Data Processing Agreement
Last updated: 9 April 2026
1. Definitions
- “Customer” means the entity that has agreed to the Inferis Terms of Service.
- “Personal Information” has the meaning given in the Privacy Act 1988 (Cth).
- “Processing” means any operation performed on Personal Information, including collection, use, storage, disclosure, or deletion.
- “Processor” means Inferis, which processes Personal Information on behalf of the Customer.
- “Sub-processor” means a third party engaged by the Processor to assist in processing Personal Information.
- “Data Breach” means an eligible data breach as defined in Part IIIC of the Privacy Act 1988 (Cth).
- “Services” means the Inferis platform and related services as described in the Terms of Service.
2. Scope and Purpose
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Inferis and governs the processing of Personal Information by Inferis on behalf of the Customer in connection with the Services.
Inferis processes Personal Information solely for the purpose of providing the Services, which includes document storage, indexing, AI-powered search, and related functionality as described in the Terms of Service.
3. Obligations of the Processor
Inferis will:
- Process Personal Information only in accordance with the Customer's documented instructions and the Terms of Service
- Ensure that persons authorised to process Personal Information are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Section 5
- Not use Personal Information for any purpose other than providing the Services
- Not sell, rent, or otherwise disclose Personal Information to third parties except as required to provide the Services or as required by law
- Comply with all applicable requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Not use Customer documents or data to train AI models
4. Sub-processors
The Customer authorises Inferis to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, authentication, database, storage, cloud functions | Sydney, AU |
| Google Vertex AI (Gemini) | AI model inference for document queries | US (us-central1) |
| Stripe | Payment processing and subscription management | US / Global |
| Google Analytics | Aggregated usage analytics | US / Global |
Inferis will notify the Customer at least 30 days before engaging any new sub-processor. If the Customer has a reasonable, good-faith objection based on data protection grounds, they may notify us in writing within 14 days. We will work with you to find a commercially reasonable solution, or you may terminate the affected portion of the Service without penalty.
5. Data Security
Inferis implements the following technical and organisational measures to protect Personal Information:
- Encryption at rest using AES-256 and in transit using TLS 1.3
- Firebase Authentication with secure session management and optional multi-factor authentication
- Per-firm data isolation enforced by server-side security rules
- Role-based access controls at application and database levels
- Infrastructure monitoring via Google Cloud Platform (24/7)
- Regular security reviews and vulnerability assessments
- Automatic data backup and disaster recovery via Google Cloud
6. Data Breach Notification
In accordance with Part IIIC of the Privacy Act 1988 (Cth) (Notifiable Data Breaches scheme):
- Inferis will notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a suspected or confirmed Data Breach involving the Customer's Personal Information
- The notification will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach
- Inferis will cooperate with the Customer in investigating and remediating the breach
- Where required, Inferis will assist the Customer in notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals within the 30-day assessment period prescribed by the Act
7. Data Subject Rights
Inferis will assist the Customer in responding to requests from individuals exercising their rights under the Australian Privacy Principles, including:
- Access to Personal Information held about them (APP 12)
- Correction of inaccurate Personal Information (APP 13)
- Deletion of their account and associated data
- Information about how their Personal Information has been used or disclosed
Customers can manage user data directly through the Inferis platform. For requests that require Inferis's assistance, contact admin@inferis.ai.
8. Cross-Border Data Transfers
Customer documents are stored in Australia (Sydney, australia-southeast1). Original files never leave Australian infrastructure.
When a Customer submits a query, the query text and relevant document excerpts are sent to Google Vertex AI for processing. This inference occurs in us-central1 (United States). The data is processed in memory only, is not stored by Google, and is not used for model training under Google's enterprise Vertex AI terms.
Payment data is processed by Stripe in accordance with Stripe's Data Processing Agreement and PCI DSS standards.
In accordance with APP 8 (cross-border disclosure), Inferis takes reasonable steps to ensure that overseas recipients of Personal Information comply with the APPs or are subject to substantially similar obligations.
9. Data Retention and Deletion
Personal Information is retained for the duration of the Customer's use of the Services. Upon termination of the agreement or at the Customer's request:
- All Customer documents and associated data will be permanently deleted within 30 days
- Account information and metadata will be removed
- Inferis will confirm deletion in writing upon request
- Aggregated, anonymised analytics data that cannot identify individuals may be retained
10. Audit Rights
Upon reasonable request and subject to confidentiality obligations, Inferis will make available to the Customer information necessary to demonstrate compliance with this DPA. This may include:
- Summary of security measures and controls in place
- Results of third-party security assessments (where available)
- Confirmation of sub-processor compliance
- Records of data breach incidents (if any)
Audit requests should be directed to admin@inferis.ai with at least 30 days' notice.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of applicable privacy legislation to the extent such liability cannot be excluded by law (including under the Australian Consumer Law).
Subject to the above, Inferis's total aggregate liability under this DPA shall not exceed the greater of: (a) the fees paid by the Customer in the 12 months preceding the event giving rise to liability, or (b) AUD $10,000.
12. Term and Termination
This DPA takes effect when the Customer agrees to the Terms of Service and remains in force for the duration of the agreement. Obligations relating to data deletion, confidentiality, and breach notification survive termination.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of New South Wales, Australia. The parties submit to the exclusive jurisdiction of the courts of New South Wales.
14. Contact
For questions about this DPA or to exercise any rights under it, contact:
Inferis
Privacy Officer
admin@inferis.ai