DEADLINE · 11 DECEMBER 2026

Australian Privacy Act Compliance for SMBs

Expert-reviewed · Australian-owned · ABN-verified. New privacy laws take effect 11 December 2026. Penalties up to AU$50 million.

We do the diagnostic, give you the evidence pack, and apply the changes together on a 90-minute working call. Built for Australian SMBs on Squarespace, WordPress, Microsoft 365, and Google Workspace.

Buy Done-With-You · AU$5,997 Book a 15-min

ABN 34 318 502 254 · Australian-owned · 3,600+ unique businesses in our scan corpus · Methodology

ONE ENGAGEMENT · DONE WITH YOU

No tiers. No PDF-only option. One done-with-you engagement where we apply the changes together on a 90-minute working call — and stay with you for 12 months of regulatory briefings and quarterly re-scans.

DONE WITH YOU

Privacy Act + Essential Eight Compliance — Done With You

AU$5,997 one-time + AU$199/mo monitoring

Everything you need to demonstrate “reasonable steps” under the Privacy Act and Essential Eight ML1, applied together with you in a single working call — then maintained for 12 months.

  • 13-section evidence pack (~17pp)
  • External scan with you-vs-host split
  • 90-minute implementation working call where we apply the changes together
  • DNS hygiene + M365/Google Workspace hardening done with you
  • Privacy policy + ADM disclosure deployed
  • NDB runbook integrated
  • 30-day review call
  • Signed compliance attestation letter
  • Quarterly re-scan + delta report
  • 12 months of industry-specific regulatory update briefings

WHAT’S COMING · FOUR DEADLINES

Four legal pressure points stack between now and 11 December 2026. The compliance pack covers them all in one pass.

10 JUNE 2025 · LIVE

Statutory tort for serious privacy invasions

Already in effect. Individuals can sue directly for serious invasions of privacy — no need to wait for the OAIC.

4 MARCH 2026 · LIVE

Mandatory IoT security standards take effect

Connected-device makers and importers face baseline security requirements. Cascades to any business reselling or operating IoT.

2 AUGUST 2026

EU AI Act enforcement begins

Applies to AU companies with EU customers. Transparency, risk-classification, and conformity obligations.

11 DECEMBER 2026 · THE ONE

ADM disclosure required in all privacy policies

Automated Decision-Making used in any business process must be disclosed in your privacy policy with affected-decision categories, types of personal information used, and process explanation. Penalties up to AU$50M.

TRANCHE 2 · COMING

Small-business exemption removal

Pulls ~2.3M additional AU SMBs into Privacy Act scope. The current AU$3M turnover exemption is expected to be repealed in the second reform tranche.

WHAT THE ENGAGEMENT LOOKS LIKE

Six steps from scan to signed attestation. No PDF-only deliverable, no opaque hand-offs.

I

YOU REQUEST A SCAN

We map your external attack surface and feed the findings into the engagement pack.

II

EVIDENCE PACK

We send your evidence pack (~17pp, 13 sections) for your records — a regulator-ready artifact.

III

90-MIN IMPLEMENTATION CALL

We apply the changes together: DNS hygiene, M365/Workspace hardening, privacy policy + ADM disclosure deployed, NDB runbook integrated.

IV

QUARTERLY RE-SCAN + DELTA

Every 90 days we re-scan and send a delta report. New exposures get flagged; remediated items get logged.

V

30-DAY REVIEW CALL

We audit what shipped, confirm policy changes are live in customer-facing surfaces, and tune the runbook.

VI

ATTESTATION + 12 MO BRIEFINGS

Signed compliance attestation letter plus 12 months of industry-specific regulatory briefings.

YOU CONTROL SOME · YOUR HOST CONTROLS THE REST

Your hosting service controls some things. We tell you what to ask them to fix, and document the rest as “reasonable steps taken.”

YOU CONTROL

We apply these together on the working call.

  • Privacy policy content + ADM disclosure
  • DNS hygiene (SPF, DKIM, DMARC, CAA records)
  • Microsoft 365 / Google Workspace security defaults
  • MFA enablement across team
  • Breach response process documentation
  • Vendor risk register
  • Essential Eight ML1 self-attestation
  • Staff access management

YOUR HOSTING PROVIDER CONTROLS

We tell you exactly how to escalate.

  • TLS/SSL certificate management on hosted sites
  • HSTS headers on Squarespace / Shopify / Wix
  • Server-side security configurations
  • DDoS protection on hosted infrastructure
  • Database security on SaaS like Xero, Cliniko, Vend

13 sections per pack · 8 ANZSIC class tunings · 3,600+ unique businesses in scan corpus · 11 Dec 2026 deadline target

Built by an Australian operator. Reports stay in Australia. No US-headquartered data processors. Kyle Deligny, ABN 34 318 502 254.

QUESTIONS WE GET

How the working call works
A single 90-minute video call where we apply the changes together. You share screen for your DNS, your Microsoft 365 or Google Workspace admin console, and your website CMS. We walk you through each change as you make it — no opaque hand-offs, no "we'll send you instructions and check back next week." By the end of the call, the privacy policy is deployed, the ADM disclosure is live, the M365/Workspace hardening is applied, the DNS records are corrected, and the NDB runbook is integrated. You see every change happen and have a record of why each one was made.
What access you need to grant
For the working call, you remain logged into your own admin consoles — we never receive credentials. You'll need owner or admin access to: your DNS provider (registrar or DNS host), your Microsoft 365 or Google Workspace tenant, your website CMS for privacy policy deployment, and (optionally) your customer-record systems for the vendor risk register. If you don't have direct admin access, schedule the call when your IT person can join. We do not need read access to your data or your customer records — the diagnostic is external-only and runs before the call.
What we do vs what you do on the call
We do: the diagnostic, the policy drafting, the specific Essential Eight setting list, the DNS record values, the M365/Workspace hardening checklist, the NDB runbook, the attestation letter, and the explanation of why each change is needed. You do: the actual clicks inside your own admin consoles, the privacy policy publish, and the staff communication once changes are live. You leave the call with a record of every change made, the evidence pack, and the signed attestation letter — ready for an insurer, an auditor, or a procurement vendor review.
I’m too small for this to matter
Tranche 2 reforms are positioned to remove the AU$3M small-business turnover exemption, pulling roughly 2.3M additional SMBs into Privacy Act scope. Penalties already reach AU$50M for serious or repeated interference with privacy. The bigger SMB risk is reputational — a single breach notification triggers commercial and customer fallout regardless of OAIC fine.
Our website is on Squarespace — can you even help?
Yes. The audit works on any hosting provider. We document what you control (privacy policy, DNS records, account-level MFA, vendor register) versus what Squarespace controls (TLS, HSTS, server config), and give you the exact escalation language for the bits they own.
We use Microsoft 365 — do you cover that?
Yes. The pack includes a Microsoft 365 hardening guide with 8 admin-console changes that satisfy most Essential Eight ML1 requirements. We apply these together with you on the 90-minute working call — typically a 15-minute admin sequence covering MFA, conditional access, and audit logging.
What’s the difference between this and Vanta or Drata?
Vanta and Drata are US$10–15K/yr enterprise compliance tools shaped for SOC 2. We’re an AU$5,997 one-time + AU$199/mo engagement shaped for AU SMBs facing Privacy Act + Essential Eight. Different buyer, different price, different geography, different framework. If you’re selling into US enterprise and need SOC 2, you want Vanta. If you’re an AU SMB facing the 11 December 2026 deadline, you want this.
What if my hosting provider won’t fix what you find?
We give you the exact escalation language. If they refuse, you have documented evidence of having taken “reasonable steps” — the standard the OAIC actually assesses against. A regulator wants to see the request, the response, and your follow-up plan; we hand you all three.
Can you guarantee I’ll be compliant?
No vendor honestly can — compliance is determined by the regulator on the facts of a specific incident. What we give you is the evidence pack regulators expect to see when assessing whether you took “reasonable steps.” That is the actual standard the Act applies.
How fast can we get this done?
External scan within 48 hours of purchase. Working call scheduled inside 7 days. 30-day review call scheduled at the working call. Quarterly re-scans recur for the life of the monitoring subscription.

SHIP COMPLIANCE BEFORE THE DEADLINE

One engagement, one outcome: an evidence pack a regulator accepts as “reasonable steps,” with the changes already applied together on the working call.
