Data Processing Agreement
Last updated: 12 May 2026
Active region: Asia Pacific (Sydney)
This policy applies to firms hosted in Asia Pacific. The Inferis platform serves customers in multiple regions — your firm's region is set at firm creation and cannot be changed without a support-led migration.
1. Definitions
- “Customer” means the entity that has agreed to the Inferis Terms of Service.
- “Personal Information” has the meaning given in the Privacy Act 1988 (Cth).
- “Processing” means any operation performed on Personal Information, including collection, use, storage, disclosure, or deletion.
- “Processor” means Inferis, which processes Personal Information on behalf of the Customer.
- “Sub-processor” means a third party engaged by the Processor to assist in processing Personal Information.
- “Data Breach” means an eligible data breach as defined in Part IIIC of the Privacy Act 1988 (Cth).
- “Services” means the Inferis platform and related services as described in the Terms of Service.
2. Scope and Purpose
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Inferis and governs the processing of Personal Information by Inferis on behalf of the Customer in connection with the Services.
Inferis processes Personal Information solely for the purpose of providing the Services, which includes document storage, indexing, AI-powered search, and related functionality as described in the Terms of Service.
3. Obligations of the Processor
Inferis will:
- Process Personal Information only in accordance with the Customer's documented instructions and the Terms of Service
- Ensure that persons authorised to process Personal Information are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Section 5
- Not use Personal Information for any purpose other than providing the Services
- Not sell, rent, or otherwise disclose Personal Information to third parties except as required to provide the Services or as required by law
- Comply with all applicable requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Not use Customer documents or data to train AI models
4. Sub-processors
The Customer authorises Inferis to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, authentication, database, storage, cloud functions | Sydney, AU (AU firms) / Frankfurt + Belgium (EU firms) |
| Google Vertex AI (Gemini) | AI model inference and embedding generation for document queries | US (us-central1) for AU firms / Belgium (europe-west4) for EU firms |
| Stripe | Payment processing and subscription management | US / Global |
| Sentry | Application error monitoring (errors only — no document content). Loaded only after explicit consent in supported regions. | US |
| ipapi.co | IP-based country detection at signup, used to recommend the correct data region. IP address only, processed once, not stored. | US |
| BetterStack | Public uptime status page (no customer data; aggregated availability checks only) | US / Global |
| Google Analytics | Aggregated usage analytics. Loaded only after explicit consent in supported regions. | US / Global |
Inferis will notify the Customer at least 30 days before engaging any new sub-processor. If the Customer has a reasonable, good-faith objection based on data protection grounds, they may notify us in writing within 14 days. We will work with you to find a commercially reasonable solution, or you may terminate the affected portion of the Service without penalty.
5. Data Security
Inferis implements the following technical and organisational measures to protect Personal Information:
- Encryption at rest using AES-256 and in transit using TLS 1.3
- Firebase Authentication with secure session management and optional multi-factor authentication
- Per-firm data isolation enforced by server-side security rules
- Role-based access controls at application and database levels
- Infrastructure monitoring via Google Cloud Platform (24/7)
- Regular security reviews and vulnerability assessments
- Automatic data backup and disaster recovery via Google Cloud
6. Data Breach Notification
In accordance with Part IIIC of the Privacy Act 1988 (Cth) (Notifiable Data Breaches scheme):
- Inferis will notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a suspected or confirmed Data Breach involving the Customer's Personal Information
- The notification will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach
- Inferis will cooperate with the Customer in investigating and remediating the breach
- Where required, Inferis will assist the Customer in notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals within the 30-day assessment period prescribed by the Act
7. Data Subject Rights
Inferis will assist the Customer in responding to requests from individuals exercising their rights under the Australian Privacy Principles, including:
- Access to Personal Information held about them (APP 12)
- Correction of inaccurate Personal Information (APP 13)
- Deletion of their account and associated data
- Information about how their Personal Information has been used or disclosed
Customers can manage user data directly through the Inferis platform. For requests that require Inferis's assistance, contact admin@inferis.ai.
8. Data Residency & Cross-Border Transfers
Your firm's data is stored in Asia Pacific. The active data centre is australia-southeast1 (Sydney). Firestore (database) is hosted in australia-southeast1 (Sydney). Customer documents are stored in Australia and never leave Australian infrastructure.
AI inference for query answering runs in us-central1 (Iowa, USA) where the required Gemini model versions are available. Only the text of your query and relevant document excerpts are sent to the AI model. Your original files remain in Asia Pacific.
As an Australian customer, you are protected by the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs). Your supervisory authority is the Office of the Australian Information Commissioner (OAIC).
Payment data is processed by Stripe in accordance with Stripe's Data Processing Agreement and PCI DSS standards.
For Australian customers: in accordance with APP 8 (cross-border disclosure), Inferis takes reasonable steps to ensure overseas recipients of Personal Information comply with the APPs or are subject to substantially similar obligations.
For EU customers: a Standard Contractual Clauses (SCC) compliant addendum is available on request via admin@inferis.ai pending finalisation of the formal published version.
9. Data Retention and Deletion
Personal Information is retained for the duration of the Customer's use of the Services. Upon termination of the agreement or at the Customer's request:
- All Customer documents and associated data will be permanently deleted within 30 days
- Account information and metadata will be removed
- Inferis will confirm deletion in writing upon request
- Aggregated, anonymised analytics data that cannot identify individuals may be retained
10. Audit Rights
Upon reasonable request and subject to confidentiality obligations, Inferis will make available to the Customer information necessary to demonstrate compliance with this DPA. This may include:
- Summary of security measures and controls in place
- Results of third-party security assessments (where available)
- Confirmation of sub-processor compliance
- Records of data breach incidents (if any)
Audit requests should be directed to admin@inferis.ai with at least 30 days' notice.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of applicable privacy legislation to the extent such liability cannot be excluded by law (including under the Australian Consumer Law).
Subject to the above, Inferis's total aggregate liability under this DPA shall not exceed the greater of: (a) the fees paid by the Customer in the 12 months preceding the event giving rise to liability, or (b) AUD $10,000.
12. Term and Termination
This DPA takes effect when the Customer agrees to the Terms of Service and remains in force for the duration of the agreement. Obligations relating to data deletion, confidentiality, and breach notification survive termination.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of New South Wales, Australia. The parties submit to the exclusive jurisdiction of the courts of New South Wales.
14. Contact
For questions about this DPA or to exercise any rights under it, contact:
Inferis
Privacy Officer
admin@inferis.ai