Data Processing Agreement
Last updated: 3 April 2026 · Applies to: MERIT Lumina KPI Platform · Version: 2.0
1. Parties and Purpose
This Data Processing Agreement (“DPA”) is entered into between Merit Vision Pty Ltd (“Processor”) and the Client organisation (“Controller”) named in the relevant Engagement Document. It governs the processing of personal data carried out by us on the Client's behalf in connection with the MERIT Lumina platform (“the Platform”).
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth).
- Processing — any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- NDIS Participant Data — personal data of National Disability Insurance Scheme participants processed through the Platform.
- Engagement Document — the written services agreement, statement of work, or order form between Merit Vision and the Client under which the Platform is delivered.
3. Scope of Processing
We process personal data only to the extent necessary to provide the Platform services described in the Terms of Service and the relevant Engagement Document, and as instructed by the Client. We do not process Client personal data for our own purposes, and we do not disclose it to third parties except as required to deliver the service or as mandated by law.
4. Cross-Border Data Transfers
We will not transfer the Client's personal data outside the jurisdiction agreed in the Engagement Document without the Client's express written consent, except where required by law. Where any cross-border processing arrangements apply, they are documented in the relevant Engagement Document.
5. Security Measures
We implement the following technical and organisational measures to protect personal data:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls restricting data access to authorised personnel
- Comprehensive audit logging of all data access and modifications
- Regular security assessments and vulnerability scanning
- Staff training on privacy and data security obligations
- Documented incident response procedures, including breach notification
6. Sub-processors
We may engage sub-processors to assist in delivering the Platform. All sub-processors are bound by data protection obligations equivalent to those in this DPA. Current sub-processors include cloud infrastructure providers and other service providers necessary to operate the Platform. We will give the Client reasonable advance notice of any material change to our sub-processor arrangements.
7. Data Retention and Deletion
We retain personal data for the duration of the Client's engagement and for up to 90 days after termination, after which it is securely deleted or anonymised. The Client may request earlier deletion of their data at any time. Retention periods may be extended where required by law (for example, NDIS record-keeping obligations) or where otherwise stated in the Engagement Document.
8. Breach Notification
In the event of a personal-data breach that is likely to result in serious harm, we will notify the Client without undue delay, and in any event within 72 hours of becoming aware of the breach. We will cooperate with the Client in meeting any notification obligations under the Notifiable Data Breaches scheme and applicable law.
9. Audit Rights
The Client may request reasonable evidence of our compliance with this DPA once per calendar year. We will respond to audit requests within 30 business days.
10. Relationship to Other Agreements
This DPA forms part of, and is to be read together with, the Terms of Service, the Privacy Policy, and the relevant Engagement Document. Where any inconsistency exists, the Engagement Document prevails to the extent of the inconsistency.