Data Processing Agreement.
Last updated 20 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Caring Abode Pty Ltd (trading as roc.up) and the Customer. It governs the processing of personal information about the Customer's NDIS participants, workers, and other individuals that roc.up handles on the Customer's behalf.
1. Definitions
- Customer means the entity (or individual sole trader) that has signed up to roc.up under the Terms of Service.
- roc.up or we means Caring Abode Pty Ltd (ABN [REVIEW: ABN]).
- Personal Information has the meaning given to it in the Privacy Act 1988 (Cth) and includes sensitive information such as health information.
- Australian Privacy Principles or APPs mean the Australian Privacy Principles in Schedule 1 to the Privacy Act.
- Customer Personal Information means Personal Information about the Customer's NDIS participants, workers, contractors, or other individuals that the Customer enters into, uploads to, or generates in roc.up.
- Sub-processor means a third party engaged by roc.up to process Customer Personal Information.
- Eligible Data Breach has the meaning given to it in section 26WE of the Privacy Act.
2. Roles
For the purposes of the Privacy Act and the APPs, in relation to Customer Personal Information:
- The Customer is the APP entity that determines the purposes for which the information is collected and used — equivalent to a "data controller" in other regimes.
- roc.up processes Customer Personal Information on the Customer's behalf and on the Customer's documented instructions — equivalent to a "data processor".
roc.up does not use Customer Personal Information for its own purposes. The exceptions are: (a) for the limited operational purposes described in clause 5; and (b) where required by Australian law.
3. Subject matter and scope
The subject matter, duration, nature, and purpose of the processing are set out in Schedule 1 below.
4. Customer responsibilities
The Customer is responsible for:
- Having a lawful basis under the Privacy Act for collecting and processing Customer Personal Information in roc.up, including obtaining consent from participants (or their nominees) for the collection and processing of their health information (APP 3).
- Providing accurate, current, and complete Customer Personal Information.
- Configuring access controls inside roc.up appropriately — including per-worker section permissions on participant files.
- Notifying participants (or nominees) and workers of how their information is handled, consistent with the Customer's own privacy policy and with our handling described in this DPA.
- Compliance with the Customer's own obligations under the Privacy Act, the NDIS Quality and Safeguards Commission Rules, and any other applicable law.
5. roc.up's processing obligations
roc.up agrees that, in respect of Customer Personal Information:
- It will process Customer Personal Information only on the Customer's documented instructions — including the Terms of Service, this DPA, and the configuration choices the Customer makes inside the service (such as which sub-processors are enabled, which integrations are connected, and whether AI features are on).
- It will not sell Customer Personal Information, nor share it with third parties for marketing.
- It may process Customer Personal Information for the following operational purposes: (a) to deliver, maintain, and improve the roc.up service to the Customer; (b) to detect and prevent fraud, security incidents, and abuse; (c) to produce aggregated, de-identified analytics that cannot be used to identify the Customer or any individual; (d) to meet legal obligations and respond to lawful requests by competent authorities.
- It will ensure that personnel authorised to process Customer Personal Information are under appropriate confidentiality obligations.
- It will assist the Customer, to the extent reasonably possible, in responding to requests by individuals to exercise rights under the Privacy Act (see clause 8).
- It will assist the Customer in complying with its obligations under the Notifiable Data Breaches scheme (see clause 9).
6. Security measures
roc.up will implement and maintain appropriate technical and organisational measures to protect Customer Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The full security posture is described in the Security overview and includes:
- Hosting in the AWS Sydney region (data does not leave Australia for storage).
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
- Row-level security policies enforcing per-workspace data isolation.
- Per-user authentication with hashed passwords and optional multi-factor authentication.
- Per-worker section permissions on participant files within each workspace.
- An audit log of edits to participant care files.
- Daily automated backups, retained for 7 days.
- Restricted staff access on a need-to-know basis, with logging.
7. Sub-processors
The Customer authorises roc.up to engage the sub-processors listed at subprocessors.html to process Customer Personal Information.
- Each sub-processor is bound by a written data-processing arrangement that imposes obligations no less protective than those in this DPA.
- roc.up remains responsible for the acts and omissions of its sub-processors in respect of Customer Personal Information.
- Changes. roc.up will give the Customer at least 30 days' notice before adding a new sub-processor or replacing an existing one, by email to the account holder and an updated entry on the sub-processors page.
- Objection. The Customer may object to a new sub-processor for reasonable, documented privacy or security concerns. The parties will work in good faith to resolve the objection — including by the Customer choosing an alternative configuration, or by terminating the affected service under clause 11 of the Terms of Service.
8. Data subject requests
Individuals (data subjects) have rights under the Privacy Act, including the right to access and correct their Personal Information (APPs 12 and 13).
- Where an individual contacts roc.up directly with a request about Customer Personal Information, roc.up will refer them to the Customer and notify the Customer.
- roc.up will provide reasonable assistance to the Customer in responding to data subject requests — including by providing tools within the service to access, export, or delete Customer Personal Information.
- roc.up will not respond to data subject requests itself in respect of Customer Personal Information, except where required by law.
9. Personal data breaches and the NDB scheme
If roc.up becomes aware of an actual or suspected unauthorised access to, unauthorised disclosure of, or loss of Customer Personal Information ("Personal Data Breach"):
- roc.up will notify the affected Customer without undue delay and in any event within 72 hours of becoming aware of the Personal Data Breach.
- The notification will include, to the extent known: the nature of the breach, the categories and approximate number of individuals concerned, the categories and approximate volume of Personal Information concerned, the likely consequences, and the measures taken or proposed to address the breach.
- roc.up will reasonably assist the Customer in meeting the Customer's own obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), including the Customer's obligation to assess whether the breach is an "eligible data breach" within 30 days and to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where required.
- roc.up will not make a public statement attributing the breach to the Customer without the Customer's prior written agreement, except where required by law.
10. Audit
To enable the Customer to verify roc.up's compliance with this DPA:
- roc.up will make available to the Customer, on reasonable written request, the information necessary to demonstrate compliance — including security certifications, penetration test summaries, and the current sub-processor list.
- If the information made available is insufficient to demonstrate compliance and the Customer has a substantiated concern, the Customer may request an audit conducted by an independent third party. Such audits will be conducted no more than once per 12 months, with at least 30 days' written notice, during Australian business hours, and on terms (scope, confidentiality, cost-sharing) reasonably agreed in advance.
- Audit findings are confidential to the parties.
11. International transfers
Customer Personal Information is stored in Australia (AWS Sydney region). The only routine transfers outside Australia are:
- To the AI model provider (transient processing for Pattern Watch and AI-drafted incidents), where the data is not retained — see Security overview §5 and subprocessors.html.
- To Mailgun for email transport [REVIEW: confirm Mailgun region].
Where an overseas transfer happens, roc.up takes reasonable steps under APP 8 to ensure the overseas recipient handles the information in a way consistent with the APPs, including by contract.
12. Return or deletion of data
On termination of the Terms of Service:
- For 30 days after termination, the Customer may export Customer Personal Information via the export tools in the service or by request to roc.up.
- After 30 days, roc.up will delete Customer Personal Information from production systems.
- Encrypted backups containing Customer Personal Information may persist for up to a further 60 days before being overwritten in normal backup rotation. The backups are not accessible for ordinary use during that period.
- roc.up may retain Customer Personal Information for longer where required by Australian law, or in anonymised form for statistical purposes.
The Customer is responsible for retaining records that the NDIS Commission or other regulators require it to retain. roc.up provides export tools — the duty to retain belongs to the Customer.
13. Liability
The liability of each party under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits any liability that cannot lawfully be limited.
14. Conflict with the Terms of Service
If there is a conflict between this DPA and the Terms of Service, this DPA prevails in respect of the processing of Customer Personal Information.
15. Changes to this DPA
roc.up may update this DPA from time to time. Material changes (such as a new category of sub-processor, a material change to security measures, or a change to international transfer practices) are notified to the account holder at least 30 days before they take effect. The current version is always at rocup.com.au/dpa.html.
16. Governing law
This DPA is governed by the laws of New South Wales, Australia. The parties submit to the exclusive jurisdiction of the courts of New South Wales and the federal courts of Australia.
Schedule 1 — Description of Processing
| Subject matter | Provision of the roc.up software-as-a-service to the Customer for management of the Customer's NDIS provider business. |
|---|---|
| Duration | The term of the Terms of Service, plus the post-termination retention window in clause 12. |
| Nature & purpose | Hosting, storing, transmitting, displaying, and analysing Customer Personal Information; generating service outputs (rosters, draft invoices, care files, training records, AI-flagged patterns, AI-drafted incident reports). |
| Categories of data subjects | (a) Account holders / administrators; (b) support workers; (c) NDIS participants; (d) participant nominees / next-of-kin contacts (where the Customer enters them); (e) other contacts the Customer enters (allied health professionals, GPs, etc.). |
| Categories of Personal Information | Identifiers (name, email, DOB, phone, address); employment information (workers); financial information (timesheets, billing); sensitive information — health information (medications, health conditions, allergies, care plans, clinical logs, incident reports, behaviour and mood records); NDIS plan details; uploaded documents; signature samples. |
| Special categories | Health information is sensitive information under the Privacy Act and is the predominant category of Personal Information processed. |
| Sensitive cohort | NDIS participants are, by definition, people with disability and may include children. The Customer is responsible for any heightened consent or substitute-decision-maker arrangements that apply to vulnerable individuals. |
17. Contact
- DPA questions or to request a signed counterpart — privacy@caringabode.com.au
- OAIC (escalation) — oaic.gov.au or 1300 363 992