Data Processing Agreement
Governs the processing of personal information during consulting engagements with Vitals Cybersecurity.
Last updated: 25 February 2026
This Data Processing Agreement ("Agreement") is entered into between Vitals Cybersecurity (ABN 73 695 437 846) ("Processor") and the client identified in the applicable services engagement agreement ("Controller"). It applies where Vitals Cybersecurity processes personal information on behalf of the Controller in the course of providing cybersecurity consulting services.
1. Definitions
Controller: The client identified in the services engagement agreement — the entity that determines the purposes and means of processing personal information.
Processor: Vitals Cybersecurity — the entity that processes personal information on behalf of the Controller.
Personal Information: Has the meaning given in the Privacy Act 1988 (Cth) — information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Processing: Any operation or set of operations performed on personal information, including collection, storage, use, disclosure, and deletion.
Engagement: The cybersecurity consulting services described in the applicable services agreement.
Sub-processor: A third party engaged by the Processor to process personal information in connection with the Engagement.
Privacy Act: The Privacy Act 1988 (Cth), as amended from time to time.
APPs: The Australian Privacy Principles set out in Schedule 1 of the Privacy Act.
OAIC: The Office of the Australian Information Commissioner.
2. Scope and nature of processing
The Processor will process personal information only as necessary to perform the Engagement described in the services agreement. The scope of processing typically includes:
- Reviewing documentation, policies, and procedures that may reference staff or patient information
- Conducting assessment sessions that may involve discussing information about staff, patients, or third parties
- Accessing system configuration information that may include usernames or identifiers
- Receiving incident details or logs that may contain personal information
The Controller should minimise the personal information shared with the Processor to what is strictly necessary for the Engagement. Where possible, data should be de-identified or anonymised before sharing.
3. Processor obligations
The Processor agrees to:
Process only on documented instructions
Process personal information only in accordance with the Controller's documented instructions and for the purposes of the Engagement.
Comply with the Privacy Act and APPs
Handle all personal information in accordance with the Privacy Act 1988 and the Australian Privacy Principles.
Confidentiality
Ensure that all personnel with access to the Controller's personal information are bound by confidentiality obligations.
Notify of incompatible instructions
Promptly inform the Controller if, in the Processor's view, an instruction would breach the Privacy Act or any other applicable law.
Assist with Controller obligations
Provide reasonable assistance to the Controller in meeting its obligations under the Privacy Act, including in relation to individual access and correction requests.
Return or delete data
At the end of the Engagement, return or securely delete personal information as directed by the Controller, subject to clause 7.
4. Controller obligations
The Controller agrees to:
- Ensure it has a lawful basis for sharing personal information with the Processor
- Provide clear written instructions for any processing required beyond the scope of the Engagement
- Minimise the personal information shared with the Processor to what is reasonably necessary
- Notify the Processor promptly of any change in instructions that would affect the scope of processing
- Comply with all obligations applicable to it as Controller under the Privacy Act and APPs
- Ensure individuals whose personal information is shared have been notified of such sharing to the extent required by law
5. Security measures
The Processor implements reasonable technical and organisational measures to protect personal information against misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include:
Encryption in transit
All data transferred electronically is encrypted using TLS.
Encryption at rest
Files stored on Processor devices use full-disk encryption.
Access controls
Personal information is accessible only to personnel involved in the Engagement.
Secure communications
Business communications are handled via Microsoft 365, which applies enterprise security controls.
Device security
Processor devices run up-to-date operating systems with endpoint protection.
Secure disposal
Personal information is securely deleted at the end of the retention period using approved methods.
6. Sub-processors
The Processor uses the following sub-processors in connection with service delivery. The Controller provides general authorisation for their use by entering into an engagement with the Processor.
Microsoft 365
Purpose: Email communications and document storage
Location: Australia and overseas (Microsoft data centres)
Privacy policy: microsoft.com/privacy
Cloudflare
Purpose: Website delivery (does not process client personal data in engagements)
Location: Global
Privacy policy: cloudflare.com/privacypolicy
The Processor will notify the Controller of any intended change to sub-processors and provide the Controller a reasonable opportunity to object before the change takes effect.
7. Data retention and return
Upon completion or termination of the Engagement:
- The Processor will, at the Controller's written request, return or securely delete all personal information provided by the Controller.
- Where no written request is received within 30 days of Engagement completion, the Processor will retain personal information for 7 years to meet standard business record-keeping obligations, then securely delete it.
- The Processor may retain personal information where required to do so by law, for the period required by that law.
- The Processor will certify deletion in writing upon request.
8. Data breach notification
If the Processor becomes aware of a data breach affecting personal information held on behalf of the Controller, the Processor will:
Notify promptly
Notify the Controller without undue delay and, in any case, within 72 hours of becoming aware of the breach.
Provide details
Provide the Controller with all reasonably available information about the breach, including its nature, scope, the personal information affected, and the likely consequences.
Contain and remediate
Take reasonable steps to contain the breach and prevent further compromise.
Assist with notification
Assist the Controller in meeting its notification obligations to the OAIC and affected individuals under the Notifiable Data Breaches scheme, as applicable.
The obligation to notify does not require the Processor to make notifications directly to the OAIC or affected individuals — that remains the Controller's responsibility unless otherwise agreed in writing.
9. Compliance with the Privacy Act
The Processor maintains its own privacy obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where the Processor collects personal information on behalf of the Controller, the Processor will handle that information in accordance with:
- The Privacy Act 1988 (Cth) and Australian Privacy Principles
- The Privacy & Other Legislation Amendment Act 2024 (Cth)
- Any specific obligations applicable to the nature of the Engagement
- This Agreement
10. Audit rights
The Controller may, on reasonable written notice (at least 14 days), request that the Processor:
- Provide documentation evidencing compliance with this Agreement
- Respond to reasonable written questions about its data handling practices
- Facilitate a review of relevant security and privacy practices
Audit activities must be conducted in a way that minimises disruption to the Processor's operations. The Controller bears the costs of any audit it requests. Audits are limited to once per year unless there are reasonable grounds to believe a breach has occurred.
11. Liability and indemnification
Each party is liable to the other for any loss or damage caused by its breach of this Agreement or the Privacy Act, subject to the limitations set out in the services engagement agreement.
The Processor will not be liable for any loss or damage arising from:
- Processing carried out in accordance with the Controller's documented instructions
- Failures or breaches attributable to the Controller's own systems or actions
- Events beyond the Processor's reasonable control
Nothing in this clause limits either party's liability for fraud, wilful misconduct, or any liability that cannot be excluded by law.
12. Term and termination
This Agreement commences on the date the parties enter into the services engagement agreement and continues until all personal information shared under the Engagement has been returned or deleted in accordance with clause 7.
Termination of the services engagement agreement does not affect the obligations under this Agreement in respect of personal information already processed.
13. Governing law
This Agreement is governed by the laws of South Australia and the Commonwealth of Australia. Any disputes are subject to the exclusive jurisdiction of the courts of South Australia.
14. Contact
For questions about this Agreement or data processing matters, contact the Processor:
Vitals Cybersecurity
Email: contact@vitalscyber.com.au
Location: Adelaide, South Australia
ABN: 73 695 437 846