Data Processing Agreement
Version 1.0 - March 2026 | Governed by the laws of New South Wales, Australia
How to complete this agreement:
- Click Print / Save as PDF above (or use your browser's Print → Save as PDF).
- Fill in your business details and tick the applicable use cases in Section 1.2.
- Sign the signature block on the last page.
- Scan or photograph the signed pages and email them to support@chatnexus.cloud with subject line DPA Request - [Your Business Name].
- Our team will countersign and return a copy to you, then enable your account within 2 business days.
Reference Number
DPA-______-______
Date
____________________
Parties
Data Controller ("Customer")
Business Name:
ABN:
Address:
Contact Name:
Contact Email:
Data Processor ("Provider")
ChatNexus, operated by CHISTY DIGITAL FORGE (ABN: 25 864 140 160), a sole trader based in Sydney, NSW, Australia
Contact: support@chatnexus.cloud
1. Background
1.1 The Customer wishes to use the ChatNexus platform to create and deploy AI agents that will process personal information on behalf of the Customer.
1.2 The nature of the Customer's use case involves one or more of the following (tick all that apply):
- Health data or medical information
- Tenant histories or tenancy screening data
- Financial credentials or bank/card numbers
- Processing by an entity subject to privacy regulation (health provider, government contractor, tenancy DB operator, or similar)
- Other (describe):
1.3 This Agreement sets out the terms on which the Provider will process personal information on behalf of the Customer.
2. Definitions
"Personal Information" has the meaning given in the Australian Privacy Act 1988 (Cth).
"Processing" means any operation or set of operations performed on personal information, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third-party processor engaged by the Provider to process personal information on the Customer's behalf.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal information.
3. Customer Obligations (Controller)
3.1 The Customer warrants that:
- It has a lawful basis under the Australian Privacy Act 1988 (and any other applicable law) to collect and process the personal information it intends to submit to the Platform.
- It has provided appropriate privacy notices to end-users and obtained all necessary consents before submitting personal information to the Platform.
- It has disclosed in its own privacy policy that ChatNexus and the applicable LLM provider(s) act as data processors for the Customer.
- The use case described in clause 1.2 is accurate and complete. The Customer will notify the Provider promptly if the use case changes materially.
3.2 The Customer indemnifies the Provider against any claim, loss, liability, or expense arising from the Customer's failure to comply with clause 3.1.
4. Provider Obligations (Processor)
4.1 The Provider will process personal information only on the documented instructions of the Customer, except where required to do so by applicable law.
4.2 The Provider will ensure that persons authorised to process personal information are bound by confidentiality obligations.
4.3 The Provider will implement appropriate technical and organisational security measures, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for stored data
- Role-based access controls
- Audit logging of compliance events
- Application-level encryption for API keys (AES-256-CBC)
4.4 The Provider will not engage a new Sub-processor without notifying the Customer. Current Sub-processors are listed in Schedule 1.
4.5 The Provider will assist the Customer in responding to requests from individuals exercising their rights under the Australian Privacy Act 1988 (access, correction, deletion).
4.6 The Provider will delete or return all personal information to the Customer upon termination of the agreement, unless retention is required by law.
5. Sub-processors
5.1 The Customer authorises the Provider to engage the Sub-processors listed in Schedule 1.
5.2 The Provider will flow down equivalent data protection obligations to each Sub-processor.
6. International Transfers
6.1 Personal information may be transferred to and processed in the United States by the Sub-processors listed in Schedule 1.
6.2 The Provider maintains contractual safeguards (standard contractual clauses or equivalent measures) with each Sub-processor.
7. Security Incidents
7.1 The Provider will notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a Security Incident involving the Customer's personal information.
7.2 The notification will include, to the extent known at the time:
- The nature of the Security Incident
- Categories and approximate number of individuals and records affected
- Likely consequences of the incident
- Measures taken or proposed to address the incident
7.3 The Customer remains responsible for its own breach notification obligations to affected individuals and the Office of the Australian Information Commissioner (OAIC).
8. Data Retention and Deletion
8.1 The Provider retains personal information for as long as the Customer's account is active or as needed to provide the service.
8.2 Upon the Customer's written request, the Provider will delete primary account data within 30 days. Backups containing deleted data are purged within 90 days.
8.3 Billing records are retained for up to 7 years as required by Australian tax law.
9. Audit Rights
9.1 The Provider maintains an immutable audit log of compliance events (questionnaire submissions, consent records, blocked submissions, and DPA clearances).
9.2 The Customer may request a summary of audit events relating to its account by contacting support@chatnexus.cloud. The Provider will respond within 14 days.
10. Liability
10.1 The Provider's liability under this Agreement is limited to the amount paid by the Customer in the 12 months preceding the event giving rise to the claim.
10.2 Nothing in this Agreement excludes liability for fraud or death/personal injury caused by negligence.
11. Term and Termination
11.1 This Agreement commences on the date of signing and continues until the Customer's subscription to ChatNexus is terminated.
11.2 Either party may terminate this Agreement with 30 days' written notice.
11.3 Termination does not affect accrued rights or obligations.
12. Governing Law
This Agreement is governed by the laws of New South Wales, Australia.
Schedule 1 - Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI (OpenAI LLC) | LLM inference - generates AI responses | United States |
| Groq (Groq Inc.) | LLM inference - generates AI responses | United States |
| Google LLC (Gemini) | LLM inference - generates AI responses | United States |
| xAI (Grok) | LLM inference - generates AI responses | United States |
| Neon Inc. | PostgreSQL database hosting | United States |
| Render Inc. | Application hosting and deployment | United States |
| Resend Inc. | Transactional email delivery | United States |
| Stripe Inc. | Payment processing (no card data touches ChatNexus servers) | United States |
Signatures
On behalf of the Customer (Data Controller)
Name
Title / Role
Signature
Date
On behalf of ChatNexus (Data Processor)
Name
Title / Role
Signature
Date
Once signed, email the completed document to:
support@chatnexus.cloud
Use subject line: DPA Request - [Your Business Name]