
Data Processing Addendum

Last updated: 9 June 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Notion Tech Pty Ltd (ACN 698 318 124) and the Provider (the “Customer”) and applies where Notion Tech Pty Ltd processes personal information (including sensitive and health information) on the Customer’s behalf through the Rostery Service.

1. Roles

In respect of personal information contained in Customer Data, the Customer is the entity responsible for that information (the data custodian) and Notion Tech Pty Ltd processes it as the Customer’s service provider, only on the Customer’s documented instructions (including as set out in the Terms and as effected through the Customer’s use of the Service).

2. Scope & nature of processing

  • Subject matter: provision of the Rostery Service.
  • Categories of data subjects: the Customer’s workers, NDIS participants/clients, and their family/guardians.
  • Types of data: contact and identity data, employment/qualification data, location (EVV), care and health information, medication records, incidents, notes, media, and billing data.
  • Purpose: hosting, processing and making the data available to the Customer to operate its services, plus support, security and improvement of the Service.

3. Our obligations

  • process personal information only on the Customer’s instructions and as permitted by law;
  • implement appropriate technical and organisational security measures (consistent with APP 11), including encryption, access controls, tenant isolation, audit logging and backups;
  • ensure personnel who access the data are subject to confidentiality obligations;
  • assist the Customer, taking into account the nature of processing, to respond to individuals’ access/correction requests and to meet the Customer’s security and breach-notification obligations.

4. Sub-processors

The Customer authorises Notion Tech Pty Ltd to engage sub-processors to provide the Service, including cloud hosting (in Australia), communications (email/SMS) providers, payment processors, and AI providers. We impose data-protection obligations on sub-processors substantially consistent with this DPA and remain responsible for their performance. A current list is available on request.

5. Cross-border processing

Customer Data is primarily hosted in Australia. Certain sub-processors (in particular AI and communications providers) may process limited data overseas, including in the United States. We take reasonable steps to ensure overseas recipients handle the data consistently with the Australian Privacy Principles.

6. Data breaches

We will notify the Customer without undue delay after becoming aware of a data breach affecting Customer Data, and provide reasonable information to assist the Customer to meet its obligations under the Notifiable Data Breaches scheme and any applicable NDIS notification requirements.

7. Return & deletion

On expiry or termination, the Customer may export Customer Data for a reasonable period. Thereafter we will delete or de-identify Customer Data, except to the extent retention is required by law or for the Customer’s NDIS record-keeping obligations (records may need to be retained for up to seven years or longer). The Customer is responsible for determining and instructing applicable retention periods.

8. Audits

On reasonable written request and notice (no more than once per year, except following a breach), we will make available information reasonably necessary to demonstrate compliance with this DPA.

9. Liability

The liability of each party under this DPA is subject to the limitations and exclusions in the Terms of Service.

10. Contact

Notion Tech Pty Ltd (ACN 698 318 124) — info@rostery.com.au