Data Processing Agreement
Last updated: March 2026
Summary
This Data Processing Agreement ("DPA") governs how Protocol Labs (ABN 49 634 013 629), a sole trader business trading as AxionSite ("Processor") processes personal data on behalf of customers ("Controller") when using the AxionSite platform. It satisfies requirements under the Australian Privacy Act 1988, the Australian Privacy Principles, and where applicable, Article 28 of the GDPR. By using the Service, you accept this DPA.
1. Parties and Definitions
Controller means the customer (individual or organisation) that determines the purposes and means of processing personal data through the AxionSite Service. Processor means Protocol Labs (ABN 49 634 013 629), trading as AxionSite, which processes personal data on behalf of the Controller. Personal Data means any information relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth) and, where applicable, the GDPR. Processing means any operation performed on personal data (collection, storage, use, disclosure, etc.). Service means the AxionSite platform, website, APIs, and related services described in the Terms of Service.
2. Scope and Duration
This DPA applies to all Processing of Personal Data by the Processor in connection with the Service. It forms part of the agreement between the parties (including the Terms of Service and Privacy Policy). The duration of Processing is the term of the Service agreement. Upon termination, the Processor will return or delete Personal Data in accordance with Section 10.
3. Processing Details
3.1 Nature and purpose
The Processor processes Personal Data for the purpose of providing the AxionSite Service, including: generating WHS compliance documents (SWMS, permits, JHA, toolbox talks); managing sign-on/off rosters; storing and serving user accounts; processing payments; sending transactional communications; and improving the Service. Processing is performed in accordance with the Controller's instructions as reflected in the Service configuration and the Terms of Service.
3.2 Types of personal data
Account and identity information (name, email, phone, company, job title); content and operational data (task descriptions, site addresses, worker names, hazard information, uploaded photographs); usage and log data; device and technical data; and payment-related information processed by our payment provider.
3.3 Categories of data subjects
Controller's employees, contractors, and authorised users; workers whose names or details appear in WHS documents (e.g. sign-on rosters); and any other individuals whose Personal Data the Controller submits to the Service.
4. Processor Obligations
The Processor shall: (a) process Personal Data only on documented instructions from the Controller, unless required by law; (b) ensure that persons authorised to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organisational measures to protect Personal Data (see Section 6); (d) assist the Controller in responding to data subject requests and regulatory enquiries (see Section 8); (e) notify the Controller without undue delay of any Personal Data breach (see Section 9); (f) assist the Controller with privacy impact assessments where required by law; and (g) delete or return Personal Data upon termination as requested (see Section 10). The Processor shall not engage another processor (subprocessor) without the Controller's prior authorisation or general written authorisation as set out in Section 5.
5. Subprocessors
The Processor uses the following subprocessors to provide the Service. The Controller provides general authorisation for the Processor to engage these subprocessors, subject to the Processor ensuring that each subprocessor is bound by data protection obligations substantially similar to those in this DPA.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, CDN, serverless functions | Global (origin: Australia) |
| Google LLC (Firebase / Google Cloud) | Database, authentication, file storage, backend services | Australia (Australian regions) |
| OpenAI, L.L.C. | AI document generation, image analysis | United States (API; no persistent storage) |
| Stripe, Inc. | Payment processing | Australia / global |
| Resend, Inc. | Transactional email | United States |
The Processor will notify the Controller of any intended changes to subprocessors (additions or replacements) via email or in-app notice at least 30 days in advance. The Controller may object on reasonable grounds relating to data protection. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Service without penalty.
6. Security Measures
The Processor implements technical and organisational measures appropriate to the risk, including: (a) encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256); (b) access controls and role-based permissions; (c) secure development practices and vulnerability management; (d) incident response procedures aligned with the Notifiable Data Breaches scheme; (e) regular backups with point-in-time recovery; and (f) physical and logical security of infrastructure (Google Cloud / Firebase, Vercel). Further details are set out in our Security & Compliance page.
7. International Transfers
Primary processing occurs in Australia (Firebase / Google Cloud Australian regions). Where Personal Data is transferred to subprocessors outside Australia (e.g. OpenAI, Resend), the Processor ensures appropriate safeguards: (a) for transfers subject to the GDPR, Standard Contractual Clauses approved by the European Commission or equivalent mechanisms; (b) for Australian Privacy Act compliance, the Processor requires subprocessors to comply with the APPs or equivalent protections. The Controller acknowledges that use of AI features may involve transient transfer of data to OpenAI (US) for processing; such processing is necessary for the Service and is governed by OpenAI's data processing terms.
8. Data Subject Rights Assistance
The Processor will assist the Controller in fulfilling requests from data subjects (access, correction, deletion, portability, objection, restriction) to the extent reasonably possible and within the capabilities of the Service. The Controller is responsible for verifying the identity of data subjects and for responding to requests. The Processor will provide such assistance within 30 days of the Controller's written request, unless a longer period is required by law. The Processor may charge reasonable fees for assistance that is manifestly unfounded or excessive.
9. Personal Data Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data breach affecting the Controller's data. The notification will include, to the extent known: the nature of the breach; the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach. The Processor will cooperate with the Controller in meeting any regulatory notification obligations (e.g. OAIC under the NDB scheme, supervisory authority under the GDPR).
10. Return and Deletion of Personal Data
Upon termination or expiry of the Service, and upon the Controller's written request, the Processor will return or delete all Personal Data processed on behalf of the Controller, except where the Processor is required to retain data by law. Deletion will be completed within 90 days of the request. The Controller may request a certificate of deletion. Export of data prior to deletion is available through the Service's export functionality.
11. Audits and Inspections
The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice (at least 30 days), and no more than once per year, the Controller may conduct an audit or inspection, or engage an independent auditor, subject to confidentiality obligations and the Processor's reasonable security and operational requirements. The Processor will provide responses to written security questionnaires (e.g. SIG, CAIQ) within 15 business days where possible. Requests should be submitted via our contact form.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA excludes or limits either party's liability for fraud, gross negligence, or any liability that cannot be excluded or limited under applicable law.
13. Contact
For questions about this DPA, data protection, or to exercise rights, use our contact form or the details in our Privacy Policy.
This DPA is incorporated by reference into the Terms of Service and Privacy Policy. By using the Service, you agree to this DPA.