1. Introduction 

This Data Processing Agreement (“DPA”) forms part of any service agreement (“Service Agreement”) between Firehouse Technology Pty Ltd (“FHT” or “Processor”) and its client (the “Controller”). It governs the handling of personal data by FHT on behalf of the Client under Australian Privacy Law, the EU General Data Protection Regulation (GDPR) (where applicable), and ISO27001 standards. 

Effective Date: The date on which the Service Agreement is executed or otherwise incorporates this DPA. 

2. Definitions 

• “Applicable Data Protection Laws”: Refers collectively to the Privacy Act 1988 (Cth), GDPR, and other relevant regulations governing personal data. 

• “Client” or “Controller”: The natural or legal entity which determines the purposes and means of personal data processing. 

• “FHT” or “Processor”: Firehouse Technology Pty Ltd, which processes personal data on behalf of the Controller. 

• “Personal Data”: Any information relating to an identified or identifiable natural person. 

• “Processing”: Any operation performed on personal data (e.g., collection, recording, organisation, storage, use, deletion). 

• “Sub-processor”: Any third party engaged by FHT to process personal data on behalf of the Controller. 

• “Security Incident”: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data. 

3. Purpose and Scope of Processing 

3.1 Purpose 

FHT processes personal data exclusively to provide services under the Service Agreement, which may include: 

• Cloud Migrations (seamless R6 strategy-driven transitions) 

• FinOps (eliminating cloud wastage and optimising costs) 

• Infrastructure Modernisation (containerised platforms, modern app development) 

• Cloud Security (ensuring confidentiality, integrity, availability) 

• Managed IT & Security Services (24/7 cybersecurity expertise, ITIL/QMS compliance) 

• Data Analytics & AI/ML (LLM integrations, data-driven software development) 

• Enterprise Applications (CRM, ERP, marketing technology) 

• Consulting & Product Development (strategic advisory, revenue-generating products) 

• Other similar services.  

3.2 Categories of Data Subjects 

• The Client’s employees, contractors, or representatives. 

• The Client’s own customers or end-users. 

• Website or application users whose data the Client sends to FHT’s systems. 

3.3 Types of Personal Data 

Types of data vary based on the Client’s project needs but may include: 

• Basic Identifiers: Names, emails, phone numbers, and usernames. 

• Technical Data: IP addresses, cookies, device information, system logs. 

• Financial/Transactional Data: Payment details or purchase histories (if relevant to FinOps or enterprise apps). 

• User-Generated Content: Customer inquiries, chat logs, or files uploaded into FHT-managed systems. 

3.4 Duration of Processing 

FHT will process personal data for the duration of the Service Agreement or until deletion or return of data is instructed by the Client, except where retention is required by law. 

4. Obligations of Firehouse Technology (Processor) 

4.1 Compliance with Laws 

FHT will process personal data in accordance with the Client’s documented instructions and in compliance with applicable data protection laws, including the Privacy Act 1988 (Cth) and GDPR (where relevant).

4.2 Technical and Organisational Measures 

To ensure a high level of security and confidentiality, FHT maintains an ISO27001-aligned information security management system. Measures include: 

• Encryption (TLS/SSL in transit, encrypted storage at rest where feasible). 

• Access Controls (role-based permissions, multi-factor authentication). 

• Data Minimisation (only process data needed for project scope). 

• Regular Security Audits & Testing (vulnerability assessments, penetration testing). 

• Incident Response (documented protocols, rapid notification timelines). 

4.3 Confidentiality 

FHT ensures that personnel authorised to process the Client’s personal data are subject to binding confidentiality obligations. FHT provides regular training to reinforce data protection best practices. 

4.4 Assistance with Data Subject Rights 

• If FHT receives a data subject request (e.g., access, rectification, erasure), FHT will promptly inform the Client. 

• FHT will provide reasonable assistance to help the Client fulfil its obligation to respond to such requests. 

4.5 Data Protection Impact Assessments (DPIA) 

Where processing may result in a high risk to data subjects, FHT shall assist the Client (at the Client’s request and cost) with any necessary DPIA and subsequent consultations with regulatory authorities. 

4.6 Security Incidents 

In the event of a confirmed Security Incident, FHT will: 

• Notify the Client without undue delay. 

• Investigate and provide relevant information to help the Client meet breach notification obligations. 

• Remediate to mitigate further risks. 

4.7 Sub-processing 

• FHT may engage sub-processors to support specific tasks (e.g., secure hosting, DevOps, or specialised consulting). 

• FHT remains liable for sub-processors’ compliance with obligations similar to those in this DPA. 

• A current list of major sub-processors can be provided upon request. 

4.8 Return or Deletion of Data 

Upon termination or expiration of the Service Agreement, or upon written request by the Client, FHT will securely delete or return all personal data, unless further retention is required by law. 

5. Obligations of the Client (Controller) 

5.1 Lawful Basis for Processing 

The Client must ensure it has lawful grounds (e.g., consent, contractual necessity, legitimate interests) for collecting and transferring personal data to FHT for processing. 

5.2 Instructions 

The Client’s instructions must be clear, lawful, and documented. Any change in the scope or nature of processing may require an amendment to the Service Agreement. 

5.3 Data Accuracy & Minimisation 

The Client is responsible for providing accurate, up-to-date personal data, ensuring it does not supply more data than is strictly necessary for the defined purposes. 

5.4 Handling Data Subject Requests 

The Client remains responsible for responding to data subject requests regarding personal data processed by FHT on the Client’s behalf. FHT will assist to the extent feasible. 

5.5 Cooperation on Security 

The Client shall maintain appropriate technical and organisational measures on its own systems and interfaces, recognising that security is a shared responsibility. 

6. Audits and Certifications 

6.1 Audit Rights 

• The Client may request an audit of FHT’s relevant processes to verify compliance with this DPA. 

• Audits require 30 days’ prior written notice, must occur during normal business hours, and should not unreasonably disrupt FHT’s operations. 

• Costs related to audits are borne by the Client unless otherwise agreed. 

6.2 Certifications 

FHT maintains an ISO27001-aligned security program and adheres to GDPR principles as applicable. Proof of certification or relevant documentation (such as bridging letters or audit summaries) can be provided upon request. 

7. International Data Transfers 

FHT operates globally. Where personal data is transferred outside of Australia or the European Economic Area, FHT will ensure compliance with GDPR adequacy mechanisms (e.g., Standard Contractual Clauses) or other recognised safeguards to maintain equivalent levels of data protection. 

8. Liability and Indemnification 

• 8.1 Limitation of Liability: Any liability arising under this DPA is subject to limitations set forth in the main Service Agreement. 

•  

• 8.2 Indemnification: The Client agrees to indemnify FHT for any breaches of data protection law caused by the Client’s acts or omissions (e.g., providing unlawful instructions or failing to obtain required consents). 

9. Term and Termination 

This DPA remains in effect for as long as FHT processes personal data for the Client. Upon termination of the Service Agreement, this DPA terminates automatically, subject to the obligations regarding data return or deletion. 

10. Governing Law and Dispute Resolution 

• This DPA is governed by the laws of South Australia in Australia, except where otherwise mandated by data protection laws. 

• Any disputes arising under this DPA shall be resolved in the competent courts of South Australia, unless overridden by relevant international regulations.