Data Processing Agreement
For operators and agencies who process tenant, owner or end-customer data through Maintn. This sets out the controller/processor terms.
Last updated: 16 June 2026
⚠️ Template — not legal advice.
This page is a working template provided for transparency while we finalise our documentation. It requires review by an Australian fintech/SaaS lawyer before it is relied on as a production legal document.
This Data Processing Agreement (“DPA”) forms part of the agreement between Maintn Pty Ltd (“Maintn”, the “Processor”) and the customer that has agreed to the Terms of Service (the “Customer”, the “Controller”). It applies where Maintn processes personal information on the Customer’s behalf — for example, where an operator enters tenant, owner or agency-contact information into the platform.
1. Roles and scope
- The Customer is the Controller of the personal information it submits (“Customer Data”).
- Maintn is the Processor, processing Customer Data only on the Customer’s documented instructions (including via use of the Services), except where required by law.
- This DPA does not apply to information for which Maintn is itself the Controller (for example, account and billing data) — that is governed by the Privacy Policy.
- Both parties will comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
2. Details of processing
Maintn processes Customer Data to host, store, transmit, display and process it in order to deliver the Services (jobs, quotes, invoicing, voice answering, scheduling, and any analytics the Customer enables), for the term of the agreement plus any retention period. Categories of data subjects include the Customer’s staff, tenants, property owners, agency contacts and callers.
3. Maintn’s obligations
- process Customer Data only on documented instructions;
- ensure authorised persons are bound by confidentiality;
- implement the technical and organisational security measures in section 8;
- engage sub-processors only under section 5;
- assist the Customer with data-subject access/correction requests, security and breach notification; and
- delete or return Customer Data at the end of the agreement, subject to legal retention.
4. Customer’s obligations
The Customer warrants it has a lawful basis and any required notice or consent to provide the Customer Data (including third-party personal information such as tenant details) and that its instructions will not cause Maintn to breach applicable law.
5. Sub-processors
The Customer provides general authorisation for Maintn to engage the sub-processors listed on our Sub-processors page. Maintn imposes data-protection obligations on each sub-processor no less protective than this DPA, gives notice before adding or replacing a sub-processor, and remains liable for its sub-processors’ performance. The Customer may object on reasonable data-protection grounds.
6. Cross-border transfers
Some sub-processors are located outside Australia. Maintn takes reasonable steps to ensure overseas recipients handle Customer Data consistently with APP 8, including Standard Contractual Clauses or equivalent contractual protections.
7. Audit rights
On reasonable prior notice, no more than once per 12 months (unless required by a regulator or following a material breach), and subject to confidentiality, Maintn will make available evidence of compliance, including third-party certifications or reports (such as SOC 2 or ISO 27001) where available.
8. Breach notification and security
Maintn will notify the Customer without undue delay, and in any case within 72 hours, of becoming aware of a breach affecting Customer Data, and will assist the Customer to meet its obligations (including under the Notifiable Data Breaches scheme). Security measures include row-level-security tenant isolation, encryption in transit and at rest, least-privilege access, audit logging, and AU data residency (AWS ap-southeast-2, Sydney). See our Data Residency Assurance.
9. Return and deletion
On termination, at the Customer’s election, Maintn will return or delete Customer Data within 30 days, except to the extent retention is required by law (for example, tax records), in which case the data remains protected by this DPA until deleted.
10. Contact
To execute a DPA or ask a question, contact privacy@maintn.com.au.