Last updated: June 2nd, 2026
Data Processing Agreement
This Data Processing Agreement (DPA) governs how BNDRY Pty Ltd processes personal information on behalf of customers. It operates under Australia's Privacy Act 1988 (Cth) and Australian Privacy Principles, with additional EU GDPR and UK GDPR requirements where applicable.
1. Introduction
BNDRY Pty Ltd acts as a data processor for customers (controllers) handling personal and sensitive information. Each party remains directly bound by their own privacy obligations — BNDRY's processor role does not exempt it from its own responsibilities under applicable law.
BNDRY maintains ISO/IEC 27001:2022 certification and aligns with APRA Prudential Standard CPS 234 for regulated entities.
2. Key Definitions
- Applicable Data Protection Law: Privacy Act 1988 (Cth) and APPs, plus EU/UK GDPR where relevant
- Eligible Data Breach: As defined in the Privacy Act's Notifiable Data Breaches scheme
- Personal Information: Includes sensitive categories — health data, biometric information, racial origin, religious beliefs, sexual orientation, and criminal records
- Security Incident: Unauthorised access to, or loss, misuse, interference, modification, or disclosure of controlled information
- Sub-processor: Third parties engaged by BNDRY to process information on the customer's behalf
3. Roles and Precedence
The customer determines processing purposes and means. BNDRY processes information only per documented customer instructions. BNDRY may create anonymised or de-identified data for its own purposes.
Document hierarchy: Terms & Conditions > Data Processing Agreement > Privacy Statement > Privacy Policy.
BNDRY may update non-material operational aspects via service notice. Changes materially reducing protections or increasing customer obligations require written agreement.
4. Customer Obligations
The customer must:
- Possess a valid legal basis for all processing, including consent for sensitive information before disclosure to BNDRY
- Provide documented processing instructions
- Prevent instructions that breach applicable privacy laws
- Promptly notify BNDRY of processing changes
- Ensure information accuracy, quality, and lawful collection
- Implement safeguards protecting data integrity before transmission
- Respond to individual requests and regulator enquiries (with BNDRY assistance)
- Provide escalation contacts and promptly report security incidents
5. BNDRY's Obligations
BNDRY must:
- Process only per documented customer instructions (except where legally compelled)
- Bind personnel to confidentiality obligations
- Implement technical and organisational measures per Annex II
- Apply privacy-by-design principles
- Assist customers exercising individual rights (access, correction, deletion)
- Support privacy and data protection impact assessments
- Maintain processing activity records
- Notify customers of security incidents within specified timeframes
- Return or delete information per clause 12
6. Sub-Processing
BNDRY may engage sub-processors if:
- An updated list is maintained at trust.bndry.net
- Written terms impose protections equivalent to this agreement
- Prior notice is given; customers may object within 15 calendar days
Valid objections allow customers to suspend or terminate affected services without penalty.
7. Security and Breach Notification
BNDRY must notify the customer without undue delay — and within 48 hours maximum — after becoming aware of a Security Incident, including the nature, scope, impact, and mitigation steps.
Notifications go to designated privacy, legal, or risk contacts, not public status pages.
BNDRY assists in incident investigation and cooperates in determining notification obligations under the Notifiable Data Breaches scheme. BNDRY cannot notify regulators, individuals, or third parties without customer instruction, except when required by law or in exigent circumstances.
8. Cross-Border Disclosure
BNDRY remains accountable under the APPs for overseas recipients' handling of information. Disclosures require written notification to the customer of destination jurisdiction and reason.
Standing arrangements with overseas sub-processors are listed at trust.bndry.net with location and purpose documented. Where EU/UK GDPR applies, approved transfer mechanisms (Standard Contractual Clauses, UK International Data Transfer Addendum) are implemented with transfer impact assessments.
9. Digital Identity Verification
Where services involve identity verification, the following conditions apply:
- Verification supports lawful business functions or legal obligations only — not profiling, tracking, advertising, or market research
- Informed, express consent is obtained before verification per guidance at bndry.net/legals/identity-verification
- Match results are logged and retained for seven years
- Verification results are not disclosed to third parties
10. AML/CTF Obligations
Where the customer is an AML/CTF Act 2006 (Cth) reporting entity:
- The customer must retain due diligence records for seven years post-relationship
- BNDRY retains these records on the customer's behalf during the service period
- Collection is limited to AML/CTF necessity, consistent with OAIC guidance
- All handling avoids contravening AML/CTF tipping-off prohibitions
11. Audit Rights
BNDRY must provide information reasonably necessary to demonstrate compliance, including independent audit summaries (ISO/IEC 27001, SOC 2) and certifications.
Customers may not conduct facility or system audits unless a regulator requires one, or a material Security Incident has occurred and the information provided proves insufficient. Any such audit must be limited in scope, pre-agreed, confidential, and minimally disruptive.
12. Return or Deletion of Data
Upon service termination or expiry, within 30 days BNDRY must delete or return all personal information per customer choice. Seven-year retention obligations for identity verification and AML/CTF records remain the customer's responsibility post-termination.
13. Governing Law
New South Wales law governs this agreement. Disputes follow the Terms & Conditions resolution procedures. EU/UK GDPR mandatory jurisdiction for individual complaints or regulatory enforcement takes precedence where applicable.
Annex I: Processing Details
- Individuals covered: Patrons, members, guests, staff whose identity BNDRY verifies or whose information the customer processes
- Personal information categories: Identity and contact details, identity document details, verification records
- Sensitive information: Biometric data for identity verification purposes
- Processing purpose: Identity verification and information collection supporting regulatory and compliance obligations, including AML/CTF requirements
- Processing duration: Agreement term; information returned or deleted upon termination per clause 12
- Storage locations: Australia-based; overseas sub-processor access listed at trust.bndry.net
Annex II: Security Measures
BNDRY implements ISO/IEC 27001:2022 Annex A controls across four themes:
- Organisational: Board-approved policies, defined roles, asset inventory, supplier management, incident management, business continuity, regulatory compliance
- People: Pre-engagement screening, confidentiality obligations, information security training, disciplinary processes, secure remote-work rules
- Physical: Perimeter security, entry controls, monitoring, environmental protection, secure media disposal via certified hosting providers
- Technological: Least-privilege access with multi-factor authentication, encryption in transit and at rest, network segregation, monitoring, logging, malware protection, vulnerability management, secure development, change management, environment separation, data deletion
The Statement of Applicability mapping individual ISO controls, and non-sensitive summaries of penetration test results, are available upon customer request.