Data Processing Agreement
Last updated: 31 March 2026
1. Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Acera Labs Pty Ltd ("Processor") and the entity agreeing to these terms ("Controller").
2. Definitions
- Personal Data — any information relating to an identified or identifiable individual
- Processing — any operation performed on Personal Data, including collection, storage, analysis, and deletion
- Sub-processor — a third party engaged by the Processor to process Personal Data
3. Scope of Processing
The Processor will process Personal Data solely for the purpose of providing the Platform services, including:
- Storing customer records uploaded by the Controller
- Running AI models on customer data (segmentation, propensity, CLV)
- Generating reports and insights from uploaded data
- Providing data export and activation features
4. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing the Personal Data
- It has provided appropriate privacy notices to data subjects
- It has obtained necessary consents where required
- The data uploaded does not violate any applicable law
5. Processor Obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent of the Controller
- Assist the Controller in responding to data subject requests
- Delete or return all Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
6. Security Measures
The Processor implements the following security measures:
- AES-256-GCM encryption at rest with tenant-specific keys
- TLS 1.3 encryption in transit
- PostgreSQL Row-Level Security for tenant data isolation
- RS256 JWT authentication with httpOnly cookies
- Rate limiting and abuse detection
- Complete audit trail of all data access
- PBKDF2 key derivation with 100,000 iterations for encryption keys
7. Sub-processors
The following sub-processors are currently authorised:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Infrastructure hosting | US (Oregon) |
| Anthropic | AI agent reasoning (API only) | US |
| Sentry | Error monitoring (no PII) | US |
8. Data Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach, providing:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Data Transfers
Where Personal Data is transferred outside Australia, the Processor will ensure appropriate safeguards are in place as required by the Privacy Act 1988 (APP 8).
10. Audit Rights
The Controller may audit the Processor's compliance with this DPA upon reasonable notice (no more than once per year), at the Controller's expense.
11. Term and Termination
This DPA is effective for the duration of the Terms of Service. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by law.
12. Contact
Data Protection enquiries: privacy@aceralabs.com.au