Brand Promise

We take the security of our customers data very seriously. If you believe you've discovered a potential security vulnerability within one of our services or products, we strongly encourage you disclose it to us as quickly as possible and in a responsible manner.

We appreciate the assistance and patience of security researchers and are committed to reviewing all reports that are disclosed to us. We will do our best to address each issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure.

Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.

Policy Scope

We encourage you to conduct responsible security research on our products and services. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.

The following types of research are strictly prohibited:

• Accessing or attempting to access accounts or data that does not belong to you
• Any attempt to modify or destroy any data
• Executing or attempting to execute a denial of service (DoS) attack
• Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
• Conducting social engineering (including phishing) of "OCR Labs" employees, contractors or customers or any other party
• Any physical attempts against our property or data centres, including (but not limited to) distribution facilities, offices
• Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party
• Testing third party websites, applications or services that integrate with our services or products
• Any activity that violates any law

The following vulnerability types are excluded from this Responsible Disclosure Program:

• Descriptive error messages such as stack traces, application or server errorsHTTP 404 codes or pages, or other HTTP non-200 codes or pages
• Fingerprinting or banner disclosure on common and public services
• Disclosure of known public files or directories, such as robots.txt
• Clickjacking and other issues only exploitable through clickjacking
• CSRF on forms that are available to anonymous users, such as contact, login and logout forms
• Content spoofing
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
• Lack of Secure or HTTPOnly flags on non-sensitive cookies
• Login or Forgot Password page brute force and account lockout not enforced
• OPTIONS HTTP method enabled
• Missing HTTP security headers, such as Strict Transport Security, X-Frame-Options, X-SSS-Protection, etc.
• HTTP or DNS cache poisoning
• Weak or insecure SSL cipher suites
• Self-XSS
• Safe Harbour

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non-compliance, we reserve all of our legal rights.

If in doubt, please contact the "OCR Labs" Security Team by sending an email to security@ocrlabs.com.

Communication Process - How to Report a Potential Security Vulnerability

You can responsibly disclose potential security vulnerabilities to the "OCR Labs" Security Team by emailing security@ocrlabs.com. Ensure that you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.

• An explanation of the potential security vulnerability;
• A list of products and services that may be affected (where possible);
• Steps to reproduce the vulnerability;
• Proof-of-concept code (where applicable);
• The names of any test accounts you have created (where applicable); and
• Your contact information.

What happens next?

Once you have reported a potential security vulnerability, we will contact you within 72 hours with an initial response. Going forward, we will keep you informed on our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.

We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, remediated or mitigated the potential security vulnerability.

Please note that we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be deemed in violation of this Responsible Disclosure Program.

In this Privacy Policy, 'us' 'we' or 'our' means OCR Labs Pty Ltd (ABN 20 603 823 276) .We are committed to respecting your privacy.

Our Privacy Policy sets out how we collect, use, store and disclose your personal information.By providing personal information to us, you consent to our collection, use and disclosure of your

personal information in accordance with this Privacy Policy and any other arrangements that apply between us.We may change our Privacy Policy from time to time by publishing changes to it on our website.

We encourage you to check our website periodically to ensure that you are aware of our current Privacy Policy.Personal information includes information or an opinion about an individual that is reasonably identifiable.

For example, this may include your name, age, gender, postcode and contact details.

What personal information do we collect?

We may collect the following types of personal information and sensitive information:

• name;
• mailing or street address;
• email address;
• telephone number and other contact details;
• age or date of birth;
• government related identifiers, such as your licence number and class, Medicare number, state or national ID card number, passport number, and birth or marriage certificate number;
• other information identifiable from scanned ID documents you provide, such as your organ donor status or photographs of your face;
• biometric information, such as video footage or photographs of your face;
• information obtained from fraud-prevention services and document verification services;
• your device ID, device type, geo-location information, computer and connection information, IP address and standard web log information;
• any additional information relating to you that you provide to us directly through our website or app or indirectly through your use of our website or app or online presence or through other websites or accounts from which you permit us to collect information;
• information you provide to us through customer surveys; or
• any other personal information that may be required in order to facilitate your dealings with us.

We may collect these types of personal information either directly from you, or from third parties. We may collect this information when you:

• utilise one of our verification services, either through our app or web-based portal;
• communicate with us through correspondence, chats, email or otherwise through our website; or

We may also receive personal or anonymised information about you from our customers where they make use of our services. This information may include a customer ID that identifies you in the third party’s database, as well as the categories of information set out above.

In addition, when you apply for a job or position with us we may collect certain information from you (including your name, contact details, working history and relevant records checks) from any recruitment consultant, your previous employers and others who may be able to provide information to us to assist in our decision on whether or not to make you an offer of employment or engage you under a contract.

This Privacy Policy does not apply to acts and practices in relation to employee records of our current and former employees, which are exempt from the Privacy Act

Why do we collect, use and disclose personal information?

We may collect, hold, use and disclose your personal information for the following purposes:

• to enable you to access and use our website or app;
• to provide verification services to our customers, where you are seeking to access one of their products or services;
• to operate, protect, improve and optimise our website or app, business and our customers' and users’ experience, such as to perform analytics, conduct research and create new products, and conduct training;
• to send you service, support and administrative messages, reminders, technical notices, updates, security alerts in connection with our verification services, and information requested by you;
• to comply with our legal obligations, resolve any disputes that we may have with any of our customers or users, and enforce our agreements with third parties; and
• where relevant, to consider your employment application

We may also use de-identified, aggregate information to share insights about users of our verification services, such as by publishing a report on trends in the usage of such services.

Do we use your personal information for direct marketing?

If we have collected your personal information because you are a representative of one of our current or prospective customers, we may send you direct marketing communications and information about our services and products.

This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act and the Privacy Act.

You may opt-out of receiving marketing materials from us by contacting us using the details set out below or by using the opt-out facilities provided (eg an unsubscribe link).

To whom do we disclose your personal information?

We may disclose personal information for the purposes described in this Privacy Policy to:

• our customers, where you are seeking to access their products and/or services and are required to verify your identity in order to do so;
• our employees and contractors, for the purposes of managing our products and systems and providing our services;
• third party suppliers and service providers (including providers of document verification services to help us verify the validity of identity documents you disclose to us, and other providers for the operation of our websites and/or our business or in connection with providing our products and services to you);
• professional advisers, dealers and agents;
• our existing or potential agents, business partners or partners;
• anyone to whom our assets or businesses (or any part of them) are transferred;
• specific third parties authorised by you to receive information held by us; and/or
• other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law.

Disclosure of personal information outside Australia

We may disclose personal information to countries outside of Australia, including (among others) New Zealand, Singapore and Dubai, in order to conduct training for our contractors.

When you provide your personal information to us, you consent to the disclosure of your information outside of Australia and acknowledge that we are not required to ensure that overseas recipients handle that personal information in compliance with Australian Privacy Law.

We will, however, take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Australian Privacy Principles.

Using our website and cookies

When you use our verification services, we automatically receive and record certain information from your computer (or other device) and/or your web browser.

This may include such information as the third-party website or application into which the services are integrated, the date and time that you use the services, your IP address and domain name, your software and hardware attributes (including operating system, device model, and hashed device fingerprint information), and your general geographic location (e.g., your city, state, or metropolitan region).

To obtain such information, we may use web logs or applications that recognize your computer and gather information about its online activity.

What are cookies? Cookies are small files that are stored on your computer or other device by your web browser.

A cookie allows OCR Labs to recognize whether you have used our services before and may store user preferences and other information.

How are cookies used? For example, cookies can be used to collect information about your use of our services during your current session and over time, your computer or other device’s operating system and browser type, your Internet service provider, your domain name and IP address, and your general geographic location.

How do you avoid cookies? If you are concerned about having cookies on your computer or device, you can set your browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it.

You can also delete cookies from your computer.

However, if you choose to block or delete cookies, certain features of our services may not operate correctly.

Security

We take reasonable physical, electronic, and procedural safeguards to protect your personal information against loss or unauthorized access, use, modification, or deletion.

Among other things, OCR Labs encrypts personal information both in transit and at rest.

OCR Labs is ISO 27001 compliant and regularly conducts security audits, vulnerability scans, and penetration tests to ensure compliance with security best practices and standards.

However, we cannot guarantee the safety of your personal information.

Links

Our website or app may contain links to websites operated by third parties. Those links are provided for convenience and may not remain current or be maintained.

Unless expressly stated otherwise, we are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in those linked websites.

The privacy policies that apply to those other websites may differ substantially from our Privacy Policy, so we encourage individuals to read them before using those websites.

Accessing and correcting your information

You can access the personal information we hold about you by contacting us using the information below.

Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will tell you why. We may also need to verify your identity when you request your personal information.

We note that we may not store your personal information where it was collected by us to perform verification services and such services have been completed.

If you think that any personal information we hold about you is inaccurate, please contact us and we will take reasonable steps to ensure that it is corrected.

Making a complaint

If you think we have breached the Privacy Act, or you wish to make a complaint about the way we have handled your personal information, you can contact us using the details set out below.

Please include your name, email address and/or telephone number and clearly describe your complaint.

We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time.

If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.

Contact us

For further information about our Privacy Policy or practices, or to access or correct your personal information, or make a complaint, please contact us using the details set out below:

Effective date:1st November, 2018