Privacy Policy
Last updated: April 10, 2026
1. Introduction
ControlDesk ("we", "our", "us"), operated by Deteqted Pty Ltd (ABN pending), is committed to protecting the privacy of our users and their data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GRC (Governance, Risk, and Compliance) platform.
2. Information We Collect
We collect information in the following categories:
- Account Information: Name, email address, organisation name, and role when you register or are invited to the platform.
- Assessment Data: Vendor assessment responses, risk ratings, compliance data, and related documents uploaded to the platform.
- Usage Data: Log data including IP addresses, browser type, pages visited, and actions taken within the platform.
- Communication Data: Information provided when you contact us for support or enquiries.
3. How We Use Your Information
- To provide, maintain, and improve the ControlDesk platform
- To process vendor assessments and generate risk analyses
- To send notifications related to your assessments and compliance deadlines
- To provide customer support and respond to enquiries
- To ensure the security and integrity of our platform
- To comply with legal obligations
4. Data Storage and Security
All data is stored in the AWS Sydney region (ap-southeast-2) to ensure Australian data sovereignty. We implement industry-standard security measures including:
- 256-bit AES encryption at rest and TLS 1.3 encryption in transit
- Multi-tenant data isolation with row-level security
- Regular security audits and penetration testing
- Comprehensive audit logging of all data access
5. Data Sharing
We do not sell your personal information. We may share data with:
- Service Providers: AWS (infrastructure), SES (email delivery), and AI analysis services for assessment processing.
- Your Organisation: Data is accessible to authorised users within your tenant based on role-based access controls.
- Legal Requirements: When required by law, regulation, or legal process.
6. AI Processing
ControlDesk uses artificial intelligence to analyse vendor assessments and identify risks. AI-generated insights are presented for human review and are not used to make automated decisions without human oversight. Assessment data processed by AI is not used to train AI models.
7. Your Rights
Under the Australian Privacy Act 1988, the GDPR, and other applicable privacy laws, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Object to or restrict processing of your data
- Receive your data in a structured format (data portability)
- Lodge a complaint with the relevant data protection authority
8. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Assessment and compliance data is retained according to your organisation's configured retention policies. Upon account termination, data is securely deleted within 90 days unless retention is required by law.
9. Cookies
We use essential cookies required for platform functionality (session management, CSRF protection). We do not use third-party tracking cookies or advertising cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related enquiries or to exercise your rights, contact us at:
ControlDesk Privacy Team
Email: privacy@controldesk.com.au
Operated by Deteqted Pty Ltd
Sydney, Australia