
Data Processing Addendum.

Template DPA. Sign-able as-is for most customers; customisations welcome. Take to your lawyer; we'll sign their redlines if they're reasonable.

Version 1.0 · 2026-05-15 · Lawyer review pending
Plain disclaimer. This is a working template, not a fully-lawyered final document. Final DPAs are signed as PDF on a customer-by-customer basis after legal review. Treat the text here as the substance, not the form.

1. Definitions

  • Hoist Assets, We, Us — HoistAI Pty Ltd (ABN 11 695 718 659), 81–83 Campbell Street Surry Hills NSW 2010.
  • Customer, You — the entity that has executed the Hoist Assets Terms of Service.
  • Personal Information — has the meaning given in the Privacy Act 1988 (Cth) Section 6.
  • Service — the Hoist Assets API, MCP server, and dashboard.
  • APPs — the Australian Privacy Principles.

2. Roles

You are the entity responsible for any Personal Information you submit to the Service. We act as your service provider in processing search inputs and storing outputs. Where the inputs you submit identify Australian organisations (ACN/ABN) and not individuals, Personal Information is not generally implicated; the org-only scope (see /trust/npii-boundary) is designed to keep individual Personal Information out of the system entirely.

3. Subject matter and duration

  • Subject matter: processing of search inputs and results for the purpose of providing the Service.
  • Duration: the term of your Hoist Assets subscription, plus a 30-day export window after termination.
  • Nature and purpose: running register searches; storing certificates and Due Diligence Records; maintaining an audit chain.
  • Types of data: Account information (email, role, billing); Search inputs (ACN, ABN, serial number, optional reference); Search outputs (certificates, records, audit-chain entries).

4. Sub-processors

Current sub-processors: trust/index.html#subprocessors. We notify customers of material sub-processor changes 30 days before they take effect. Objection window: 30 days; if you object, you may terminate the subscription with pro-rated refund.

5. Security measures

See /trust/security for the current posture: TLS 1.3 in transit, AES-256 at rest, OAuth 2.1 with scope-based access control, annual penetration test, append-only audit chain.

6. Data subject rights

You handle data-subject access, correction, and deletion requests directed to you. Where you need us to assist (e.g., to retrieve or delete data we hold as your service provider), email [email protected] and we'll cooperate at no charge.

7. Breach notification

If we become aware of a security breach affecting your data, we notify you within 72 hours of confirmation, with: nature of the breach, categories of data affected, likely consequences, measures taken or proposed.

8. International transfers

Most data stays in AU. Sub-processors handle some categories in the US (Stripe, Postmark, Clerk). Where Personal Information of Australian subjects crosses borders, we rely on contractual safeguards consistent with APP 8.

9. Audit rights

You may request our most recent penetration test summary, our SOC 2 certificate (when issued), and the answers to a reasonable security questionnaire, at no charge, once per year. On-site audits are by agreement.

10. Return or deletion of data

On termination, all customer data is exportable for 30 days via the dashboard. After 30 days, records are deleted from production. Audit-chain hashes (no PII) are retained indefinitely for verification.

11. Governing law

This Addendum is governed by the laws of New South Wales, Australia.

Signing this

Email [email protected]. We'll countersign within 2 business days, faster if your timeline requires it.