Data Processing Agreement

Last Updated: January 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Adam McVeigh trading as TapHead.co ("Processor") and the Customer ("Controller") for the provision of the HeadOS platform services.

This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with applicable Data Protection Laws, including the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), and the UK GDPR.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Data Subject" means the individual to whom Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to process Personal Data.

3. Scope of Processing

3.1 Subject Matter

The Processor will process Personal Data as necessary to provide the HeadOS platform services as described in the Terms and Conditions.

3.2 Categories of Data Subjects

  • Customer employees and authorised users
  • Customer's clients and contacts
  • Suppliers and business partners of the Customer

3.3 Types of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Business information (company names, addresses, job titles)
  • Transaction data (invoices, orders, payment references)
  • Communication records stored in the Service

4. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Controller with Data Subject requests
  • Notify the Controller of data breaches without undue delay
  • Delete or return Personal Data upon termination of services
  • Make available information to demonstrate compliance

5. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Logging and monitoring of access
  • Business continuity and disaster recovery procedures
  • Employee security awareness training

6. Sub-processors

The Controller authorises the Processor to engage Sub-processors. Current Sub-processors include:

  • Cloudflare, Inc. (USA) - Hosting and content delivery
  • Stripe, Inc. (USA) - Payment processing
  • Resend (USA) - Email delivery
  • Integration partners as directed by Controller (QuickBooks, Xero, etc.)

The Processor will notify the Controller before adding new Sub-processors, providing an opportunity to object. Sub-processors are bound by equivalent data protection obligations.

7. International Transfers

Personal Data may be transferred to countries outside Australia, the EEA, or the UK. Such transfers are protected by appropriate safeguards including Standard Contractual Clauses approved by the European Commission and adequacy decisions where applicable.

8. Data Subject Rights

The Processor will assist the Controller in responding to Data Subject requests including access, rectification, erasure, restriction, portability, and objection. The Processor will notify the Controller of any requests received directly from Data Subjects.

9. Data Breach Notification

The Processor will notify the Controller of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken.

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor will provide necessary information and access to demonstrate compliance. The Controller bears the cost of audits unless a material breach is discovered.

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will delete or return all Personal Data within 30 days, unless retention is required by law.

12. Contact

Data Protection Contact:
Adam McVeigh trading as TapHead.co
Email: info@taphead.co