Security Policy

Effective Date: Jan 2021
Last Updated: July 2025

1. Purpose

This Security Policy outlines how Pink Digital Marketing protects the confidentiality, integrity, and availability of data in its possession, particularly client, consumer, and internal business information. It is designed to comply with New Zealand and Australian privacy laws, as well as relevant client obligations.

2. Scope

This policy applies to all employees, contractors, and third-party service providers who access, store, or process data on behalf of Pink Digital Marketing.

3. Cloud and Infrastructure Security

  • All company data and systems are hosted in Google Cloud Platform (GCP).

  • Access to cloud environments is controlled using role-based access controls (RBAC) and multi-factor authentication (MFA).

  • All data is encrypted in transit (TLS/SSL) and at rest using GCP’s default encryption (AES-256).

  • Network security is maintained via GCP firewalls and security groups.

4. Endpoint and Device Security

  • All corporate devices are protected with Trend Micro antivirus/EDR software.

  • Operating systems and applications are kept up to date through automated patching or manual updates within 2 weeks of release.

  • Administrative privileges are limited and reviewed regularly.

5. Software Development Lifecycle (SDLC)

  • Pink Digital Marketing follows an Agile development process with secure coding practices.

  • All code undergoes peer review and security testing prior to deployment.

  • Deployment is managed via CI/CD pipelines, with version control in place.

  • Testing includes both functional and basic security checks.

6. Data Breach Notification

  • In the event of a confirmed or suspected data breach, clients will be notified promptly in accordance with the NZ Privacy Act 2020 and Australia’s Notifiable Data Breaches scheme.

  • Breach incidents are documented, investigated, and stored in internal records, including actions taken and outcomes.

7. Access Control

  • Access to systems and data is granted on a least-privilege basis.

  • All employee access is reviewed at onboarding, offboarding, and at regular intervals.

  • Shared credentials are prohibited; individual user accounts are required.

8. Backup and Disaster Recovery

  • Critical business data is backed up daily using encrypted storage.

  • Backups are tested regularly and stored securely with limited access.

  • Recovery procedures are reviewed quarterly to ensure operational continuity.

9. Secure Disposal of Data

  • Consumer and client data is securely deleted when no longer required.

  • Digital data is erased using secure methods; cloud data is purged following GCP’s secure deletion protocols.

  • Temporary files and old project data are reviewed regularly and purged per retention schedules.

10. Web and Application Security

  • A Web Application Firewall (WAF) is used via Google Cloud Armor or Cloudflare to block malicious traffic.

  • MFA is enabled for all admin logins and cloud service access.

  • Logs are monitored and anomalies investigated promptly.

11. Compliance and Governance

Pink Digital Marketing aligns its security practices with:

  • The Essential Eight Maturity Model (Level 1–2)

  • ISO 27001 principles for information security

  • Privacy Act 2020 (NZ) and Privacy Act 1988 (AU)

  • Industry standards such as SOC 2 and PCI DSS (as required by clients)

12. Employee Responsibilities and Training

  • All employees undergo onboarding training that includes data handling, password security, and phishing awareness.

  • Staff are expected to report suspected breaches or suspicious activity immediately.

  • Annual reviews and refresher sessions are provided.

13. Policy Review

This policy is reviewed annually or in response to changes in law, technology, or business practices. Updates are communicated to all staff and stakeholders.

For security-related inquiries or to make a data request, please contact:

Privacy Officer
ryan@pinkdigital.agency
