Data Processing Agreement
Last updated: June 2026 · Applies to Osapher Enterprise customers
Draft only — not reviewed by a lawyer
This Data Processing Agreement is a reference draft and has not yet been reviewed by a qualified lawyer. It does not constitute final or binding contract language and should not be relied upon as such. Enterprise customers requiring a DPA as part of a service agreement should contact legal@osapher.com — a reviewed version will be provided prior to contract execution.
1. Definitions
Controller means the Osapher Enterprise customer who determines the purposes and means of processing personal data.
Processor means Osapher (ABN 18 459 403 998), acting on the Controller's instructions.
Personal Data means any information relating to an identified or identifiable natural person processed by Osapher on behalf of the Controller, including director names, UBO names, and source of funds documentation uploaded to the platform.
Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
2. Scope and Purpose
This Data Processing Agreement governs the processing of Personal Data by Osapher on behalf of the Controller in connection with the Osapher Enterprise KYB platform. Osapher processes Personal Data solely to provide the services described in the applicable subscription agreement and as instructed by the Controller.
3. Controller Obligations
The Controller warrants that it has a lawful basis for providing Personal Data to Osapher for processing, and that it has obtained all necessary consents and authorisations required under the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the New Zealand Privacy Act 2020.
4. Processor Obligations
Osapher agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent from the Controller, except as listed in section 6
- Assist the Controller in responding to data subject access requests
- Delete or return all Personal Data upon termination of the agreement
- Notify the Controller within 72 hours of becoming aware of a Personal Data breach
5. Data Retention and Deletion
Personal Data is retained for the period required by applicable AML/CTF legislation (minimum 7 years from the date of verification under the AML/CTF Act 2006 (Cth) and the AML/CTF Act 2009 (NZ)). Upon expiry of the retention period or termination of the agreement, Personal Data will be deleted or returned as instructed by the Controller. The Controller may request early deletion of non-mandatory data via the Close Case function in the Enterprise portal or by contacting privacy@osapher.com.
6. Sub-processors
Osapher engages the following sub-processors in connection with the Enterprise service. A full and current list is maintained at osapher.com/sub-processors.
- Supabase Inc. — database and file storage (AWS ap-southeast-2, Sydney)
- Railway Corp. — application hosting (Singapore)
- Resend Inc. — transactional email (United States)
- OpenSanctions Datenbanken GmbH — sanctions and PEP screening data (Germany)
- Perplexity AI Inc. — adverse media search (United States)
- Anthropic PBC — AI analysis (United States)
7. Data Transfers
Verification records and uploaded documents are stored in Supabase on AWS ap-southeast-2 (Sydney, Australia). Screening queries are transmitted to OpenSanctions (Germany) and Perplexity AI (United States) for processing. Name and entity data transmitted to these services does not include Australian Tax File Numbers or government-issued identity document numbers.
8. Security Measures
Osapher implements the following technical and organisational measures:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) policies enforced at the database layer
- Access controls scoped to organisation — no cross-tenant data access
- Service role keys never exposed to client-side code
- SHA-256 cryptographic audit hash on every verification record
- 7-year retention lock enforced at database level via RLS DELETE policies
9. Governing Law
This agreement is governed by the laws of Victoria, Australia. Disputes are subject to the exclusive jurisdiction of the courts of Victoria.
10. Contact
Data protection enquiries: privacy@osapher.com
Osapher · ABN 18 459 403 998 · Melbourne, Victoria, Australia