1. Definitions
This Data Processing Addendum ("DPA") forms part of the Terms of Service between FirstAidLog Pty Ltd ("Processor", "we", "us") and the organisation subscribing to FirstAidLog ("Controller", "you", "Customer").
- Controller: The Customer organisation that determines the purposes and means of processing personal data via the Service
- Processor: FirstAidLog Pty Ltd, which processes personal data on behalf of the Controller
- Personal Data: Any information relating to an identified or identifiable individual, as defined in the Privacy Act 1988 (Cth)
- Health Information: Sensitive information as defined in s6(1) of the Privacy Act 1988, including patient details, injury records, and treatment information
- Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller
2. Scope of Processing
2.1 Subject Matter
The Processor processes Personal Data solely to provide the FirstAidLog service as described in the Terms of Service, including storage, retrieval, display, and transmission of workplace health and safety records.
2.2 Categories of Data Subjects
- Customer employees and administrators
- First aiders and safety officers
- Patients and injured persons (as recorded in incident reports)
- Witnesses to workplace incidents
2.3 Types of Personal Data
| Category | Data Types | Protection |
|---|---|---|
| Account data | Name, email, role, organisation | RLS, TLS, bcrypt |
| Health information | Patient details, injury nature, treatment, psychological harm | AES-256-GCM field-level encryption |
| WHS records | First aider details, witness statements, incident locations | AES-256-GCM field-level encryption |
| Operational data | Kit inventories, inspections, training records | RLS, TLS |
| Financial data | Stripe customer ID (no card numbers stored) | PCI-DSS (Stripe) |
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by Australian law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - AES-256-GCM field-level encryption for health information
  - AES-256-GCM encryption for OAuth tokens at rest
  - TLS 1.2+ for all data in transit (enforced via HSTS)
  - Row-Level Security policies on all database tables
  - Role-based access control with principle of least privilege
  - Comprehensive audit logging (including read events)
- Not engage another processor without prior written authorisation from the Controller (see Section 5)
- Assist the Controller in responding to requests from data subjects exercising their rights under APPs 12 and 13
- Assist the Controller in ensuring compliance with their obligations regarding data security, breach notification, and privacy impact assessments
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, subject to legal retention requirements (WHS Act 2011 s274(d))
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
4. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis for providing Personal Data to the Processor
- Obtain any required consents from data subjects before entering Personal Data (particularly health information) into the Service
- Provide the Processor with written instructions regarding the processing of Personal Data
- Comply with Australian Privacy Principles when collecting, using, and disclosing personal information via the Service
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Sydney, Australia |
| Vercel Inc. | Application hosting, API, CDN | Sydney, AU (primary); global edge |
| Functional Software Inc. (Sentry) | Error monitoring (no PII) | United States |
| Zoho Corporation | Transactional email delivery | Australia |
| Stripe Inc. | Payment processing | United States / Australia |
| Xero Limited | Accounting integration (if enabled) | Australia / New Zealand |
| Intuit Inc. (QuickBooks, coming soon) | Planned accounting integration if enabled in future | United States / Australia |
The Processor will notify the Controller at least 14 days before adding or replacing a sub-processor. If the Controller objects, they may terminate the affected service component.
6. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller within 24 hours of becoming aware of the breach
- Provide sufficient information for the Controller to meet their obligations under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988
- Cooperate with the Controller and take reasonable steps to contain, investigate, and remediate the breach
- Not notify affected individuals or the OAIC directly without prior consultation with the Controller, unless required by law
The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
7. Data Retention & Deletion
Upon termination of the Service agreement:
- The Controller may export all data via in-app CSV/PDF export features before termination
- The Processor will delete all Personal Data within 30 days of termination, except where retention is required by law
- Incident reports involving serious injury will be retained for up to 30 years in anonymised form as required by the WHS Act 2011 s274(d)
- Financial records will be retained for 7 years as required by Australian tax law
- The Processor will provide written confirmation of deletion upon request
8. International Transfers
Where Personal Data is transferred to a sub-processor outside Australia (see Section 5), the Processor ensures that:
- The recipient is subject to a law or binding scheme that provides comparable protections to the APPs (APP 8.2(a))
- The Controller has consented to the transfer after being informed of the protections (APP 8.2(b))
- Appropriate contractual safeguards (including data processing agreements) are in place
Primary data storage remains in Australia (Supabase Sydney region, ap-southeast-2).
9. Audits
The Processor shall make available to the Controller, on reasonable request, information necessary to demonstrate compliance with this DPA. The Controller may conduct or commission an audit (at their own cost) with reasonable notice, during business hours, and subject to confidentiality obligations.
10. Governing Law
This DPA is governed by the laws of Queensland, Australia. The parties submit to the exclusive jurisdiction of the courts of Queensland.
11. Contact
For DPA-related enquiries:
Privacy Officer
FirstAidLog Pty Ltd
Email: support@firstaidlog.com
Queensland, Australia