Data Processing Agreement

Last updated: March 2026

1. Scope

This Data Processing Agreement ("DPA") supplements the IDProva Cloud Terms of Service and applies to the processing of personal data and service data by Tech Blaze Consulting Pty Ltd ("Processor") on behalf of the customer ("Controller").

2. Definitions

  • Service Data: Agent Identity Documents (AIDs), Delegation Attestation Tokens (DATs), action receipts, and associated metadata stored through IDProva Cloud.
  • Personal Data: Any data that identifies or can identify a natural person, as defined under the Privacy Act 1988.

3. Processing Purpose

The Processor will process data solely for the purpose of providing the IDProva Cloud service as described in the Terms of Service.

4. Data Residency

Where AU-only data residency is selected (Government tier), all Service Data will be processed and stored exclusively within Australian territory.

5. Sub-Processors

The Processor maintains a list of sub-processors used to deliver the service. Changes to sub-processors will be notified 30 days in advance. Current sub-processors are available upon request.

6. Security Measures

The Processor implements appropriate technical and organizational measures, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Access control and authentication for all systems
  • Regular security assessments
  • Incident response procedures
  • Audit logging of all administrative actions

7. Data Breach Notification

The Processor will notify the Controller of any data breach within 72 hours of becoming aware, including the nature of the breach, data affected, and remediation steps.

8. Data Subject Rights

The Processor will assist the Controller in responding to data subject access requests, rectification requests, and deletion requests as required by applicable law.

9. Data Return and Deletion

Upon termination, the Processor will make Service Data available for export for 30 days. After this period, all Service Data will be permanently deleted within 90 days, with written confirmation provided upon request.

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon 30 days' written notice, subject to reasonable confidentiality obligations.

11. Contact

Data processing inquiries: dpa@techblaze.com.au