Data Processing Agreement
This Data Processing Agreement ("DPA") applies automatically to all customers of BoardTable and forms part of the Terms of Service. It describes how BoardTable Pty Ltd processes personal information on behalf of your organisation. If your board policy or procurement process requires a countersigned DPA, contact legal@boardtable.com.au.
1. Definitions
In this DPA:
- "Controller" means your organisation — the entity that determines the purposes and means of processing personal information entered into BoardTable.
- "Processor" means BoardTable Pty Ltd, which processes personal information on the Controller's behalf.
- "Personal Information" has the meaning given in the Privacy Act 1988 (Cth) and includes names, email addresses, roles, and any other identifying information about individuals stored in your BoardTable account.
- "Processing" means any operation performed on Personal Information, including collection, storage, retrieval, transmission, and deletion, and any other operation performed on it between collection and deletion.
- "Sub-processor" means any third party engaged by BoardTable to assist in processing Personal Information.
2. Roles and Responsibilities
Your organisation is the Controller of all Personal Information your users upload to BoardTable. BoardTable is the Processor — we handle that data only to the extent necessary to provide and maintain the Service, and only in accordance with your documented instructions (as set out in your use of the platform, this DPA, and the Terms of Service).
BoardTable does not determine the purpose of processing your organisation's Personal Information. We do not use it to train AI models, sell it, or share it with third parties for any purpose other than providing the Service.
3. Controller Instructions
By using BoardTable, you instruct us to process Personal Information as necessary to:
- Provide and maintain access to the BoardTable platform.
- Authenticate users and enforce role-based access controls.
- Store, retrieve, and display governance records as directed by your administrators.
- Send transactional notifications (meeting reminders, document-signing requests, password resets).
- Generate backups and ensure service continuity.
- Comply with legal obligations applicable to BoardTable as a service provider.
If you require us to process data in a way not covered by these instructions, please contact legal@boardtable.com.au to discuss a supplementary arrangement.
4. Security Measures
BoardTable implements and maintains technical and organisational measures appropriate to the risk of processing Personal Information. These measures include:
- AES-256 encryption of data at rest; TLS 1.2+ for all data in transit.
- Role-based access controls ensuring users can only access data they are authorised to see.
- Bcrypt password hashing (work factor 10).
- Audit logging of all significant access and administrative events, retained for 12 months.
- Daily encrypted database backups with point-in-time recovery for 7 days.
- Annual independent penetration testing.
- Hosting exclusively on Microsoft Azure Australia East (ISO 27001 certified; SOC 2 Type II attested).
Full details are available on our Security page.
5. Sub-processors
BoardTable engages the following sub-processors to deliver the Service. All sub-processors are bound by confidentiality obligations and data processing terms consistent with this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting, database, and file storage | Australia East (Sydney) |
| Microsoft Clarity | Behavioural analytics (anonymised usage patterns) | USA (Microsoft data centres) |
| Stripe | Payment processing (billing information only) | USA / Australia |
| Resend | Transactional email delivery | USA |
We will notify account administrators by email at least 14 days before adding or replacing a sub-processor. You may object to a new sub-processor by contacting legal@boardtable.com.au within 14 days of notification.
6. Data Breach Notification
In the event of a data breach involving your organisation's Personal Information, BoardTable will:
- Notify affected organisations without undue delay and ordinarily within 72 hours of becoming aware of the breach.
- Provide a written incident report describing the nature of the breach, the categories and approximate volume of Personal Information involved, likely consequences, and measures taken or proposed to address it.
- Comply with the mandatory Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), including notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals where required.
- Cooperate with your organisation's own notification obligations to the extent reasonably practicable.
To report a suspected security incident or data breach, contact privacy@boardtable.com.au immediately.
7. Data Retention and Deletion
BoardTable retains Personal Information and governance records for the duration of your organisation's subscription plus seven (7) years, in line with common board record retention obligations under Australian law.
Upon account termination or at your written request:
- You will have read-only access to your data for 30 days following termination to allow data export.
- Active data will be permanently deleted within 30 days of that read-only period ending.
- Encrypted backup copies will be purged within 90 days as backup cycles complete.
- We will provide written confirmation of deletion on request.
Earlier deletion of specific Personal Information (e.g. a departed director's profile) may be requested by your administrator via account settings or by contacting privacy@boardtable.com.au, subject to any applicable legal retention obligations.
8. Audit Rights
You may request information necessary to demonstrate BoardTable's compliance with this DPA, including copies of our security questionnaire responses and relevant certifications. Requests should be directed to legal@boardtable.com.au. We will respond within 15 business days.
On-site audits of BoardTable's infrastructure are not offered as a standard entitlement given the shared-infrastructure nature of the Service, but we will make available audit reports, certifications, and attestations from our infrastructure providers (Microsoft Azure, Stripe) upon request.
9. Assistance with Your Obligations
BoardTable will, taking into account the nature of processing and information reasonably available to us, assist your organisation to respond to:
- Requests from individuals exercising rights under the Australian Privacy Principles (access, correction, deletion, complaints).
- Requirements to conduct privacy impact assessments.
- Inquiries or investigations by the OAIC.
Contact privacy@boardtable.com.au to request assistance.
10. Confidentiality of Processing
BoardTable personnel who process Personal Information are bound by confidentiality obligations and have received appropriate privacy training. Access to customer data is limited to staff with a legitimate operational need, is logged, and requires manager approval for any access beyond routine platform maintenance.
11. Changes to This DPA
We may update this DPA from time to time to reflect changes in law, our sub-processors, or our security practices. We will notify account administrators by email at least 14 days before material changes take effect. The current version is always available at boardtable.com.au/dpa.
12. Countersigned DPA
If your organisation requires a countersigned DPA — for example to satisfy ACNC governance requirements, board policy, insurance conditions, or a procurement process — please contact legal@boardtable.com.au. We will issue a signed agreement promptly, typically within 3 business days.
13. Governing Law
This DPA is governed by the laws of the State of Victoria, Australia, consistent with the Terms of Service.