Cyber Security
This Cybersecurity Policy applies to all information and systems managed by Click Legal Pty Ltd (referred to as “we”, “us”, “our”, or “our practice”) to ensure the protection of our digital environment. We are committed to safeguarding data and ensuring the integrity and confidentiality of our operations in accordance with applicable laws and industry standards.
1. Intent and Scope
(a) This Cybersecurity Policy provides the basis of cybersecurity management within our practice.
(b) Effective protection of business information creates a competitive advantage, both in the ability to preserve the reputation of our practice and in reducing the risk of the occurrence of negative events and incidents.
(c) This Policy aims to balance the following priorities:
(i) Meeting the Australian legislative requirements that apply to our practice.
(ii) Keeping data and documents confidential as required by our practice, law cover and our clients.
(iii) Ensuring the integrity of our data and IT systems.
(iv) Upholding our practice reputation as a trusted firm.
(v) Maintaining storage and back‑up systems that meet the needs of our practice, law cover, our employees, clients, contractors and anyone else who may have any type of access to our systems, software, hardware, data and/or documents (collectively referred to as a “Participant”).
2. Responsibilities
(a) This policy applies to all Clients and Participants who interact with Click Legal’s systems, software, hardware, data and/or documents.
(b) All Participants are responsible for safeguarding the information and systems they use. Any doubts or concerns about cybersecurity should be promptly addressed with caution, and Participants must report potential risks to the Cybersecurity Officer at hello@clicklegal.com.au.
3. Authorisation and Access
(a) Access to our systems is strictly controlled based on the principle of least privilege.
(b) Managers should authorise access only on a need‑to‑know basis.
(c) Credentials for platforms and services are securely stored and restricted to authorised users and systems.
(d) Participants must follow proper authentication protocols when accessing our systems.
4. Cybersecurity Infrastructure
(a) Website & Systems
(i) Our public website is built on WordPress and hosted on cloud infrastructure provided by Hostinger.
(ii) Our online shop for templates and similar products is operated using WooCommerce on our WordPress website.
(iii) Access to the website administration area (including WooCommerce) is restricted to authorised personnel, protected by strong passwords and, where available, multi‑factor authentication.
(b) Platform for Secure Data
(i) Contact and lead information submitted via our website forms is captured and managed in our customer relationship management platform, HighLevel.
(ii) Website data (including contact form submissions and WooCommerce order data) is stored in WordPress databases hosted on Hostinger.
(iii) Payments for our services and for purchases made via our WooCommerce shop are processed securely using Stripe. We do not store card details; these are handled by Stripe in accordance with its security standards.
(iv) Transactional and notification emails (for example, order confirmations and form submission notifications) may be sent via our website or CRM and may be processed by trusted third‑party email service providers.
(c) Data Flow and Protection
(i) Information submitted through our website (for example, enquiries, contact forms and WooCommerce orders) is transmitted over encrypted connections (HTTPS) and stored in our WordPress installation (Hostinger) and/or synchronised with HighLevel.
(ii) Access to Hostinger, WordPress, WooCommerce, HighLevel and Stripe accounts is restricted to authorised users with role‑based permissions.
(iii) Strong authentication (including multi‑factor authentication where available) is enforced for administrator and other critical accounts.
5. Password and Authentication Requirements
(a) To prevent unauthorised access, the following best practices are enforced:
(i) Passwords must be uniquely generated and immediately changed upon first use.
(ii) Use at least 8 characters, including uppercase letters, lowercase letters, numbers, and symbols.
(iii) Multifactor authentication (MFA) tools are mandatory for critical systems.
(iv) Regular updates and changes to passwords are required.
6. Email and Device Security
Emails can contain malicious content and malware. To reduce harm, Participants should employ the following strategies:
(a) Email Security
(i) Avoid opening attachments or clicking links from unknown senders.
(ii) Verify the authenticity of email requests, especially those involving financial payments or login credentials.
(iii) Report suspicious emails to the Cybersecurity Officer immediately at hello@clicklegal.com.au.
(iv) Block junk, spam and scam emails.
(v) If an email requests financial payment, confirmation of a password, or prompts a login to our systems, extreme care should be taken to ensure that it is genuine, such as by calling the sender.
(b) Device Security
Personal devices such as mobile phones, tablets or laptops can put our data at risk. They must be authenticated prior to accessing data for work, and the following practices must be followed:
(i) Keep devices secure and password protected.
(ii) Use two‑factor authentication.
(iii) Use only secure networks for logging in.
(iv) Regularly update security software and install updates.
(v) Segregate unauthorised IT devices from our systems.
7. Data Transfers and Remote Work
Your personal information will not be disclosed to recipients outside Australia unless expressly requested by you. If you request such a transfer, the overseas recipient will not be required to comply with the Australian Privacy Principles, and we will not be liable for any mishandling of your information.
(a) Data Transfers
(i) Share personal information only over authorised networks.
(ii) Destroy sensitive data when it is no longer needed in compliance with legal requirements.
(b) Remote Work
(i) All cybersecurity policies apply when working remotely.
(ii) Participants must ensure their devices are secure and their networks are trusted.
8. Incident Reporting and Training
(a) Incident Reporting
Participants must immediately report any cybersecurity breaches or suspicious activity to the Cybersecurity Officer.
(b) Training
(i) All new Participants will receive cybersecurity training during onboarding.
(ii) Regular updates and refresher training sessions are mandatory.
9. Policy Review and Disciplinary Actions
(a) Policy Review
This policy will be reviewed periodically to address new cybersecurity challenges and technologies. Updates will be communicated promptly.
(b) Disciplinary Actions
Breaches of this policy will result in disciplinary measures, ranging from warnings to termination of employment or services, depending on the severity of the breach.
10. Contact Us
If you have any questions regarding this policy or need to report a cybersecurity concern, please contact the Cybersecurity Officer at hello@clicklegal.com.au.
