Security Policy

At Smartmates, we prioritise the security, privacy, and integrity of our clients’ data. Our Security Policy outlines how we access, manage, and safeguard information across every stage of our engagement. It is designed to provide full transparency into our day-to-day practices, ensuring alignment on how data is handled while delivering Zoho and HubSpot solutions. Review this policy to understand the measures we take to protect your information and maintain a secure working environment throughout our collaboration.

1. Introduction

At Smartmates, we take the security and privacy of our clients’ data seriously. This policy describes how we access, handle, and protect client data in the course of delivering our services. It has been written to accurately reflect our actual day-to-day practices.

Smartmates operates as a Zoho and HubSpot implementation and consulting partner. Our engineering team is based in Bali, Indonesia (PT Smartmates Software Engineering), delivering services to clients primarily in Australia and New Zealand.

2. Scope

This policy applies to all Smartmates staff, contractors, and subcontractors who access client systems or handle client data in the course of providing our services. It covers activities including consulting, implementation, support, and maintenance.

3. Platforms We Use

Smartmates does not operate proprietary data infrastructure. All work is conducted through industry-leading, enterprise-grade platforms. The security of client data is primarily governed by the security frameworks of these platforms.

3.1 Google Workspace

All internal communications, file storage, and video conferencing are conducted through Google Workspace, covering:

  • Email (Gmail)
  • File storage and document sharing (Google Drive)
  • Video meetings (Google Meet)

Google Workspace provides enterprise-grade security including end-to-end encryption (TLS and AES-256), advanced threat protection, and compliance with SOC 2, ISO 27001, ISO 27018, and GDPR.

Full details:

https://workspace.google.com/security/

3.2 Zoho and HubSpot

All client-facing project work is delivered through the Zoho and HubSpot platforms. Zoho and HubSpot provide robust security including SSL encryption, role-based access control, geographically redundant data backups, and compliance with international data protection standards.

Full details:

https://www.zoho.com/security.html

https://legal.hubspot.com/security

3.3 Zoho Vault (Password Management)

All Smartmates staff use Zoho Vault as our company-wide password manager. Client credentials are stored securely in Zoho Vault and are never shared via email, chat, or any unsecured channel. Access to credentials is limited to staff assigned to the relevant project.

4. How We Access Client Systems

Smartmates staff access client Zoho environments by logging in directly to the client’s account using credentials arranged with the client. For HubSpot, the client must invite Smartmates to their environment using the available Partner Seat. The following practices govern this access.

4.1 Dedicated Chrome Profiles

Every Smartmates staff member is required to use a dedicated Google Chrome browser profile for each client they work with. This is an enforced, company-wide practice. Dedicated profiles ensure that:

  • Client sessions are fully isolated from one another
  • No cross-contamination of cookies, cached credentials, or browsing data can occur between clients
  • Client data is not inadvertently accessible outside the relevant profile

4.2 Need-to-Know Access

Access to client systems is limited to staff members directly assigned to that client’s project. These credentials are shared only with the relevant team members.

4.3 Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is used across all core systems where applicable to provide an additional layer of account security. OTP (one-time password) requests may be required during the course of accessing client systems.

5. Data Handling Practices

5.1 Data Access

Our team accesses client data strictly to deliver the services agreed in the project scope. We do not access, copy, or retain client data beyond what is necessary for project delivery.

5.2 No Proprietary Data Storage

Smartmates does not store client business data on our own servers or infrastructure. Smartmates accesses client systems remotely; all client data remains hosted within the client’s own system environment and is subject to those platforms’ respective data hosting and security frameworks. This approach is consistent with applicable Australian laws, especially the Victorian legislation. Files shared with Smartmates for project purposes are used solely for that purpose.

5.3 No Third-Party Data Sharing

We do not share or disclose client data to third parties except where required to deliver agreed services or comply with legal obligations.

5.4 Communication Security

All client communication is conducted through Google Workspace (Gmail and Google Meet), which provides enterprise-grade encryption in transit and at rest.

5.5 Client Responsibility and Access Control

Clients retain full control and responsibility over user access within their own systems. This includes managing user permissions, access rights, and password policies within their Zoho and HubSpot environments or other platforms where required. Smartmates does not manage or administer client-side user access controls.

6. Staff Practices & Responsibilities

All Smartmates staff are required to:

  • Use a dedicated Chrome profile per client — mandatory and enforced company-wide
  • Store and access all client credentials through Zoho Vault
  • Never share client credentials via any unsecured channel
  • Never download or copy client data to personal devices or unsanctioned storage
  • Report any suspected security incident to management immediately

7. Incident Response

In the event of a suspected or confirmed security incident affecting client data, Smartmates will:

  • Take immediate steps to contain and assess the impact
  • Cooperate with the client and relevant authorities as required
  • Document the incident and take corrective action to prevent recurrence

Smartmates will comply with applicable Australian data protection notification obligations under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme.

8. Data Retention

Smartmates does not operate proprietary storage for client business data. Any files temporarily shared with Smartmates for project purposes will be deleted upon project completion, or earlier at the client’s request. Google Meet recordings of client sessions are retained for a maximum of 90 days, in line with our Terms of Service, after which they are permanently deleted.

9. Client Rights

Clients may at any time:

  • Request information about what data Smartmates has access to on their behalf
  • Request deletion of any files shared with Smartmates
  • Update credentials or permissions within their own Zoho or HubSpot environment
  • Raise a data privacy concern by contacting us at the details below

10. Policy Review

This policy is maintained and reviewed by the Smartmates Management Team to ensure it remains accurate and aligned with current operational practices. It will be updated as our practices evolve. The current version is always available on request.
