
Data Processing Agreement

Vick Solutions Pty Ltd (Trading as Digital Roadmap) — ABN 34 657 016 487
Version 1.0  ·  Effective 21 May 2026

This DPA incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by Commission Implementing Decision 2021/914 of 4 June 2021, and the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner’s Office (effective 21 March 2022). It is binding on Vick Solutions Pty Ltd (“Processor”) and the subscribing organisation (“Controller”).

Parties

Data Controller: The organisation that has accepted the Roadmapp Terms of Service and operates a Roadmapp account (“Customer” or “Controller”). Controller details are as recorded in the Roadmapp account at the time of acceptance.
Data Processor: Vick Solutions Pty Ltd (ABN 34 657 016 487), trading as Digital Roadmap, operating the Roadmapp platform at app.roadmapp.com.au
Contact: hello@roadmapp.com.au

1. Definitions

In this DPA:

  • “Controller Personal Data” means personal data processed by the Processor on behalf of the Controller under this DPA.
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed.
  • “GDPR” means EU Regulation 2016/679 (General Data Protection Regulation).
  • “UK GDPR” means the GDPR as retained in UK law by the Data Protection Act 2018.
  • “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision 2021/914, Module 2 (Controller to Processor), as set out in Annex III.
  • “IDTA” means the UK International Data Transfer Agreement issued by the ICO (effective 21 March 2022).
  • “Services” means the Roadmapp project and portfolio management platform and any related services provided to the Controller.
  • “Sub-processor” means any third party engaged by the Processor to process Controller Personal Data.
  • “Supervisory Authority” means (as applicable) the relevant EU national data protection authority, the UK Information Commissioner’s Office (ICO), or the Australian Office of the Australian Information Commissioner (OAIC).
  • Terms not defined here have the same meaning as in the GDPR / UK GDPR.

2. Processing Instructions

The Processor shall process Controller Personal Data only on documented instructions from the Controller, including as set out in Annex I (Description of Processing) and as updated from time to time in writing, unless required to do so by applicable law — in which case the Processor shall, to the extent permitted by law, inform the Controller of that legal requirement before processing.

The Controller’s use of the Services constitutes documented instructions to the Processor to process Controller Personal Data as described in Annex I. The Controller warrants that it has authority to give those instructions and that those instructions are lawful.

3. Processor Obligations

The Processor shall:

  1. Process Controller Personal Data only on documented instructions from the Controller (Section 2).
  2. Ensure that persons authorised to process Controller Personal Data are bound by appropriate confidentiality obligations.
  3. Implement technical and organisational security measures appropriate to the risk, as described in Annex II.
  4. Respect the Sub-processor restrictions in Section 5 and maintain an up-to-date list of Sub-processors.
  5. Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests, taking into account the nature of the processing and insofar as this is possible.
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of the processing and information available to the Processor.
  7. At the Controller’s choice, delete or return all Controller Personal Data after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of the personal data.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR, and allow for and contribute to audits and inspections as set out in Section 6.
  9. Notify the Controller immediately if, in the Processor’s opinion, an instruction from the Controller infringes the GDPR or UK GDPR.

4. Security Measures

The Processor has implemented the technical and organisational measures described in Annex II to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures take into account:

  • The state of the art and costs of implementation.
  • The nature, scope, context, and purposes of processing.
  • The risk of varying likelihood and severity to the rights and freedoms of Data Subjects.

The Controller acknowledges that security measures evolve over time and the Processor may update the measures in Annex II provided the overall level of protection is not diminished.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the Sub-processors listed in Annex IV. The Processor shall:

  • Provide at least 30 days’ prior written notice (by email or in-app notification) before engaging any new Sub-processor or materially changing an existing Sub-processor’s role.
  • Impose data protection obligations on each Sub-processor at least equivalent to those in this DPA.
  • Remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

If the Controller reasonably objects to a new Sub-processor within 14 days of notice, the parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the affected Services on 30 days’ written notice without penalty.

6. Audit Rights

The Processor shall make available to the Controller, upon reasonable request (no more than once per calendar year except where required by a Supervisory Authority), information necessary to demonstrate compliance with this DPA.

The Controller or an independent auditor appointed by the Controller may conduct an audit of the Processor’s data processing facilities and practices relevant to this DPA, subject to:

  • At least 30 days’ prior written notice.
  • Reasonable confidentiality protections.
  • Audit scope limited to Controller Personal Data and the Processor’s relevant processing activities.
  • The Controller bearing its own costs and a reasonable share of the Processor’s direct costs of facilitating the audit.

As an alternative to a direct audit, the Processor may provide a current independent third-party security certification (e.g. SOC 2 Type II report or equivalent) in satisfaction of this obligation.

7. Personal Data Breach

The Processor shall notify the Controller of a personal data breach affecting Controller Personal Data without undue delay and in any case within 48 hours of becoming aware of it. Notification shall include, to the extent then known:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records affected.
  • Contact details of the Processor’s privacy contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach and mitigate its effects.

Notification may be provided in stages as information becomes available. The Controller is responsible for any notifications to Supervisory Authorities or Data Subjects that are required under Articles 33–34 GDPR / UK GDPR.

8. Data Return and Deletion

Upon termination or expiry of the Services, the Processor shall, at the Controller’s election:

  • Return: Provide an export of all Controller Personal Data in a common machine-readable format (CSV/JSON) within 30 days of request.
  • Delete: Permanently delete all Controller Personal Data from production systems within 30 days of the end of the Services, and from backup systems within 90 days, unless applicable law requires longer retention.

The Processor shall provide written certification of deletion on the Controller’s request. Deletion obligations apply to all Sub-processors as well.

9. International Data Transfers

9.1 Transfers from the EU/EEA to Australia

Controller Personal Data originating in the EEA is transferred to Australia (a third country without an EU adequacy decision) under the EU Standard Contractual Clauses (Module 2: Controller to Processor) as set out in Annex III. The SCCs are incorporated into this DPA in full and shall prevail over this DPA to the extent of any inconsistency.

The Processor has conducted a Transfer Impact Assessment (TIA) and confirms that Australian law does not unduly impair the protections afforded by the SCCs, based on the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the nature of Australian government access laws. The TIA is available on request.

9.2 Transfers from the UK to Australia

Australia benefits from a UK adequacy regulation under Section 17A of the UK Data Protection Act 2018. Transfers of Controller Personal Data from the UK to Australia are therefore permitted without additional safeguards.

For transfers onward from Australia to US-based Sub-processors (Supabase, Netlify, Microsoft), the UK International Data Transfer Agreement (IDTA) as issued by the ICO (effective 21 March 2022) applies and is incorporated into this DPA as Annex III(b).

9.3 Sub-processor Transfer Chains

The Processor ensures that all Sub-processors listed in Annex IV have executed appropriate transfer mechanisms (SCCs, IDTA, or adequacy) to cover any onward transfers of Controller Personal Data outside the EEA or UK.

10. UK GDPR — Specific Provisions

This DPA shall be read in a manner consistent with the UK GDPR where the Controller is established in, or processes personal data in, the United Kingdom. References to “GDPR” in this DPA shall, in relation to UK personal data, be read as references to the “UK GDPR”. References to supervisory authorities include the ICO. References to SCCs include the IDTA where required for UK transfers.

11. Term

This DPA comes into effect when the Controller first accepts the Roadmapp Terms of Service and remains in force for as long as the Processor processes Controller Personal Data under the Services, including for the data return/deletion period described in Section 8.

Annex I — Description of Processing Activities

This Annex forms Annex I to the EU SCCs (Module 2) and the equivalent Schedule to the UK IDTA.

A. List of Parties

Data exporter (Controller): The Customer organisation as identified in its Roadmapp account.
Data importer (Processor): Vick Solutions Pty Ltd (ABN 34 657 016 487), app.roadmapp.com.au

B. Description of the Transfer

Categories of data subjects: Employees, contractors, and consultants of the Controller who are assigned as users of the platform, and third parties (stakeholders, sponsors, resource personnel) whose details are entered by the Controller.
Categories of personal data: Name, work email address, job title, phone number (optional), project and task assignments, timesheet entries, resource allocation data, RAID log entries, stakeholder register entries, uploaded documents, system access logs, IP addresses.
Special categories of data: None. The Controller is responsible for ensuring no special category data is entered into the platform.
Frequency of transfer: Continuous (real-time as the Controller uses the Services).
Nature of processing: Storage, retrieval, organisation, structuring, display, analysis, and deletion of project management and portfolio data.
Purpose of processing: To provide the Controller with the project and portfolio management Services as described in the Terms of Service.
Duration of retention: For the duration of the Services plus 30 days for data export, or as required by applicable law.

C. Competent Supervisory Authority

For EU data subjects: the supervisory authority in the EU member state where the Controller is established, or where the data subjects affected by the processing are located.
For UK data subjects: the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Annex II — Technical and Organisational Security Measures

This Annex forms Annex II to the EU SCCs (Module 2) and the equivalent Schedule to the UK IDTA.

The following measures are implemented and maintained by Vick Solutions Pty Ltd in respect of Controller Personal Data:

Encryption

  • All data in transit encrypted using TLS 1.2 or higher.
  • All data at rest encrypted using AES-256 (managed by Supabase / AWS).
  • Passwords stored using bcrypt/Argon2 one-way hashing — never in plaintext.

Access Controls

  • Row-level security (RLS) policies enforced at the database layer — users can access only data belonging to their own organisation.
  • Five-tier role-based access control (RBAC): member, gatekeeper, project_manager, portfolio_manager, admin.
  • Multi-factor authentication (TOTP) available; enforceable by organisation administrators.
  • Automatic session timeout (configurable, default 15 minutes of inactivity).
  • Internal staff access to production data governed by least-privilege principles.

Availability and Resilience

  • Infrastructure hosted on AWS (ap-southeast-2) via Supabase with automated backups.
  • Point-in-time recovery (PITR) enabled for the database.
  • CDN delivery via Netlify for frontend assets.

Monitoring and Incident Response

  • Comprehensive audit logging of privileged actions with IP capture.
  • Security incident response procedure with 48-hour Controller notification commitment.
  • Periodic security reviews and penetration testing.

Organisational Measures

  • Personnel with access to Controller Personal Data are bound by confidentiality obligations.
  • Staff data protection training.
  • Documented data retention and deletion procedures.
  • Sub-processor agreements requiring equivalent security standards.

Annex III — Transfer Mechanisms

A. EU Standard Contractual Clauses (Module 2)

The EU SCCs adopted by Commission Implementing Decision 2021/914 of 4 June 2021 (Module 2: Controller to Processor) are incorporated into this DPA and apply to transfers of personal data from the EEA to Australia.

Clause 7 (Docking clause): Not applicable.
Clause 11 (Redress): The optional language regarding an independent dispute resolution body is not included; disputes are resolved per Section 11 of the main DPA.
Clause 17 (Governing law): The law of the Republic of Ireland applies.
Clause 18 (Forum): The courts of the Republic of Ireland have jurisdiction.

The full text of the EU SCCs (Module 2) is available at: eur-lex.europa.eu/eli/dec_impl/2021/914/oj. The SCCs are incorporated by reference and form part of this DPA. On request, Vick Solutions Pty Ltd will provide a countersigned copy of the SCCs with this DPA.

B. UK International Data Transfer Agreement (IDTA)

The UK IDTA (version B1.0, effective 21 March 2022) issued by the Information Commissioner’s Office applies to transfers of personal data from the UK to Australia and to US-based Sub-processors.

Table 1 (Parties): As set out in Annex I of this DPA.
Table 2 (Selected SCCs): EU SCCs Module 2, as specified above.
Table 3 (Appendix): Annexes I and II of this DPA.
Table 4 (Ending the IDTA): Either party may end the IDTA if the Approved IDTA changes in a way that is not reasonably practical to comply with.

The full text of the UK IDTA is available at: ico.org.uk — International Data Transfer Agreement. The IDTA is incorporated by reference and forms part of this DPA.

Annex IV — Approved Sub-processors

Each entry lists: Sub-processor / Country / Purpose / Transfer mechanism.

  • Supabase Inc.
    Country: USA (data stored in AWS ap-southeast-2, Australia)
    Purpose: Database hosting, authentication, file storage
    Transfer mechanism: DPA + EU SCCs Module 2 / UK IDTA
  • Amazon Web Services Inc.
    Country: USA (data stored in ap-southeast-2, Australia)
    Purpose: Cloud infrastructure (via Supabase)
    Transfer mechanism: AWS Customer Agreement + SCCs
  • Netlify Inc.
    Country: USA
    Purpose: Web application hosting and CDN (static assets only — no personal data at CDN edge)
    Transfer mechanism: Netlify DPA + SCCs
  • Microsoft Corporation
    Country: USA (EU routing available)
    Purpose: Transactional email delivery via Microsoft Graph API
    Transfer mechanism: Microsoft Product Terms DPA + SCCs

The Processor will notify the Controller at least 30 days before adding any new Sub-processor. The current Sub-processor list is maintained in the Privacy Policy, Section 5.

Acceptance

This DPA is accepted by the Controller by accepting the Roadmapp Terms of Service. Acceptance constitutes execution of this DPA and the incorporated SCCs and IDTA by both parties as of the date of acceptance.

If your organisation requires a separately countersigned DPA for procurement or compliance purposes, please contact us at hello@roadmapp.com.au. We will provide a signed copy within 5 business days.

For Vick Solutions Pty Ltd (Data Processor)

Signed on behalf of Vick Solutions Pty Ltd by acceptance of the Terms of Service.
To request a wet-signature or DocuSign copy, email: hello@roadmapp.com.au
