Data Processing Agreement
Last updated: 10 June 2026.
Forms part of the Taxy Cloud Service Agreement; published at taxy.au/legal/dpa and incorporated into the Standard Terms by Section 3.1 (Personal Data).
This Data Processing Agreement (“DPA”) forms part of the Taxy Cloud Service Agreement Standard Terms and the Agreement between the Customer and Taxy Pty Ltd (ABN 33 666 815 890, Level 7, 88 Phillip Street, Sydney NSW 2000) (“Provider”), as referenced in Section 3.1 (Personal Data) of the Standard Terms. It is deemed executed on execution of the Agreement. Capitalised terms not defined in this DPA have the meaning given in the Agreement.
Part A — General data protection terms
Part A applies whenever Provider Processes Customer Personal Data as a Processor (or Sub-processor) on behalf of the Customer. Provider and the Customer must always comply with Part A. Certain additional region-specific terms in Part B also apply where the law of that region applies to the Processing. To the extent of any conflict: (a) between this DPA and the rest of the Agreement, this DPA prevails on Personal Data matters; and (b) between Part A and Part B, Part B prevails.
1. Definitions
1.1 “Applicable Data Protection Laws” has the meaning given in the Agreement and includes, in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), together with any other privacy or data protection laws that apply to the Processing of Personal Data under the Agreement and this DPA.
1.2 “Controller”, “Processor”, “Sub-processor” and “Data Subject” each have the meaning given to that term — or to the substantially similar concept (such as “APP entity”) — under Applicable Data Protection Laws.
1.3 “Customer Personal Data” means Personal Data within Customer Content that the Customer or its Users provide to the Cloud Service and that is governed by this DPA.
1.4 “Personal Data” means information about a Data Subject that is “personal information”, “personal data” or a substantially similar concept under Applicable Data Protection Laws.
1.5 “Processing” / “Process” means any operation performed on Personal Data, whether or not by automated means.
1.6 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
1.7 “Sub-processor List” means Provider’s list of approved Sub-processors, available at taxy.au/legal/subprocessors.
2. Roles of the parties
2.1 Provider as Processor. Where the Customer is a Controller of the Customer Personal Data, Provider is a Processor Processing on the Customer’s behalf.
2.2 Provider as Sub-processor. Where the Customer is itself a Processor of the Customer Personal Data on behalf of a third-party Controller (for example, where the Customer is an accounting firm Processing its own clients’ Personal Data), Provider is a Sub-processor. In that case the Customer will ensure its instructions to Provider align with the instructions of, and its obligations to, that third-party Controller.
2.3 Each party will comply with the obligations that apply to it under Applicable Data Protection Laws.
3. Processing of Customer Personal Data
3.1 Instructions. Provider will Process Customer Personal Data only: (a) to provide and maintain the Cloud Service; (b) as further specified by the Customer’s use of the Cloud Service; (c) as documented in the Agreement and this DPA; and (d) per other written instructions the Customer gives and Provider acknowledges. Provider will inform the Customer if it cannot follow an instruction, and will not Process Customer Personal Data for any other purpose unless required by Applicable Laws. The subject matter, nature, purpose and duration of the Processing, and the categories of data and Data Subjects, are set out in Annex B.
3.2 Customer responsibilities. The Customer warrants that it (or, where it is a Processor, the relevant third-party Controller) has provided all required notices and has all necessary rights, consents and authority under Applicable Data Protection Laws for Provider to Process the Customer Personal Data for these purposes.
3.3 Service updates. If Provider updates the Cloud Service in a way that changes the categories of Personal Data or Data Subjects or the nature of the Processing, Provider will notify the Customer and update Annex B accordingly.
4. Confidentiality
Provider will ensure that personnel authorised to Process Customer Personal Data are subject to a duty of confidence consistent with Provider’s confidentiality obligations under the Agreement.
5. Security
5.1 Provider will maintain appropriate technical and organisational measures to protect Customer Personal Data against a Security Incident, as described in Annex A.
5.2 Provider may update its security measures from time to time as it considers necessary in light of evolving practices and threats, provided the updates do not materially reduce the overall security of the Customer Personal Data.
5.3 The Customer is responsible for its own security measures for the data it Processes and instructs Provider to Process, including securing the access credentials it uses for the Cloud Service.
5.4 Where Customer Personal Data includes tax file numbers, Provider will collect, use, store and handle them only as necessary to provide the Cloud Service and in accordance with the Privacy (Tax File Number) Rule 2015.
6. Sub-processors
6.1 The Customer authorises Provider to engage the Sub-processors on the Sub-processor List to Process Customer Personal Data, provided that Provider: (a) gives the Customer at least 30 days’ advance notice of any addition or replacement by updating the Sub-processor List; (b) imposes written data-protection terms on each Sub-processor at least as protective as this DPA; and (c) remains liable for its Sub-processors’ acts and omissions.
6.2 The Customer may object to a new or replacement Sub-processor on reasonable data-protection grounds within 30 days of notice. The parties will cooperate in good faith to resolve the objection. If it cannot be resolved, either party may terminate the affected Order Form on written notice in accordance with Section 5 (Term & Termination) of the Standard Terms, without prejudice to fees already incurred.
7. Cooperation and Data Subject requests
7.1 Provider will provide the Customer with reasonable assistance (at the Customer’s expense where material) to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws — including access, correction and deletion requests — to the extent the Customer cannot fulfil them using the Cloud Service’s existing functionality.
7.2 If Provider receives a request directly from a Data Subject, regulator or other third party about the Processing of Customer Personal Data, Provider will not respond (other than to direct the requester to the Customer) without the Customer’s prior consent, unless required by Applicable Laws, and will promptly inform the Customer with full details unless prohibited.
8. Data protection impact assessments
If required by Applicable Data Protection Laws, Provider will reasonably assist the Customer with any privacy or data protection impact assessment and any consultation with a supervisory authority, taking into account the nature of the Processing and the information available to Provider.
9. Security Incidents
If Provider becomes aware of a Security Incident, Provider will: (a) notify the Customer without undue delay; (b) provide reasonable information and cooperation to enable the Customer to meet any obligations it may have, including under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)); and (c) take reasonable steps to contain, investigate and mitigate the Security Incident. Provider’s notification is not an acknowledgement of fault or liability.
10. Deletion and return
10.1 On request. On the Customer’s request, Provider will delete Customer Personal Data within 60 days, except to the extent retention is required by Applicable Laws (consistent with Section 5.5 of the Standard Terms).
10.2 On termination. On expiry or termination of the Agreement, Provider will, on the Customer’s instruction, return or delete Customer Personal Data within 60 days, except where retention is required or authorised by Applicable Laws. The Customer is responsible for exporting any Customer Content it wishes to retain before access ends (Section 5.5 of the Standard Terms). Where return or deletion is impracticable or prohibited by law, Provider will continue to protect the data and prevent further Processing.
11. International data transfers
11.1 Provider primarily stores Customer Personal Data in Australia. Backups of Customer Personal Data are replicated to the United States. Some Customer Personal Data may also be Processed outside Australia by the Sub-processors on the Sub-processor List.
11.2 To the extent Provider discloses Customer Personal Data outside Australia, Provider will comply with its obligations under Applicable Data Protection Laws — including Australian Privacy Principle 8 (cross-border disclosure) — and take reasonable steps to ensure the overseas recipient handles the data consistently with those laws. Where European Data Protection Law applies to a transfer, Part B also applies.
12. Audit and reports
12.1 Provider will, on the Customer’s reasonable written request (no more than once a year, made to privacy@taxy.au), provide information reasonably necessary to demonstrate its compliance with this DPA, including reasonable responses to security and due-diligence questionnaires and information about its information security program.
12.2 Provider maintains an Information Security Management System (ISMS) based on the ISO/IEC 27001 and SOC 2 frameworks. If Provider obtains third-party audit reports or certifications, it will, on the Customer’s written request, make summaries available on a confidential basis.
12.3 Provider will keep records of its compliance with this DPA for the term and for a reasonable period after.
13. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations, exclusions and waivers in the Agreement (Section 8 of the Standard Terms). This DPA does not limit any liability a party owes directly to an individual under Applicable Data Protection Laws.
14. Conflicts
This DPA supplements the Agreement. On any inconsistency about Personal Data, the order of precedence is: (1) Part B (where it applies), (2) Part A, then (3) the rest of the Agreement.
15. Term
This DPA starts on execution of the Agreement and continues until the Agreement ends and Provider has stopped Processing Customer Personal Data.
Part B — Additional region-specific terms
Part B applies only where, and to the extent that, the law of the relevant region applies to the Customer Personal Data Provider Processes. It does not apply to an engagement governed wholly by Australian law. Part B is additional to Part A.
B1. United Kingdom, Switzerland and EEA
This clause B1 applies where and to the extent European Data Protection Law applies to the Processing.
B1.1 Definitions. In this clause B1:
- “European Data Protection Law” means the EU GDPR, the UK GDPR and the Swiss DPA, in each case to the extent applicable.
- “EU GDPR” means Regulation (EU) 2016/679.
- “UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 (UK).
- “Swiss DPA” means the Swiss Federal Act on Data Protection of 25 September 2020 and its ordinances.
- “EU SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.
- “Restricted Transfer” means a transfer of Customer Personal Data subject to European Data Protection Law to a country or recipient not covered by an adequacy decision under that law.
B1.2 Restricted Transfers to Provider. To the extent a transfer of Customer Personal Data from the Customer to Provider is a Restricted Transfer, the following apply and are incorporated by reference:
(a) EU transfers — the EU SCCs apply, completed as follows: (i) Module Two (Controller to Processor) applies where the Customer is a Controller, and Module Three (Processor to Sub-processor) applies where the Customer is a Processor; (ii) in Clause 7, the docking clause does not apply; (iii) in Clause 9, Option 2 (general written authorisation) applies, with the minimum notice period for Sub-processor changes set at 30 days per Section 6.1; (iv) in Clause 11, the optional language does not apply; (v) in Clause 17, Option 1 applies and the EU SCCs are governed by the law of Ireland; (vi) in Clause 18(b), disputes are resolved before the courts of Ireland; and (vii) Annex I and Annex III are completed with the information in Annex B of this DPA, and Annex II is completed with the information in Annex A of this DPA.
(b) UK transfers — the UK Addendum applies and modifies the EU SCCs completed as above. Tables 1 to 3 of the UK Addendum are completed with the corresponding information from the EU SCCs and Annexes A and B of this DPA; in Table 4, both “Importer” and “Exporter” may end the Addendum. The start date is the date of the Agreement.
(c) Swiss transfers — the EU SCCs apply as above, with: references to the GDPR read as references to the Swiss DPA; the competent authority being the Swiss Federal Data Protection and Information Commissioner; and Data Subjects in Switzerland able to enforce their rights in Switzerland.
B1.3 Restricted Transfers by Provider. Provider will not make an onward Restricted Transfer of Customer Personal Data except in compliance with European Data Protection Law (whether by adequacy, the EU SCCs or UK Addendum, or another lawful transfer mechanism).
B1.4 Conflict. Where the EU SCCs or the UK Addendum apply, they prevail over the rest of this DPA to the extent of any conflict.
No dedicated United States / CCPA section is required: the definition of “Applicable Data Protection Laws” in Part A, Section 1.1 already extends to US state privacy laws to the extent they apply to the Processing.
Annex A — Security measures
The technical and organisational measures Provider maintains to protect Customer Personal Data are set out in Provider’s Information Security Management System (ISMS), which is based on the ISO/IEC 27001 and SOC 2 frameworks, and are summarised on Provider’s security page at taxy.au/security. They include encryption of Customer Personal Data in transit and at rest, role-based and least-privilege access controls, and infrastructure operated with active-active redundancy across multiple failure zones in Australia. Further detail is available to the Customer on request.
Annex B — Data processing schedule
| Item | Details |
| --- | --- |
| Data exporter / Controller | The Customer (or, where the Customer is a Processor, its third-party Controller). Details are in the Agreement / the Customer’s account. |
| Data importer / Processor | Taxy Pty Ltd, ABN 33 666 815 890, Level 7, 88 Phillip Street, Sydney NSW 2000. Role: Processor (or Sub-processor per Section 2.2). |
| Categories of Data Subjects | The Customer’s clients (the taxpayers and entities whose information the Customer submits to app.taxy.au), and the Customer’s own personnel, contractors and contacts. |
| Categories of Personal Data | Names; contact details; tax file numbers and other government identifiers; financial and tax information; identity-document details; and other Personal Data the Customer submits to the Cloud Service. |
| Special / sensitive categories | Not requested by the Cloud Service; may be present only if the Customer chooses to submit it. |
| Nature and purpose | Providing the app.taxy.au tax workflow service described in the Agreement (collecting client information and documents, and tracking progress). |
| Frequency | Continuous, for the duration of the Agreement. |
| Duration / retention | The term of the Agreement, plus up to 60 days after for deletion (Section 10), unless longer retention is required by Applicable Laws. |
| Sub-processors | As listed on the Sub-processor List (taxy.au/legal/subprocessors). |