Data Processing Agreement
Precision CAD Australia (ABN 61 451 007 505), trading as RTOFlow
Version 2.0 — Last updated: 18 March 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer"): The organisation subscribing to RTOFlow services, as identified in the applicable Subscription agreement.
- Data Processor ("RTOFlow"): Precision CAD Australia (ABN 61 451 007 505), trading as RTOFlow.
This DPA forms part of, and is subject to, the Terms of Service and Privacy Policy. In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict in relation to data processing matters.
2. Definitions
- "Personal Data" has the meaning given to "personal information" in the Privacy Act 1988 (Cth).
- "Sensitive Information" has the meaning given in section 6 of the Privacy Act 1988 (Cth), and includes health information, disability information, and information about an individual's learning abilities.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Data Breach" means an eligible data breach as defined under Part IIIC of the Privacy Act 1988 (Cth).
- "Sub-processor" means any third party engaged by RTOFlow to process Personal Data on behalf of the Customer.
- "APPs" means the Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth).
3. Scope of Processing
RTOFlow processes Personal Data on behalf of the Customer solely for the purpose of providing the Platform services described in the Terms of Service. The following table describes the categories of data processed and their purposes:
| Data Category | Examples | Purpose |
|---|---|---|
| Account Data | Full name, email address, role, password (hashed) | Authentication, access control, user management |
| Organisation Data | RTO name, RTO code, ABN, scope of registration | Service delivery, compliance verification, multi-tenant isolation |
| Student and Learner Data | Student names, email, date of birth, LLN assessment levels, employer details, learning goals, prior qualifications | Contextualization of training content, cohort management, RPL assessment |
| Content Data | Generated documents, templates, uploaded materials, notes | Core service functionality, AI content generation |
| Usage Data | Login timestamps, feature usage, generation requests | Service improvement, billing, audit logging |
| Payment Data | Billing name, email, transaction amounts, invoice records | Subscription billing (card details handled by Stripe) |
| Signature Data | Digital signatures captured within the Platform | User profile management, document signing |
Sensitive Information: Student LLN assessment data may constitute sensitive information under the Privacy Act (as it may reveal information about cognitive abilities or learning disabilities). The Customer is responsible for obtaining explicit, informed consent from learners before uploading sensitive information to the Platform, in accordance with APP 3.
4. Obligations of RTOFlow (Data Processor)
RTOFlow shall:
- Process Personal Data only on the documented instructions of the Customer, unless required to do so by Australian law
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7)
- Not engage another processor (sub-processor) without the prior general authorisation of the Customer (see Section 6)
- Assist the Customer in responding to requests from individuals exercising their rights under the APPs
- Assist the Customer in ensuring compliance with data breach notification obligations under Part IIIC of the Privacy Act (see Section 8)
- At the Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless Australian law requires storage
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
5. AI Processing Disclosure
RTOFlow uses third-party AI large language model (LLM) providers to generate training and assessment content. The following describes how Customer data flows through AI processing:
5.1 Data Flow
- Prompt Construction: RTOFlow constructs prompts containing training package requirements, organisational context, and — where the contextualization feature is used — student personal data (names, LLN levels, employer details, workplace context).
- API Transmission: Prompts are sent to AI providers via encrypted API connections (TLS 1.2+).
- Processing: The AI provider processes the prompt and returns generated content. Processing is transient — providers do not retain input or output data beyond the processing window.
- Storage: Generated content is stored solely within RTOFlow's infrastructure (AWS ap-southeast-2 where available). AI providers do not independently store copies.
5.2 AI Provider Commitments
All AI providers are engaged under enterprise or API agreements that include:
- No model training: Customer data is not used for training, fine-tuning, or improving AI models
- No data retention: Input prompts and output content are not retained beyond the processing window (typically seconds to minutes)
- Data minimisation: RTOFlow minimises personal information in prompts; where possible, de-identified or pseudonymised data is used
- Encrypted transmission: All data is encrypted in transit using TLS 1.2 or higher
- Access controls: AI providers do not have standing access to RTOFlow's stored data
6. Sub-processors
The Customer provides general authorisation for RTOFlow to engage the sub-processors listed below. RTOFlow will notify the Customer of any intended changes to sub-processors at least 30 days in advance, giving the Customer the opportunity to object.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| OpenAI | AI content generation | Document content, prompts; student data when contextualization is used | United States |
| Anthropic | AI content generation | Document content, prompts; student data when contextualization is used | United States |
| Google (Gemini) | AI content generation and document OCR | Document content, prompts, uploaded document images; student data when contextualization is used | United States |
| DeepSeek | AI content generation | Document content, prompts; student data when contextualization is used | Singapore / China |
| xAI (Grok) | AI content generation | Document content, prompts; student data when contextualization is used | United States |
| Perplexity | AI-powered research and packaging rule verification | Training package identifiers, unit codes, industry context (no personal data) | United States |
| Replicate | Image processing (upscaling and background removal) | Uploaded images for processing (no personal data) | United States |
| Amazon Web Services (AWS) | Cloud hosting, database, storage, backups | All platform data | Australia (ap-southeast-2) where available; United States for some services |
| Stripe | Payment processing | Billing name, email, payment card details, transaction amounts | United States |
| Resend | Transactional email delivery | Email address, name, email content | United States |
| Google (OAuth) | OAuth authentication (optional) | Email address, name, profile photo (as authorised by user during login) | United States |
| Microsoft (OAuth) | OAuth authentication (optional) | Email address, name (as authorised by user during login) | United States |
| Replit (OAuth) | OAuth authentication (optional) | Email address, name, profile photo (as authorised by user during login) | United States |
Note regarding DeepSeek: DeepSeek operates from Singapore and China. China's data protection framework (the Personal Information Protection Law) differs materially from Australian privacy law. RTOFlow takes additional precautions when routing data through DeepSeek, including minimising personal information in prompts and ensuring contractual protections are in place.
7. Data Security
RTOFlow implements the following technical and organisational measures to protect Personal Data:
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS 1.2 or higher for all data transmission
- Multi-tenant isolation: Full per-organisation data separation at the application and database levels
- Access controls: Role-based access control (RBAC) with least-privilege principles
- Authentication: Passwords stored using industry-standard hashing algorithms; support for OAuth SSO
- Backup and recovery: Automated backups using Grandfather-Father-Son rotation (7 daily, 4 weekly, 12 monthly) with geographic redundancy and integrity verification
- Monitoring: Automated health, security, and intrusion monitoring
- Incident response: Documented incident response procedures with defined escalation paths
- Audit logging: Comprehensive audit trail of data access and modifications
8. Data Breach Notification
In the event of a Data Breach affecting Customer Personal Data, RTOFlow will:
- Contain the breach and take immediate steps to mitigate harm
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Customer with the following information: the nature and categories of data affected, the approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach
- Assist the Customer in meeting its obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988), including notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals
- Document all breaches, including facts, effects, and remedial actions taken
9. Data Retention and Deletion
RTOFlow retains Customer Personal Data for the duration of the Subscription plus the following periods:
| Data Type | Retention After Subscription Ends |
|---|---|
| User account data | 12 months after deletion request |
| Generated content and documents | 30 days after cancellation |
| Student and learner data | 30 days after cancellation |
| Audit and activity logs | 24 months |
| Payment and billing records | 7 years (Australian tax law) |
| Backups | Up to 12 months (GFS rotation) |
| Support correspondence | 24 months after resolution |
Upon written request by the Customer, RTOFlow will export and/or permanently delete all Customer Personal Data within 30 Business Days, except where retention is required by Australian law.
10. Cross-Border Data Transfers
The Customer acknowledges that certain sub-processors are located outside Australia (see Section 6). Before disclosing Personal Data overseas, RTOFlow takes reasonable steps in accordance with APP 8 to ensure that overseas recipients do not breach the APPs, including:
- Entering into contractual arrangements requiring overseas processors to handle Personal Data in accordance with standards substantially similar to the APPs
- Assessing the privacy laws and practices of the recipient's jurisdiction
- Minimising personal information sent to overseas AI providers
Countries to which Personal Data may be transferred: United States (OpenAI, Anthropic, xAI, Google, Microsoft, Replit, Perplexity, Replicate, Stripe, Resend, AWS) and Singapore / China (DeepSeek).
11. Data Subject Rights
RTOFlow will assist the Customer in responding to requests from data subjects (individuals) exercising their rights under the APPs, including:
- Access (APP 12): Providing access to Personal Data held about the individual
- Correction (APP 13): Correcting Personal Data that is inaccurate, out of date, incomplete, irrelevant, or misleading
- Deletion: Deleting Personal Data where requested and not required to be retained by law
- Data portability: Exporting Personal Data in standard machine-readable formats (DOCX, PDF, CSV)
RTOFlow will respond to Customer assistance requests within 10 Business Days.
12. Audits and Compliance
RTOFlow will make available to the Customer, on reasonable request, information necessary to demonstrate compliance with this DPA. The Customer may request an audit of RTOFlow's data processing practices, subject to:
- Reasonable advance notice (at least 30 days)
- The audit being conducted during normal business hours and not unreasonably interfering with RTOFlow's operations
- The Customer bearing its own costs of the audit
- Confidentiality obligations applying to audit findings
13. Term and Termination
This DPA remains in effect for the duration of the Customer's Subscription and for as long as RTOFlow processes Personal Data on behalf of the Customer. Upon termination of the Subscription:
- RTOFlow will cease processing Personal Data except as required for data retention obligations
- The Customer will have at least 30 days to export their data
- RTOFlow will delete or return Personal Data in accordance with Section 9
14. Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Victoria, Australia, and the parties submit to the exclusive jurisdiction of the courts of Victoria.
15. Contact
For DPA-related enquiries, data processing questions, or to exercise rights under this agreement, please contact:
Privacy Officer
Precision CAD Australia
Trading as RTOFlow
- Email: privacy@rtoflow.au
- Support: support@rtoflow.au
- Website: https://rtoflow.au