1. Purpose

This DPA sets out the terms under which AirDoc processes personal data on behalf of the Customer in connection with the Services.

2. Roles

• Customer is the Data Controller
• AirDoc is the Data Processor

Customer determines the purposes and means of processing.

AirDoc processes data solely on Customer instructions.

3. Scope of Processing

AirDoc processes data to provide invoice automation services, including:

• ingestion of invoice data from email (Microsoft 365)
• extraction and structuring of financial information
• transmission to accounting systems (e.g. Xero)
• storage for traceability and version control

Processing is limited to what is necessary to deliver the Services.

4. Types of Data

Data processed may include:

• invoice details
• supplier information
• financial transaction data
• business contact details
• metadata associated with documents

AirDoc does not intentionally collect sensitive personal information.

5. Duration

Data is processed in near real-time and retained for up to 3 months for traceability and version control, unless otherwise required by law or agreed with the Customer.

6. Processor Obligations

AirDoc agrees to:

• process data only on documented instructions from the Customer
• not use Customer data for any purpose other than providing the Services
• implement reasonable technical and organisational security measures
• ensure personnel handling data are bound by confidentiality obligations
• assist the Customer with reasonable requests relating to data protection

7. AI Processing

AirDoc uses AI technologies to process documents.

• AI is used solely to extract and structure data
• Customer data is not used to train public or shared AI models
• Processing is limited to delivering the Services

8. Subprocessors

AirDoc may use trusted subprocessors to deliver the Services, including:

• Google Cloud (hosting and AI processing)
• Microsoft 365 (email integration)
• Xero (accounting integration)
• Intercom (support services)

AirDoc ensures subprocessors are subject to appropriate data protection obligations.

9. Data Security

AirDoc implements reasonable security measures including:

• secure cloud infrastructure in Australia
• encrypted data transmission
• access controls and authentication
• logging and monitoring

AirDoc does not guarantee absolute security but takes commercially reasonable steps to protect data.

10. Data Breach Notification

In the event of a data breach affecting Customer data, AirDoc will:

• notify the Customer without undue delay
• provide reasonable information about the incident
• take appropriate steps to mitigate the impact

11. Data Subject Rights

To the extent applicable, AirDoc will assist the Customer with:

• access requests
• correction requests
• deletion requests

provided such requests are lawful and technically feasible.

12. Data Transfers

Data is primarily hosted in Australia.

Where data is processed by subprocessors outside Australia, AirDoc will take reasonable steps to ensure appropriate safeguards are in place.

13. Customer Responsibilities

The Customer agrees that:

• it has the right to provide data to AirDoc
• it complies with applicable privacy laws
• it is responsible for reviewing and validating all outputs
• it remains responsible for all decisions made using the Services

14. Deletion or Return of Data

Upon termination of the Services, Customer data will be:

• deleted or anonymised after the retention period, unless required by law
• returned where technically feasible upon request

15. Liability

To the maximum extent permitted by law:

• AirDoc’s liability is limited in accordance with the main service agreement
• AirDoc is not responsible for financial decisions made using processed data
• AirDoc is not liable for indirect or consequential loss

16. Audit

AirDoc may provide reasonable information about its data processing practices upon request.

Formal audits are subject to:

• reasonable notice
• confidentiality obligations
• cost considerations

17. Governing Law

This DPA is governed by the laws of South Australia, Australia.

18. Contact