PPeerPlacement Back to home

Data Processing Agreement

Last updated: 3 May 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer (“Controller”) and PeerPlacement (“Processor”) governing the Processor’s processing of personal data on the Controller’s behalf. It is intended to satisfy the requirements of the GDPR (Articles 28 and 32), the Australian Privacy Principles, and PIPL where applicable.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. “Customer Personal Data” means personal data the Controller uploads to or generates in the Service. “Sub-processor” means a third party engaged by the Processor to process Customer Personal Data.

2. Subject matter and duration

The Processor processes Customer Personal Data to provide the Service for the duration of the Customer’s subscription (and any post-termination period agreed in writing).

3. Nature and purpose of processing

Hosting, storage, access management, AI-assisted analysis (document verification, scoring, application drafting), submission to institutions at the Controller’s direction, audit logging, and customer support.

4. Categories of data subjects

  • Platform users: consultancy staff, agents, administrators, institution contacts.
  • Student applicants and, where applicable, their guardians or sponsors.
  • Other contacts uploaded by the Controller (e.g. references).

5. Categories of personal data

  • Identifiers: name, email, phone, role, employer.
  • Government and identity documents: passport scans, national IDs.
  • Academic records: transcripts, certificates, English-test results.
  • Financial records uploaded for visa or admission purposes.
  • Communications and notes within the Service.
  • Special-category data only where explicitly uploaded by the Controller (e.g. health information for visa applications).

6. Processor obligations

  • Process Customer Personal Data only on the documented instructions of the Controller (including via the Service’s configuration).
  • Ensure personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (see Section 8 and our Security overview).
  • Assist the Controller in responding to data-subject requests, DPIAs, and prior consultations.
  • Notify the Controller without undue delay (and within 72 hours where feasible) on becoming aware of a personal data breach.
  • Delete or return Customer Personal Data at the end of the engagement, subject to retention obligations under law.

7. Sub-processors

The Processor engages the following categories of sub-processor:

  • Cloud infrastructure (Australia and customer-selected regions).
  • Email delivery (transactional and notification email).
  • AI inference providers (configurable per tenant; the Controller may choose self-hosted models).
  • Payment processing (for paying customers).
  • Error monitoring and observability.

The current list of named sub-processors is available on request from legal@peerplacement.com. The Processor will give the Controller advance notice of new sub-processors and provide an opportunity to object on reasonable data-protection grounds.

8. Security measures

  • Encryption: AES-256 at rest with per-tenant keys; TLS 1.3 in transit; field-level encryption for sensitive identifiers.
  • Access control: role-based access, field-level permissions, MFA, session expiry, least-privilege admin access.
  • Tenant isolation: per-tenant database, storage bucket, and encryption key.
  • Logging and monitoring: immutable audit log, anomaly alerting, regular access reviews.
  • Backups and disaster recovery: encrypted backups, tested restore procedure, defined RPO/RTO.
  • Secure development lifecycle: code review, dependency scanning, regular vulnerability assessments.

9. International transfers

Where the Processor transfers Customer Personal Data outside the Controller’s region, the parties rely on appropriate safeguards including the Standard Contractual Clauses (incorporated by reference) and, where applicable, PIPL separate-consent or standard-contract requirements. The Controller may select a data-residency region in tenant settings to constrain primary storage location.

10. Audits

The Processor will make available all information necessary to demonstrate compliance with this DPA. Where the Controller requires an on-site audit, the parties will agree the timing, scope, and confidentiality terms in advance. Audit rights may be satisfied by independent third-party reports (e.g. SOC 2 or ISO 27001) where reasonably available.

11. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the underlying agreement (the Terms of Service or signed order form).

12. Contact

Data protection enquiries: dpo@peerplacement.com