Data Processing Agreement (DPA)
1. Purpose
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service or any agreement between Quality Group Pty Ltd (“Processor”, “we”) and the Client (“Controller”, “you”).
This DPA applies where Quality Group processes personal data on behalf of the Client in connection with services provided by Quality Group (“Service”).
2. Roles of the Parties
- The Client is the data controller (or equivalent under applicable law).
- Quality Group acts as a data processor.
The Client determines the purposes and means of processing personal data. Quality Group processes personal data solely on behalf of the Client.
3. Nature and Purpose of Processing
Processing is limited to what is necessary to provide the Service, including:
- analysis of uploaded reports and materials
- generation of structured outputs
- storage, transmission, and deletion of data
Processing is carried out only in accordance with the Client’s instructions as set out in this DPA and the main agreement.
4. Types of Personal Data
Personal data processed may include:
- information contained within client reports and materials
- professional or business-related personal information
- any other personal data submitted by the Client
Quality Group does not control the categories of personal data submitted.
5. Obligations of the Processor
Quality Group will:
- process personal data only on documented instructions from the Client
- ensure personnel with access to personal data are subject to confidentiality obligations
- implement appropriate technical and organisational measures to protect personal data
- not use personal data for its own purposes
Quality Group will not use client data to train shared models or improve systems across organisations unless expressly agreed.
6. Security Measures
Quality Group implements reasonable security measures, including:
- encryption in transit and at rest
- access controls and authentication mechanisms
- system monitoring and safeguards
Security measures are designed to protect against unauthorised access, disclosure, alteration, or destruction of personal data.
7. Subprocessors
Quality Group may engage third-party subprocessors to support delivery of the Service. Our primary subprocessor is Amazon Web Services (AWS), which provides cloud infrastructure and AI model inference services via AWS Bedrock.
Quality Group will:
- ensure subprocessors are bound by data protection obligations no less protective than those in this DPA
- remain responsible for their performance
- provide the Client with at least 14 days’ prior written notice of any intended change to subprocessors
8. International Data Transfers
Personal data is currently processed in the AWS London region (eu-west-2) within the United Kingdom. Quality Group may support additional regions in future to meet specific client requirements, subject to appropriate data transfer mechanisms.
9. Assistance to the Client
Taking into account the nature of processing, Quality Group will provide reasonable assistance to the Client to:
- respond to data subject requests
- comply with applicable data protection obligations
10. Data Breach Notification
Quality Group will notify the Client without undue delay upon becoming aware of a data breach affecting personal data processed under this DPA.
Notification will include available information to assist the Client in meeting its obligations.
11. Data Retention and Deletion
Personal data is retained while the Client account is active.
Upon termination of the Service:
- personal data will be deleted within 30 days
- unless retention is required by law or agreed otherwise
12. Audit and Information Rights
Quality Group will make available information reasonably necessary to demonstrate compliance with this DPA.
Any audit must:
- be conducted no more than once in any 12-month period
- be subject to reasonable prior notice
- be limited to what is necessary and proportionate
- not unreasonably interfere with Quality Group’s operations or other clients
13. Liability
Liability arising under this DPA is subject to the limitations set out in the Terms of Service or applicable agreement.
14. Governing Law
This DPA is governed by the laws of Victoria, Australia, except that:
- where the Client is established in the European Economic Area, the data protection obligations in this DPA shall be interpreted in accordance with applicable EU law, including the GDPR; and
- where the Client is established in the United Kingdom, the data protection obligations in this DPA shall be interpreted in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
In the event of any conflict between Victorian law and applicable EU or UK data protection law in relation to data protection obligations, the applicable EU or UK data protection law prevails.