Data Processing Agreement
Customer data processed under the Australian Privacy Act 1988, GDPR, and applicable data protection laws. AU-hosted by default. Signed DPA available for enterprise.
Last updated: February 2026
1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data. "Processor" means FormaOS Pty Ltd, which processes data on behalf of the Controller. "Sub-processor" means any third party engaged by FormaOS to assist in processing.
2. Scope of Processing
FormaOS processes organizational compliance data, user account information, evidence artifacts, and audit trail records necessary to deliver the compliance management platform service.
- Account and authentication data
- Organization and team membership data
- Compliance evidence and policy documents
- Audit logs and activity records
- Communication and notification preferences
3. Data Security Measures
4. Sub-processors
A current list of sub-processors is maintained at formaos.com.au/trust/subprocessors. We provide 30 days' advance notice before engaging new sub-processors.
5. Data Subject Rights
FormaOS supports Controllers in fulfilling data subject rights including access, rectification, erasure, portability, and restriction of processing. Requests can be submitted via the platform or by contacting privacy@formaos.com.au.
6. Data Retention, Portability & Deletion
Data retention periods are configurable and may be tailored to your specific regulatory obligations (e.g., 7-year ASIC record retention, NDIS evidence retention requirements). Upon termination or plan cancellation, customers have 30 days to export all compliance data, evidence artifacts, and audit trail records in portable formats (CSV, JSON, ZIP). After the export window, data is securely deleted and written confirmation is available on request. No lock-in penalty applies to data portability.
7. Breach Notification
In the event of a personal data breach, FormaOS will notify the Controller in accordance with applicable law and contractual notification terms, providing details of the breach, likely consequences, and mitigation measures taken.
8. International Transfers
Data is primarily processed within Australia. Where international transfers occur (e.g., through sub-processors), they are governed by Standard Contractual Clauses or equivalent safeguards.
Request a signed DPA
Enterprise customers can request a countersigned DPA for their compliance records.