Australian Privacy Act 1988 Compliant

Data Processing Agreement

This Data Processing Agreement ("DPA") sets out how Clarity Workflow handles personal data that your firm uploads to the Platform. It explains the relationship between your firm as the Data Controller and Clarity Workflow as the Data Processor, and the measures in place to protect your clients' data.

Last updated: April 2026  ·  Signed DPA available on request for Professional-tier clients

This page describes our data processing practices. Enterprise and Professional firms that require a formally executed Data Processing Agreement for their own IT governance or regulatory purposes should see Section 8 for how to request a signed copy.

1 Roles and Definitions

When insolvency practitioners use Clarity Workflow to manage their client matters, they upload personal information about their clients, creditors, directors, employees, and other third parties. In that context:

  • Your firm (the "Controller"): You determine what personal data is collected, why it is processed, and what it is used for. Your firm bears the obligations of a Data Controller under the Privacy Act 1988 (Cth) with respect to that data.
  • Clarity Workflow (the "Processor"): We process personal data solely on your firm's behalf and strictly for the purpose of providing the Platform services described in our Terms of Service. We act only on your instructions as expressed through your use of the Platform.

This arrangement is standard for B2B SaaS platforms. Your firm's obligation to its own clients under the Privacy Act and applicable insolvency regulations is not affected by this agreement.

2 Scope of Processing

Categories of Data Processed

We process the following categories of personal data on your behalf:

  • Practitioner account data — email addresses, display names, and role assignments of your firm's users
  • Client and matter data — names, addresses, contact details, and other identifying information about insolvency matter subjects (companies and individuals) entered into the Client Database
  • Financial records — bank statements (PDF, CSV, OFX, QIF), transaction histories, BSB and account numbers, categorised entries, and related financial data uploaded to the Bank Statement Analysis feature
  • Document data — documents uploaded to the Document Creator, including populated Word templates containing client variables
  • Workflow and task data — matter checklists, task completion records, due dates, and notes

Purpose of Processing

We process this data solely to provide the Platform services — that is, to store, organise, analyse (where instructed), and return data to you through the Platform interface. We do not process your data for any purpose beyond what is necessary to operate the Platform.

3 Our Obligations as Data Processor

As your Data Processor, Clarity Workflow commits to the following:

Processing on instructions only

  • We process personal data only in accordance with your firm's documented instructions, as expressed through your use of the Platform. We will not process data for any other purpose.
  • If we are required by law to process data in a way that goes beyond your instructions, we will notify you before doing so unless legally prohibited from notifying you.

Confidentiality

  • All personnel who have access to personal data held on the Platform are bound by confidentiality obligations
  • Access to production data is restricted to authorised personnel on a need-to-know basis

Technical and organisational security measures

  • Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS)
  • Encryption at rest: Sensitive personal information fields (names, contact details, financial data) are encrypted using AES-256-GCM before storage
  • Infrastructure: Production data is hosted on Microsoft Azure in East Australia (NSW) with private network endpoints not exposed to the public internet
  • Access controls: Role-based access control (RBAC) enforces least-privilege access within the Platform; multi-factor authentication (MFA) is available for all users
  • Secret management: Encryption keys and credentials are stored in Azure Key Vault, not in application source code
  • Audit logging: All significant access and data actions are logged to an immutable audit trail with timestamps, user identifiers, and IP addresses
  • Backup encryption: Automated database backups are encrypted at rest

Data breach notification

In the event of a personal data breach that affects data we hold on your behalf, we will notify your firm's owner at the registered email address within 72 hours of becoming aware of the breach. Our notification will include a description of the nature of the breach, the categories of data affected, and the steps we are taking to address it.

Where a breach constitutes an "eligible data breach" under the Notifiable Data Breaches (NDB) scheme, we will cooperate with your firm in any required notification to affected individuals and the Office of the Australian Information Commissioner (OAIC).

4 Sub-processors

We use the following sub-processors to deliver the Platform. Each is bound by data processing terms consistent with these obligations:

| Sub-processor | Purpose | Data location |
|---|---|---|
| Microsoft Azure | Infrastructure, compute, database (Azure SQL), and blob storage for uploaded files | East Australia (NSW) — no cross-region transfer of client data |
| Sentry | Error tracking and application monitoring. Personal data is anonymised before transmission — no client financial data or identifiable client information is sent to Sentry. | United States (Sentry.io infrastructure). Error payloads contain only anonymised technical data. |
| PostHog | Product analytics (page views, feature usage). All form inputs including any sensitive fields are masked and never transmitted. PostHog is explicitly excluded from all admin and site-operator pages. | United States (PostHog Cloud). No personal data from client records is included in analytics events. |
| OpenAI | AI-assisted processing of bank statement text (used only when the Bank Statement Analysis feature is active and a statement is processed). Data is transmitted only to process the specific request and is not retained or used for training by OpenAI under our API terms. | United States (OpenAI API). Limited to transaction text extracted from uploaded bank statements. |
| Stripe | Payment processing and subscription management. Stripe holds billing information only (name, email, payment details). Stripe does not have access to client matter data. | United States (Stripe infrastructure). Billing data only. |

We will notify firm owners at least 14 days in advance of adding any new sub-processor that would have access to personal data from client matters. This page will be updated to reflect any changes to the sub-processor list.

5 Data Transfers

All client matter data — including bank statements, client records, documents, and workflow data — is stored exclusively in Microsoft Azure infrastructure in East Australia (New South Wales). This data does not leave Australian soil during normal platform operation.

The following limited cross-border transfers occur as described in the sub-processor table above:

  • OpenAI: Bank statement text is transmitted to the United States for AI-assisted processing only when you use the Bank Statement Analysis feature. This transfer is necessary to provide the service. Data is not retained by OpenAI beyond the immediate processing of the request.
  • Sentry and PostHog: Anonymised technical and analytics data is transmitted. No personal client data is included in these transfers.
  • Stripe: Your firm's billing information (not client matter data) is processed by Stripe in the United States.

If your firm has specific requirements regarding cross-border data transfers, please contact us at admin@clarityworkflow.com to discuss.

6 Data Return and Deletion

You retain full control over your firm's data at all times during the subscription period. You can export client data, documents, and workflow data from within the Platform.

On termination of your subscription:

  • Your firm's data is preserved and available for export for 30 days following termination
  • After the 30-day period, all data associated with your firm — including client records, uploaded bank statements, documents, workflow data, and audit logs — is permanently and irreversibly deleted from all systems including backups
  • We will send a reminder email to the firm owner's registered email address before data deletion occurs
  • We will provide written confirmation of deletion on request, within 14 days of the deletion taking place

Individual records may also be deleted by authorised users within the Platform at any time. Soft-deleted records are permanently purged after 12 months in accordance with our standard retention policy described in the Privacy Policy.

7 Audit Rights

You have the right to request evidence that we are complying with our obligations under this DPA. We will respond to reasonable audit requests within 30 days. Audit requests may be submitted to admin@clarityworkflow.com.

We may satisfy an audit request by providing:

  • Documentation of technical and organisational security measures in place
  • Third-party security certifications or audit reports, where available
  • Responses to a standard security questionnaire (e.g. SIG Lite or equivalent)
  • Evidence of compliance with this DPA

Where an in-person or on-site audit is requested, we will work with you to arrange this at a mutually agreed time, subject to reasonable confidentiality protections for our systems and other customers' data. The costs of any audit beyond reasonable documentation requests will be borne by the requesting firm.

8 Requesting a Signed DPA

Enterprise and Professional-tier clients whose own IT governance, compliance requirements, or client-facing obligations require a formally executed Data Processing Agreement may request a signed copy.

To request a signed DPA:

  • Send an email to admin@clarityworkflow.com with the subject line "DPA Request — [Your Firm Name]"
  • Include your firm name, the name and title of the authorised signatory, and the email address to which the DPA should be sent
  • We will provide a countersigned PDF within 5 business days

DPA & Data Enquiries

admin@clarityworkflow.com

Subject: DPA Request — [Your Firm Name]

If you have questions about our data processing practices that are not addressed in this document, please contact us at the address above. We aim to respond to all data-related enquiries within 5 business days.

© 2026 Clarity Workflow. All rights reserved.