Data Processing Agreement
Last updated: 2026-05-23
1. Parties and scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Exit Advisory Group Pty Ltd ("Processor") and the organisation accepting the Terms ("Controller"). It governs the processing of personal information that Controller submits to or generates via the Service.
2. Processing details
- Subject matter: processing of personal information to deliver the Service.
- Duration: for as long as Controller maintains an active account, plus the retention period in the Privacy Policy.
- Nature and purpose: AI-assisted generation of business-broker artefacts (valuations, information memoranda (IMs), add-back schedules) from financial and intake data.
- Categories of personal information: account holder details, seller representatives' details, buyer recipients' emails, financial data sourced from connected Xero organisations.
- Categories of data subjects: Controller's personnel, sellers' principals and personnel, buyers receiving share links.
3. Processor obligations
- Process personal information only on Controller's documented instructions, which comprise the accepted Terms, this DPA and the features Controller configures in the Service.
- Ensure personnel authorised to access the data are bound by confidentiality.
- Implement appropriate technical and organisational measures to secure the data (Section 5).
- Engage sub-processors only as listed in Section 6 and notify Controller of additions at least 14 days in advance.
- Assist Controller in responding to data subject requests, data breach notifications, and regulator inquiries.
- On termination, return or delete personal information in line with the Privacy Policy unless retention is required by law.
4. Controller obligations
- Have a lawful basis for submitting the personal information to the Service, including consent or authorisation from sellers whose financial information is connected.
- Not submit sensitive information within the meaning of the Privacy Act 1988 (Cth) (for example health, biometric or religious information) through the Service.
- Be responsible for data subject notices to sellers and buyers as required by the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
5. Technical and organisational measures
- Encryption in transit: all connections use TLS 1.2+.
- Encryption at rest: Xero tokens encrypted with AES-256-GCM; Supabase storage and DB encrypted at rest.
- Tenant isolation: Postgres row-level security enforced on every tenant-scoped table.
- Access control: magic-link authentication; role-based access (owner / admin / member / viewer).
- Audit logging: append-only audit_events table; UPDATE and DELETE statements against it are rejected by a database trigger.
- Backups: Supabase point-in-time recovery retained per provider defaults.
- Vulnerability management: dependency scanning and periodic security review, recorded in the Processor's internal security review document.
- Incident response: data breach notification within 72 hours of confirmation.
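The two database controls listed above, tenant isolation via Postgres row-level security and the trigger-enforced append-only audit_events table, shown as an added illustration in Postgres SQL. This is editor-supplied example code, not the Processor's schema: the deals table, the tenant_id column, the audit_events columns and the use of a session setting (app.tenant_id) to carry the caller's tenant are assumptions chosen so the snippet runs on plain Postgres. A Supabase deployment would more likely derive the tenant from the authenticated JWT in the policy expression.

```sql
-- Illustrative Postgres schema (added example; not the Processor's actual schema).
-- Assumptions: tenant-scoped tables keyed by tenant_id, and the caller's tenant
-- supplied through a hypothetical session setting app.tenant_id.

CREATE TABLE deals (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  title      text NOT NULL
);

-- 1. Tenant isolation. FORCE applies the policy to the table owner as well,
--    so an application role that owns the table cannot bypass it.
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when the setting is absent, so a
-- session with no tenant set matches no rows rather than every row.
CREATE POLICY deals_tenant_isolation ON deals
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 2. Append-only audit log: UPDATE and DELETE are rejected by a trigger.
CREATE TABLE audit_events (
  id          bigserial PRIMARY KEY,
  tenant_id   uuid NOT NULL,
  actor       text NOT NULL,
  action      text NOT NULL,
  occurred_at timestamptz NOT NULL DEFAULT now()
);

CREATE OR REPLACE FUNCTION audit_events_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_events is append-only: % not permitted', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- Row-level trigger covers UPDATE and DELETE ...
CREATE TRIGGER audit_events_no_update_delete
  BEFORE UPDATE OR DELETE ON audit_events
  FOR EACH ROW EXECUTE FUNCTION audit_events_append_only();

-- ... but TRUNCATE never fires row triggers, so it needs a statement-level one.
CREATE TRIGGER audit_events_no_truncate
  BEFORE TRUNCATE ON audit_events
  FOR EACH STATEMENT EXECUTE FUNCTION audit_events_append_only();

-- Check: a tenant can insert its own event; any attempt to rewrite history fails.
SET app.tenant_id = '00000000-0000-0000-0000-000000000001';
INSERT INTO audit_events (tenant_id, actor, action)
  VALUES (current_setting('app.tenant_id')::uuid, 'owner@example.test', 'deal.created');
-- UPDATE audit_events SET action = 'edited';  -- ERROR: audit_events is append-only: UPDATE not permitted
-- DELETE FROM audit_events;                   -- ERROR: audit_events is append-only: DELETE not permitted
-- TRUNCATE audit_events;                      -- ERROR: audit_events is append-only: TRUNCATE not permitted
```

Two caveats a reviewer would check against a real deployment: a trigger only binds roles that cannot alter the table, so the application role should not own audit_events or hold the TRIGGER privilege on it (otherwise it can DROP or DISABLE the trigger), and UPDATE/DELETE/TRUNCATE should additionally be revoked from that role so the trigger is defence in depth rather than the sole control.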
6. Sub-processors
As at the date of this DPA, we engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | Sydney, Australia (ap-southeast-2) |
| Anthropic | AI inference (Claude API) | United States |
| Vercel | Web hosting, edge network | Sydney edge / United States origin |
| Inngest | Background job execution | United States |
| Resend | Transactional email | United States / European Union |
| Upstash | Rate limiting (Redis) | Sydney, Australia |
| Sentry | Error monitoring | United States |
| PostHog | Product analytics (anonymised) | United States / European Union |
Cross-border transfers to the United States are subject to standard contractual protections in our agreements with each sub-processor.
7. Data breach
We will notify Controller without undue delay and at the latest within 72 hours of confirming a data breach involving personal information. Notice will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
8. Termination
This DPA terminates when the Terms of Service terminate. On termination we will return or delete personal information per the retention provisions in the Privacy Policy.