
Data Processing Agreement

Effective Date: 25 May 2026

Summary: This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between Demiton Pty Ltd and each Customer. It sets out how Demiton processes personal information on the Customer's behalf, consistent with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Customers who require a countersigned copy for procurement purposes should contact legal@demiton.io.

1. Definitions

In this DPA:

  • Agreement means the Master Services Agreement, Order Form, or subscription terms accepted by the Customer when signing up for the Demiton platform.
  • Controller means the entity that determines the purposes and means of processing Personal Data. In this context, the Customer is the Controller.
  • Customer Data means all data, including Personal Data, submitted to or retrieved from the Demiton platform by or on behalf of the Customer.
  • Demiton means Demiton Pty Ltd (ACN 681 756 879), a company incorporated in Queensland, Australia.
  • Personal Data has the meaning given in the Privacy Act 1988 (Cth): information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • Processor means the entity that processes Personal Data on behalf of the Controller. In this context, Demiton is the Processor.
  • Processing means any operation performed on Personal Data, including collection, storage, retrieval, transformation, transmission, and deletion.
  • Security Incident means any unauthorised access to, disclosure of, loss of, or destruction of Customer Data.
  • Sub-processor means any third party engaged by Demiton to process Customer Data on its behalf.

2. Roles and Relationship

The Customer is the Controller of Personal Data uploaded to or retrieved through the Demiton platform. Demiton acts as a Processor of that data and processes it only on the Customer's documented instructions, as set out in the Agreement and this DPA.

Demiton does not determine the purposes for which Personal Data is processed and does not use Customer Data for its own commercial purposes, including training AI models, benchmarking, or sale to third parties.

3. Subject Matter and Scope

Demiton processes Customer Data to provide the services described in the Agreement, including:

  • Connecting to and retrieving data from the Customer's nominated enterprise systems (ERP, payroll, workforce management, document storage) via the Demiton adapter layer.
  • Storing structured operational data in the Demiton platform database to support workflow execution and AI-assisted queries.
  • Executing Customer-directed workflows that transform, route, or deliver data between connected systems.
  • Providing an AI query interface (Studio) that grounds responses in Customer Data retrieved from connected systems.
  • Maintaining an audit trail of all data movements and workflow executions for the Customer's governance purposes.

Processing occurs for the duration of the Agreement and ceases on termination, subject to the retention obligations set out in clause 8.

4. Personal Data Processed

Demiton processes the following categories of Personal Data on the Customer's behalf:

Workforce and HR Data

  • Worker names, roles, employment status, and qualifications sourced from connected workforce management systems.
  • Timesheet entries, leave requests, and payroll records sourced from connected payroll systems.
  • Induction completions, certifications, and site-access compliance records.

Project and Financial Data

  • Project financial records, cost codes, budgets, and variance data sourced from connected ERP systems.
  • Vendor names, ABN records, procurement history, and purchase order data.
  • Scheduling, allocation, and resource demand records.

Platform User Data

  • Name, email address, and organisational role of the Customer's authorised platform users.
  • Identity claims taken from the user's Microsoft Entra ID sign-in token (the object identifier and tenant identifier). Authentication is delegated to Entra ID; passwords are never stored by Demiton.

AI Interaction Data

  • Prompts and responses generated within the AI Studio interface, where retained as Memory Records at the Customer's direction.
  • Memory Records are scoped to the Customer's organisation and are not shared with other customers or used to train Demiton's models.

5. Processor Obligations

Demiton will, in its capacity as Processor:

  • Process only on instruction. Process Personal Data only in accordance with the Customer's documented instructions, unless required to do so by Australian law.
  • Confidentiality. Ensure that personnel authorised to process Customer Data are bound by confidentiality obligations.
  • No data sales or model training. Never sell, licence, or otherwise transfer Customer Data to third parties for their own purposes, and never use Customer Data to train, fine-tune, or benchmark public AI models.
  • Security incident notification. Notify the Customer without undue delay (and in any case within 72 hours of becoming aware) of a confirmed Security Incident affecting Customer Data, and provide sufficient detail to allow the Customer to meet its own notification obligations under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).
  • Data subject assistance. Provide reasonable assistance to the Customer in responding to requests from individuals exercising rights under the Australian Privacy Principles, including access, correction, and complaint requests.

6. Sub-processors

Demiton uses the following categories of Sub-processors to deliver the service. All Sub-processors are bound by contractual obligations materially equivalent to those in this DPA.

Sub-processor      Purpose                                                        Location
Microsoft Azure    Cloud infrastructure, database, storage, identity (Entra ID)   Australia East
Anthropic          AI inference for the Studio query interface                    USA
Sentry             Error monitoring and diagnostics                               USA
Pydantic Logfire   Application performance tracing                                USA
Stripe             Payment processing and invoicing                               USA

Demiton will provide reasonable advance notice of any material changes to this Sub-processor list. Customers who object to a new Sub-processor may notify Demiton in writing; if the parties cannot resolve the objection, the Customer may terminate the Agreement on 30 days' notice without penalty.

7. Security Measures

Demiton implements technical and organisational measures appropriate to the risk, including:

  • Encryption at rest. All Customer Data stored in the Demiton database is encrypted at rest using AES-256.
  • Encryption in transit. All data in transit is encrypted via TLS 1.2 or higher.
  • Credential handling (Ghost Protocol). API keys, OAuth tokens, and system credentials exist in plaintext only in memory while in active use and are never written to disk in plaintext. Where credentials are persisted, they are encrypted with AES-256, and every access to them is audit-logged.
  • Access controls. Role-based access control enforced at the API layer. Platform users can only access data within their organisation. All access is identity-bound and audited.
  • Audit trail. An immutable, append-only audit log records all workflow executions, data movements, and adapter calls. Logs are retained for a minimum of 12 months.
  • Multi-factor authentication. MFA is enforced for all Demiton staff with access to production infrastructure.
  • Penetration testing. Demiton conducts annual penetration testing of its platform and remediates findings within defined SLAs.

8. Data Retention and Deletion

Customer Data is retained for the duration of the Agreement. On termination or expiry of the Agreement, Demiton will:

  • Provide the Customer with an export of their Customer Data in a standard machine-readable format within 30 days of written request.
  • Delete or irreversibly anonymise all Customer Data from live systems within 60 days of the termination date, unless a longer retention period is required by Australian law.
  • Certify deletion in writing upon request.

Anonymised, aggregated telemetry data that cannot be attributed to the Customer or any individual may be retained beyond this period for platform improvement purposes.

9. Assistance and Cooperation

Demiton will provide reasonable assistance to the Customer to:

  • Respond to access, correction, or complaint requests from individuals under the Australian Privacy Principles.
  • Conduct privacy impact assessments where required under the Privacy Act 1988 or by the Customer's own governance obligations.
  • Meet obligations under the Notifiable Data Breaches scheme, including by providing timely incident information and supporting the Customer's assessment of whether notification to the OAIC is required.

10. Audit Rights

The Customer may, on reasonable written notice (not less than 14 days), request an audit of Demiton's processing activities relevant to this DPA. Demiton will provide access to relevant documentation and personnel. Audits must be conducted during normal business hours, at the Customer's cost, and no more than once per 12-month period unless a Security Incident has occurred.

Demiton may satisfy audit requests by providing a current third-party audit report (such as an ISO 27001 certification or SOC 2 report) covering the relevant controls, in lieu of a bespoke audit.

11. Governing Law

This DPA is governed by the laws of Queensland, Australia. Any dispute arising from this DPA that cannot be resolved by the parties in good faith within 30 days will be referred to mediation before either party may commence legal proceedings.

Nothing in this DPA limits either party's obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles, or the Notifiable Data Breaches scheme.

12. Contact

For privacy and data processing inquiries, or to request a countersigned copy of this DPA for procurement purposes, contact:

Demiton Pty Ltd

Privacy Officer

Email: legal@demiton.io

Post: PO Box 123, Brisbane QLD 4000, Australia

This DPA is incorporated into and forms part of the Master Services Agreement between Demiton Pty Ltd and the Customer.
