Parties and roles
- Controller
- The client organisation that determines the purposes and means of processing personal information contained in client data.
- Processor
- Business Avengers, providing Becide as a processor acting on documented instructions from the Controller.
- Subprocessor
- Third parties engaged to help deliver the Service — primarily hosting, authentication, and approved AI providers, contractually bound to equivalent obligations.
- Personal information
- Given the meaning in the Privacy Act 1988 (Cth) unless otherwise defined in the main agreement.
3. Processing instructions
We process personal information only on documented instructions from the Controller, including configuration of the Service, connector authorisation, and documented support requests. If we are required by law to process personal information otherwise, we will inform the Controller unless prohibited by law.
4. Confidentiality
Personnel with access to personal information are bound by confidentiality obligations. Access is limited to those who need it to perform the Service.
5. Security measures
We implement technical and organisational measures appropriate to the risk.
- AES-256 at rest
Per-client dedicated encryption keys. Becide never stores key material.
- TLS in transit
TLS 1.2 or higher for every request.
- Tenant isolation
Scope enforced by organisation across storage, search, and encryption references.
- Secure credential storage
Connector credentials stored in a dedicated secrets vault.
- Audit logging in Australia
AI runs and administrative actions are logged onshore.
- Access review
Regular review of access controls and incident response procedures.
6. Subprocessors
The Controller authorises use of subprocessors necessary to deliver the Service. Primary subprocessors include Amazon Web Services (Australia) for hosting and storage, our authentication service, and approved AI providers.
We maintain a subprocessor register available on request. We will notify Controllers of material subprocessor changes where required by agreement. We impose data protection obligations on subprocessors through contract.
7–9. Transfers, requests, breaches
Personal information is primarily stored in Australia. Where processing occurs outside Australia, we take reasonable steps to ensure APP 8 compliance, including contractual safeguards.
We assist the Controller in responding to requests from individuals to access, correct, or delete personal information, within reasonable timeframes and subject to the Controller's instructions.
We will notify the Controller without undue delay after becoming aware of a personal information breach affecting the Controller's data, providing information reasonably available to support the Controller's assessment and notification obligations under the Privacy Act.
10–13. Deletion, audits, liability, term
On termination or at the Controller's instruction, we delete or return personal information per the exit process: export on request, deletion from all layers, and scheduling encryption key destruction so ciphertext is unreadable.
We make available information reasonably necessary to demonstrate compliance with this DPA. Enterprise Controllers may request security questionnaires or architecture summaries subject to confidentiality. On-site audits may be arranged for enterprise agreements, subject to reasonable notice, scope limits, and confidentiality.
Liability under this DPA is subject to the limitation of liability in the main agreement. Each party remains responsible for its obligations under the Privacy Act. This DPA remains in effect while we process personal information on behalf of the Controller. If inconsistent with the main agreement, this DPA prevails on data protection matters.
Enterprise controllers can request a countersigned PDF, security questionnaire, or subprocessor register.