Data Processing Agreement

Last updated: December 20, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Council DA Pty Ltd ("we", "us", or "Council DA") and you ("Customer") and governs the processing of personal data in connection with our services.

This DPA applies to the extent that we process personal data on behalf of the Customer in providing our API services. We act as a data processor when processing personal data on your behalf.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • "Data Controller" means the entity that determines the purposes and means of processing personal data.
  • "Data Processor" means the entity that processes personal data on behalf of the data controller.
  • "Sub-processor" means any third party engaged by Council DA to process personal data.

3. Scope of Processing

We process personal data only as necessary to provide our services, which includes:

  • Aggregating publicly available development application data from Australian council websites
  • Storing and indexing this data for API access
  • Providing search and filtering capabilities
  • Delivering webhook notifications to your specified endpoints
  • Maintaining logs for security and debugging purposes

4. Nature of Data

The personal data processed through our services primarily consists of:

  • Names of applicants and property owners (as publicly disclosed in DA records)
  • Property addresses
  • Contact information where publicly available in council records
  • Details of development applications

This data is sourced from publicly available council websites and records. We do not collect or process sensitive personal data or special categories of data.

5. Our Obligations

As a data processor, we commit to:

  • Process personal data only in accordance with your documented instructions
  • Ensure that personnel processing personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject access requests
  • Notify you without undue delay upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination of our services, at your choice
  • Make available information necessary to demonstrate compliance with this DPA

6. Security Measures

We implement and maintain appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response and disaster recovery procedures
  • Employee security training and background checks
  • Physical security of data center facilities

7. Sub-processors

We use the following sub-processors to provide our services:

Sub-processor          Purpose                 Location
Amazon Web Services    Cloud Infrastructure    Sydney, Australia
Supabase               Database Hosting        Sydney, Australia
Stripe                 Payment Processing      United States
Render                 Application Hosting     United States

We will notify you of any intended changes to sub-processors, giving you the opportunity to object to such changes.

8. Data Retention

We retain personal data only for as long as necessary to provide our services and comply with legal obligations. Development application data is retained in accordance with public records retention requirements. Upon termination of your account, we will delete your API keys, webhook configurations, and usage data within 30 days.

9. Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under applicable data protection laws. This includes requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

10. Data Breach Notification

In the event of a personal data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Our notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.

11. International Transfers

Where personal data is transferred outside of Australia, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by relevant authorities and adequacy assessments of the receiving jurisdiction's data protection laws.

12. Contact Information

For questions about this Data Processing Agreement, please contact:

Council DA Pty Ltd

Data Protection Officer

Email: privacy@councilda.com.au

Address: Sydney, NSW, Australia