Arcnode IT · Legal

Information Security Summary

A plain-English overview of how we protect the data and systems entrusted to us, informed by the ACSC Essential Eight.

Version 1.0 · Effective May 2026

About this summary

Arcnode IT takes the security of customer information and systems seriously. This summary describes, in plain language, the practices we use to protect the data and systems entrusted to us.

This is a customer-facing overview. It is intended to help customers and prospective customers understand our approach to security. It is not a complete description of our internal controls, and it does not form part of any contract unless expressly incorporated by a signed agreement.

Our approach

Our security program is informed by the Australian Cyber Security Centre's Essential Eight, a set of baseline mitigation strategies recommended for Australian organisations. We apply these strategies to our own systems and we help our customers apply them to theirs.

The areas below describe the practices we maintain.

Access control and authentication

  • We use multi-factor authentication (MFA) on the systems we use to operate our business and on the remote-access paths into systems we manage.
  • We follow the principle of least privilege, so people and systems are given only the access they need to do their work.
  • Access to customer systems is granted on a need-to-know basis and is reviewed periodically.

Protecting devices and systems

  • Endpoint protection (anti-malware) is deployed on the devices we use and is updated regularly.
  • We keep operating systems and applications patched, prioritising security updates.
  • We harden the configuration of the systems we operate, disabling unnecessary features and services.

Protecting data

  • Data is encrypted in transit using current encryption standards.
  • We limit the personal information we access to what is reasonably necessary to provide the services.
  • We do not sell customer data, and we do not use it for purposes beyond providing the services or as required by law.

Backups and recovery

  • Critical data is backed up regularly.
  • Backups are stored separately from the systems they protect.
  • We test our ability to recover from backups.

Monitoring and logging

  • We log activity on the systems we operate to support troubleshooting, security monitoring, and incident investigation.
  • We monitor for signs of unauthorised access or unusual activity.

Responding to incidents

  • We have procedures to identify, contain, assess, and respond to security incidents.
  • Where a security incident affects a customer's data, we notify the customer and cooperate with their response, in accordance with our Terms of Trade.
  • Where a data breach is likely to result in serious harm and meets the threshold for notification under the Privacy Act, we respond in accordance with the Notifiable Data Breaches scheme.

People and training

  • Our personnel are bound by confidentiality obligations.
  • We train our personnel in security awareness and in the procedures relevant to their roles, including how to recognise and respond to phishing and payment-fraud attempts.

Suppliers

  • We use reputable third-party providers for hosting, payments, accounting, and software.
  • We take reasonable steps to ensure our providers handle data securely and consistently with our obligations.

Protecting against payment fraud

To protect against payment fraud:

  • We will never change our bank account details by email alone without giving you a way to verify the change.
  • If you receive a message that appears to be from us asking you to pay into a different account, do not act on it until you have verified it by telephoning us on our published contact number, not a number contained in the message itself.
  • When you ask us to change your payment details, we will verify the request by telephoning you on a known number before acting on it. This protects you as much as it protects us.

These steps are set out in more detail in our Terms of Trade. They are an important part of keeping both of us safe.

What we ask of our customers

Security is most effective when customers and providers work together. We recommend that all customers:

  • use multi-factor authentication on email, banking, and important business applications;
  • keep their own devices and software up to date;
  • maintain backups of important data (we can help with this as a contracted service);
  • be cautious of unexpected emails, especially those asking for payment or for a change to payment details;
  • verify any change to payment details by telephone before acting on it;
  • tell us promptly if they notice anything unusual about the systems we manage.

We are always happy to discuss how to improve your security. If you would like a review of your current security posture, please get in touch.

More information

This summary describes our general approach. If you have specific security questions, for example as part of a vendor due-diligence process, please contact us and we will do our best to assist.

For more information about the Essential Eight, see the Australian Cyber Security Centre at cyber.gov.au.

Contact us

Arcnode IT Pty Ltd

Email: legal@arcnode.com.au

Web: arcnode.com.au

Melbourne, Victoria, Australia

Information Security Summary version 1.0. May 2026.

This is a customer-facing overview, not a complete description of internal controls. Published by Arcnode IT Pty Ltd.