Data Processing Agreement

Template version: 10 May 2026

What this is. This is the public template of the Data Processing Agreement (“DPA”) that Validera offers to customers whose use of the Service involves processing personal data. It is structured to satisfy Article 28 of the EU General Data Protection Regulation (GDPR), the equivalent UK GDPR, and the Australian Privacy Act 1988.

How to execute. Email legal@validera.io with your organisation's legal name, address, and the name of the person who will sign on behalf of the customer. We will send a counter-signature copy in PDF.

Note: This template is provided for review. Material amendments requested by your legal team should be raised before signature; we are happy to negotiate reasonable changes. Customers should obtain their own legal advice on whether this DPA meets the requirements of their specific operating context.

Parties

This DPA is entered into between:

Agentic Labs Group Pty Ltd (ACN 692 724 584), of Sydney NSW Australia (“Processor”); and
The customer organisation identified in the cover page (“Controller”).

This DPA forms part of, and supplements, the customer agreement signed between the parties (the “Principal Agreement”). In the event of conflict between this DPA and the Principal Agreement on matters of personal data processing, this DPA prevails.

1. Definitions

Capitalised terms used in this DPA have the meaning given to them in the GDPR unless otherwise defined here. “Customer Personal Data” means personal data processed by the Processor on behalf of the Controller in connection with the Service, as further described in Annex I. “Sub-processor” has the meaning in Article 28(2) of the GDPR.

2. Subject matter, duration, nature and purpose

The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects of the processing are set out in Annex I. In summary: Validera processes ticket text and booking transaction data on behalf of the Controller in order to deliver pre-commit verification verdicts and an audit trail. Processing continues for the duration of the Principal Agreement and any wind-down period agreed in writing.

3. Processor's obligations

The Processor will:

process Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers, unless required to do so by Australian, EU, or other applicable law (in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such notice);
ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
implement and maintain the technical and organisational security measures described in Annex II, and review them periodically;
respect the conditions in clauses 4 and 5 below for engaging Sub-processors and for international transfers;
taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to data-subject requests;
assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments) taking into account the information available to the Processor;
at the Controller's choice, delete or return all Customer Personal Data after the end of the provision of services and delete existing copies, unless storage is required by law;
make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in clause 7.

4. Sub-processors

The Controller authorises the Processor to engage the Sub-processors listed at validera.io/subprocessors as of the effective date. The Processor will give the Controller at least thirty (30) days notice by email before adding or replacing a Sub-processor. The Controller may object on reasonable grounds within that notice period. The parties will work in good faith to find a resolution; if none can be found, the Controller may terminate the affected services without penalty.

The Processor will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Controller for the performance of each Sub-processor's obligations.

5. International transfers

Where the Processor transfers Customer Personal Data outside the European Economic Area, the United Kingdom, or Australia (as applicable to the Controller), the Processor relies on the following transfer mechanisms:

From the EEA / UK: the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor) as set out in Implementing Decision (EU) 2021/914, incorporated by reference into this DPA;
From Australia: the contractual measures required under Australian Privacy Principle 8.1, as reflected in this DPA and in the relevant Sub-processor agreements.

The Processor will, on request, provide the Controller with copies of the executed Standard Contractual Clauses with relevant Sub-processors, redacted as necessary to protect commercial confidentiality.

6. Personal data breach

The Processor will notify the Controller in writing without undue delay, and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent then known, include:

the nature of the breach, including the categories and approximate number of data subjects and records affected;
the name and contact details of the Processor's contact for the matter;
the likely consequences of the breach;
the measures taken or proposed to address the breach and to mitigate its possible adverse effects.

For Australian Controllers, the Processor will assist the Controller in meeting its obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988).

7. Audit

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice (at least 30 days, except in the event of a personal data breach or regulator request), and no more than once per calendar year, the Controller (or an independent auditor mutually agreed) may conduct an audit of the Processor's relevant systems and processes. Audits will be conducted during business hours, with reasonable steps to minimise disruption, and the auditor will be subject to confidentiality obligations.

Where industry-standard audit reports (e.g. SOC 2 Type II, ISO 27001) are available, the Processor may satisfy this clause by providing those reports in lieu of a customer-led audit.

8. Return and deletion of data

Within thirty (30) days of the termination or expiry of the Principal Agreement, the Processor will, at the Controller's written election, either:

return Customer Personal Data to the Controller in a structured, commonly used, machine-readable format; or
delete Customer Personal Data and provide written confirmation of deletion.

This obligation does not apply to data the Processor is required to retain by law, in which case the Processor will continue to apply the obligations in this DPA to that retained data for so long as it is held.

9. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions set out in the Principal Agreement, except where applicable law prevents such limitation or exclusion.

10. Term and termination

This DPA takes effect on the date the Principal Agreement takes effect and continues until the Principal Agreement is terminated or expires. Clauses 3(g), 6, 8, and 9 survive termination.

11. Governing law

This DPA is governed by the laws of New South Wales, Australia, except that, where the Standard Contractual Clauses apply to a transfer, those Clauses are governed by the laws of the EU member state designated in the Clauses.

Annex I — Description of processing

A. Categories of data subjects

The Controller's authorised agents (typically employees) who use the Validera Chrome extension to verify booking actions;
Claimants and other individuals whose personal data appears in source-of-truth tickets that the Controller's agents process (e.g. insured persons, payees, accommodation occupants).

B. Categories of personal data

Agent identifiers: name, organisational email, agent ID;
Source ticket content: claim references, claimant names, policy numbers, accommodation requirements, dates, budgets;
Booking transaction details: property identifier, dates, price, currency, source URL;
Verification outcomes and override reasons typed by agents;
Operational metadata: timestamps, latencies, IP addresses (transient).

Validera does not process special categories of personal data (Article 9 GDPR) as part of its standard service. If the Controller's source tickets contain such data incidentally, it is processed under the same protections as ordinary personal data.

C. Nature and purpose of processing

Pre-commit verification: extracting structured intent from source tickets, comparing it against the booking transaction the agent is about to commit, returning a pass/warn/block verdict, and writing an audit-log entry. Audit logs are retrievable by Controller-side admins via the Validera dashboard.

D. Duration of processing

For the term of the Principal Agreement, plus any wind-down or transition period agreed in writing. Audit-log retention follows the schedule in the Privacy Policy and may be customised in the Principal Agreement.

Annex II — Technical and organisational security measures

The Processor implements the following technical and organisational measures to protect Customer Personal Data. These measures are reviewed periodically and may evolve over time; the current state is reflected at validera.io/security.

1. Encryption

In transit: TLS 1.2 or higher on all endpoints.
At rest: AES-256 on all stored data via the underlying database storage layer.
Secrets: API keys and database credentials stored only in the encrypted environment-variable store of the hosting provider; never embedded in client code or written to logs.

2. Access control

Per-tenant API keys; every API call resolves to a tenant; no cross-tenant access path at the application layer.
Database access via service-role credentials held only by backend services; no direct end-user database access.
Production systems access restricted to a named list of personnel; least-privilege principle applied.

3. Application security

Input validation on every API endpoint via schema-based validators.
Per-IP rate limiting on every public endpoint, with tighter limits on unauthenticated paths.
No customer data written to runtime logs in identifiable form.

4. Operational measures

Code reviewed before merge to the main branch.
Dependency updates tracked and applied promptly for security advisories.
Database backups managed by the hosting provider on at least a daily cadence.

5. Incident response

Personal-data breach notification to the Controller within 72 hours of confirmation, in line with clause 6 of this DPA.
Designated contact for security matters: security@validera.io.

6. Personnel

All personnel are bound by written confidentiality obligations.
Access is removed promptly upon termination of engagement.

Annex III — Authorised Sub-processors

The current list of authorised Sub-processors is published and maintained at validera.io/subprocessors. That list, together with the categories of data each Sub-processor handles and the relevant transfer mechanism, is incorporated into this DPA by reference. Updates to that list are governed by clause 4 of this DPA.

Signature

This DPA is executed in counterparts, including by signed PDF exchanged by email, each of which is an original and all of which together constitute one and the same instrument.