> ⚠️ **TEMPLATE — Not legal advice. Requires AU fintech/SaaS lawyer review before production use. Last updated: 2026-06-16.**
>
> Working draft to accelerate legal review. Do not execute or rely on until an Australian SaaS/privacy lawyer has signed off. Placeholders in **[square brackets]** must be completed.

# Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the agreement between **Maintn Pty Ltd** (ABN **[to be inserted]**) ("**Maintn**", "**Processor**") and the customer that has agreed to the [Terms of Service](./terms-of-service.md) ("**Customer**", "**Controller**") (together, the "**parties**") for the provision of the Maintn platform (the "**Services**").

It applies where Maintn processes **Personal Information** on the Customer's behalf — for example, where an operator (or an agency/operator processing on behalf of others) enters tenant, owner, agency-contact or end-customer information into the platform.

## 1. Roles and scope

- The **Customer is the Controller** (or processor for its own principals) of the Personal Information it submits to the Services ("**Customer Data**").
- **Maintn is the Processor**, processing Customer Data only on the Customer's documented instructions (including via configuration and use of the Services), except where required by law (in which case Maintn will notify the Customer unless legally prohibited).
- This DPA does **not** apply to information for which Maintn is itself the Controller (e.g. account and billing data) — that is governed by the [Privacy Policy](./privacy-policy.md).
- Both parties will comply with the *Privacy Act 1988* (Cth) and the Australian Privacy Principles.

## 2. Subject matter and details of processing

- **Subject matter:** provision of the Maintn property-maintenance platform.
- **Duration:** the term of the agreement, plus any retention period in clause 9.
- **Nature and purpose:** hosting, storage, transmission, display and processing of Customer Data to deliver the Services (jobs, quotes, invoicing, voice answering, scheduling, analytics the Customer enables).
- **Types of Personal Information:** names, contact details, addresses, access instructions, job notes, photos (which may contain EXIF/location), call recordings and transcripts, and other data the Customer chooses to enter.
- **Categories of data subjects:** the Customer's staff, tenants, property owners, agency contacts, and callers.

## 3. Maintn's obligations

Maintn will:

1. process Customer Data only on documented instructions;
2. ensure persons authorised to process Customer Data are under confidentiality obligations;
3. implement the technical and organisational security measures in **Annex B**;
4. respect the conditions in clause 5 for engaging sub-processors;
5. assist the Customer (taking into account the nature of processing) to respond to data-subject requests for access and correction;
6. assist the Customer with security, breach notification, and (where applicable) impact assessments;
7. at the Customer's choice, delete or return Customer Data at the end of the agreement, subject to legal retention; and
8. make available information reasonably necessary to demonstrate compliance, and allow for audits per clause 7.

## 4. Customer's obligations

The Customer warrants that it has a lawful basis and any required notice/consent to provide the Customer Data (including third-party personal information such as tenant details) and that its instructions will not cause Maintn to breach applicable law.

## 5. Sub-processors

- The Customer **provides general authorisation** for Maintn to engage the sub-processors listed in [sub-processors.md](./sub-processors.md) (and at **[/subprocessors](https://maintn.com.au/subprocessors)**).
- Maintn will impose data-protection obligations on each sub-processor that are no less protective than this DPA.
- Maintn will give the Customer notice (via the sub-processors page and/or email) **before** adding or replacing a sub-processor, and the Customer may object on reasonable data-protection grounds within **[14 days]**; the parties will work in good faith to resolve the objection.
- Maintn remains liable for its sub-processors' performance of data-protection obligations.

## 6. Cross-border transfers

Some sub-processors are located outside Australia (see [sub-processors.md](./sub-processors.md)). Maintn will take reasonable steps to ensure overseas recipients handle Customer Data consistently with APP 8, including **Standard Contractual Clauses or equivalent contractual protections** with each overseas sub-processor.

## 7. Audit rights

On reasonable prior written notice (at least **[30 days]**), no more than **once per 12 months** (unless required by a regulator or following a material breach), and subject to confidentiality, Maintn will make available evidence of compliance — including third-party certifications/reports (e.g. SOC 2, ISO 27001) where available — and respond to a reasonable security questionnaire. On-site audits, if required, will be at the Customer's cost and scheduled to minimise disruption.

## 8. Personal Information breach notification

Maintn will notify the Customer **without undue delay, and in any case within 72 hours**, of becoming aware of a breach affecting Customer Data, and will provide information reasonably available to help the Customer meet its obligations (including under the NDB scheme). The parties will cooperate in good faith on remediation and any required notifications.

## 9. Return and deletion

On termination or expiry, and at the Customer's election, Maintn will return or delete Customer Data within **[30 days]**, except to the extent retention is required by law (e.g. tax records), in which case the data remains protected by this DPA until deleted.

## 10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the [Terms of Service](./terms-of-service.md).

## 11. Order of precedence

If there is a conflict between this DPA and the Terms of Service regarding the processing of Customer Data, this DPA prevails.

---

## Annex A — Sub-processors

See [sub-processors.md](./sub-processors.md) — the maintained, versioned list of all sub-processors, their regions, purposes and certifications.

## Annex B — Technical and organisational measures

- **Tenant isolation:** PostgreSQL **row-level security (RLS)** scoping every query to the authenticated organisation; `organization_id` resolved server-side per session, never from client input.
- **Encryption:** TLS 1.2+ in transit; encryption at rest at the database and storage layers; selected high-sensitivity fields (e.g. sub-contractor bank numbers) encrypted at the application layer (AES-256-GCM).
- **Access control:** role-based, least-privilege access; service-role keys restricted to server-side, never exposed to clients; platform-admin actions audit-logged.
- **Data residency:** primary database and object storage in AWS `ap-southeast-2` (Sydney). See [data-residency-assurance.md](./data-residency-assurance.md).
- **Monitoring and logging:** application error monitoring (Sentry), audit logging of administrative actions, and webhook idempotency/auditing.
- **Resilience:** managed database backups and point-in-time recovery via the hosting provider.
- **Secure development:** code review and automated security review on changes; secrets kept out of source control.

---

### Open items for legal review

1. Confirm general vs specific sub-processor authorisation and the objection window (currently **[14 days]**).
2. Confirm 72-hour breach-notification SLA is achievable operationally and contractually backed by sub-processors.
3. Confirm audit-rights scope (documentation-first vs on-site) is acceptable to target agency customers.
4. Confirm Annex B measures match the as-built system before signing.
5. Confirm interaction with any agency procurement DPAs the Customer may require Maintn to counter-sign.