Data Processing Agreement

How we handle the personal information you process about your own clients.

Last updated: 29 June 2026

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Use between Get a Handl PTY LTD (ABN 53 676 423 304), trading as Handl Billing (“Handl”, “Processor”), and the customer that has accepted those Terms (“Customer”, “Controller”). It applies whenever Handl processes Personal Data on the Customer’s behalf in providing the Service.

If there is any conflict between this DPA and the Terms of Use in relation to the processing of Personal Data, this DPA prevails.

1. Definitions

  • “Privacy Laws” means the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), together with any other data protection laws that apply to the Customer’s use of the Service.
  • “Personal Data” means information about an identified or reasonably identifiable individual that the Customer uploads to, or generates within, the Service — for example the names and contact details of the Customer’s own clients, and related billing and project information (“Customer Personal Data”).
  • “Processing” means any operation performed on Personal Data (collecting, storing, using, disclosing, deleting, and so on).
  • “Data Subject” means the individual the Personal Data is about.
  • “Sub-processor” means a third party engaged by Handl to process Customer Personal Data.
  • Terms not defined here have the meaning given in the Terms of Use.

2. Roles of the parties

For Customer Personal Data, the Customer is the controller and Handl is the processor. The Customer determines the purposes and means of processing; Handl processes only to provide the Service and on the Customer’s instructions.

(Separately, Handl is the controller of the Customer’s own account information — for example the account holder’s name and login. That processing is governed by Handl’s Privacy Policy, not this DPA.)

3. Customer instructions

  • Handl will process Customer Personal Data only on the Customer’s documented instructions. The Terms of Use, this DPA, and the Customer’s configuration and use of the Service together constitute those instructions.
  • Handl will tell the Customer if, in its opinion, an instruction breaches Privacy Laws (without obligation to give legal advice).

4. Customer obligations

The Customer warrants that:

  • it has a lawful basis to collect and share the Customer Personal Data it puts into the Service, and to have Handl process it;
  • it has given any notices and obtained any consents required under Privacy Laws; and
  • its instructions to Handl comply with Privacy Laws.

5. Handl’s obligations

Handl will:

  • process Customer Personal Data only as set out in Clause 3;
  • ensure that personnel authorised to process Customer Personal Data are bound by confidentiality;
  • implement and maintain the security measures in Annex B;
  • assist the Customer, taking into account the nature of the processing, with responding to Data Subject requests (Clause 7) and with the Customer’s own breach-notification and compliance obligations (Clause 9), so far as Handl reasonably can; and
  • on termination, delete or return Customer Personal Data in accordance with Clause 12.

6. Sub-processors

  • The Customer gives general authorisation for Handl to engage the Sub-processors listed in Annex C to process Customer Personal Data.
  • Handl will impose data-protection obligations on each Sub-processor that are materially no less protective than this DPA, and remains responsible for its Sub-processors’ performance.
  • Handl will give the Customer notice (by updating Annex C, the Privacy Policy, or by email) before adding or replacing a Sub-processor. If the Customer reasonably objects on data-protection grounds, the parties will discuss in good faith; if the concern can’t be resolved, the Customer may stop using the affected part of the Service or terminate.

7. Data Subject requests

If Handl receives a request from a Data Subject relating to Customer Personal Data (for example, a request to access, correct, or delete it), Handl will not respond directly except to confirm it should be directed to the Customer, and will forward the request to the Customer without undue delay. Handl will provide reasonable assistance to enable the Customer to respond.

8. Security

Handl will maintain technical and organisational measures appropriate to the risk, as described in Annex B, designed to protect Customer Personal Data against misuse, loss, and unauthorised access, modification, or disclosure.

9. Personal data breach

If Handl becomes aware of a breach affecting Customer Personal Data, Handl will notify the Customer without undue delay and provide the information reasonably available to help the Customer meet its obligations under the Privacy Act’s Notifiable Data Breaches scheme (or other applicable law), including the nature of the breach, the data affected (where known), and the steps taken in response.

10. Overseas processing

Customer Personal Data may be stored and processed outside Australia by Handl’s Sub-processors (including in the United States — see Annex C). Handl will take steps reasonable in the circumstances to ensure those Sub-processors handle Customer Personal Data in a manner consistent with the APPs and this DPA. Where another privacy law requires a specific cross-border transfer mechanism, the parties will put appropriate arrangements in place.

11. Records and audit

Handl will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice, no more than once in any 12-month period (unless required by a regulator or following a breach), and subject to confidentiality, Handl will respond to a reasonable written audit questionnaire; where a Sub-processor provides an independent audit report or certification, Handl may provide that report to satisfy this clause.

12. Return or deletion

On termination of the Service, the Customer may export its data. Handl will then delete or de-identify Customer Personal Data within a reasonable period, except to the extent it is required to retain it by law (for example, financial records).

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Use.

14. Term and governing law

This DPA takes effect when the Customer accepts the Terms of Use and continues for as long as Handl processes Customer Personal Data. It is governed by the laws of New South Wales, Australia.

Annex A — Details of processing

  • Subject matter: Handl’s provision of the billing and financial-operations Service to the Customer.
  • Duration: for the term of the Customer’s use of the Service, plus any legally required retention period.
  • Nature and purpose: generating, sending, and tracking invoices and reminders; managing scope-change orders; enabling payments via Stripe; cash-flow reporting; and the AI-assisted features the Customer enables.
  • Types of Personal Data: names, contact details, and business information of the Customer’s clients; invoice, project, milestone, rate, and payment-status data; and communications content the Customer creates in the Service.
  • Categories of Data Subjects: the Customer’s clients and their personnel, and any individuals the Customer includes in its billing and project data.

Annex B — Security measures

  • Encryption of Customer Personal Data in transit.
  • Access controls limiting access to personnel who need it, with authentication.
  • Use of reputable infrastructure providers (see Annex C) with their own security certifications.
  • Card data handled by Stripe under its PCI-DSS certification; Handl does not store full card numbers.
  • Logging and monitoring designed to detect and respond to security events.
  • Procedures to delete or de-identify Customer Personal Data when no longer required.

Annex C — Approved Sub-processors

Sub-processor | Purpose | Region
Stripe | Payment processing (on the Customer’s connected account) | Global (incl. US)
Google Cloud (incl. Gemini) | Application hosting, storage, email infrastructure, and AI features | Global (incl. US)

This list mirrors §6 of the Privacy Policy and is kept in sync with it.