The terms applying when we handle data on your behalf.

For the purposes of this DPA: the client is the APP entity / data controller who determines the purposes and means of processing personal information. EiGENRA acts as a service provider / processor on the client's documented instructions in the engagement agreement.

The processing covered by this DPA is:

• Subject matter: personal information necessary to deliver the engagement (process scoping, AI configuration, training cohort administration, etc.)
• Duration: the term of the engagement, plus the retention periods set out below
• Nature and purpose: as described in the engagement agreement and the Practice methodology at /methodology
• Categories of data subjects: the client's employees, contractors, and (only where the engagement requires) customers, partners, or end-users
• Categories of personal information: typically identifiers, contact details, role and team information, workflow-related metadata. Sensitive information is out of scope unless expressly agreed

EiGENRA processes personal information only on the client's documented instructions, as set out in the engagement agreement, this DPA, and any subsequent written instructions given by the client. If we believe an instruction breaches the Privacy Act or another applicable law, we will notify the client without undue delay.

We ensure that personnel authorised to process the client's personal information are bound by contractual confidentiality obligations and have completed appropriate training before access is granted.

We implement technical and organisational security measures appropriate to the risk of processing, consistent with the Australian Privacy Principles and aligned to the Australian Signals Directorate's Essential Eight maturity framework. Specific measures include those published at /security, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access with least-privilege defaults and multi-factor authentication
• Just-in-time, audit-logged access for delivery
• Quarterly access reviews and immediate de-provisioning on personnel change
• Immutable audit trails on engagement-critical operations
• Documented incident response plan, rehearsed at least once per year

By default, personal information processed under this DPA is stored on Australian-region infrastructure — AWS Sydney (ap-southeast-2) or Microsoft Azure Australia East. Where the client requires non-Australian residency (for example, processing on the client's existing tenancy), this is documented in the engagement agreement.

Cross-border transit may transitorily occur where a sub-processor (for example, an AI inference provider) routes through non-Australian infrastructure. We assess each such transit against APP 8 reasonable-step requirements and maintain contractual safeguards equivalent to the Australian Privacy Principles.

We use a small set of sub-processors to deliver the engagement. The current list (provider, purpose, jurisdiction, security commitments) is maintained as an annex to the engagement agreement and is published in summary form below. We update the list when material changes occur and notify the client in advance for engagements with active processing.

Current sub-processor list (summary)

• Hosting and edge platform — application hosting, edge cache, and CDN; configurable Australian-region pinning where supported
• Object storage — generated PDFs and engagement artefacts; Australian-region storage by default
• Key-value and audit log store — lead pipeline, audit trail; Australian or near-region as appropriate, contractually committed to APP-equivalent terms
• AI inference providers — content generation for the lab tools and engagement deliverables; enterprise-grade data-handling commitments, no training on input by default, short retention windows for abuse monitoring
• Scheduling and calendar — booking management for discovery calls (configurable; can be replaced by manual email coordination)
• Email and transactional messaging — engagement communications, magic-link signing flows
• Payment provider — invoice payment rails (vendor-agnostic; client may direct otherwise)
• Accounting — invoice generation and tax compliance under Australian law

Specific provider names, jurisdictions, certifications (SOC 2, ISO 27001), and contracted terms are listed in the engagement-level annex — available under NDA on request.

We will assist the client (taking into account the nature of processing) in responding to requests from data subjects exercising their rights under the Privacy Act — access, correction, objection, deletion. Where a request is sent to us directly, we will forward it to the client and not respond substantively unless instructed.

We notify the client of any actual or reasonably suspected personal information breach affecting their data without undue delay, and in any event within seventy-two hours of becoming aware. The notification will include the information reasonably required for the client to meet their own obligations under the Notifiable Data Breaches scheme — including a description of the breach, categories and approximate numbers of affected data subjects, likely consequences, and remediation actions.

On reasonable written notice, and no more than once per twelve months unless an incident warrants more, the client may audit our compliance with this DPA — typically by submitting a written security questionnaire or by reviewing our published security statement and any attestation reports we hold. On-site audits are accommodated for mid-enterprise clients subject to reasonable scheduling and confidentiality terms.

At the choice of the client, on termination of the engagement we will either return all personal information to the client or delete it from our systems — except where retention is required by law (for example, retention of tax-related records for seven years under Australian taxation law). A written confirmation of return or deletion is provided on request.

Where the engagement uses AI inference to generate outputs from client data, we additionally commit:

• Not to use client data for training, fine-tuning, or evaluating any model
• Not to share client data with sub-processors for any purpose other than generating the agreed output
• To minimise input data — we use only what is needed for the task, and where possible we redact identifiers before inference
• To document model and provider choices in the engagement-level annex, with the client's right to require alternatives where reasonable

Liability under this DPA is governed by the engagement agreement and the Terms at /terms. The aggregate cap and exclusions in those terms apply to claims arising under this DPA, except for any liability that cannot be capped or excluded by Australian law.

Where this DPA conflicts with the engagement agreement, the engagement agreement prevails for that engagement (unless the client agrees a counter-signed DPA expressly overrides). We may update this DPA to reflect changes in law, infrastructure, or sub-processors; material changes are notified in writing for active engagements.

DPA enquiries and counter-signature requests: legal@eigenra.com. Privacy enquiries: privacy@eigenra.com.