Agreement

Data Processing Agreement

Processor obligations, security measures, subprocessors, and breach handling for personal information processed on your behalf.

Last updated · 16 July 2026

Parties and roles

ControllerClient
The client organisation that determines the purposes and means of processing personal information contained in client data.
ProcessorBusiness Avengers
Business Avengers, providing Becide as a processor acting on documented instructions from the Controller.
SubprocessorApproved third party
Third parties engaged to help deliver the Service — primarily hosting, authentication, and approved AI providers, contractually bound to equivalent obligations.
Personal informationAs defined
Given the meaning in the Privacy Act 1988 (Cth) unless otherwise defined in the main agreement.

3. Processing instructions

We process personal information only on documented instructions from the Controller, including configuration of the Service, connector authorisation, and documented support requests. If we are required by law to process personal information otherwise, we will inform the Controller unless prohibited by law.

4. Confidentiality

Personnel with access to personal information are bound by confidentiality obligations. Access is limited to those who need it to perform the Service.

5. Security measures

We implement technical and organisational measures appropriate to the risk.

  • AES-256 at rest

    Per-client dedicated encryption keys. Becide never stores key material.

  • TLS in transit

    TLS 1.2 or higher for every request.

  • Tenant isolation

    Scope enforced by organisation across storage, search, and encryption references.

  • Secure credential storage

    Connector credentials stored in a dedicated secrets vault.

  • Audit logging in Australia

    AI runs and administrative actions are logged onshore.

  • Access review

    Regular review of access controls and incident response procedures.

6. Subprocessors

The Controller authorises use of subprocessors necessary to deliver the Service. Primary subprocessors include Amazon Web Services (Australia) for hosting and storage, our authentication service, and approved AI providers.

We maintain a subprocessor register available on request. We will notify Controllers of material subprocessor changes where required by agreement. We impose data protection obligations on subprocessors through contract.

7–9. Transfers, requests, breaches

Personal information is primarily stored in Australia. Where processing occurs outside Australia, we take reasonable steps to ensure APP 8 compliance, including contractual safeguards.

We assist the Controller in responding to requests from individuals to access, correct, or delete personal information, within reasonable timeframes and subject to the Controller's instructions.

We will notify the Controller without undue delay after becoming aware of a personal information breach affecting the Controller's data, providing information reasonably available to support the Controller's assessment and notification obligations under the Privacy Act.

10–13. Deletion, audits, liability, term

On termination or at the Controller's instruction, we delete or return personal information per the exit process: export on request, deletion from all layers, and scheduling encryption key destruction so ciphertext is unreadable.

We make available information reasonably necessary to demonstrate compliance with this DPA. Enterprise Controllers may request security questionnaires or architecture summaries subject to confidentiality. On-site audits may be arranged for enterprise agreements, subject to reasonable notice, scope limits, and confidentiality.

Liability under this DPA is subject to the limitation of liability in the main agreement. Each party remains responsible for its obligations under the Privacy Act. This DPA remains in effect while we process personal information on behalf of the Controller. If inconsistent with the main agreement, this DPA prevails on data protection matters.

Request a countersigned DPA

Enterprise controllers can request a countersigned PDF, security questionnaire, or subprocessor register.