Data Processing Addendum

Last updated: 11 May 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between DocChase Pty Ltd and the customer.

1. Roles

The customer (practitioner) is the data controller of personal information about their end-clients. DocChase acts as a data processor when processing such information on the customer's behalf, and as a controller for practitioner account data.

2. Processing instructions

DocChase processes Customer Data only to:

  • Provide the document-collection service as configured by the customer
  • Comply with Australian law
  • Carry out the customer's reasonable documented instructions

3. Confidentiality

Personnel with access to Customer Data are bound by written confidentiality obligations.

4. Security measures

See the Security page. We implement industry-standard technical and organisational measures appropriate to the risk.

5. Subprocessors

We use the following subprocessors:

  • Supabase (hosting & database) — Australia (Sydney) — hosting, Postgres, file storage, auth
  • Resend — United States — transactional email delivery
  • Twilio — United States / Australia — SMS delivery (when enabled)
  • Stripe — Australia / United States — payment processing
  • Cloudflare — global edge — DDoS protection and CDN
  • Sentry — United States — error monitoring (PII scrubbed)

We will give 30 days' notice before adding or replacing a subprocessor. You may object on reasonable grounds.

6. International transfers

Where Customer Data is transferred outside Australia, we ensure recipients handle it consistently with APP 8 (cross-border disclosure) through contractual safeguards.

7. Notifiable data breaches

We will notify the customer of a personal information breach affecting Customer Data without undue delay, and in any case within 72 hours of becoming aware of it. The notice will include the nature and scope of the breach and the remediation steps taken.

8. Assistance

We will reasonably assist the customer to respond to requests by their end-clients to access, correct, or delete personal information, and to meet the customer's obligations under the Privacy Act 1988 (Cth).

9. Audit

On reasonable written request and no more than once per year, we will make available current certifications and a summary of our most recent penetration test.

10. Return or deletion

On termination, the customer may export Customer Data for 30 days. After that, Customer Data is deleted or de-identified within 90 days, except where retention is required by law.

11. Liability

Liability under this DPA is subject to the limitations in the Terms of Service.

Questions about this policy?

Email legal@docchase.com.au or write to DocChase Pty Ltd, Level 1, 121 King Street, Melbourne VIC 3000, Australia.