Data Processing Agreement
Last updated: 19 April 2026
1. Parties and Purpose
This Data Processing Agreement (“DPA”) is entered into between Merit Vision Pty Ltd (“Processor”, “we”, “us”) and you, the subscriber organisation (“Controller”). It governs the processing of personal data carried out by us on your behalf when you use the MERIT Lumina platform (the “Platform”).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth)
- Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion
- NDIS Participant Data: Personal data of National Disability Insurance Scheme participants processed through the Platform
3. Scope of Processing
We process personal data only to the extent necessary to provide the Platform services described in the Terms of Service and as instructed by you. We do not process your data for our own purposes or disclose it to third parties except as required to deliver the service or as mandated by law.
4. Data Location
All personal data is stored and processed on servers physically located in Australia. We do not transfer personal data outside Australia without your express written consent, except where required by Australian law.
5. Security Measures
We implement the following technical and organisational measures to protect personal data:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls restricting data access to authorised personnel
- Comprehensive audit logging of all data access and modifications
- Regular security assessments and vulnerability scanning
- Staff training on privacy and data security obligations
- Incident response procedures including breach notification
6. Sub-processors
We may engage sub-processors to assist in delivering the Platform. All sub-processors are bound by equivalent data protection obligations. Current sub-processors include cloud infrastructure providers operating within Australia. We will notify you of any significant changes to sub-processors with reasonable advance notice.
7. Data Retention and Deletion
We retain personal data for the duration of your subscription and for up to 90 days after termination, after which it is securely deleted or anonymised. You may request early deletion of your data via our contact page. Retention may be extended where required by law (e.g. NDIS record-keeping obligations).
8. Breach Notification
In the event of a data breach that is likely to result in serious harm, we will notify you within 72 hours of becoming aware of the breach, and will cooperate with you in meeting any notification obligations under the Notifiable Data Breaches scheme.
9. Audit Rights
You may request reasonable evidence of our compliance with this DPA once per calendar year. We will respond to audit requests within 30 business days.
10. Contact
For data processing enquiries, please use our contact page.