Last updated: 13 June 2026 · Version: 2.0 Forms part of the AuditCore Terms of Service. Between NOTION TECH PTY LTD (ACN 698 318 124), operating AuditCore ("AuditCore") and the Customer (the NDIS provider).
This DPA governs AuditCore's handling of personal information (including sensitive and health information about Participants and workers) that the Customer places in the Service. It is written to help NDIS providers meet their Privacy Act (APP) and NDIS Practice Standards obligations to bind their service providers.
1. Roles
- The **Customer** is the organisation responsible for the Participant/worker personal information it collects and for its lawful basis (including any consents).
- **AuditCore** handles that information **on the Customer's documented instructions** to provide the Service, and also has its own APP obligations as a holder of health information.
2. AuditCore's commitments
AuditCore will:
- 1process Customer personal information only to provide, secure and support the Service, or as required by law;
- 2not sell it, and not use Participant health information for its own marketing or (via sub-processors) for AI model training;
- 3keep it confidential and ensure personnel are bound by confidentiality;
- 4apply appropriate technical and organisational security (encryption in transit (TLS); encryption at rest with AES-256 application-layer encryption for designated sensitive fields; role-based access controls; multi-tenant isolation; audit logging; rate limiting) — see the **Security** page;
- 5maintain a **Data Breach Response Plan** and, on confirming an eligible data breach affecting the Customer's data, notify the Customer **without undue delay and within 48 hours**, and cooperate so the parties can meet the **Notifiable Data Breaches scheme** obligation to notify the **OAIC and affected individuals as soon as practicable**;
- 6assist the Customer, so far as reasonable, with access/correction requests, breach assessment, and regulator enquiries (including the OAIC and the **NDIS Quality and Safeguards Commission**);
- 7use only the sub-processors in Schedule 1, under contracts with equivalent protections;
- 8keep Customer primary data **onshore in Australia (Sydney)** and not relocate primary storage overseas without reasonable prior notice;
- 9on termination, make Customer data available for **export for 30 days** (in machine-readable JSON, and Excel/CSV/Word/PDF where those features exist) then delete or de-identify it, except where law (including NDIS record-keeping) requires retention.
3. Customer's commitments
The Customer will:
- 1ensure it has the **consents and lawful basis** to collect the Participant/worker information (including sensitive/health information) and to have AuditCore process it;
- 2keep its access credentials secure and manage its own users' permissions;
- 3respond to Participant access/correction/complaint requests as the responsible provider;
- 4not upload information it is not permitted to.
4. Sub-processors and change / objection rights
AuditCore uses the sub-processors listed in Schedule 1. AuditCore will give the Customer reasonable prior notice (at least 30 days where practicable) before adding or replacing a sub-processor that will process Customer personal information. The Customer may object on reasonable data-protection grounds within that notice period. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service without penalty and receive a pro-rata refund of pre-paid fees for the unused period.
5. Cross-border disclosure (APP 8)
The Customer acknowledges and consents that, while primary data is stored onshore in Australia, certain features disclose data to overseas sub-processors (including in the United States) per Schedule 1. AuditCore remains accountable under APP 8 and takes reasonable steps to ensure APP-consistent handling.
6. Data breach cooperation
On an eligible data breach, the parties will cooperate to assess, contain, and (where required) notify the OAIC and affected individuals under the NDB scheme, and the NDIS Commission where relevant. See the Data Breach Response Plan.
7. Audit and assurance rights
On reasonable written request (up to once per year, or more often following a confirmed breach or a regulator's requirement), AuditCore will provide reasonable information and documentation about its security and privacy controls to help the Customer meet its own compliance and NDIS Commission audit obligations. Where a physical or third-party audit is genuinely required by a regulator, the parties will cooperate in good faith on reasonable, confidential arrangements.
8. Data portability
The Customer may export its complete data at any time from Account Settings (machine-readable JSON), and individual registers as Excel/CSV and Word/PDF where provided, supporting portability and continuity of care.
9. Precedence
If this DPA conflicts with the Terms on data-protection matters, this DPA prevails.
Schedule 1 — Sub-processors
| Sub-processor | Purpose | Location | Data types | |---|---|---|---| | Anthropic, PBC (Claude) | AI document/analysis generation | United States | Record text, may include health info (not used for training) | | Stripe | Payment processing | United States / global | Billing contact, tokenised payment | | Resend / email provider | Transactional email | United States | Names, emails | | Google LLC (Drive API) — optional | Optional policy-document analysis | United States / global | Provider policy files | | Managed PostgreSQL host | Primary data hosting | Sydney, Australia (onshore) | All Customer data |
*Current as at 13 June 2026. Updated with prior notice per §4.*
Ready to stay audit-ready?
Join Australian NDIS providers using AuditCore to manage compliance and pass every audit.
Book a Free Demo