Data Processing Agreement
Effective date: 1 April 2026 · Version 1.0
This Data Processing Agreement (“DPA”) forms part of the agreement between REDROCK SYSTEMS PTY LTD (ABN 53 696 760 433) (“RedRock Systems” or “Processor”) and the customer (“Customer” or “Controller”) who has accepted our Terms of Service. It governs the processing of personal information on behalf of the Customer in connection with the Services.
Definitions
In this DPA, the following definitions apply:
- "Data Controller" (or "Controller") means the Customer — the entity that determines the purposes and means of processing Personal Data.
- "Data Processor" (or "Processor") means RedRock Systems — the entity that processes Personal Data on behalf of the Controller.
- "Personal Data" means personal information as defined in the Privacy Act 1988 (Cth), including any information or opinion about an identified or reasonably identifiable individual.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, retrieval, and deletion.
- "Services" has the meaning given in the Terms of Service.
- "Sub-processor" means any third party engaged by RedRock Systems to process Personal Data on behalf of the Controller.
- "Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "OAIC" means the Office of the Australian Information Commissioner.
- "NDB Scheme" means the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
Scope and Nature of Processing
RedRock Systems processes Personal Data as a Data Processor acting on documented instructions from the Customer. The nature, purpose, and subject matter of processing is as follows:
- Nature: storage, retrieval, display, transmission, backup, and deletion of Personal Data within the Services
- Purpose: delivery of the Services as described in the Terms of Service — including NDIS support coordination, practice management, AML/CTF compliance, and other platform features selected by the Customer
- Duration: for the term of the Customer's subscription plus the 30-day post-termination export window
- Categories of data subjects: the Customer's end users, clients, participants, and any individuals whose data the Customer uploads to the Services
- Categories of personal information: contact details, identity information, account credentials, service usage data, and any other personal information uploaded by the Customer
RedRock Systems will not process Personal Data for any purpose other than as instructed by the Customer in these Terms or in documented written instructions. If RedRock Systems is required by law to process Personal Data for another purpose, it will notify the Customer before doing so (unless prohibited by law).
Processor Obligations
RedRock Systems will, in its capacity as Data Processor:
- Process Personal Data only on documented instructions from the Controller, including with regard to cross-border transfers
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain technical and organisational security measures as described at redrocksystems.com.au/trust
- Promptly notify the Controller if, in RedRock Systems' opinion, an instruction from the Controller would infringe the Privacy Act 1988 or other applicable law
- Not engage sub-processors without giving the Controller at least 30 days' prior notice, and ensure sub-processors are bound by equivalent obligations
- Assist the Controller in ensuring compliance with the Controller's own obligations under applicable privacy law, to the extent that such assistance is reasonably within the Processor's control
Security Measures
RedRock Systems maintains appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- AES-256 encryption at rest for all data stored in Supabase (AWS ap-southeast-2)
- TLS 1.3 encryption in transit for all data communicated to and from the Services
- Row-level security (RLS) enforced at the database layer — tenants are cryptographically isolated
- Multi-factor authentication (TOTP) available for all user accounts
- Role-based access control and principle of least privilege for internal system access
- Daily automated backups with point-in-time recovery
The full description of security measures is maintained at redrocksystems.com.au/trust. RedRock Systems will update these measures as technology and threats evolve.
Sub-processors
The Customer authorises RedRock Systems to engage the sub-processors listed at redrocksystems.com.au/trust/sub-processors. RedRock Systems will:
- Notify the Customer at least 30 days before engaging any new sub-processor
- Ensure each sub-processor is bound by a Data Processing Agreement providing at least equivalent protections to this DPA
- Remain liable to the Customer for the acts and omissions of sub-processors to the same extent as if RedRock Systems had performed the processing itself
If the Customer reasonably objects to a new sub-processor within 30 days of notice, the parties will work in good faith to find a resolution. If no resolution is reached, the Customer may terminate the Services on written notice without penalty.
Data Subject Rights
The Customer, as Data Controller, is responsible for responding to data subject access, correction, deletion, and other requests under the Privacy Act 1988 and Australian Privacy Principles. RedRock Systems will:
- Not respond directly to data subject requests unless instructed to do so by the Customer
- Promptly notify the Customer if RedRock Systems receives a request from a data subject that appears to relate to Personal Data processed under this DPA
- Provide reasonable technical assistance to help the Customer respond to data subject requests (e.g., data export, account deletion) — such assistance may be provided at RedRock Systems' standard professional service rates where it involves significant effort
Data Breach Notification
In the event of a Security Incident affecting Personal Data processed under this DPA, RedRock Systems will:
- Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the Security Incident
- Provide the Customer with sufficient information to assess the nature and scope of the incident, including (where known): the nature of the incident, the categories and approximate volume of personal information involved, the likely consequences, and the measures taken or proposed to address the incident
- Cooperate with the Customer and take reasonable steps to mitigate the effects of and remediate the incident
The Customer, as Data Controller and as a regulated entity under the NDB Scheme, is responsible for assessing whether the incident constitutes an eligible data breach and for notifying the OAIC and affected individuals in accordance with Part IIIC of the Privacy Act 1988. RedRock Systems will provide reasonable assistance with the assessment.
Data Return and Deletion
Upon termination or expiry of the Customer’s subscription, RedRock Systems will:
- Make available to the Customer a means to export all Customer Data for a period of 30 days from the termination effective date
- Delete all Customer Data from its systems after the 30-day export window, except where retention is required by law (e.g., AML/CTF records retained for 7 years under Part 10 of the AML/CTF Act 2006, billing records retained for 7 years under Australian tax law)
- Confirm in writing that deletion has been completed, on the Customer's request
Audit Rights
The Customer may audit RedRock Systems' compliance with this DPA subject to the following conditions:
- The Customer provides at least 30 days' prior written notice of an intended audit
- Audits are conducted no more than once per calendar year, unless a Security Incident has occurred
- The Customer uses a qualified independent auditor who has executed a confidentiality agreement acceptable to RedRock Systems
- The audit is conducted during normal business hours and in a manner that minimises disruption to RedRock Systems' operations
- The Customer bears all costs of the audit unless the audit reveals a material breach of this DPA by RedRock Systems
As an alternative to a direct audit, RedRock Systems may provide the Customer with a current third-party audit report (e.g., SOC 2 Type II) covering the relevant systems, which the Customer may treat as sufficient evidence of compliance unless specific concerns require further investigation.
Cross-Border Transfers
The transfer of Personal Data to sub-processors located outside Australia is described in our Data Residency page. Cross-border transfers are limited to transactional sub-processors (Stripe for payment processing, Resend for email delivery) and occur on the basis of:
- Contractual arrangements with each overseas sub-processor providing APPs-equivalent protections
- The Customer's prior acknowledgement (on account creation) of cross-border flows as disclosed in the Privacy Policy
- APP 8 due diligence steps documented in the Data Residency page
Primary customer data — all participant records, compliance files, and customer-generated content — is stored exclusively in Supabase PostgreSQL in the AWS Sydney region (ap-southeast-2) and does not transit overseas as part of normal operations.
Term
This DPA is co-terminous with the Customer’s agreement with RedRock Systems under the Terms of Service. It takes effect from the date the Customer first accepts the Terms of Service and continues until all Personal Data processed under this DPA has been returned or deleted in accordance with clause 8.
Provisions that by their nature should survive termination (including clause 8 — Data Return and Deletion, and clause 7 — Data Breach Notification) will continue in force after termination for the period necessary to give effect to those obligations.
Contact
Questions about this DPA or to request a countersigned copy for your records:
- Email: hello@redrocksystems.com.au (subject line: "DPA Request")
- Entity: REDROCK SYSTEMS PTY LTD
- ABN: 53 696 760 433 · ACN: 696 760 433
- Perth, Western Australia, Australia