Handover HQHandover HQ

Data Processing Agreement

Effective Date: 25 March 2026 · Document Ref: HHQ-DPA-001

ABN 34 689 167 477 · ACN 689 167 477

Data Processing Agreement

Terms governing the processing of personal data on behalf of subscribing organisations

Effective Date: 25 March 2026

Document Reference: HHQ-DPA-001

Classification: PUBLIC

Review Cycle: Annual (or upon material change)

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Handover HQ Pty Ltd (ABN 34 689 167 477 · ACN 689 167 477) (“Processor”, “we”, “us”) and the organisation subscribing to the Handover HQ Service (“Controller”, “you”, “Customer”).

This DPA sets out the terms on which the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Handover HQ platform and related services (the “Service”). It is designed to meet the requirements of the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and other applicable data protection legislation.

This DPA shall prevail over any conflicting terms in the Agreement to the extent of any inconsistency relating to the processing of Personal Data.

2. Definitions

In this DPA, capitalised terms not defined herein have the meanings given to them in the Agreement. The following terms have the meanings set out below:

“Controller” means the Customer who determines the purposes and means of processing Personal Data through the Service.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“Handover Content” means all information submitted during the employee knowledge capture and transfer process, including questionnaire responses, uploaded documents, interview recordings and transcriptions, and AI-generated outputs.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

“Processing” means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, restriction, erasure, or destruction.

“Processor” means Handover HQ Pty Ltd, which processes Personal Data on behalf of the Controller.

“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

“Data Protection Laws” means the Privacy Act 1988 (Cth), GDPR, UK GDPR, CCPA/CPRA, and any other applicable privacy or data protection legislation.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor processes Personal Data solely to provide the Service to the Controller, including structured employee offboarding, AI-powered knowledge capture interviews, document management, analytics, and reporting.

3.2 Duration

Processing shall continue for the duration of the Agreement. Upon termination, the provisions of Section 10 (Data Deletion and Return) apply.

3.3 Nature and Purpose

Processing includes the collection, storage, organisation, retrieval, use, and deletion of Personal Data for the purpose of facilitating employee handovers, generating AI-powered summaries and insights, providing analytics and reporting, and enabling integrations with the Controller’s systems.

3.4 Categories of Data Subjects

  • Departing employees of the Controller whose knowledge is being captured.
  • Managers, reviewers, and approvers involved in the handover process.
  • Authorised users of the Controller’s Handover HQ account.
  • 3.5 Types of Personal Data

  • Identity data: name, email address, job title, department, employee identifiers.
  • Employment data: role type, seniority level, start date, end date, employment type.
  • Handover Content: questionnaire responses, interview transcripts, uploaded documents, AI-generated summaries, sentiment analysis, and quality scores.
  • Technical data: IP addresses, browser/device information, session logs (collected automatically).
  • 4. Controller Obligations

    The Controller shall:

  • (a) ensure that it has a valid lawful basis under applicable Data Protection Laws for the processing of Personal Data by the Processor;
  • (b) provide all necessary privacy notices to Data Subjects and obtain any required consents prior to submitting Personal Data to the Service;
  • (c) ensure that its instructions to the Processor comply with applicable Data Protection Laws;
  • (d) be responsible for the accuracy of Personal Data submitted to the Service.
  • 5. Processor Obligations

    The Processor shall:

  • (a) process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited from doing so by law);
  • (b) ensure that all personnel authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) implement appropriate technical and organisational security measures as described in Section 7;
  • (d) not engage a Sub-processor without complying with the requirements of Section 6;
  • (e) assist the Controller, taking into account the nature of the processing, in responding to Data Subject requests under applicable Data Protection Laws;
  • (f) assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
  • (g) at the Controller’s choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless applicable law requires retention;
  • (h) make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws;
  • (i) not use Personal Data for any purpose other than providing the Service, and specifically shall not use Handover Content for general AI model training unless the Controller has provided explicit, separate, written consent.
  • 6. Sub-processors

    6.1 General Authorisation

    The Controller provides general written authorisation for the Processor to engage Sub-processors to assist in providing the Service, subject to the requirements of this Section 6.

    6.2 Current Sub-processors

    The following Sub-processors are authorised as at the Effective Date:

    Sub-processorPurposeData ProcessedLocation
    Supabase Inc.Managed PostgreSQL database, authentication, row-level securityAll Personal Data stored in the ServiceAustralia (AWS ap-southeast-2, Sydney)
    OpenAI Inc.AI interview evaluation, summarisation, sentiment analysis (GPT-4o / GPT-4o-mini)Interview question text and transcribed answers (transient processing only — not retained or used for training by OpenAI)United States
    ElevenLabs Inc.Text-to-speech for the voice AI interviewInterview question text only — no answers transmittedUnited States
    Resend Inc.Transactional and lifecycle email deliveryRecipient email addresses, names, handover status notificationsUnited States
    Sentry (Functional Software, Inc.)Error monitoring and observabilityException stack traces, request paths, user identifiers (no Personal Data payloads)United States / European Union
    Vercel Inc.Frontend hosting and edge deliveryTechnical data (IP, headers); no Personal Data stored at restGlobal edge network (Sydney POP)
    Fly.io, Inc..NET API hostingPersonal Data in transit during API requestsAustralia (Sydney region)

    6.3 Notification of Changes

    The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-processor, providing the name, processing activities, and location of the proposed Sub-processor. The Controller may object to the change in writing within 15 days of notification. If the Controller objects on reasonable data protection grounds and the parties cannot resolve the objection, the Controller may terminate the Agreement without penalty.

    6.4 Sub-processor Obligations

    The Processor shall ensure that each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor’s obligations.

    7. Security Measures

    The Processor shall implement and maintain technical and organisational measures appropriate to the risk, including:

  • Encryption: TLS 1.2+ for all data in transit; AES-256 encryption for all data at rest, including database storage and backups.
  • Access control: Role-based access control (RBAC), multi-tenant isolation via organisation-scoped JWT claims, principle of least privilege.
  • Authentication: Supabase Auth with support for email/password, Google SSO, and Microsoft SSO. Multi-factor authentication supported.
  • Row-Level Security (RLS): PostgreSQL RLS policies ensure each organisation can only access its own data at the database level.
  • Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy enforced on all responses.
  • Rate limiting: Fixed-window rate limiting on all API endpoints to prevent abuse.
  • Monitoring and logging: Structured logging (Serilog), request timing, and audit trails for all data access.
  • Personnel: All personnel with access to Personal Data are bound by confidentiality obligations and receive data protection training.
  • The Processor shall regularly review and update its security measures to ensure they remain appropriate to the risk.

    8. Data Breach Notification

    8.1 Notification Timeline

    The Processor shall notify the Controller of any Personal Data breach without undue delay and in any event within 48 hours of becoming aware of the breach. This timeline is designed to enable the Controller to meet its own regulatory notification obligations (72 hours under GDPR; 30 days under the Australian NDB scheme).

    8.2 Notification Content

    Breach notifications shall include, to the extent known at the time of notification:

  • (a) the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
  • (b) the name and contact details of the Processor’s point of contact;
  • (c) a description of the likely consequences of the breach;
  • (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.
  • 8.3 Cooperation

    The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall provide supplementary information as it becomes available.

    9. Audit Rights

    9.1 Information and Reports

    The Processor shall make available to the Controller, on request, copies of relevant third-party audit reports and certifications (including SOC 2 Type II reports, when available) to demonstrate compliance with this DPA.

    9.2 Controller Audit

    The Controller (or its authorised independent auditor) may conduct an audit of the Processor’s processing activities and facilities upon 30 days’ written notice, at the Controller’s expense, provided that:

  • (a) audits shall not occur more than once per 12-month period, unless required by a supervisory authority or triggered by a data breach;
  • (b) the auditor shall be bound by confidentiality obligations;
  • (c) audits shall be conducted during normal business hours with minimal disruption.
  • 10. Data Return and Deletion

    Upon termination of the Agreement, the Processor shall, at the Controller’s written election:

  • (a) return all Personal Data to the Controller in a structured, commonly used, machine-readable format (CSV or JSON); or
  • (b) permanently delete all Personal Data, including all copies in backup systems, within 90 days of termination.
  • The Processor shall certify deletion in writing upon the Controller’s request. The Processor may retain Personal Data to the extent required by applicable law, provided that such retention is limited to the extent and duration required by law, and the data remains subject to the protections of this DPA.

    11. International Data Transfers

    Personal Data may be transferred to and processed in jurisdictions outside the Controller’s country of establishment, including the United States, as set out in the Sub-processor table in Section 6.2.

    Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, the Processor shall ensure that appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (2021 version), Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as appropriate;
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable;
  • Transfer Impact Assessments and supplementary technical measures (encryption, pseudonymisation) where required.
  • The SCCs are incorporated by reference into this DPA. Where there is any conflict between this DPA and the SCCs, the SCCs shall prevail.

    12. AI-Specific Data Processing Provisions

    12.1 No Model Training on Controller Data

    The Processor shall not use the Controller’s Personal Data or Handover Content to train, fine-tune, or improve general-purpose AI models unless the Controller has provided explicit, separate, written consent.

    12.2 Transient AI Processing

    Where third-party AI model providers (currently OpenAI) are used, the Controller’s data is processed transiently. OpenAI’s API data usage policy confirms that API inputs and outputs are not used for model training. Data is not retained by the AI provider beyond the processing session.

    12.3 Data Isolation

    Each organisation’s data is logically isolated. One Controller’s Handover Content is never used to generate outputs for another Controller.

    12.4 Human Oversight

    AI-generated outputs (summaries, sentiment scores, quality assessments) are provided as informational tools. The Controller is responsible for ensuring that no employment decisions are made solely on the basis of automated processing without human review.

    13. Data Subject Requests

    Where the Processor receives a request directly from a Data Subject exercising their rights under applicable Data Protection Laws, the Processor shall promptly redirect the request to the Controller, unless the Processor is legally required to respond directly.

    The Processor shall assist the Controller in fulfilling Data Subject requests by providing relevant information and technical capabilities, including the ability to export, correct, and delete Personal Data within the Service.

    14. GDPR and UK GDPR-Specific Provisions

    To the extent that the GDPR or UK GDPR applies to the processing:

  • (a) the Processor shall assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where required;
  • (b) the Processor shall maintain records of processing activities as required by Article 30(2) GDPR;
  • (c) if the Processor determines that an instruction from the Controller infringes the GDPR or applicable Data Protection Laws, the Processor shall immediately inform the Controller.
  • 15. CCPA/CPRA-Specific Provisions

    To the extent that the CCPA/CPRA applies to the processing:

  • (a) the Processor acts as a “Service Provider” as defined in the CCPA and shall not sell or share Personal Data, retain or use it for any purpose other than performing the Service, or combine it with data from other sources except as permitted by the CCPA;
  • (b) the Processor certifies that it understands and will comply with the restrictions in this DPA and the CCPA/CPRA.
  • 16. Liability

    The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit either party’s liability for breaches of Data Protection Laws where such limitation would be unlawful.

    17. Term and Termination

    This DPA shall take effect on the Effective Date and remain in force for the duration of the Agreement. Sections 7 (Security Measures), 8 (Data Breach Notification), 10 (Data Return and Deletion), and 16 (Liability) shall survive termination.

    18. Contact

    For questions or requests relating to this DPA, please contact:

    Privacy Officer — Handover HQ Pty Ltd

    Email: privacy@handoverhq.com / privacy@handoverhq.ai

    Security: security@handoverhq.com / security@handoverhq.ai

    Websites: handoverhq.com and handoverhq.ai

    Sub-processor register: handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors)