Data Processing Agreement
RR Sols Pty Ltd t/a WattleAddr · ABN 00 000 000 000 · Last updated 12 July 2026
This Data Processing Agreement (DPA) forms part of the agreement between the Customer and RR Sols Pty Ltd (ABN 00 000 000 000) t/a WattleAddr and governs our processing of personal information on the Customer's behalf. All processing occurs within Australia.
1. Scope and roles
This DPA applies where WattleAddr ("WattleAddr", "we") processes personal information on behalf of the Customer ("you") in providing the Service. In respect of End User data submitted to the Service, you are the entity that determines the purposes and means of processing (the controlling entity under the Privacy Act 1988 (Cth)) and WattleAddr is the service provider (processor) acting on your instructions. Each party is responsible for complying with its own obligations under the Privacy Act and the Australian Privacy Principles (APPs).
Where there is any conflict between this DPA and the Terms of Service on the subject of personal-information processing, this DPA prevails.
2. Definitions
- "Personal Information" has the meaning in the Privacy Act 1988 (Cth).
- "End User Data" means Personal Information contained in the address queries and related data you submit to the Service (for example, an individual's address).
- "Process" / "Processing" means any operation performed on Personal Information.
- "Sub-processor" means a third party engaged by WattleAddr to Process End User Data.
- "APPs" means the Australian Privacy Principles.
3. Processing details
We Process End User Data only to provide, secure, support and maintain the Service, in accordance with your documented instructions (including your configuration of the Service, such as retention settings) and this DPA. If we believe an instruction breaches the Privacy Act or other law, we will inform you. The subject matter, duration, nature, purpose, categories of data and categories of individuals are set out in Annex A.
4. Your obligations
- You must have a lawful basis to collect End User Data and to submit it to the Service, and to authorise the Processing described in this DPA.
- You must comply with the APPs (or other applicable privacy law) in your own handling of End User Data, including providing any required notices to, and obtaining any required consents from, individuals.
- You are responsible for the accuracy of the instructions you give and the configuration you choose (including retention and query-hashing options).
5. Our obligations
- We will Process End User Data only on your instructions and for the purposes of providing the Service, and will not use it for our own purposes or disclose it except as permitted by this DPA or required by law.
- We will ensure personnel authorised to Process End User Data are subject to confidentiality obligations.
- We will implement and maintain the technical and organisational security measures described in Annex B (APP 11).
- We will assist you, taking into account the nature of the Processing, to respond to individuals exercising their rights (including access and correction) and to meet your obligations regarding security and data-breach notification.
6. Data residency
All End User Data is stored and Processed within Australia (primary infrastructure in Sydney with a backup in Melbourne). We do not transfer or disclose End User Data to any overseas recipient, and address queries are not routed outside Australia.
7. Sub-processors
You authorise us to engage the Sub-processors listed in Annex C to Process End User Data, each of which is located in Australia and is bound by obligations no less protective than those in this DPA. We will give you reasonable notice before adding or replacing a Sub-processor, and you may object on reasonable data-protection grounds; if we cannot address your objection, you may terminate the affected Service.
Geoscape Australia is the source of the underlying G-NAF address dataset and is not a Sub-processor of your End User Data — we do not send your queries or End User Data to Geoscape.
8. Data breach notification
If we become aware of a data breach affecting End User Data, we will notify you without undue delay and provide information reasonably available to help you assess the breach and meet your obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act). We will take reasonable steps to contain and remediate the breach.
9. Individual requests
If we receive a request from an individual relating to End User Data (for example, for access, correction or deletion), we will, to the extent legally permitted, refer the request to you and assist you to respond, rather than responding directly.
10. Retention, return and deletion
We retain End User Data in the search log for the retention period you configure, after which it is automatically purged. On termination of the Service, or on your written request, we will delete or de-identify End User Data within a reasonable period, except where retention is required by law. Aggregated, de-identified usage data that is not Personal Information may be retained.
11. Audit and information
On reasonable written request (and no more than once per year unless required by a regulator or following a data breach), we will make available information reasonably necessary to demonstrate our compliance with this DPA. For Enterprise customers, additional audit arrangements may be agreed in an order form, subject to reasonable confidentiality and security conditions.
12. Liability and term
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA takes effect when you accept the Terms of Service (or on the date of your order form) and continues while we Process End User Data on your behalf. Provisions that by their nature should survive termination will do so.
13. Governing law
This DPA is governed by the laws of New South Wales, Australia, consistent with the Terms of Service.
14. Annex A — Details of Processing
| Item | Detail |
|---|---|
| Subject matter | Provision of Australian address autocomplete, verification and geocoding |
| Duration | For the term of the Service and the configured retention period |
| Nature and purpose | Matching, verifying and returning address results; metering; security and support |
| Categories of individuals | The Customer's End Users who enter addresses into the Customer's applications |
| Categories of Personal Information | Address text and matched addresses (which may include an individual’s address), API usage metadata and IP address |
| Sensitive information | Not intended to be Processed |
15. Annex B — Security measures
- Encryption of data in transit (TLS) and Australian-hosted infrastructure with access controls.
- Hashing of passwords and API keys; keys shown once and stored only as prefix + hash.
- Least-privilege access, authentication, and logging and monitoring of access.
- Configurable data retention and query hashing/omission to minimise Personal Information held.
- Regular review of controls, backups (Melbourne), and an incident-response and data-breach plan.
16. Annex C — Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Binary Lane Pty Ltd | Cloud hosting & infrastructure | Australia (Sydney, Melbourne) |
| Pinch Payments | Payment processing (card & bank direct debit) | Australia |
17. Contact
For DPA and privacy matters, contact privacy@wattleaddr.com.au.
This document is provided for transparency and does not constitute legal advice. For questions, contact legal@wattleaddr.com.au.