Legal

Data Processing Agreement

Bury Digital Pty Ltd · ABN 31 850 554 300 · Last updated: May 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service between Bury Digital Pty Ltd ("Processor", "Bury Digital", "we") and the Customer ("Controller", "you") and applies to the processing of personal information by Bury Digital on the Customer's behalf in connection with the Service.

In the event of conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict, but only in relation to data protection matters.

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or the Privacy Act 1988 (Cth).

  • "Personal Information" has the meaning given in the Privacy Act.
  • "End User Personal Information" means Personal Information about an End User that is processed through the Service.
  • "APPs" means the Australian Privacy Principles set out in Schedule 1 of the Privacy Act.
  • "Sub-processor" means a third party engaged by Bury Digital to process Personal Information on its behalf.

2. Roles and responsibilities

  • The Customer is the Controller of End User Personal Information collected through the Service.
  • Bury Digital is the Processor, acting on the Customer's documented instructions.
  • The Customer is responsible for the lawful basis for collecting and processing End User Personal Information, including obtaining consents where required.
  • Bury Digital is responsible for processing the data securely and in accordance with this DPA.

3. Subject matter and duration of processing

  • Subject matter. Provision of the Service as described in the Terms of Service.
  • Duration. For the duration of the Customer's Subscription, plus any post-termination retention period set out in the Privacy Policy.

4. Nature and purpose of processing

The processing involves:

  • Receiving inbound call metadata from forwarded numbers
  • Sending and receiving SMS to and from End Users
  • Generating AI-qualified summaries of End User enquiries
  • Storing the resulting data in the Customer's account for the Customer's access

The purpose is to enable the Customer to recover, qualify, and triage missed-call enquiries from their End Users.

5. Categories of Personal Information processed

  • End User name (where provided)
  • End User phone number
  • SMS content exchanged with the End User
  • Call metadata (date, time, duration)
  • Information disclosed by the End User during qualification (e.g. enquiry type, location, urgency)
  • For some Customers (such as health-related practices), this may include Health Information within the meaning of Part IIIA of the Privacy Act

6. Categories of data subjects

People who contact the Customer's forwarded business number (typically prospective customers, existing customers, or general enquirers).

7. Bury Digital's obligations as Processor

Bury Digital will:

(a) Process Personal Information only on documented instructions from the Customer, including the Terms of Service, this DPA, and the configuration of the Customer's account. We will inform the Customer if we believe an instruction breaches the Privacy Act or other applicable law.

(b) Ensure confidentiality. Personnel authorised to process Personal Information are bound by appropriate confidentiality obligations.

(c) Implement appropriate security measures. Including those set out in the Security page at bury-digital.com/security.html. These measures meet the "reasonable steps" standard under APP 11.

(d) Engage Sub-processors only as permitted. We currently engage the Sub-processors listed at bury-digital.com/subprocessors.html. We will give at least 30 days' notice before adding a new Sub-processor. If the Customer reasonably objects on data protection grounds, the Customer may terminate the affected Subscription with a pro-rata refund.

(e) Assist the Customer with data subject requests. Where an End User contacts us with a request relating to data we process on the Customer's behalf, we will promptly forward the request to the Customer. We will assist the Customer in responding to access, correction, or deletion requests at no additional charge, to the extent reasonably necessary.

(f) Notify the Customer of breaches. If we become aware of a personal information breach affecting the Customer's data, we will notify the Customer without undue delay and in any event within 72 hours of forming a reasonable belief that a breach has occurred. The notice will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

(g) Assist with Notifiable Data Breach obligations. We will provide reasonable assistance to enable the Customer to meet their notification obligations under the Privacy Act.

(h) Delete or return Personal Information on termination. On termination of the Subscription, we will make Customer Data available for export for 30 days. After 30 days, we will delete the Customer's Personal Information, except where retention is required by law.

(i) Make available information to demonstrate compliance. On reasonable request, we will provide the Customer with information necessary to demonstrate compliance with this DPA. The Customer may audit our compliance no more than once per 12 months, subject to reasonable notice, confidentiality, and at the Customer's expense. We may satisfy audit requests by providing a recent third-party audit report where one is available.

8. International transfers

Some Sub-processors are located outside Australia. Where Personal Information is transferred overseas, Bury Digital will take reasonable steps to ensure the Sub-processor handles the data in a manner consistent with the APPs. Current overseas locations are disclosed in the Subprocessor List.

9. Customer obligations

The Customer warrants and undertakes that:

  • It has a lawful basis to provide End User Personal Information to the Service
  • It has provided End Users with any required notice or consent under the Privacy Act
  • It will not configure the Service to collect Personal Information that is unlawful to collect
  • It will respond to End User requests relating to the Customer's own data controller obligations

10. Liability

Liability under this DPA is governed by the limitation of liability clause in the Terms of Service. Nothing in this DPA increases either party's liability beyond what is set out in the Terms.

11. Term and termination

This DPA takes effect on the start of the Customer's Subscription and continues until termination of the Subscription. The obligations relating to confidentiality, security, and post-termination data handling survive termination.

12. Governing law

This DPA is governed by the laws of Victoria, Australia.

13. Contact

For questions about this DPA, or to formally invoke it (e.g. by signing a counter-signed copy for your records), email [email protected].