Last updated: 21 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between ZooYak Pty Ltd, a company registered in New South Wales, Australia ("ZooYak", "Processor", "we", "us"), and the entity agreeing to the Agreement ("Customer", "Controller", "you", "your").
This DPA sets out the terms on which ZooYak processes Personal Information on behalf of the Customer in connection with the provision of the ZooYak platform. It is designed to assist both parties in complying with their respective obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").
In this DPA, unless the context otherwise requires, the following terms have the meanings set out below. Capitalised terms not defined in this DPA have the meanings given to them in the Agreement.
ZooYak Processes Personal Information solely for the purpose of providing, maintaining, and improving the Service as described in the Agreement and in accordance with the Customer's documented instructions. ZooYak does not Process Personal Information for its own purposes or for any purpose other than those set out in this DPA and the Agreement.
The Data Subjects whose Personal Information may be Processed under this DPA include:
The following categories of Personal Information may be Processed through the Service:
ZooYak will Process Personal Information for the duration of the Agreement, plus the post-termination data retention period described in Section 8 of this DPA, unless otherwise required by Applicable Law.
ZooYak shall Process Personal Information only in accordance with the Customer's documented instructions, as set out in this DPA, the Agreement, and any subsequent written instructions provided by the Customer. If ZooYak believes that an instruction from the Customer infringes Applicable Law, ZooYak shall promptly notify the Customer and may suspend the relevant Processing until the Customer issues a revised instruction.
ZooYak shall ensure that all personnel authorised to Process Personal Information:
ZooYak shall implement and maintain appropriate technical and organisational measures to protect Personal Information against unauthorised or unlawful Processing, and against accidental loss, destruction, or damage. These measures are described in detail in Section 4 of this DPA.
ZooYak shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under the Privacy Act 1988 (Cth), including requests for access to, correction of, or deletion of Personal Information. Where a Data Subject makes a request directly to ZooYak, ZooYak shall promptly redirect the request to the Customer unless prohibited by Applicable Law.
ZooYak shall assist the Customer in ensuring compliance with its obligations under Applicable Law in relation to security of Personal Information, notification of Data Breaches (see Section 6), and privacy impact assessments, taking into account the nature of Processing and the information available to ZooYak.
Upon termination or expiration of the Agreement, and subject to Section 8 of this DPA, ZooYak shall, at the Customer's election:
Where the Customer does not make an election within 30 days of termination, ZooYak shall delete the Personal Information in accordance with Section 8.
ZooYak shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. Upon reasonable request and subject to appropriate confidentiality obligations, ZooYak shall permit and contribute to audits, including inspections, conducted by the Customer or a qualified independent auditor mandated by the Customer. Such audits shall be subject to the following conditions:
ZooYak has implemented, and will maintain throughout the term of the Agreement, the following technical and organisational security measures to protect Personal Information:
All guard Personal Information (including names, contact details, and government identifiers) is encrypted at rest using AES-256 envelope encryption. Each Customer organisation has a dedicated data encryption key managed through AWS Key Management Service (KMS), ensuring cryptographic isolation between tenants.
All data transmitted between clients (web browsers, mobile applications) and the Service is encrypted using TLS 1.2 or higher. Internal service-to-service communications within the infrastructure are also encrypted in transit.
ZooYak implements role-based access control (RBAC) with the principle of least privilege. The platform enforces multi-tenant isolation through automatic organisation-level query filters, ensuring that each Customer can only access its own data. Multi-factor authentication is available for all user accounts.
All access to Personal Information is logged, including the identity of the user, the action performed, the data accessed, and a timestamp. Audit logs are retained for a minimum of 12 months and are available to the Customer via the Service's audit log feature.
Customer Data (including Personal Information) is backed up automatically using AWS-managed database backups with a retention period of 7 days. Backups are encrypted using the same encryption standards as the primary data stores.
The Service is hosted on Amazon Web Services (AWS) infrastructure in the Sydney region (ap-southeast-2). AWS maintains a comprehensive set of security certifications, including SOC 2 Type II and ISO 27001. ZooYak leverages AWS security capabilities including Virtual Private Clouds (VPCs), security groups, and network access control lists.
ZooYak conducts annual security reviews of its platform, infrastructure, and processes. These reviews include code security assessments, infrastructure configuration reviews, and vulnerability analysis. ZooYak is committed to achieving SOC 2 Type II compliance.
The Customer provides general authorisation for ZooYak to engage the Sub-processors listed below to assist in the Processing of Personal Information. Each Sub-processor is engaged only to the extent necessary to provide the Service:
ZooYak shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA, by way of a written contract. ZooYak remains fully liable to the Customer for the acts and omissions of its Sub-processors in respect of the Processing of Personal Information.
ZooYak shall provide the Customer with at least 30 days' prior written notice before engaging a new Sub-processor or materially changing the scope of an existing Sub-processor's engagement. If the Customer has a reasonable objection to a new Sub-processor based on data protection grounds, the Customer may notify ZooYak in writing within 14 days of receiving notice. The parties shall then discuss the objection in good faith. If the parties are unable to resolve the objection within 30 days, the Customer may terminate the Agreement in accordance with the termination provisions of the Agreement.
ZooYak shall notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a Data Breach affecting Personal Information Processed on behalf of the Customer.
The notification shall include, to the extent reasonably available:
ZooYak shall cooperate with the Customer and provide all reasonable assistance in relation to the investigation, remediation, and mitigation of the Data Breach, and in meeting any obligations the Customer may have under the Privacy Act 1988 (Cth) to notify the Office of the Australian Information Commissioner (OAIC) and affected Data Subjects under the Notifiable Data Breaches (NDB) scheme.
ZooYak shall maintain a record of all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken. This record shall be made available to the Customer upon request.
All Personal Information Processed through the Service is stored and Processed primarily in Australia, in the AWS Sydney region (ap-southeast-2). ZooYak does not routinely transfer Personal Information outside Australia.
Certain Sub-processors (Stripe and Expo) are based in the United States and may Process limited categories of data as described in Section 5.1. Where Personal Information is disclosed to an overseas recipient, ZooYak shall take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8.
ZooYak shall notify the Customer before transferring Personal Information to any new country or jurisdiction not listed in this DPA. Such notice shall be provided in accordance with the Sub-processor change notification process described in Section 5.3.
Personal Information is retained in the Service for the duration of the Customer's active subscription. The Customer may delete or modify Personal Information at any time through the Service's administrative features, subject to any statutory record-keeping obligations that apply to the Customer.
Upon termination or expiration of the Agreement, ZooYak will retain Personal Information for a period of 30 days to allow the Customer to export its data (the "Export Period"). The Customer may request a data export in a commonly used, machine-readable format during this period.
Following the expiry of the 30-day Export Period, ZooYak shall permanently delete all Personal Information within 90 days, including from all active systems, backups, and disaster recovery systems. ZooYak shall provide written confirmation of deletion upon the Customer's request.
ZooYak may retain Personal Information beyond the periods described above only to the extent required by Applicable Law (for example, for tax, audit, or regulatory compliance purposes). Any such retained data shall continue to be protected in accordance with this DPA and shall be deleted as soon as the applicable retention requirement has been satisfied.
The Customer acknowledges that it may be subject to statutory record-keeping obligations (including under the Fair Work Act 2009 (Cth) and applicable taxation legislation) that require the retention of employment and payroll records for periods exceeding the post-termination Export Period. The Customer is solely responsible for exporting and retaining any data necessary to meet its own legal obligations prior to the expiry of the Export Period.
This DPA is governed by and construed in accordance with the laws of New South Wales, Australia. Each party irrevocably submits to the exclusive jurisdiction of the courts of New South Wales and courts of appeal therefrom.
This DPA is intended to assist the parties in complying with their respective obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches scheme.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Information.
This DPA shall take effect on the date the Customer agrees to the Agreement and shall remain in effect for the duration of the Agreement and for so long as ZooYak retains any Personal Information Processed on behalf of the Customer.
ZooYak may update this DPA from time to time to reflect changes in law, regulatory guidance, or ZooYak's processing activities. Material changes will be notified to the Customer with at least 30 days' prior written notice.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
For questions about this DPA, data protection inquiries, or to exercise any rights under this DPA, please contact:
For complaints about how ZooYak handles Personal Information, Data Subjects may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
This Data Processing Agreement was last updated on 21 March 2026. Previous versions are available upon request.