The pack includes a Microsoft 365 hardening guide with 8 admin-console changes that satisfy most Essential Eight ML1 requirements. We apply these together with you on the 90-minute working call — typically a 15-minute admin sequence covering MFA, conditional access, and audit logging.
Vanta and Drata are US$10–15K/yr enterprise compliance tools shaped for SOC 2. We’re an AU$5,997 one-time + AU$199/mo engagement shaped for AU SMBs facing Privacy Act + Essential Eight. Different buyer, different price, different geography, different framework.
We give you the exact escalation language. If they refuse, you have documented evidence of having taken “reasonable steps” — the standard the OAIC actually assesses against.
No vendor honestly can — compliance is determined by the regulator on the facts of a specific incident. What we give you is the evidence pack regulators expect to see when assessing whether you took “reasonable steps.”
External scan within 48 hours of purchase. Working call scheduled inside 7 days. 30-day review call scheduled at the working call. Quarterly re-scans recur for the life of the monitoring subscription.
One engagement, one outcome: an evidence pack a regulator accepts as “reasonable steps,” with the changes already applied together on the working call.