This Data Processing Agreement (DPA) forms part of the agreement between Neuva Pty Ltd (Neuva) and the customer (Customer) for the Customer’s use of the Neuva platform (Service). It records how Neuva handles Personal Information on the Customer’s behalf. Terms defined in the Neuva Terms of Service have the same meaning in this DPA.
1. Definitions
APPs means the Australian Privacy Principles in the Privacy Act.
Privacy Act means the Privacy Act 1988 (Cth).
Personal Information has the meaning given in the Privacy Act.
Customer Personal Information means Personal Information that Neuva processes on the Customer’s behalf through the Service, including Worker Personal Information.
Worker means an individual worker, contractor or candidate whose information the Customer manages in the Service.
Process (and Processing) means any operation performed on Personal Information, including collecting, storing, using, disclosing and deleting it.
Sub-processor means a third party engaged by Neuva to process Customer Personal Information.
Data Breach means unauthorised access to, unauthorised disclosure of, or loss of, Customer Personal Information.
Eligible Data Breach has the meaning given in Part IIIC of the Privacy Act (the Notifiable Data Breaches scheme).
2. Roles of the parties
2.1 The Customer is the entity with the primary relationship to its Workers and determines the purposes for which Customer Personal Information is processed in the Service.
2.2 Neuva processes Customer Personal Information on the Customer’s behalf and on its documented instructions, as the Customer’s service provider. Neuva is an APP entity in its own right in respect of Personal Information it collects as controller of its own business, such as account contact and billing information, which is dealt with in Neuva’s Privacy Policy rather than this DPA.
2.3 The Customer’s instructions are set out in the Terms of Service, this DPA (including its Schedules), and the Customer’s configuration and use of the Service.
3. Scope and purpose of processing
3.1 Neuva will process Customer Personal Information only to provide, support, secure and improve the Service, as described in Schedule 1, and as otherwise instructed by the Customer or required by law. If required by law to process beyond the Customer’s instructions, Neuva will, where lawful, inform the Customer first.
3.2 The details of processing, including the categories of individuals and Personal Information, are set out in Schedule 1.
4. Customer obligations
4.1 The Customer must ensure it has a lawful basis to collect Worker Personal Information and to have Neuva process it, and that it has given Workers any notices and obtained any consents required under the Privacy Act.
4.2 The Customer must not provide Neuva with Personal Information that is not reasonably necessary for the Service. Consistent with data minimisation, the Service is not designed to hold financial identifiers such as tax file numbers or bank account details, and the Customer must not upload them.
4.3 The Customer is responsible for the accuracy of the Customer Personal Information it provides.
5. Neuva obligations
5.1 Neuva will:
- process Customer Personal Information only as set out in clause 3;
- implement the security measures in Schedule 2;
- ensure personnel authorised to process Customer Personal Information are bound by confidentiality;
- not sell Customer Personal Information; and
- assist the Customer as set out in this DPA.
6. Security
6.1 Neuva will maintain appropriate technical and organisational measures to protect Customer Personal Information against misuse, interference, loss, and unauthorised access, modification or disclosure, having regard to the nature of the information and the risks involved. Current measures are described in Schedule 2.
7. Sub-processors
7.1 The Customer authorises Neuva to engage the Sub-processors listed in Schedule 3 to process Customer Personal Information for the purposes described.
7.2 Neuva will impose data protection obligations on each Sub-processor that are substantially consistent with this DPA, and remains responsible for each Sub-processor’s performance.
7.3 Neuva will give the Customer reasonable notice of any intended addition or replacement of a Sub-processor, and the Customer may object on reasonable grounds.
8. Overseas disclosure
8.1 The Service is hosted in Australia. Where Customer Personal Information is disclosed to, or accessible from, a recipient outside Australia (for example, a Sub-processor’s email delivery or support function), Neuva will take reasonable steps to ensure the recipient handles it consistently with the APPs, in accordance with APP 8. Overseas locations, if any, are noted in Schedule 3.
9. Data breach notification
9.1 Neuva will notify the Customer without undue delay, and in any case within 48 hours, after becoming aware of a Data Breach affecting Customer Personal Information.
9.2 Neuva will provide the Customer with the information reasonably required to assess the breach and to meet the Customer’s obligations under the Notifiable Data Breaches scheme, and will cooperate with the Customer’s response.
9.3 The Customer is responsible for making any assessment and notification to the Office of the Australian Information Commissioner and to affected individuals in respect of an Eligible Data Breach, unless the parties agree otherwise.
10. Assistance with individual rights
10.1 Taking into account the nature of the processing, Neuva will provide reasonable assistance to help the Customer respond to requests from individuals to access or correct their Personal Information under APP 12 and APP 13.
10.2 If Neuva receives such a request directly, it will refer the individual to the Customer, unless the Customer directs otherwise.
11. Artificial intelligence
11.1 The Service uses automated and artificial intelligence features, for example to read and extract information from uploaded compliance documents and to support workforce readiness and matching. These features operate on Customer Personal Information to provide the Service, as described in Neuva’s Privacy Policy.
11.2 Neuva does not use Customer Personal Information to train generative AI models for use outside the Customer’s own tenant, and does not permit its Sub-processors to do so.
12. Return and deletion
12.1 On expiry or termination, and on the Customer’s request within 30 days, Neuva will make Customer Personal Information available for export in a common electronic format.
12.2 After that period, Neuva will delete or de-identify Customer Personal Information within a reasonable time, except to the extent it is required by law to retain it, in which case the retained information remains subject to this DPA.
13. Audit and information
13.1 On reasonable written request, and no more than once a year unless required by a regulator or following a Data Breach, Neuva will provide the Customer with the information reasonably necessary to demonstrate compliance with this DPA. The parties will treat any such information as confidential.
14. Liability
14.1 Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service.
15. Term
15.1 This DPA applies for as long as Neuva processes Customer Personal Information and, in respect of surviving obligations, after that.
16. Governing law
16.1 This DPA is governed by the laws of Western Australia and is otherwise subject to the Terms of Service.
Schedule 1 — Details of processing
Nature and purpose: coordinating a labour-hire and field workforce, including tracking compliance documents and worker readiness, mobilisation and scheduling, timesheets and invoicing, and providing related support and security.
Duration: the Subscription Term and any post-termination export period.
Categories of individuals: the Customer’s Workers (workers, contractors and candidates); and the Customer’s Authorised Users (staff, coordinators and administrators).
Categories of Personal Information: identity and contact details; role, competency and employment details; compliance and readiness records such as licences, tickets, inductions and qualification status; work rights and availability; location information used for mobilisation and site attendance; timesheet and work records; and account and usage information for Authorised Users.
Excluded information: the Service is not designed to hold financial identifiers such as tax file numbers or bank account details.
Sensitive information: only to the extent the Customer chooses to record readiness-related information. The Customer is responsible for any consents required.
Schedule 2 — Security measures
- Hosting in Australian data centre regions.
- Encryption of data in transit and at rest.
- Role-based access controls and tenant isolation within a multi-tenant architecture.
- Authentication controls for Authorised Users.
- Logging and monitoring of access and activity.
- Regular backups and tested restoration processes.
- Confidentiality obligations and need-to-know access for personnel.
- Vendor management and review of Sub-processors.
Schedule 3 — Approved sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication and file storage hosting | Australia (Sydney region) |
| Vercel | Application hosting and content delivery | Primary hosting configured for Australia where available; global content delivery network |
| Resend | Transactional and notification email delivery | United States (email content in transit) |
Sub-processors located or reachable outside Australia are treated as overseas disclosures, and Neuva takes reasonable steps under APP 8 in respect of them.