Data Processing Agreement

1. Introduction

This Data Processing Agreement (Agreement) governs the processing of Personal Information and Sensitive Information by BNDRY Pty Ltd (Processor or BNDRY) on behalf of the customer that accepts it (Controller). The primary law governing this Agreement is the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles under that Act (APPs). Where, and only to the extent that, the EU General Data Protection Regulation (EU) 2016/679 (EU GDPR) or the United Kingdom’s retained version of that Regulation (UK GDPR) applies to a particular processing activity, the additional requirements of those laws apply as an overlay to this Agreement. Where the EU GDPR applies, this Agreement is intended to satisfy the written contract requirements of the EU GDPR. The services involve Sensitive Information, including biometric information, and in this Agreement a reference to Personal Information includes Sensitive Information unless stated otherwise.

Each party is, and remains, an APP entity that is directly bound by the APPs in respect of any Personal Information it holds. The descriptive labels “Controller” and “Processor” allocate responsibilities between the parties as a matter of contract. They do not limit, transfer or discharge either party’s own obligations under the Privacy Act, because the Privacy Act does not recognise a controller or processor distinction and does not provide a processor with a statutory exemption from the APPs.

BNDRY maintains an information security management system (ISMS) certified to ISO/IEC 27001:2022, and the technical and organisational measures in Annex II reflect that framework. Where BNDRY provides services to a Controller that is an entity regulated by the Australian Prudential Regulation Authority, BNDRY aligns its practices as a material service provider with APRA Prudential Standard CPS 234.

‍

2. Definitions

Applicable Data Protection Law means the Privacy Act and the APPs and, to the extent applicable to a particular processing activity, the EU GDPR, the UK GDPR, and any other law relating to privacy or the protection of Personal Information that applies to a party in respect of that activity.

Eligible Data Breach has the meaning given in the Privacy Act. The scheme for notifying eligible data breaches is commonly called the Notifiable Data Breaches scheme.

Personal Information has the meaning given in the Privacy Act and, in this Agreement, includes Sensitive Information unless stated otherwise. Where a processing activity is governed by the EU GDPR or UK GDPR, the equivalent concepts of “personal data” and “special categories of personal data” under those laws apply to that activity.

Sensitive Information is a subset of Personal Information and has the meaning given in the Privacy Act. It includes information or an opinion about an individual’s health, racial or ethnic origin, religious beliefs, sexual orientation or criminal record that is also Personal Information, as well as biometric information that is to be used for automated biometric verification or biometric identification, and biometric templates. A requirement in this Agreement that applies specifically to Sensitive Information, such as the consent requirement in clause 4, applies in addition to the requirements that apply to Personal Information generally.

Security Incident means any actual or reasonably suspected unauthorised access to, or loss, misuse, interference, modification or disclosure of, Personal Information processed under this Agreement.

Sub-processor means any third party engaged by BNDRY to process Personal Information on behalf of the Controller under this Agreement.

Other terms drawn from a particular data protection regime are interpreted in accordance with the closest equivalent concept under the Applicable Data Protection Law that governs the relevant activity. Use of a term originating in one regime does not import obligations from that regime into another.

Where a term is defined in both this Agreement and the Terms and Conditions, the definition in this Agreement applies for the purposes of interpreting this Agreement. A reference in this Agreement to the Agreement is to this Data Processing Agreement, not to the Agreement as defined in the Terms and Conditions.

‍

3. Relationship of the parties, roles and precedence

3.1 Roles

The Controller determines the purposes and means of processing Personal Information. BNDRY acts as the Controller’s processor and processes Personal Information only on the Controller’s documented instructions. BNDRY does not process that Personal Information for its own purposes, except that BNDRY may create anonymised or de-identified data from Personal Information and use that anonymised or de-identified data for its own purposes, provided the data is anonymised or de-identified so that individuals are no longer reasonably identifiable.

This Agreement governs BNDRY’s processing, as processor, of the Personal Information that the Controller controls, which is typically the Personal Information of the Controller’s own customers and other individuals whose information the Controller collects. BNDRY’s handling of the Controller’s own business information, where BNDRY acts on its own account, is governed by BNDRY’s privacy statement and privacy policy and the Terms and Conditions, and is not the subject of this Agreement.

3.2 Precedence

This Agreement forms part of, and is to be read with, the Terms and Conditions under which the Controller uses BNDRY’s services. This Agreement governs the processing of the Controller’s Personal Information by BNDRY as processor. BNDRY’s privacy statement, BNDRY’s privacy policy and any Data Sharing Agreement are separate documents and are addressed below.

BNDRY’s privacy statement covers BNDRY’s handling of personal information collected through its website and social media. BNDRY’s privacy policy covers everything within its scope. Neither governs the Personal Information processed under this Agreement, which is governed by this Agreement. This Agreement and the Terms and Conditions are kept strictly separate: this Agreement governs the processing and protection of the Controller’s Personal Information, while the Terms and Conditions govern the commercial relationship between the parties. Where there is a conflict between them, the Terms and Conditions prevail.

A Data Sharing Agreement governs specific data sharing involving BNDRY, the Controller and, where applicable, a third party. Where there is a conflict between this Agreement and a Data Sharing Agreement, the Data Sharing Agreement prevails for the data sharing it governs.

3.3 No unilateral variation of data protection terms

BNDRY may update operational and non-material parts of this Agreement by notice through the service. A change that materially reduces the protections for Personal Information, or that materially increases the Controller’s obligations, is not effective unless agreed by the parties in writing.

4. Controller Obligations

The Controller must:

ensure it has a valid basis under Applicable Data Protection Law for all processing of Personal Information, including any disclosure to BNDRY, and including consent or another lawful basis under the APPs for any Sensitive Information (such as biometric information) before that information is provided to or processed by BNDRY;
provide documented instructions to BNDRY for all processing under this Agreement;
not instruct BNDRY to process Personal Information in a way that would breach Applicable Data Protection Law;
inform BNDRY promptly of any change in the processing that may affect BNDRY’s compliance obligations;
be responsible for the accuracy, quality and lawfulness of the Personal Information it provides and the means by which it obtained that information;
implement and maintain reasonable administrative and technical safeguards to preserve the integrity of Personal Information before it is transmitted to BNDRY, and take reasonable steps to ensure that information is free from material error, corruption or malicious code;
respond to requests from individuals and inquiries from regulators, with assistance from BNDRY as set out in this Agreement; and
provide accurate contact details for BNDRY to escalate security, privacy or regulatory matters, and notify BNDRY without undue delay of any Security Incident affecting BNDRY’s services of which it becomes aware.

5. Processor Obligations

BNDRY must:

process Personal Information only on the Controller’s documented instructions, except where required by law (in which case BNDRY will inform the Controller of that requirement before processing, unless the law prohibits it);
ensure that personnel authorised to process Personal Information are bound by binding obligations of confidentiality;
implement and maintain the technical and organisational measures in Annex II to ensure a level of security appropriate to the risk, consistent with the APPs (and the EU GDPR where it applies);
apply privacy by design when defining or significantly changing systems that collect or process Personal Information, and process Personal Information in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality;
assist the Controller, by appropriate technical and organisational measures, to respond to requests by individuals to exercise their rights (including rights of access and correction under the APPs), within the timeframes that apply to the Controller, and provide the Controller with the tools needed to access, amend and delete Personal Information;
assist the Controller with privacy impact assessments and data protection impact assessments, and with consultations with a regulator, where required;
assist the Controller, on request, with the information it reasonably needs about any automated processing carried out by BNDRY, including the kinds of Personal Information used and the kind of output produced, so the Controller can meet its own transparency obligations for automated decision-making;
maintain records of its processing activities under this Agreement;
notify the Controller of any Security Incident in accordance with clause 7;
inform the Controller if BNDRY is legally compelled to disclose the Controller’s Personal Information, unless the law prohibits it, and maintain a record of all such disclosures;
return or delete Personal Information in accordance with clause 12;
not respond to a request from an individual directly, unless instructed by the Controller or required by law; and
not communicate with a regulator or third party about the Controller’s obligations or the Controller’s end-customers, except where lawfully compelled, where clause 7 permits, or where immediate action is required to protect Personal Information.

6. Sub-Processing

BNDRY may engage Sub-processors to support the delivery of its services, provided that:

BNDRY maintains an up-to-date list of authorised Sub-processors at trust.bndry.net;
each Sub-processor is bound by written terms that impose data protection obligations no less protective than those in this Agreement;
BNDRY gives the Controller prior notice of any new or replacement Sub-processor that will process the Controller’s Personal Information, and the Controller is taken to have authorised it unless the Controller raises a reasonable data protection objection in writing within 15 calendar days of the notice;
if the Controller raises a valid objection that BNDRY cannot reasonably accommodate, the Controller may suspend the affected processing or terminate the affected part of the services by written notice and without penalty.

For clarity, the notice and objection rights in this clause are not a blanket requirement. BNDRY does not need to notify the Controller of, and the Controller has no objection right over, a change to BNDRY’s Sub-processors or supplier arrangements that does not affect the processing of the Controller’s Personal Information.

7. Security and breach notification

BNDRY must maintain an information security program consistent with ISO/IEC 27001:2022 and the APPs, and the measures set out in Annex II.

7.1 Notification to the Controller

BNDRY must notify the Controller without undue delay after becoming aware of a Security Incident affecting the Controller’s Personal Information, and in any event within 48 hours. Where full information is not available within that period, BNDRY may provide an initial notification followed by further detail as it becomes available. A notification must include the known nature, scope and likely impact of the incident and the steps taken or planned to mitigate it.

Communications about a Security Incident or a notifiable data breach are not made through BNDRY’s public service status page. They are managed by BNDRY’s Data Protection Officer and directed to the privacy, legal, risk or compliance contact nominated by the Controller.

7.2 Cooperation and the Notifiable Data Breaches scheme

BNDRY must provide reasonable assistance to the Controller in investigating and responding to a Security Incident, including cooperating in any joint assessment and providing a post-incident report on request. The parties must cooperate to determine whether either of them has an obligation to notify an Eligible Data Breach under the Privacy Act (the Notifiable Data Breaches scheme) or any other law, and to coordinate the content and timing of any notification to the Office of the Australian Information Commissioner or affected individuals. As the entity that holds the relevant Personal Information, BNDRY remains responsible for meeting its own regulatory reporting obligations, including under the Privacy Act and any other applicable law.

7.3 No notification by BNDRY without instruction

BNDRY must not notify a regulator, affected individuals or any third party of a Security Incident without the Controller’s prior written instruction, unless the Controller fails to respond within a reasonable time, notification is required by law or exigent circumstances, or BNDRY is seeking guidance from a regulator in good faith.

8. Cross-border disclosure

This clause gives effect to the cross-border disclosure requirements of the APPs.

BNDRY remains accountable under the APPs for any act or practice of an overseas recipient of Personal Information in relation to that information as if BNDRY had done the act or engaged in the practice, except to the extent an exception under the APPs applies.
BNDRY must not disclose Personal Information to an overseas recipient unless the disclosure is necessary to deliver the services, the Controller has been notified in writing of the destination jurisdiction and the reason before the disclosure, and BNDRY has taken reasonable steps to ensure the recipient handles the information consistently with the APPs, or another exception under the APPs applies.
Where Personal Information is accessed from outside Australia under a standing arrangement by an authorised Sub-processor, that Sub-processor is identified in BNDRY’s sub-processor list at trust.bndry.net, including the location and the purpose of the access. That listing constitutes the prior written notice of destination and reason required under this clause for the arrangement, and BNDRY applies the confidentiality obligations in clause 5 and the security measures in Annex II to that access.
BNDRY will identify the countries in which Personal Information may be processed where it is practicable to do so, and will maintain records of its transfer arrangements and make them available to the Controller on reasonable request.
Where, and only to the extent that, the EU GDPR or UK GDPR applies to a transfer, BNDRY will implement an approved transfer mechanism (such as the EU Standard Contractual Clauses or the UK International Data Transfer Agreement or Addendum) and conduct a transfer impact assessment where required. Any onward transfer by a Sub-processor is subject to equivalent safeguards.
Any system used for identity verification is accessed and used only within jurisdictions approved for that purpose.

9. Digital identity verification

This clause applies where the services involve verifying the identity of individuals. Identity is verified by checking an individual’s details against records held by the relevant Official Document Holder, through systems operated by BNDRY on behalf of the Controller. Identity verification is subject to strict conditions on access, use and disclosure under applicable law. The information given to individuals about how their details are checked, the legal obligations involved, their rights, the consequences of declining, the express consent required, and how to make a complaint, is set out at https://www.bndry.net/legals/identity-verification. BNDRY maintains that page and complies with it, and the Controller ensures its own collection notices and consent flow are consistent with it. The parties use only functional descriptions of that verification in public-facing and customer-facing materials, and must not make public statements about its use without the authorisation required by law.

Identity verification is carried out solely in support of a lawful and legitimate business function or legal obligation, and not for profiling or behaviour tracking, offering goods or services, advertising, enabling third-party advertising, or market research.
Informed and express consent is obtained from the individual before an identity verification request is initiated, in the manner set out on the page referred to above. Where verification is not available or consent is not given, an alternative method of verification is offered where one exists.
Complete, accurate and verifiable records of consent and associated disclosures are maintained, including the purpose of collection, any involvement of third-party systems, and any cross-border data flows.
Government-related identifiers are used or disclosed only when necessary for identity verification or where required or authorised by law, are not adopted as BNDRY’s own identifier, and otherwise consistent with the APPs. Identity document numbers (such as passport or driver licence numbers) are treated with equivalent restraint.
Match results and verification records are logged and retained in a manner that supports auditability. While BNDRY provides the services, it holds these records on the Controller’s behalf for no less than seven years; on termination or expiry they are returned or deleted in accordance with clause 12, after which the Controller is responsible for any further retention.
Verification match results are not disclosed to any third party, including the Controller’s clients. Access to match results is limited to authorised personnel for internal use. Where BNDRY or the Controller provides an opinion on identity, that opinion is based on multiple factors and does not state a match result.
All information provided for identity verification is accurate, complete and not misleading, and identity verification is implemented in accordance with the operational and technical guidance of the relevant Official Document Holder or system operator, including the guidance published at idmatch.gov.au.
Controls are implemented to detect and prevent unauthorised access to, or misuse of, the systems used for identity verification.

10. Anti-money laundering and counter-terrorism financing

This clause applies where the Controller is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act).

As the reporting entity, the Controller must keep records that are reasonably necessary to demonstrate customer due diligence for seven years after the end of its relationship with the relevant customer, as required by the AML/CTF Act. While BNDRY provides the services, it retains these records on the Controller’s behalf to support the Controller in meeting this obligation, and does not retain them on its own account after the services end.
From 31 March 2026, full copies of identity documents are not retained for AML/CTF purposes unless another law requires it. Where full identity document copies have been collected, they are destroyed or de-identified under a documented transitional roadmap, consistent with the APPs and current guidance of the Office of the Australian Information Commissioner. The seven-year retention obligation applies to records of the due diligence performed and the identifying information presented, not to copies of the documents themselves.
Collection is limited to what is reasonably necessary for the Controller’s AML/CTF obligations, consistent with the APPs and applicable regulatory guidance.
Any handling of Personal Information, including a notification to an individual or a regulator and any response to a request for access, is conducted in a way that does not contravene the tipping-off prohibition in the AML/CTF Act.

11. Audit rights

BNDRY must make available to the Controller, on request, the information reasonably necessary to demonstrate compliance with this Agreement, including summaries of relevant independent audit reports (such as ISO/IEC 27001 or SOC 2) and certifications. The Controller may not conduct its own audit or inspection of BNDRY’s facilities or systems unless a regulator requires it, or BNDRY has experienced a material Security Incident affecting the Controller’s Personal Information and the information BNDRY has provided is insufficient to confirm compliance. Any audit must be limited in scope, agreed in advance, conducted under confidentiality, and carried out so as to minimise disruption.

12. Return or deletion of data

On termination or expiry of the services, BNDRY must, at the Controller’s choice, delete or return all Personal Information in its possession, within 30 days. The seven-year retention obligations referred to in clauses 9 and 10 rest with the Controller as the reporting entity, not with BNDRY; once the Personal Information has been returned, the Controller is responsible for meeting them. BNDRY does not continue to hold the Personal Information after termination or expiry, except to the extent the Controller instructs BNDRY in writing to retain it under a continued storage arrangement, or BNDRY is itself independently required by law to retain it. Where BNDRY retains Personal Information on either basis, or where deletion is not feasible, BNDRY must continue to protect it in accordance with this Agreement and must not process it except as required by law or the Controller’s written instructions.

13. Governing law and jurisdiction

This Agreement is governed by the laws of New South Wales, Australia, and the parties submit to the courts of New South Wales. Disputes are otherwise resolved in accordance with the dispute resolution provisions of the Terms and Conditions. Where the EU GDPR or UK GDPR applies, nothing in this clause overrides any mandatory jurisdiction those laws require for the complaints of individuals or for regulatory enforcement.

14. Severability

If any provision of this Agreement is found to be invalid or unenforceable, that provision is severed and the remaining provisions continue in full force and effect.

15. Term and termination

This Agreement commences when the Terms and Conditions are accepted, and terminates automatically when those Terms and Conditions expire or are terminated. Any obligations that by their nature are intended to survive termination, including those relating to retention and deletion, continue until fulfilled.

Annex I. Processing details

This Annex describes the processing of Personal Information under this Agreement. It applies to all Controllers and is not specific to any one Controller.

Categories of individuals. Individuals whose identity the Controller verifies, or whose Personal Information the Controller otherwise processes through the services, including the Controller’s patrons, members, guests and staff.

Categories of Personal Information. Identity and contact details, identity document details (such as passport, driver licence or proof-of-age document data), and records of identity verification and related transactions.

Categories of Sensitive Information. Where the services involve it, biometric information collected for the purpose of verifying identity.

Nature and purpose of processing. Verifying the identity of individuals, and collecting, recording, storing and making Personal Information available to support the Controller’s regulatory and compliance obligations, including its anti-money laundering and counter-terrorism financing obligations.

Duration of processing. For the term of this Agreement. On termination or expiry, Personal Information is returned or deleted in accordance with clause 12. The Controller, as the reporting entity, is responsible for any retention required by law, including the seven-year AML/CTF retention period.

Locations of storage, processing and access. Personal Information is processed in Australia. Where a Sub-processor accesses Personal Information from outside Australia under a standing arrangement, that Sub-processor, and the location and purpose of the access, are identified in BNDRY’s sub-processor list at trust.bndry.net.

Annex II. Technical and organisational security measures

BNDRY is certified to ISO/IEC 27001:2022 and implements its Annex A control set. The measures below summarise, at a high level, how BNDRY protects Personal Information processed under this Agreement, across the four control themes. They operate as set out in BNDRY’s information security management system.

Organisational controls. Board-approved security policies; defined security roles and segregation of duties; asset inventory and information classification; supplier and Sub-processor security management, including binding Sub-processors to obligations no less protective than this Agreement; incident management aligned with the breach notification obligations in clause 7; business continuity; and compliance with legal and regulatory requirements, including the Privacy Act and the APPs.

People controls. Personnel are screened before engagement, bound by confidentiality obligations, trained in information security and the handling of Personal Information, subject to a disciplinary process, and governed by secure remote-working rules.

Physical controls. Facilities and equipment are protected through secure perimeters, entry controls, monitoring, environmental protection and secure disposal of media. These controls are met by BNDRY together with its certified hosting providers, which BNDRY oversees.

Technological controls. Access is granted on a least-privilege, need-to-know basis with secure, multi-factor authentication; Personal Information is encrypted in transit and at rest; networks are segregated and monitored; logging, malware protection, vulnerability and patch management, backups and redundancy are maintained; secure development, change management and separation of environments apply; and information is deleted when no longer required, supporting the return or deletion obligations in clause 12.

A full mapping to the individual ISO/IEC 27001:2022 Annex A controls is maintained in BNDRY’s Statement of Applicability and is available to the Controller on request. BNDRY also provides a written summary of penetration test results on request; full reports may be withheld where sensitive, but a non-sensitive summary is made available.

‍

Legal