Skip to content

Data Processing Agreement (DPA)

Last Updated: 19 May 2026 | Version 2.0

This Data Processing Agreement ("DPA") supplements the Master Subscription Agreement ("MSA") between duely ("Data Processor") and the Reporting Entity / Subscriber ("Firm" or "Data Controller"). It sets out the standards and obligations for processing personal and sensitive data handled by the duely platform.

This agreement aligns with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). A separate GDPR addendum is available on request for Firms serving EU-connected clients.

1. Roles and Responsibilities

  • Data Controller: the Firm determines the purposes and parameters for processing its clients' personal data.
  • Data Processor: duely processes the data according to the documented instructions of the Firm, as provided through the platform's workflows and configuration.

1A. Scope and Duration of Processing

Categories of Data Subjects

  • Employees and personnel of the Firm (Subscriber account holders and users).
  • Clients and customers of the Firm whose data is processed for AML/CTF compliance purposes.
  • Beneficial owners, controllers, and associated parties of the Firm's clients.

Types of Personal Data Processed

  • Contact information (names, email addresses, phone numbers, residential addresses).
  • Identity documents (government-issued IDs, passport details, driver's licence information).
  • Biometric data (facial recognition, liveness, and face-match data, processed via Didit outside Australia, in the European Union).
  • Financial and business information (ABN/ACN, company structures, beneficial ownership details).
  • Screening results (PEP status, sanctions matches, adverse media findings).
  • Risk assessment data (risk ratings, enhanced due diligence records).
  • Audit trail data (user actions, timestamps, matter lifecycle events).

Duration of Processing

Processing commences on the Firm's activation of a duely subscription and continues for the duration of the subscription. On termination, data is retained for a 90-day export window as specified in the MSA, after which it is securely deleted unless a longer retention period is agreed in writing or required by law.

1B. Processor Obligations

Lawful Instructions

duely processes personal data only on documented instructions from the Firm. If duely considers that an instruction from the Firm infringes applicable privacy legislation, duely will promptly inform the Firm before carrying out the instruction, unless prohibited by law from doing so.

Personnel Confidentiality

duely ensures that all personnel authorised to process personal data on behalf of the Firm are bound by appropriate confidentiality obligations, whether by contract or by statutory duty. Access to Firm data is granted on a need-to-know basis and subject to internal access controls.

2. Technical and Organisational Measures

duely implements technical and organisational measures appropriate to the risks associated with the processing of AML/CTF data, including:

  • Encryption: AES-256 encryption for data at rest, and TLS 1.3 encryption for data in transit.
  • Access Controls: Role-Based Access Control (RBAC) segregated by tenant / Firm. Internal duely staff do not have default access to Firm matter data, and access is granted only on a temporary, audited basis when authorised by the Firm for support purposes.
  • Audit Trails: append-only event streams that record actions within matters.

3. Data Localisation

Application hosting and the primary storage of matter, document, and evidence data are located in Tier 1 data centres in the Australian region (Sydney and Melbourne). Certain specialist processing — identity verification, biometric (liveness / face-match), and AML screening — is performed by our sub-processor Didit outside Australia, in the European Union. Didit processes this data on a process-and-purge basis and does not retain it after returning the result; the resulting evidence is stored back in Australia. See the Sub-Processors list below and the cross-border transfer disclosure in the Privacy Policy.

4. Sub-Processors

duely uses sub-processors to deliver core platform functionality. The sub-processor list is maintained as a living document within this DPA.

Current Sub-Processors

  • Didit: identity verification, biometric (liveness / face-match) data, and AML (PEP / sanctions / adverse-media) screening. Processed outside Australia, in the European Union (AWS). duely operates Didit on a process-and-purge basis — identity and biometric data is deleted once the verification result is returned and is not retained by Didit. Didit is GDPR-compliant and holds ISO 27001 and SOC 2 (Type I) certification.
  • InfoTrack: ASIC and business registry extracts.
  • Stripe: subscription payments and billing.
  • Keycloak: platform authentication and identity management.
  • Microsoft Azure: cloud infrastructure within Australian data centres (Australia East in Sydney, and Australia Southeast in Melbourne).

Changes to Sub-Processors (Right to Object)

duely will notify Firms at least thirty (30) days before appointing any new sub-processor that handles personal data. Within this notification period, the Firm has a right to object to the new sub-processor on reasonable data protection grounds. If duely cannot address the Firm's concerns, the Firm may terminate the affected Subscription without penalty.

5. Security Breach Notification

duely operates in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

  • If duely becomes aware of an actual or reasonably suspected personal data breach, duely will notify affected Firms without undue delay, and no later than 72 hours after becoming aware of the breach.
  • duely will cooperate with the Firm and provide information needed to help the Firm fulfil its notification obligations to the OAIC and affected data subjects.

6. AI Processing Limitation

duely does not, and will not, use protected customer data, identity documents, screening results, or matter metadata provided by the Firm to train foundational AI or large language models. This is a limitation on duely's processing.

6A. Data Return and Deletion on Termination

On termination or expiry of the MSA:

  1. Export window. The Firm has 90 days to export all personal data held within the platform, including evidence packs, matter records, customer data, and audit logs.
  2. Deletion. After the 90-day export window, duely will securely delete all personal data processed on behalf of the Firm from its primary systems within thirty (30) days, using standard data destruction methods.
  3. Backup purge. Personal data residing in encrypted backups will be overwritten through the normal backup rotation cycle, not exceeding 180 days from the deletion of primary data.
  4. Certificate of Destruction. On written request by Enterprise-tier Firms, duely will provide a Certificate of Data Destruction confirming completion of the deletion process.
  5. Exceptions. duely may retain anonymised, aggregated data that cannot be used to identify any individual. duely may also retain data where required by law or court order, in which case the Firm will be notified to the extent legally permitted.

7. Audits and Compliance

(a) On reasonable prior written notice, and no more than once in any twelve (12) month period, duely will make available to the Firm (or an independent auditor engaged by the Firm and bound by confidentiality terms acceptable to duely) duely's most recent SOC 2 Type II report (when available), penetration test summary, and architectural overview, for the limited purpose of verifying duely's compliance with this DPA.

(b) Any on-site audit is at the Firm's cost, must be conducted during business hours, must not unreasonably interrupt duely's operations, and is subject to duely's security and confidentiality requirements.

(c) Where duely's standard reports reasonably address the Firm's audit query, the Firm will accept those reports in lieu of a separate audit.

8. Governing Law

This Data Processing Agreement is governed by the laws of New South Wales, Australia, and is subject to the jurisdiction of the courts of New South Wales.