# Data Processing Agreement (Template)

**Version:** 1.0
**Date:** 2026-04-28
**Owner:** SymbioTeK Pty Ltd

> **TEMPLATE — SUBJECT TO PER-CUSTOMER REVIEW.** This document is a starting point. Final terms are settled in writing between SymbioTeK Pty Ltd and the customer. SymbioTeK has not yet engaged an Australian privacy lawyer to review this template; that review is on the roadmap. Customers may submit redlines, but legal review may be required before signature.

---

## 1. Parties

This Data Processing Agreement ("**DPA**") is entered into between:

- **SymbioTeK Pty Ltd**, ACN 694 230 334, of Australia ("**SymbioTeK**", the "**Processor**"), and
- **[Customer Legal Name]**, [ABN/ACN], of [Address] (the "**Controller**"),

(together, the "**Parties**").

## 2. Background

The Controller has engaged the Processor to provide access to the MySafeSigns web application (the "**Service**") for the purpose of conducting safety-signage compliance audits in accordance with AS 1319-1994. In the course of providing the Service, the Processor processes personal information on behalf of the Controller. This DPA sets out the terms on which that processing takes place.

This DPA is made under and forms part of the master agreement between the Parties (the "**Principal Agreement**"). In the event of conflict between this DPA and the Principal Agreement on matters of personal information handling, this DPA prevails.

## 3. Definitions

Capitalised terms used in this DPA but not defined have the meanings given to them in the *Privacy Act 1988* (Cth) and the Australian Privacy Principles ("**APPs**"). For convenience:

- "**Personal Information**" has the meaning given in s 6 of the Privacy Act.
- "**Sensitive Information**" has the meaning given in s 6 of the Privacy Act.
- "**Eligible Data Breach**" has the meaning given in Part IIIC of the Privacy Act.
- "**Sub-processor**" means any third party engaged by the Processor to process Personal Information on behalf of the Controller in connection with the Service.
- "**Personnel**" means employees, contractors and agents of a party.

## 4. Subject matter, duration, nature and purpose

| Item | Specification |
|---|---|
| **Subject matter** | Personal Information processed in the course of safety-signage compliance auditing using the Service. |
| **Duration** | The term of the Principal Agreement, plus any retention period required by Clause 13. |
| **Nature** | Storage, transmission, indexing, and (when the Controller's user invokes AI detection) submission of sign photographs to the AI sub-processor for analysis. |
| **Purpose** | Provision of the Service. |

## 5. Categories of data subjects

- The Controller's auditors and personnel who use the Service.
- Persons whose images may incidentally appear in sign photographs (for example, a person walking past a sign during capture).

## 6. Categories of Personal Information

| Category | Provided by | Stored by SymbioTeK? | Notes |
|---|---|---|---|
| Account email | Controller's auditors | Yes (in Supabase, AWS Singapore) | Required for authentication |
| Hashed password | Controller's auditors | Yes (in Supabase, AWS Singapore) | bcrypt or equivalent |
| Credit balance / transaction log | Generated by Service | Yes (in Supabase, AWS Singapore) | Per-account |
| Sign photographs | Controller's auditors | **No** — local to auditor's device only; transmitted to AI sub-processor only when AI detection is invoked | May incidentally include faces |
| GPS coordinates | Controller's auditors | **No** — local to auditor's device only | Never transmitted to SymbioTeK |
| Site, client, auditor names | Controller's auditors | **No** — local to auditor's device only | Never transmitted to SymbioTeK |
| Compliance findings, notes | Controller's auditors | **No** — local to auditor's device only | Never transmitted to SymbioTeK |
| Card / payment details | Controller's auditors | **No** — sent directly to Stripe | PCI-DSS scope is Stripe's |

The Service is **not designed for and does not intentionally process Sensitive Information** as defined in the Privacy Act. The Controller agrees not to direct the Service to process Sensitive Information.

## 7. Processor obligations

### 7.1 Compliance with Controller instructions
The Processor will only process Personal Information on documented instructions from the Controller, including those set out in this DPA and the Principal Agreement. If the Processor is required by Australian or other applicable law to process Personal Information otherwise, it will inform the Controller before doing so unless prohibited by that law.

### 7.2 Confidentiality
The Processor will ensure that its Personnel authorised to process Personal Information are bound by confidentiality obligations no less protective than those in this DPA.

### 7.3 Security measures
The Processor will implement and maintain the technical and organisational measures described in **Annex A (Security Measures)** to protect Personal Information against loss, misuse, unauthorised access, disclosure, alteration and destruction. The Processor will review and update those measures as appropriate.

### 7.4 Sub-processors
The Processor may engage Sub-processors as listed in **Annex B (Sub-processors)**. The Processor will:

- impose on each Sub-processor data-protection obligations no less protective than those in this DPA;
- remain responsible for the acts and omissions of each Sub-processor as if they were its own; and
- give the Controller at least **30 days' written notice** before adding or replacing any Sub-processor. The Controller may object on reasonable grounds within 14 days; if the Parties cannot agree, the Controller may terminate the affected Service component without penalty.

### 7.5 Data subject requests
Where a person makes a request under the APPs (access, correction, erasure, complaint), the Processor will:

- forward the request to the Controller without undue delay; and
- assist the Controller to respond within statutory timelines, taking into account the nature of the processing.

### 7.6 Notifying the Controller of incidents
If the Processor becomes aware of a data breach affecting Personal Information processed under this DPA, it will notify the Controller in writing **without undue delay and in any event within 72 hours** of becoming aware. The notice will include:

- the nature of the breach;
- the categories and approximate number of affected data subjects;
- the categories and approximate number of affected records;
- the likely consequences;
- the measures taken or proposed to address the breach and mitigate its effects.

The Processor will support the Controller in any obligation it has to notify affected data subjects or the Office of the Australian Information Commissioner (OAIC) under Part IIIC of the Privacy Act.

### 7.7 Records
The Processor will maintain records of processing activities sufficient to demonstrate compliance with this DPA and will make those records available to the Controller on reasonable request.

### 7.8 Audit rights
The Controller may, on reasonable written notice and not more than once per year (except where required by a regulator or following a confirmed breach), audit the Processor's compliance with this DPA. Audits will be at the Controller's cost, will be conducted during normal business hours, and will respect the Processor's reasonable confidentiality requirements. The Processor may satisfy audit obligations by providing relevant third-party attestation reports (when available), the Security & Architecture White Paper, the Pre-filled CAIQ-Lite, and the Essential Eight Self-Assessment.

### 7.9 Cross-border disclosure (APP 8)
The Controller acknowledges and consents to the cross-border disclosures described in Annex B. The Processor will take such steps as are reasonable in the circumstances to ensure that overseas recipients do not breach the APPs in relation to the Personal Information.

## 8. Controller obligations

### 8.1 Lawful basis
The Controller warrants that it has a lawful basis under the Privacy Act and any other applicable law for the Personal Information disclosed to the Processor in connection with the Service.

### 8.2 Notices and consents
The Controller is responsible for providing data subjects with the required collection notices and obtaining any required consents.

### 8.3 Use of the Service
The Controller will use the Service in accordance with the Principal Agreement and will not direct the Processor to process Personal Information in a way that breaches the Privacy Act.

## 9. Liability

The liability of each Party under this DPA is governed by the limitations and exclusions set out in the Principal Agreement, except that nothing in those limitations excludes liability that cannot be excluded by law (including liability for breach of the APPs).

## 10. Term and termination

### 10.1 Term
This DPA takes effect on the date of last signature and continues for the term of the Principal Agreement, plus any retention period under Clause 13.

### 10.2 Effect of termination
On termination of the Principal Agreement, the Processor will, at the Controller's election, return or delete Personal Information in its possession or control within 30 days, except to the extent that retention is required by law (in which case the Processor will continue to protect the information in accordance with this DPA for the duration of the legal retention requirement).

## 11. Order of precedence

In the event of conflict, the order of precedence is:

1. This DPA;
2. The Principal Agreement;
3. The MySafeSigns End User Licence Agreement (EULA).

## 12. Governing law

This DPA is governed by the laws of the State of [State, e.g. New South Wales] and Australia, and the Parties submit to the exclusive jurisdiction of the courts of that State and of Australia.

## 13. Retention after termination

Even after termination, the Processor will retain the credit transaction log in pseudonymised form (UUID rather than email) for **7 years** to satisfy Australian record-keeping obligations applicable to financial transactions. No other Personal Information will be retained beyond the 30-day deletion window in Clause 10.2.

---

# Annex A — Security Measures

The Processor implements the following technical and organisational measures. The canonical statement of these measures is in the Processor's [Security & Architecture White Paper](/security/MySafeSigns-Security-Whitepaper-v1.md), which is incorporated by reference. As at the date of this DPA, the measures include:

| # | Measure | Where described |
|---|---|---|
| A1 | TLS 1.2+ for all data in transit | White Paper §6 |
| A2 | AES-256 encryption at rest for the Supabase database | White Paper §6 |
| A3 | Supabase Row-Level Security (`ENABLE` and `FORCE`) on every user-data table | White Paper §5.2 |
| A4 | Stripe webhook signature verification before any database write | White Paper §8 |
| A5 | Origin-allowlisted CORS on Edge Functions | White Paper §4 |
| A6 | HSTS, Content-Security-Policy, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy on every HTML response | White Paper §7 |
| A7 | Subresource Integrity on third-party JavaScript | White Paper §7 |
| A8 | Optional AES-256-GCM (PBKDF2-SHA256, 250,000 iterations) encryption for user-exported backups | White Paper §6 |
| A9 | Operator MFA on Supabase, Stripe, Netlify, GitHub | White Paper §5.3 |
| A10 | Documented incident response procedure | White Paper §9 |
| A11 | Public disclosure file (RFC 9116) at `/.well-known/security.txt` | White Paper §9.1 |

The Processor will review these measures at least annually and update them in line with industry good practice.

---

# Annex B — Sub-processors

As at 2026-04-28. The current canonical list is at <https://mysafesigns.symbio-tek.com/security/sub-processors.html>.

| Sub-processor | Country / region | Purpose | Data received | Compliance evidence |
|---|---|---|---|---|
| Anthropic, PBC | United States | AI vision model (Claude) for sign detection — invoked only on auditor request | Captured sign photograph only; not stored by SymbioTeK | SOC 2 Type II — <https://trust.anthropic.com/> |
| Supabase, Inc. | DB: AWS Singapore (`ap-southeast-1`); Compute: AWS Sydney (`ap-southeast-2`) | Authentication, database, edge function runtime | Account email, hashed password, credit balance, transaction log | SOC 2 Type II — <https://supabase.com/security> |
| Stripe Payments Australia Pty Ltd | Australia | Payment processing | Card details, billing email | PCI-DSS Level 1 — <https://stripe.com/au/legal/pci-dss> |
| Netlify, Inc. | Global edge CDN | Static asset delivery | HTTP request metadata | SOC 2 Type II — <https://www.netlify.com/security/> |

The Processor will give the Controller at least 30 days' written notice before adding or replacing a Sub-processor.

---

# Signatures

**Processor — SymbioTeK Pty Ltd**

Name: ________________________________________

Title: ________________________________________

Date: ________________________________________

Signature: ____________________________________

**Controller — [Customer Legal Name]**

Name: ________________________________________

Title: ________________________________________

Date: ________________________________________

Signature: ____________________________________

---

*Document version 1.0. The current version of this template is at <https://mysafesigns.symbio-tek.com/security/MySafeSigns-DPA-Template-v1.md>.*
