Data Processing Agreement
Effective date: 27 March 2026
Who this applies to
This DPA applies automatically to all Organisation plan subscribers. By subscribing to the Organisation plan, the organisation administrator accepts this DPA on behalf of the organisation.
1. Definitions
"Controller" means the organisation that has subscribed to the Organisation plan and determines the purposes and means of processing. "Processor" means StrataCheckAI Pty Ltd (695 730 404), which processes personal information on behalf of the Controller. "Personal information" has the meaning given in the Privacy Act 1988 (Cth). "Sub-processor" means any third party engaged by the Processor to carry out processing on behalf of the Controller.
2. Scope and nature of processing
The Processor processes personal information on behalf of the Controller for the following purposes: analysing strata documents uploaded by authorised users; generating structured analysis reports; providing AI-assisted chat functionality; maintaining legally required audit and evidence records; and providing account management, authentication, and billing services.
3. Controller's obligations
The Controller confirms it has a lawful basis for providing personal information contained in uploaded documents to the Processor; will ensure individuals whose personal information appears in uploaded documents are made aware of the processing; will only upload documents relevant to the strata property being analysed; and ensures all authorised users comply with the Terms of Service.
4. Processor's obligations
The Processor will: process personal information only for the purposes described in this DPA; implement appropriate technical and organisational security measures; ensure personnel with access are bound by confidentiality obligations; notify the Controller without undue delay upon becoming aware of a personal information breach; and assist the Controller in responding to individual rights requests.
5. Sub-processors
The Controller authorises engagement of the following sub-processors:
| Sub-processor | Processing activity | Location |
|---|---|---|
| Anthropic PBC | AI processing of document content | USA |
| Amazon Web Services | Cloud storage (documents, evidence bundles) | Australia |
| Supabase Inc. | Database hosting | USA |
| Clerk Inc. | User authentication | USA |
| Stripe Inc. | Payment processing | USA |
| Resend Inc. | Transactional email delivery | USA |
6. Retention and deletion
Original uploaded documents are automatically deleted within 48 hours of report generation. Evidence bundles are retained for 7 years in write-protected storage and cannot be deleted earlier. User account data is deleted within 30 days of account closure, subject to legal retention obligations. The Controller acknowledges that evidence bundles cannot be deleted before the 7-year retention period expires due to WORM storage configuration.
7. Security measures
The Processor implements: encryption of all data in transit (TLS 1.2+) and at rest; WORM storage for evidence bundles; IP address hashing — raw IP addresses are never stored; automatic deletion of source documents within 48 hours; role-based access controls; and SHA-256 hashing of report content to enable integrity verification.
8. Data breach notification
In the event of a personal information breach involving the Controller's data, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
9. Governing law
This DPA is governed by the laws of New South Wales, Australia. Contact for queries: legal@stratacheckai.com.au