Data Processing Agreement

How Checkbase handles personal information on your behalf.

Last updated 17 May 2026

In plain English

The short version.

  • You remain the Australian Privacy Principles "APP entity" for the personal information you upload. Checkbase is your contracted handler.
  • We only process the data you upload to provide the Checkbase service. We don't use it for our own purposes.
  • We use the sub-processors listed on our Trust page. We'll give you at least 30 days' notice before adding a new one and you can object.
  • If we discover a data breach we'll tell you within 72 hours so you can run your own NDB clock.
  • When your subscription ends we delete your data within 30 days (subject to a 30-day export window).
  • This DPA forms part of our Terms of Service. By using Checkbase, you accept it.

1. Parties and scope

This Data Processing Agreement ("DPA") is entered into between Checkbase Pty Ltd (ABN 23 697 668 330) ("Checkbase") and the provider organisation that has signed up for a Checkbase subscription ("Customer"). It applies to all personal information (as defined in the Privacy Act 1988 (Cth)) that Customer or its authorised users upload, generate, or transmit through the Checkbase service.

This DPA forms part of the Terms of Service and prevails over any conflicting term in the Terms in respect of personal information handling.

2. Roles

Customer is the APP entity / controller for personal information about its workers and participants. Customer is responsible for ensuring it has the lawful basis (typically consent, or statutory authority) to collect that information and disclose it to Checkbase for processing.

Checkbase is Customer's contracted handler / processor. We process personal information only on Customer's documented instructions, which for these purposes are the configuration choices Customer makes in the product and the documented features of the service.

3. Purpose limitation

Checkbase processes personal information only to provide, maintain, secure, and improve the Checkbase service for the Customer. We do not use Customer personal information for our own marketing, profile-building, ad-targeting, or AI/ML model training, and we do not disclose it to third parties for those purposes.

4. Categories of data and data subjects

  • Account-holders (Customer's admin and staff users): name, email, role, login activity.
  • Workers (Customer's employees and contractors): name, contact details, employment dates, role, uploaded compliance documents (which may include sensitive information such as health checks, criminal-history screening, and immigration status).
  • Participants (the people Customer supports): name, NDIS number, date of birth, contact details, address, service type, uploaded files (which routinely contain sensitive health and disability information).
  • SIL houses and dwellings (where applicable): address, capacity, dwelling-specific compliance documents.

5. Security

Checkbase implements the technical and organisational measures described on the Trust page, including (without limitation): encryption at rest and in transit (TLS 1.2+); application-level Row Level Security to isolate Customers' data; least-privilege staff access controls; full audit logging on document views and downloads; vulnerability monitoring; and routine backups in the same Australian region.

Checkbase will not materially weaken these measures during the term of the subscription.

6. Sub-processors

Checkbase uses the sub-processors listed on the Trust page. Each sub-processor is bound by a written agreement that imposes equivalent or stricter obligations than this DPA.

Before engaging a new sub-processor that will process Customer personal information, Checkbase will give Customer at least 30 days' notice (via email to the account-holder and an update to the Trust page). Customer may object on reasonable, privacy-related grounds; if Checkbase cannot accommodate the objection, Customer's remedy is to terminate the subscription for that reason within the notice period, with a pro-rata refund of pre-paid fees.

7. Cross-border disclosure (APP 8)

Routine application data remains in Australia (Supabase, Sydney region). Email and payment processing may be handled outside Australia by the sub-processors identified on the Trust page. Checkbase takes reasonable steps to ensure each overseas recipient handles personal information in a manner consistent with the Australian Privacy Principles, including via contractual terms.

8. Data breach notification

If Checkbase becomes aware of a confirmed or suspected unauthorised access to, disclosure of, or loss of Customer personal information, Checkbase will notify Customer without undue delay and in any event within 72 hours of awareness. Notification will include the information then known: nature of the incident, categories and approximate number of records affected, likely consequences, and measures taken or proposed.

Checkbase will cooperate with Customer in any assessment under Part IIIC of the Privacy Act (the Notifiable Data Breaches scheme), and will not unilaterally notify affected individuals on Customer's behalf unless Customer has expressly requested it.

9. Customer-directed access, correction and deletion

Customer may at any time access, export, correct or delete personal information through the Checkbase application. Where individual rights requests reach Checkbase directly (under APP 12 / APP 13, or equivalent state health-records legislation), Checkbase will route them to Customer without responding to the substance, except to confirm receipt to the requester.

Checkbase will assist Customer (at no additional cost) to respond to such requests by providing the relevant data within reasonable timeframes.

10. Return and deletion on termination

On termination of the subscription, Customer has a 30-day export window during which it may extract its data using the in-app export tooling. After the export window closes, Checkbase will delete or de-identify Customer personal information from active systems within a further 30 days. Backups containing residual copies are overwritten on a rolling schedule, in any event within 90 days of termination, after which no Customer personal information remains in the backup set.

Where Checkbase is required by Australian law to retain specific records (for example, financial records under tax law), it will retain only that subset and only for the minimum period required.

11. Audit and assurance

Customer may, no more than once per twelve-month period and on reasonable prior notice (not less than 30 days), request a written summary of Checkbase's security practices and any third-party assurance reports then available, and may submit a reasonable security questionnaire which Checkbase will respond to within 30 days.

Where Customer has a regulatory obligation to perform an on-site or technical audit, the parties will negotiate in good faith on scope and reasonable cost recovery.

12. Subcontracted staff

Checkbase staff and any subcontractors with access to Customer personal information are bound by written confidentiality obligations and undergo onboarding that covers the Australian Privacy Principles, the Notifiable Data Breaches scheme, and Checkbase's acceptable-use rules for production access.

13. Liability

Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service, including the resupply-remedy cap permitted under section 64A of the Australian Consumer Law for services not of a kind ordinarily acquired for personal use.

14. Governing law

This DPA is governed by the law in force in New South Wales, Australia. Each party submits to the non-exclusive jurisdiction of the courts of New South Wales.

15. Changes

Checkbase may update this DPA from time to time. Material changes will be communicated by email to account-holders at least 30 days before they take effect. The version date at the top of this page always reflects the current revision.

Customers with bespoke enterprise requirements (a counter-signed DPA, additional security questionnaires, named privacy contacts) can .

Checkbase Pty Ltd (ABN 23 697 668 330, ACN 697 668 330). Checkbase is not a law firm; this DPA is our good-faith implementation of Australian Privacy Principles for the typical NDIS provider relationship.