Security & Data Handling
Last updated: 02 May 2026
Introduction
At Chase Risk & Compliance (CRC), we understand that payroll and workforce data is sensitive and requires careful handling.
CRC is designed as a controlled consultancy workflow focused on payroll diagnostics, governance review, and operational risk analysis. We take a conservative approach to data handling, access control, and operational security practices appropriate to the nature of the services we provide.
Our goal is to maintain practical, disciplined, and transparent handling practices that help clients engage with confidence.
Operational Security Approach
CRC follows a practical security-focused approach designed around controlled workflows, limited access, and responsible handling of client information.
Our operational practices are intended to minimise unnecessary exposure to sensitive data, maintain clear separation between client engagements, and support secure handling throughout the lifecycle of an engagement. CRC continues to review and improve operational processes as the business evolves.
Access Controls
Access to client information is restricted to authorised personnel involved in the delivery of CRC services.
CRC applies a least-access approach wherever practical and aims to minimise unnecessary exposure to payroll or workforce-related information. Administrative accounts, operational systems, and supporting services are protected using password management practices and multi-factor authentication where supported.
CRC does not provide unrestricted third-party access to client datasets.
Secure Storage & Encryption
Client information is stored using controlled environments with encryption and access controls enabled where applicable.
CRC aims to maintain segregated client workspaces, minimise unnecessary duplication of sensitive information, and utilise secure storage platforms and encrypted devices wherever practical. Reasonable steps are taken to reduce the risk of unauthorised access, accidental disclosure, or data loss.
Secure File Transfer
CRC encourages the use of secure transfer methods when sharing payroll or workforce-related information.
Where practical, secure cloud-sharing platforms, controlled-access links, or encrypted archives may be used to reduce unnecessary exposure of sensitive files during transfer. CRC also encourages clients to limit shared datasets to information reasonably required for the engagement.
Client Data Segregation
CRC maintains logical separation between client engagements to help reduce operational and governance risk.
Client datasets, deliverables, and supporting materials are organised within dedicated client workspaces and engagement folders. CRC aims to maintain clear separation of working materials throughout the engagement lifecycle and minimise the risk of unintended cross-client exposure.
AI-Assisted Workflow Governance
CRC may utilise AI-assisted tooling in limited operational workflows such as document drafting, research assistance, summarisation support, and productivity enhancement.
CRC takes a cautious approach to AI usage involving sensitive information. Wherever practical, sensitive payroll information is minimised, anonymised, or excluded from public AI systems prior to AI-assisted processing. AI-generated outputs are subject to human review before use, and AI systems are not relied upon autonomously for payroll, governance, or compliance conclusions.
CRC continues to review evolving AI governance and operational practices as part of its broader governance maturity approach.
Data Retention & Secure Deletion
CRC retains client information only for as long as reasonably necessary to deliver services, maintain engagement records, or meet applicable legal or operational obligations.
Retention periods may vary depending on the nature of the engagement. CRC aims to minimise long-term retention of raw payroll datasets and securely remove temporary or working files when no longer required. Deliverables or supporting materials may be archived where operationally necessary or contractually required.
CRC will also respond to reasonable client deletion requests where appropriate.
Incident Response Approach
While no environment can be guaranteed completely risk-free, CRC aims to maintain practical operational controls designed to reduce the likelihood and impact of security or data handling incidents.
If CRC becomes aware of a material issue affecting client information, reasonable steps will be taken to investigate the matter, assess operational impact, and communicate appropriately with affected parties where required. CRC continues to improve operational resilience and security practices over time.
Third-Party Services
CRC may utilise selected third-party platforms and providers to support operational activities such as hosting, storage, communication, analytics, or productivity workflows.
Where practical, CRC aims to use reputable providers that support modern security practices including encryption, authentication controls, and access management. CRC does not sell client information or provide unrestricted third-party access to client datasets.
Security Questions
CRC understands that organisations may require additional comfort around operational governance, data handling practices, and security controls before sharing payroll or workforce-related information.
Clients with specific operational, governance, or security questions are welcome to contact CRC directly to discuss engagement requirements and data handling practices further.