Data Processing Addendum
Our commitments when processing personal information on behalf of customer organisations.
Last updated: 27 May 2026
This Data Processing Addendum (the "DPA") is between Kings AI Automation Pty Ltd (ACN 697 368 282, ABN 31 697 368 282) ("KAINDIS", "we") and the customer organisation that has accepted the KAINDIS Terms of Service (the "Customer"). It is incorporated into and forms part of the Terms of Service. This online DPA is the current and authoritative version and supersedes any earlier published DPA, including any earlier PDF.
1. Definitions
- "Personal Information" has the meaning given in the Privacy Act 1988 (Cth) and includes "health information" as defined in the Health Records Act 2001 (Vic).
- "Sensitive Information" has the meaning given in the Privacy Act 1988 (Cth) and includes information about an individual's health, disability and NDIS supports.
- "Customer Data" means Personal Information processed by KAINDIS on behalf of the Customer through the platform.
- "Eligible Data Breach" has the meaning given in Part IIIC of the Privacy Act 1988 (Cth).
- "Personal Data Breach" means any unauthorised access to, unauthorised disclosure of, or loss of, Customer Data.
- "Sub-processor" means any third party engaged by KAINDIS to process Customer Data, as listed at /legal/sub-processors.
- "APPs" means the Australian Privacy Principles in Schedule 1 of the Privacy Act 1988 (Cth).
- "HPPs" means the Health Privacy Principles in Schedule 1 of the Health Records Act 2001 (Vic).
2. Roles and scope
For Customer Data, the Customer is the APP entity (and, where applicable, the "organisation" under the HPPs) and determines the purposes and means of processing. KAINDIS is the service provider acting on the Customer's documented instructions. The Customer's instructions are evidenced by the Terms of Service, this DPA, and the Customer's use and configuration of the platform. KAINDIS will promptly notify the Customer if it considers that an instruction infringes the Privacy Act 1988 (Cth), the Health Records Act 2001 (Vic) or any other applicable law, and may decline to act on the instruction pending clarification.
3. Processing details
- Subject matter: the provision of the KAINDIS NDIS booking and CRM platform.
- Duration: the term of the Customer's subscription, plus the post-termination retention period set out in clause 9.
- Categories of data subjects: NDIS participants supported by the Customer; the Customer's staff and contractors; family members, carers and nominees; the Customer's administrators and finance personnel.
- Categories of Personal Information: identification details, contact details, NDIS numbers, health and disability information, plan and funding details, goals, care notes, incident reports, GPS clock-in/out coordinates, screening checks, employment data, and billing records — as described in the Privacy Policy.
- Participant-payment metadata (where clause 12A is enabled): Stripe customer IDs, session IDs, payment intent IDs, and director acknowledgment audit records (identity of the acknowledging director, timestamp, supplied note). These identifiers are Personal Information; they are not Sensitive Information.
- Sensitive Information: we process sensitive information (including health and disability information) only on the Customer's instructions.
4. KAINDIS obligations
4.1 Confidentiality
We ensure that all personnel authorised to process Customer Data are bound by appropriate confidentiality obligations and have received privacy and information-security training.
4.2 Technical and organisational measures (TOMs)
We maintain a risk-appropriate program of TOMs, including:
- AES-256-GCM encryption at rest for NDIS numbers, medical information, and authentication secrets; TLS 1.2+ in transit with HSTS.
- PostgreSQL Row-Level Security enforcing tenant isolation on every database query.
- Role-Based Access Control with least-privilege IAM, MFA on all administrative accounts, account lockout after repeated failed logins, and capped concurrent sessions.
- Audit logging of all create/update/delete operations, including before/after snapshots; document access logging.
- Sensitive-field redaction in error and audit logs at point of capture.
- Hosting in Sydney, Australia (AWS ap-southeast-2). Disaster-recovery backups within ap-southeast-2.
- Vulnerability management; periodic penetration testing; monitoring and alerting; documented incident response procedures aligned with the ACSC Essential Eight self-assessment.
4.3 Sub-processors
The Customer provides general authorisation for KAINDIS to engage the sub-processors listed at /legal/sub-processors. We will:
- impose data-protection obligations on each sub-processor that are equivalent to those in this DPA, including obligations under APP 8.1 and HPP 9 where overseas transfers are involved;
- provide at least 14 days' written notice (sent to the Customer's nominated privacy contact and published on the Sub-processor list) before engaging a new sub-processor or materially expanding the scope of an existing one; and
- remain liable for the acts and omissions of sub-processors to the same extent as for our own acts and omissions.
If the Customer reasonably objects to a new sub-processor on data protection grounds during the notice period, the parties will discuss the objection in good faith. If we cannot accommodate the objection within 30 days, the Customer may terminate the affected subscription on written notice and we will refund any prepaid unused fees, as the Customer's sole remedy for that change.
4.4 Assistance with data-subject rights
Where an individual exercises a right under the Privacy Act 1988 (Cth) or the Health Records Act 2001 (Vic) (including access, correction, complaint or erasure), we will assist the Customer to respond, using the technical and organisational measures available in the platform (including participant-portal access controls, admin-side correction, deletion and the data export feature). We will not respond directly to data-subject requests about Customer Data without the Customer's written authorisation, except where required by law.
4.5 Personal Data Breach notification
We will notify the Customer of any Personal Data Breach involving Customer Data without undue delay after becoming aware of it, and in any event within 72 hours. The notification will include, to the extent then known:
- the nature of the breach, including categories and approximate volumes of Customer Data and data subjects affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects; and
- a contact point at KAINDIS for further information.
We will cooperate with the Customer's investigation and assist the Customer to meet any obligations under the Notifiable Data Breaches scheme. We will not notify the OAIC, the Health Complaints Commissioner (Vic) or affected individuals on the Customer's behalf without the Customer's prior written authorisation, except where required by law (including where we have an independent obligation to notify under Part IIIC of the Privacy Act 1988 (Cth) or the Health Records Act 2001 (Vic)).
4.6 Audit rights
On reasonable written notice (no less than 30 days), and no more than once every 12 months (except following a Personal Data Breach affecting the Customer), we will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This includes, in order of preference:
- our most recent independent audit reports and security questionnaires (e.g. SIG-Lite, Essential Eight self-assessment, penetration test summary);
- written responses to the Customer's targeted questions; and
- where the foregoing is insufficient and the Customer has reasonable grounds, an on-site or remote audit conducted by the Customer or a qualified third-party auditor (under confidentiality, at the Customer's cost, during business hours, and without disrupting other customers' service).
4.7 Overseas disclosures (APP 8 / HPP 9)
Some sub-processors are based outside Australia. The Customer consents to the overseas disclosure of Customer Data to those sub-processors as listed in the Sub-processor list. Before any overseas disclosure we take the steps required by APP 8.1 (including written contractual obligations equivalent to the APPs) so that the recipient handles the information consistently with the APPs.
5. Customer obligations
The Customer represents, warrants and agrees that:
- it has a lawful basis for collecting and uploading Customer Data, including obtaining all required consents from participants, staff, family members, carers and nominees;
- it will provide each individual whose Personal Information it uploads with the notices required by APP 5 and HPP 1.5 (including by giving the individual access to our Privacy Policy where appropriate);
- it will configure access controls so that only authorised users can access Customer Data, and will promptly disable accounts of departed personnel;
- it will not instruct us to process Customer Data in a way that breaches the Privacy Act 1988 (Cth), the Health Records Act 2001 (Vic), the NDIS Act 2013 (Cth), the NDIS Code of Conduct, or any other applicable law; and
- it remains the APP entity (and, where applicable, the relevant organisation under the HPPs) and is responsible for determining the lawful purposes for which Customer Data is processed.
6. AI features
Where the Customer enables AI features, Customer Data is processed by the AI sub-processors listed in the Sub-processor list (currently Anthropic for chat and suggestions; OpenAI as primary and Google as fallback for voice-to-text transcription). None of these providers train their models on Customer Data submitted via API. AI features may be disabled at the tenant level on Customer request.
7. International transfer mechanism
For any sub-processor outside Australia, we rely on contractually imposed obligations equivalent to the APPs (APP 8.1) and equivalent to the HPPs (HPP 9). For transfers to the European Economic Area, the United Kingdom or other regulated jurisdictions relevant to a particular Customer, additional standard contractual clauses or transfer impact assessments may be negotiated with enterprise customers on request.
8. Term and survival
This DPA commences when the Customer accepts the Terms of Service and continues for the duration of the subscription. The following clauses survive termination for the period necessary for their performance — that is, for as long as KAINDIS retains any Customer Data, including in disaster-recovery backups undergoing rotation: clauses 4.1 (Confidentiality), 4.2 (Technical and organisational measures), 4.4 (Data-subject rights for in-flight requests), 4.5 (Personal Data Breach notification for breaches occurring during the term or relating to retained Customer Data), 4.7 (Overseas disclosures), and 9 (Return and deletion).
9. Return and deletion on termination
Within 30 days after termination or expiry of the Customer's subscription, the Customer may self-export Customer Data and request reactivation. After that 30-day period, we will permanently delete or render irrecoverable all Customer Data, including from disaster-recovery backups in line with the backup rotation cycle, except where law requires retention. We will confirm completion of deletion in writing on request.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except that nothing limits liability that cannot lawfully be limited (including liability for fraud, wilful misconduct or for breach of the Non-Excludable Rights under the Australian Consumer Law).
11. Governing law
This DPA is governed by the laws in force in Victoria, Australia, and the parties submit to the exclusive jurisdiction of the courts of Victoria.
12. Enterprise counter-signature
Customers with enterprise procurement requirements may request a counter-signed standalone DPA on substantially the same terms by contacting kaindis@kai-auto.com.