Data Handling & Security Policy

Protecting the confidential financial data entrusted to us by Australian accounting firms is our highest operational priority. This page explains exactly how we handle, store, transfer, and secure your client data — and answers the questions most commonly raised during onboarding.

Download our one-page Data Security Summary PDF for a concise reference you can file during onboarding.

1. How We Work With Your Files

This section answers the most common onboarding question: how does client data actually move between your firm and ours?

1.1 File Transfer — Google Drive Shared Folders

We do not use email attachments to transfer client files. All files are shared and returned via dedicated Google Drive shared folders — one folder per client firm, structured by financial year and service type.

How it works:

• We create a dedicated shared Google Drive folder for your firm before engagement begins
• You upload source documents (bank statements, SMSF records, tax documents) directly to the shared folder
• Our team accesses only your folder — no cross-client access is possible
• Completed work is returned to the same folder
• Access is revoked on engagement end and all data is retained or deleted per Section 6

Google Drive is part of Google Workspace, which provides AES-256 encryption at rest and TLS encryption in transit for all files.

1.2 Who Handles Your Files

Only authorised BlueCrest staff with a specific need-to-know can access your files:

• Preparers access only the files assigned to their workload
• Senior reviewers and the CA-qualified Founder have broader access for quality control and sign-off
• No staff member accesses files outside their assigned scope

All staff are employees of BlueCrest Accounting Solutions LLP (India) and sign a Confidentiality and Non-Disclosure Agreement as a condition of employment, covering non-disclosure, authorised-systems-only use, and prohibition on personal device or personal account use.

1.3 Tools Used to Process Your Data

Your data may be processed within the following authorised platforms, as required by the engagement:

• Google Workspace (Drive, Gmail) — file storage, transfer, and communication
• BGL360 / Class Super / Mclowd — SMSF accounting and administration
• Cloudoffis / SMSF Auditomation / MyWorkpapers / Evolv / Online SMSF Audit — SMSF audit support
• Xero / MYOB / QuickBooks — bookkeeping and accounts finalisation

We do not introduce additional tools to your data without notifying you.

2. Encryption and Infrastructure

3. Access Control and Authentication

• Two-factor authentication (2FA) is mandatory for all staff on all BlueCrest-authorised accounts — passwords alone are not sufficient for access
• Role-based access control — staff access only the files and systems relevant to their assigned role
• Password reset is enforced upon any suspected compromise
• Automatic logout after inactivity on all systems
• Access credentials are personal and non-transferable — no credential sharing

4. Staff Confidentiality and NDA

All employees of BlueCrest Accounting Solutions LLP sign a Confidentiality and Non-Disclosure Agreement before commencing work. The agreement covers:

• prohibition on disclosing client data to any third party
• authorised-systems-only use — no personal devices, personal email, or personal cloud accounts
• immediate reporting obligation for any suspected data incident
• return and deletion of all client data on termination of employment

Staff work in a supervised, access-controlled delivery environment in Ahmedabad, India.

5. Incident Response

To report a suspected security issue: compliance@bluecrestaccounting.com.au  |  +61 2 8006 6770

6. Data Retention and Disposal

• Client files are retained for 7 years post-engagement completion, as required by ATO record-keeping obligations
• You may request deletion of your data at any time — we will securely delete within 10 business days, subject to any mandatory legal retention requirements
• On engagement end, your shared Google Drive folder access is revoked and data is retained in accordance with the above schedule
• Data is used only for the purpose for which it was provided — no secondary use, no data mining, no marketing use

7. Cross-Border Data Transfer

Our delivery team is based in Ahmedabad, India. Data provided by Australian client firms is transferred to and processed in India. Safeguards include:

• All staff sign NDAs covering client data protection
• Google Workspace infrastructure handles all file storage and transfer with encryption at rest and in transit
• Role-based access ensures only assigned staff access your files
• Processing is aligned with APP 8 (Australian Privacy Principles) cross-border disclosure obligations

8. Regulatory and Professional Compliance

• Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
• APP 8 — cross-border disclosure
• India Digital Personal Data Protection Act 2023 (DPDP Act)
• ATO record-keeping and confidentiality requirements
• ASIC regulatory guidelines
• CA ANZ and CPA Australia professional standards on confidentiality
• Google Workspace — SOC 2 certified (independently audited annually)

9. Your Responsibilities

To protect your data and your clients’ data:

• Do not share Google Drive folder access with unauthorised individuals
• Notify us immediately if you suspect unauthorised access or a security incident
• Ensure files you share with us are free from malware before upload
• Keep us informed of changes to authorised contacts for your firm

10. Questions or Concerns

For any questions about how we handle your data, or to report a concern:

Effective Date: 12 June 2026  |  Last Updated: 12 June 2026