Data Processing Agreement

The parties agree that, in respect of Customer Personal Information:

• The Customer is the data controller (or, in Australian Privacy Act terms, the APP entity that determines the purposes and means of processing)
• We are the data processor, processing Customer Personal Information only on the Customer's documented instructions

• Hosting Customer Data
• Providing user authentication and access control
• Generating compliance evidence (sign-offs, audit logs, certificates)
• Recording, categorizing, and managing incidents and corrective actions
• Managing optional attachments to incidents (photos, documents, and other files)
• Sending transactional emails (sign-off reminders, account notifications)
• Providing AI-assisted features (where the Customer's plan includes them)
• Providing customer support
• Securing the Service and detecting fraud or abuse

• The Customer's administrators
• The Customer's staff and other Authorised Users
• Other third parties whose Personal Information is included in Customer Data uploaded by the Customer (subject to the AUP — the Customer must minimise such information). In particular, when incident records are created, they may involve or relate to the Customer's clients, patients, service recipients, or other vulnerable individuals; the Customer remains responsible for ensuring it has a lawful basis and appropriate consent for recording and processing such information.

• Identifiers (name, email address)
• Workplace role and tenant assignment
• Activity records (sign-in times, sign-off events, IP addresses, user-agents)
• Incident records (including: incident title, date of occurrence, type, severity, status, owner, service context, triage notes, and AI-generated provenance metadata)
• External reporting details for incidents (authority/regulator, reference numbers, dates, notes)
• Optional incident attachments (photos, documents, and other files)
• Other information the Customer chooses to include in Customer Data

Notwithstanding our security obligations, the Customer is responsible for:

• The security of credentials issued to its Authorised Users
• Configuring access controls within the Service appropriately for its risk profile
• Promptly notifying us of any compromised credentials or suspected unauthorised access
• Determining whether the Service's security measures are appropriate for the Customer's specific use case

If we receive a request from a Data Subject in connection with Customer Personal Information, we will (without responding to the request beyond an acknowledgement):

• Promptly notify the Customer
• Direct the Data Subject to the Customer

We will notify the Customer of any Personal Information Breach affecting Customer Personal Information without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification will include, to the extent then known:

• The nature of the breach, including the categories and approximate number of Data Subjects and records concerned
• The likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects
• Contact details for further information

The Customer may, on reasonable advance written notice (not less than 30 days, except in the case of an actual or suspected Personal Information Breach), request an audit of our compliance with this DPA. Audits are subject to the following conditions:

• Audits are limited to no more than once per 12-month period, except in the case of an actual or suspected Personal Information Breach
• Audits must be conducted during business hours, in a manner that does not unreasonably disrupt our operations
• Audits must not require disclosure of information that would compromise the security of other customers' data, our intellectual property, or our confidential information
• The auditor must be subject to confidentiality obligations no less protective than those in this DPA

We may transfer Customer Personal Information outside Australia where:

• Necessary to provide the Service via a Subprocessor identified in Annex B
• Necessary to comply with applicable law
• The Customer has given consent

Where transfers occur, we rely on the protections offered by the recipient's privacy programme, contractual safeguards, and applicable law.

On termination of the Customer's Subscription, we will, at the Customer's choice:

• Return Customer Personal Information to the Customer in a structured, machine-readable format (using the data export functionality provided in the Service)
• Delete Customer Personal Information in accordance with our deletion timelines

The Customer has 30 days from termination to make this choice and to extract Customer Personal Information through the Service.

• Customer Data is encrypted in transit using TLS 1.2 or higher between the Customer's browser, our application, and our Subprocessors
• Customer Data is encrypted at rest in our database (Supabase) and storage (Supabase Storage) using industry-standard encryption

• Multi-factor authentication is required for administrative access to the Service
• Service personnel access is granted on a least-privilege basis
• Authentication systems use industry-standard practices including password hashing and short-lived access tokens

• Customer Data is segregated using row-level security at the database layer; cross-tenant access is technically prevented, not just policy-prevented
• Storage paths are tenant-scoped and access is governed by row-level security policies

• Application traffic is delivered exclusively over HTTPS
• Application-layer firewalls and rate limiting are in place
• Service infrastructure is hosted on cloud providers with established security certifications

• Application errors and security events are logged and monitored
• Customer-facing audit logs record administrative actions, sign-offs, and other compliance-relevant events
• Operational logs are retained for periods stated in our Privacy Policy

• Customer database is backed up daily, retained for 7 days
• Backups are encrypted at rest

• We maintain a written Incident Response Plan describing our procedures for detection, containment, communication, and resolution of security incidents
• Personnel are trained on the plan
• The plan is reviewed at least annually and after any material incident

• Personnel with access to Customer Data are subject to confidentiality obligations
• Access is revoked when personnel cease to require it for their role

• Code changes are reviewed before deployment
• Production deployments are subject to type-check and build verification
• Vulnerability scanning of dependencies is performed regularly