Privacy Policy

Last Updated: December 2024

1. Introduction

CX365 Portal ("we", "our", or "the Portal") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you access our platform.

2. Data Hosting and Security

Australian Hosting: All data is hosted exclusively on servers located in Australia (Sydney region) through Supabase infrastructure. Your data never leaves Australian borders.

Security Measures: We implement industry-standard security measures including:

  • Encrypted data transmission (TLS/SSL)
  • Encrypted data at rest
  • Row-level security policies
  • Multi-factor authentication options
  • Regular security audits and monitoring

3. Information We Collect

We collect the following types of information:

  • Account Information: Email address, name, and authentication credentials
  • Microsoft 365 Data: User details, device information, security scores, mailbox configurations, and compliance data from your M365 tenant (with your explicit consent)
  • Device Information: Computer names, operating systems, warranty information, and compliance status
  • Usage Data: Login times, feature usage, and audit logs for security purposes
  • Integration Data: Information from connected services such as HaloPSA, NinjaRMM, and other authorized integrations

4. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: To provide IT management, compliance monitoring, and support services
  • Security Monitoring: To track compliance with Essential 8, ACSC guidelines, and Microsoft security baselines
  • Support Services: To respond to support tickets and service requests
  • Communication: To send system notifications, security alerts, and service updates
  • Compliance Reporting: To generate reports on your organization's security posture and compliance status

5. Microsoft 365 Integration

When you connect your Microsoft 365 tenant to the Portal, we access specific data through Microsoft Graph API with your explicit administrative consent. This includes:

  • User and group information
  • Device management data
  • Security and compliance scores
  • Conditional access policies
  • Mailbox configurations and rules
  • License information

You can revoke this access at any time through the Microsoft Entra Admin Center. We only access data necessary to provide our services and never access the content of emails, documents, or personal files.

6. Data Sharing and Disclosure

We do not sell, rent, or share your data with third parties. Your information is only accessible to:

  • Your MSP (Managed Service Provider): The IT services company managing your account
  • Authorized Users: Users within your organization with appropriate permissions
  • Service Infrastructure: Supabase (hosting provider) under strict data processing agreements

We may disclose information if required by law or to protect the security and integrity of our services.

7. Third-Party Integrations

The Portal integrates with various third-party services at your MSP's discretion:

  • Microsoft 365 and Azure services
  • PSA platforms (HaloPSA, ConnectWise, etc.)
  • RMM tools (NinjaRMM, etc.)
  • Communication platforms (Teams, Slack)

Each integration requires explicit authorization and operates under its own privacy policy. We recommend reviewing the privacy policies of these third-party services.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Historical audit logs and compliance records may be retained for up to 7 years to meet regulatory requirements. You may request deletion of your data by contacting your MSP.

9. Your Rights

Under Australian Privacy Principles (APPs), you have the right to:

  • Access your personal information
  • Correct inaccurate or incomplete information
  • Request deletion of your data (subject to legal requirements)
  • Object to certain data processing activities
  • Receive a copy of your data in a portable format

To exercise these rights, please contact your MSP administrator.

10. Cookies and Tracking

We use essential cookies and local storage for authentication and session management. We do not use advertising cookies or third-party tracking scripts. You can control cookie preferences through your browser settings.

11. Children's Privacy

This Portal is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the Portal after changes constitutes acceptance of the updated policy.

13. Contact Information

For privacy-related questions or concerns, please contact your Managed Service Provider or reach out to:

CX IT Services
Email: support@cxitservices.com.au
Website: https://cxitservices.com.au

ACSC Partnership

CX IT Services is an official partner of the Australian Cyber Security Centre (ACSC). We follow ACSC guidelines and best practices for cybersecurity and data protection, including the Essential Eight framework.