Legal

Data Processing Addendum.

The contractual basis on which ZooYak processes personal data on behalf of customers.Last updated: 2026-07-05

definitions

1. Definitions.

Terms used in this Data Processing Agreement ('DPA') have the meanings given in applicable data protection law, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and, where relevant, the EU General Data Protection Regulation (GDPR). 'Agreement' means the subscription agreement or terms of service between customer and ZooYak. 'Customer personal data' means personal data processed by ZooYak on behalf of the customer in the course of providing the service, including the guard identity, contact, location, and payroll-related data described in section 3.

roles

2. Roles of the parties.

Customer is the data controller for customer personal data; ZooYak is the data processor. ZooYak processes customer personal data only on the customer's documented instructions, including as set out in the agreement and this DPA, except where processing is required by law, in which case ZooYak will inform the customer of that legal requirement before processing, unless prohibited from doing so.

scope

3. Scope and duration of processing.

ZooYak processes customer personal data for the duration of the subscription term, for the sole purpose of providing the service in accordance with the agreement. Categories of data subjects include guards, client-organisation users, and, where applicable, guards' emergency contacts. Categories of personal data include identity and contact details, security licence numbers, shift GPS location, biometric-verification outcomes (a true/false result only; no biometric templates are processed by ZooYak), incident reports, time and attendance records, and payroll-related data.

instructions

4. Processing on instructions.

ZooYak will process customer personal data only in accordance with the customer's documented instructions, unless required to do otherwise by law. If ZooYak believes an instruction infringes applicable data protection law, it will notify the customer promptly.

confidentiality

5. Confidentiality of personnel.

ZooYak ensures that personnel authorised to process customer personal data have committed to confidentiality obligations, or are under an appropriate statutory obligation of confidentiality, and access customer personal data only to the extent necessary to perform their duties.

security

6. Security measures.

ZooYak implements technical and organisational measures appropriate to the risk, including encryption of personal data in transit and at rest, role-based access controls, audit logging of access to guard location and welfare data, network segmentation, and personnel security training. ZooYak reviews these measures periodically and updates them to address emerging risks.

subprocessors

7. Subprocessors.

ZooYak engages the following subprocessors: Amazon Web Services (hosting), Stripe (payment processing), Amazon Simple Email Service (email delivery), and Amazon Cognito (authentication). Where the customer connects the optional Xero payroll-export integration, Xero processes data as a provider engaged, and instructed, by the customer directly, and is outside ZooYak's subprocessor list. ZooYak notifies the customer at least 30 days before appointing a new subprocessor or replacing an existing one; the customer may object on reasonable data-protection grounds by terminating the affected service for cause.

data subject rights

8. Assistance with data subject requests.

Taking into account the nature of processing, ZooYak provides reasonable assistance to the customer, by appropriate technical and organisational measures, to respond to requests from data subjects, including guards, to exercise their rights under applicable data protection law, including access, correction, deletion, and portability requests.

breach

9. Personal data breach notification.

ZooYak notifies the customer without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting customer personal data, providing information reasonably available to ZooYak to enable the customer to meet its own notification obligations, and takes reasonable steps to mitigate the effects of the breach.

transfers

10. International data transfers.

Customer personal data is hosted in Australia. Where customer personal data is transferred outside Australia or the EEA, ZooYak ensures appropriate safeguards are in place, such as standard contractual clauses or an equivalent transfer mechanism recognised under the GDPR, and complies with APP 8 for cross-border disclosures.

audit

11. Audit rights.

On reasonable prior written notice, and no more than once per year unless required by a regulator or following a personal data breach, ZooYak will make available information reasonably necessary to demonstrate compliance with this DPA, including audit summaries and responses to a reasonable written questionnaire, and will permit and contribute to audits conducted by the customer or an independent auditor mandated by the customer, subject to confidentiality obligations and reasonable scheduling.

termination

12. Return and deletion of data on termination.

On termination of the subscription, ZooYak makes an export of customer personal data available to the customer on request, in a portable format. Following export (or the expiry of the export window) or a written deletion request, ZooYak deletes customer personal data from production systems within 7 days and from backups within 30 days, including cryptographic erasure of associated key material, unless retention is required by applicable law.

liability

13. Liability.

Each party's liability arising under this DPA is subject to the limitations and exclusions of liability set out in the agreement. Nothing in this DPA relieves either party of liability it would otherwise have under applicable data protection law.

term

14. Term of this DPA.

This DPA takes effect on the date the customer accepts the agreement and remains in effect for as long as ZooYak processes customer personal data on the customer's behalf. Sections that by their nature should survive termination, including confidentiality, security, and deletion obligations, survive termination of this DPA.

law

15. Governing law.

This DPA is governed by the laws of [OWNER: confirm governing state or territory, suggested: New South Wales], Australia, without prejudice to any mandatory provisions of the GDPR that apply to the processing of personal data of data subjects in the European Economic Area.