Legal

Data Processing Agreement.

Last updated 20 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Caring Abode Pty Ltd (trading as roc.up) and the Customer. It governs the processing of personal information about the Customer's NDIS participants, workers, and other individuals that roc.up handles on the Customer's behalf.

Plain-English summary. When you use roc.up to handle participant or worker information, you are the data controller and we are the data processor. This DPA sets out the obligations we accept in that role — how we handle data, what sub-processors we use, what we do if there's a breach, and what rights you and your participants have. It is auto-accepted with the Terms of Service. A signed counterpart is available on request for procurement.

1. Definitions

2. Roles

For the purposes of the Privacy Act and the APPs, in relation to Customer Personal Information:

roc.up does not use Customer Personal Information for its own purposes. The exceptions are: (a) for the limited operational purposes described in clause 5; and (b) where required by Australian law.

3. Subject matter and scope

The subject matter, duration, nature, and purpose of the processing are set out in Schedule 1 below.

4. Customer responsibilities

The Customer is responsible for:

5. roc.up's processing obligations

roc.up agrees that, in respect of Customer Personal Information:

6. Security measures

roc.up will implement and maintain appropriate technical and organisational measures to protect Customer Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The full security posture is described in the Security overview and includes:

7. Sub-processors

The Customer authorises roc.up to engage the sub-processors listed at subprocessors.html to process Customer Personal Information.

8. Data subject requests

Individuals (data subjects) have rights under the Privacy Act, including the right to access and correct their Personal Information (APPs 12 and 13).

9. Personal data breaches and the NDB scheme

If roc.up becomes aware of an actual or suspected unauthorised access to, unauthorised disclosure of, or loss of Customer Personal Information ("Personal Data Breach"):

10. Audit

To enable the Customer to verify roc.up's compliance with this DPA:

11. International transfers

Customer Personal Information is stored in Australia (AWS Sydney region). The only routine transfers outside Australia are:

Where an overseas transfer happens, roc.up takes reasonable steps under APP 8 to ensure the overseas recipient handles the information in a way consistent with the APPs, including by contract.

12. Return or deletion of data

On termination of the Terms of Service:

The Customer is responsible for retaining records that the NDIS Commission or other regulators require it to retain. roc.up provides export tools — the duty to retain belongs to the Customer.

13. Liability

The liability of each party under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits any liability that cannot lawfully be limited.

14. Conflict with the Terms of Service

If there is a conflict between this DPA and the Terms of Service, this DPA prevails in respect of the processing of Customer Personal Information.

15. Changes to this DPA

roc.up may update this DPA from time to time. Material changes (such as a new category of sub-processor, a material change to security measures, or a change to international transfer practices) are notified to the account holder at least 30 days before they take effect. The current version is always at rocup.com.au/dpa.html.

16. Governing law

This DPA is governed by the laws of New South Wales, Australia. The parties submit to the exclusive jurisdiction of the courts of New South Wales and the federal courts of Australia.

Schedule 1 — Description of Processing

Subject matterProvision of the roc.up software-as-a-service to the Customer for management of the Customer's NDIS provider business.
DurationThe term of the Terms of Service, plus the post-termination retention window in clause 12.
Nature & purposeHosting, storing, transmitting, displaying, and analysing Customer Personal Information; generating service outputs (rosters, draft invoices, care files, training records, AI-flagged patterns, AI-drafted incident reports).
Categories of data subjects(a) Account holders / administrators; (b) support workers; (c) NDIS participants; (d) participant nominees / next-of-kin contacts (where the Customer enters them); (e) other contacts the Customer enters (allied health professionals, GPs, etc.).
Categories of Personal InformationIdentifiers (name, email, DOB, phone, address); employment information (workers); financial information (timesheets, billing); sensitive information — health information (medications, health conditions, allergies, care plans, clinical logs, incident reports, behaviour and mood records); NDIS plan details; uploaded documents; signature samples.
Special categoriesHealth information is sensitive information under the Privacy Act and is the predominant category of Personal Information processed.
Sensitive cohortNDIS participants are, by definition, people with disability and may include children. The Customer is responsible for any heightened consent or substitute-decision-maker arrangements that apply to vulnerable individuals.

17. Contact