Data Processing Agreement
Effective Date: 25 March 2026 · Document Ref: HHQ-DPA-001
ABN 34 689 167 477 · ACN 689 167 477
Data Processing Agreement
Terms governing the processing of personal data on behalf of subscribing organisations
Effective Date: 25 March 2026
Document Reference: HHQ-DPA-001
Classification: PUBLIC
Review Cycle: Annual (or upon material change)
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Handover HQ Pty Ltd (ABN 34 689 167 477 · ACN 689 167 477) (“Processor”, “we”, “us”) and the organisation subscribing to the Handover HQ Service (“Controller”, “you”, “Customer”).
This DPA sets out the terms on which the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Handover HQ platform and related services (the “Service”). It is designed to meet the requirements of the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and other applicable data protection legislation.
This DPA shall prevail over any conflicting terms in the Agreement to the extent of any inconsistency relating to the processing of Personal Data.
2. Definitions
In this DPA, capitalised terms not defined herein have the meanings given to them in the Agreement. The following terms have the meanings set out below:
“Controller” means the Customer who determines the purposes and means of processing Personal Data through the Service.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“Handover Content” means all information submitted during the employee knowledge capture and transfer process, including questionnaire responses, uploaded documents, interview recordings and transcriptions, and AI-generated outputs.
“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
“Processing” means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, restriction, erasure, or destruction.
“Processor” means Handover HQ Pty Ltd, which processes Personal Data on behalf of the Controller.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
“Data Protection Laws” means the Privacy Act 1988 (Cth), GDPR, UK GDPR, CCPA/CPRA, and any other applicable privacy or data protection legislation.
3. Scope and Purpose of Processing
3.1 Subject Matter
The Processor processes Personal Data solely to provide the Service to the Controller, including structured employee offboarding, AI-powered knowledge capture interviews, document management, analytics, and reporting.
3.2 Duration
Processing shall continue for the duration of the Agreement. Upon termination, the provisions of Section 10 (Data Deletion and Return) apply.
3.3 Nature and Purpose
Processing includes the collection, storage, organisation, retrieval, use, and deletion of Personal Data for the purpose of facilitating employee handovers, generating AI-powered summaries and insights, providing analytics and reporting, and enabling integrations with the Controller’s systems.
3.4 Categories of Data Subjects
3.5 Types of Personal Data
4. Controller Obligations
The Controller shall:
5. Processor Obligations
The Processor shall:
6. Sub-processors
6.1 General Authorisation
The Controller provides general written authorisation for the Processor to engage Sub-processors to assist in providing the Service, subject to the requirements of this Section 6.
6.2 Current Sub-processors
The following Sub-processors are authorised as at the Effective Date:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Managed PostgreSQL database, authentication, row-level security | All Personal Data stored in the Service | Australia (AWS ap-southeast-2, Sydney) |
| OpenAI Inc. | AI interview evaluation, summarisation, sentiment analysis (GPT-4o / GPT-4o-mini) | Interview question text and transcribed answers (transient processing only — not retained or used for training by OpenAI) | United States |
| ElevenLabs Inc. | Text-to-speech for the voice AI interview | Interview question text only — no answers transmitted | United States |
| Resend Inc. | Transactional and lifecycle email delivery | Recipient email addresses, names, handover status notifications | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and observability | Exception stack traces, request paths, user identifiers (no Personal Data payloads) | United States / European Union |
| Vercel Inc. | Frontend hosting and edge delivery | Technical data (IP, headers); no Personal Data stored at rest | Global edge network (Sydney POP) |
| Fly.io, Inc. | .NET API hosting | Personal Data in transit during API requests | Australia (Sydney region) |
6.3 Notification of Changes
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-processor, providing the name, processing activities, and location of the proposed Sub-processor. The Controller may object to the change in writing within 15 days of notification. If the Controller objects on reasonable data protection grounds and the parties cannot resolve the objection, the Controller may terminate the Agreement without penalty.
6.4 Sub-processor Obligations
The Processor shall ensure that each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor’s obligations.
7. Security Measures
The Processor shall implement and maintain technical and organisational measures appropriate to the risk, including:
The Processor shall regularly review and update its security measures to ensure they remain appropriate to the risk.
8. Data Breach Notification
8.1 Notification Timeline
The Processor shall notify the Controller of any Personal Data breach without undue delay and in any event within 48 hours of becoming aware of the breach. This timeline is designed to enable the Controller to meet its own regulatory notification obligations (72 hours under GDPR; 30 days under the Australian NDB scheme).
8.2 Notification Content
Breach notifications shall include, to the extent known at the time of notification:
8.3 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall provide supplementary information as it becomes available.
9. Audit Rights
9.1 Information and Reports
The Processor shall make available to the Controller, on request, copies of relevant third-party audit reports and certifications (including SOC 2 Type II reports, when available) to demonstrate compliance with this DPA.
9.2 Controller Audit
The Controller (or its authorised independent auditor) may conduct an audit of the Processor’s processing activities and facilities upon 30 days’ written notice, at the Controller’s expense, provided that:
10. Data Return and Deletion
Upon termination of the Agreement, the Processor shall, at the Controller’s written election:
The Processor shall certify deletion in writing upon the Controller’s request. The Processor may retain Personal Data to the extent required by applicable law, provided that such retention is limited to the extent and duration required by law, and the data remains subject to the protections of this DPA.
11. International Data Transfers
Personal Data may be transferred to and processed in jurisdictions outside the Controller’s country of establishment, including the United States, as set out in the Sub-processor table in Section 6.2.
Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, the Processor shall ensure that appropriate safeguards are in place, including:
The SCCs are incorporated by reference into this DPA. Where there is any conflict between this DPA and the SCCs, the SCCs shall prevail.
12. AI-Specific Data Processing Provisions
12.1 No Model Training on Controller Data
The Processor shall not use the Controller’s Personal Data or Handover Content to train, fine-tune, or improve general-purpose AI models unless the Controller has provided explicit, separate, written consent.
12.2 Transient AI Processing
Where third-party AI model providers (currently OpenAI) are used, the Controller’s data is processed transiently. OpenAI’s API data usage policy confirms that API inputs and outputs are not used for model training. Data is not retained by the AI provider beyond the processing session.
12.3 Data Isolation
Each organisation’s data is logically isolated. One Controller’s Handover Content is never used to generate outputs for another Controller.
12.4 Human Oversight
AI-generated outputs (summaries, sentiment scores, quality assessments) are provided as informational tools. The Controller is responsible for ensuring that no employment decisions are made solely on the basis of automated processing without human review.
13. Data Subject Requests
Where the Processor receives a request directly from a Data Subject exercising their rights under applicable Data Protection Laws, the Processor shall promptly redirect the request to the Controller, unless the Processor is legally required to respond directly.
The Processor shall assist the Controller in fulfilling Data Subject requests by providing relevant information and technical capabilities, including the ability to export, correct, and delete Personal Data within the Service.
14. GDPR and UK GDPR-Specific Provisions
To the extent that the GDPR or UK GDPR applies to the processing:
15. CCPA/CPRA-Specific Provisions
To the extent that the CCPA/CPRA applies to the processing:
16. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit either party’s liability for breaches of Data Protection Laws where such limitation would be unlawful.
17. Term and Termination
This DPA shall take effect on the Effective Date and remain in force for the duration of the Agreement. Sections 7 (Security Measures), 8 (Data Breach Notification), 10 (Data Return and Deletion), and 16 (Liability) shall survive termination.
18. Contact
For questions or requests relating to this DPA, please contact:
Privacy Officer — Handover HQ Pty Ltd
Email: privacy@handoverhq.com / privacy@handoverhq.ai
Security: security@handoverhq.com / security@handoverhq.ai
Websites: handoverhq.com and handoverhq.ai
Sub-processor register: handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors)