Data Processing Agreement

1. Parties & Scope

This Data Processing Agreement ("DPA") forms part of the Service Agreement between Moirai Health Pty Ltd (ABN pending), a company incorporated under the laws of Australia with its registered office in Canberra, ACT ("Processor", "Moirai", "we", "us"), and the entity that has executed the Service Agreement ("Controller", "Customer", "you").

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Moirai clinical AI governance infrastructure (the "Service"). It reflects the parties' commitment to comply with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles ("APPs"), and where applicable, the EU General Data Protection Regulation ("GDPR").

In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller in connection with the Service.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
• "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Service.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Controller" means the entity that determines the purposes and means of Processing Personal Data, being the Customer under the Service Agreement.
• "Processor" means the entity that Processes Personal Data on behalf of the Controller, being Moirai Health Pty Ltd.
• "Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by the Processor.

3. Data Processing Details

Important note: Moirai is designed to process practice-level governance and compliance data. The Service is not intended to process, and the Customer shall not submit, Protected Health Information (PHI), patient records, or individually identifiable health information through the platform.

4. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside Australia, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law.
• Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 5.
• Assist the Controller, taking into account the nature of the Processing, by appropriate technical and organisational measures insofar as possible, in fulfilling the Controller's obligations to respond to Data Subject requests under the Australian Privacy Act and APPs.
• Assist the Controller in ensuring compliance with breach notification obligations, taking into account the nature of Processing and the information available to the Processor.
• At the choice of the Controller, delete or return all Personal Data to the Controller upon termination of the Service Agreement, and delete existing copies unless applicable law requires retention.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, as detailed in Section 10.
• Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection legislation.

5. Security Measures

The Processor implements and maintains the following technical and organisational security measures to protect Personal Data:

The Processor shall regularly assess the effectiveness of these measures and update them as necessary to address evolving threats and industry best practices.

6. Sub-processors

The Controller provides general authorisation for the Processor to engage the following Sub-processors. The Processor has entered into data processing agreements with each Sub-processor that impose data protection obligations no less protective than those set out in this DPA.

The Processor shall notify the Controller at least 30 days before engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall include the Sub-processor name, purpose, and location. The Controller may object to the engagement of a new Sub-processor by providing written notice within 14 days of receiving the notification, including reasonable grounds for the objection. If the parties cannot resolve the objection within 30 days, the Controller may terminate the affected Service with no penalty.

7. International Data Transfers

The primary datastore for the Service is located in ap-southeast-2 (Sydney, Australia). All core application data, including governance records, compliance assessments, and evidence documents, is stored in this region.

Where Sub-processors Process Personal Data outside of Australia, the Processor ensures that adequate safeguards are in place in accordance with APP 8 (cross-border disclosure of personal information). These safeguards include:

• Contractual obligations requiring Sub-processors to handle Personal Data in accordance with standards substantially similar to the APPs.
• Where applicable, EU Standard Contractual Clauses (SCCs) for transfers involving EU-based data protection laws.
• Sub-processor certifications and compliance frameworks (e.g., SOC 2 Type II, ISO 27001) as additional assurance measures.
• Regular assessment of the data protection laws and practices of destination countries.

The Controller acknowledges that certain ancillary services (authentication, billing, error monitoring, email delivery) may involve the Processing of limited Personal Data in the United States and European Union, as specified in the Sub-processor table above.

8. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the Australian Privacy Act 1988 (Cth), including:

• Access (APP 12) — the right to request access to Personal Data held about the Data Subject.
• Correction (APP 13) — the right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading Personal Data.
• Deletion — the right to request erasure of Personal Data where it is no longer necessary for the purpose for which it was collected, subject to any applicable legal retention obligations.
• Complaint — the right to complain to the Office of the Australian Information Commissioner (OAIC) about the handling of Personal Data.

The Processor shall promptly notify the Controller upon receiving a request from a Data Subject directly and shall not respond to the request without the Controller's prior written authorisation, unless required by law.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting Personal Data Processed under this DPA.

The notification shall include, to the extent available:

• A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
• The name and contact details of the Processor's point of contact for further information.
• A description of the likely consequences of the Data Breach.
• A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the time of notification, information may be provided in phases without undue delay. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach, including compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

10. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller.

Audit requests are subject to the following conditions:

• The Controller shall provide at least 30 days written notice of an intended audit, unless a Data Breach or regulatory investigation requires more urgent action.
• Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations.
• The Controller shall bear its own costs associated with the audit, unless the audit reveals material non-compliance by the Processor.
• The Processor may satisfy audit requests by providing copies of relevant certifications, third-party audit reports (e.g., SOC 2 Type II), or summaries of its security and data protection practices where such documentation reasonably addresses the scope of the audit.
• Audits shall not exceed one per twelve-month period unless required by regulatory authority or following a Data Breach.

11. Term & Termination

This DPA shall become effective upon the date the Controller executes the Service Agreement and shall remain in effect for the duration of the Service Agreement. The obligations of the Processor under this DPA shall survive termination of the Service Agreement to the extent necessary to complete the Processing activities described herein.

Upon termination or expiry of the Service Agreement:

• The Controller may request the return of all Personal Data in a commonly used, machine-readable format within 30 days of termination.
• If no return request is made, the Processor shall securely delete all Personal Data within 30 days of termination, including all copies held by Sub-processors.
• The Processor may retain Personal Data to the extent required by applicable Australian law (including the Privacy Act 1988, tax legislation, or court orders), provided that the Processor shall continue to protect such data in accordance with this DPA and shall limit Processing to the purposes required by law.
• The Processor shall certify in writing to the Controller that deletion has been completed upon request.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of New South Wales, Australia, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of New South Wales.

To the extent that the GDPR applies to the Processing of Personal Data under this DPA, the relevant provisions of the GDPR shall apply in addition to the terms of this DPA, and in the event of conflict, the GDPR provisions shall prevail.

13. Contact

For questions, requests, or notifications relating to this DPA, please contact:

The Processor shall respond to all DPA-related enquiries within 10 business days.