Data Processing Agreement
For White-Label and Organisation Clients
ABN 33 972 014 877 | Trading as Prokol | April 2026
1. Parties and purpose
This Data Processing Agreement ("DPA") is entered into between Prokol Health (ABN 33 972 014 877), trading as Prokol ("Processor", "we", "us") and the Organisation Client identified in the executed Services Agreement ("Controller", "you").
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the delivery of the Prokol platform services under the Services Agreement.
2. Definitions
- "Personal data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Data subject" means the individual to whom personal data relates (including the Controller's clients and end users).
- "Sub-processor" means a third party engaged by the Processor to assist in processing personal data.
- "Services Agreement" means the commercial agreement between the parties for access to the Platform.
3. Roles and responsibilities
3.1 Controller responsibilities
The Controller is the data controller in respect of personal data collected from its clients and end users through the Platform. The Controller is responsible for:
- Ensuring it has a lawful basis for collecting and processing personal data.
- Providing appropriate privacy notices to data subjects.
- Obtaining any necessary consents from data subjects.
- Ensuring the Platform is used in compliance with applicable privacy laws including the Privacy Act 1988 (Cth) and any other applicable legislation.
- Responding to data subject access requests and complaints.
3.2 Processor responsibilities
The Processor will process personal data only on documented instructions from the Controller, which include the processing necessary to provide the Platform services. The Processor will:
- Process personal data only for the purposes specified in this DPA and the Services Agreement.
- Not disclose personal data to third parties except as permitted by this DPA.
- Implement and maintain appropriate technical and organisational security measures.
- Assist the Controller in responding to data subject requests to the extent technically feasible.
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data.
4. Data isolation and security
The Processor maintains strict data isolation between Organisation Clients. The Controller's data is:
- Tagged with a unique organisation identifier at the database level.
- Accessible only to coaches and administrators within the Controller's organisation.
- Not accessible to coaches, clients, or administrators in other organisations.
- Protected by row-level security policies enforced at the database engine level.
- Not used by the Processor to contact the Controller's clients for Processor's own marketing purposes.
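As an added illustration (not Prokol's own schema or code), the following Postgres statements show the pattern clause 4 describes: every row carries an organisation identifier, and a row-level security policy enforced by the database engine restricts reads and writes to the caller's organisation. The table and column names (`organisations`, `clients`, `organisation_id`) and the per-transaction session setting `app.organisation_id` are assumptions made for this example; Supabase runs on Postgres, so the same statements apply there.

```sql
-- Hypothetical schema for illustration only; not the Prokol data model.
create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Each client row is tagged with its owning organisation (clause 4, first bullet).
create table clients (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null references organisations(id),
  email           text not null,
  name            text not null
);
create index clients_organisation_idx on clients (organisation_id);

-- Turn on RLS and FORCE it so the table owner is bound by the policies too.
alter table clients enable row level security;
alter table clients force row level security;

-- The application sets the caller's organisation for each transaction, e.g.
--   set local app.organisation_id = '<organisation uuid>';
-- current_setting(..., true) returns NULL when the setting is absent, and
-- "organisation_id = NULL" is never true, so a missing setting yields no rows
-- rather than all rows (fail closed).
create policy clients_isolation on clients
  using      (organisation_id = current_setting('app.organisation_id', true)::uuid)
  with check (organisation_id = current_setting('app.organisation_id', true)::uuid);

-- Check: a session acting for organisation A sees only A's rows and cannot
-- write a row tagged with organisation B (constructed sample identifiers).
begin;
set local app.organisation_id = '00000000-0000-0000-0000-00000000000a';
select count(*) from clients;                       -- counts organisation A rows only
insert into clients (organisation_id, email, name)
  values ('00000000-0000-0000-0000-00000000000b', 'x@example.com', 'x');
-- The insert above is rejected: "new row violates row-level security policy".
rollback;
```

Two checks a practitioner would run against any setup of this kind: confirm `force row level security` is set, since without it the table owner bypasses the policy; and confirm the application only connects with a role that is bound by RLS, because a superuser, a role with `BYPASSRLS`, or Supabase's service-role key ignores these policies entirely.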
5. Types of personal data processed
The Processor will process the following categories of personal data on behalf of the Controller:
- Identity data: name, email address, date of birth, phone number.
- Health and fitness data: nutrition logs, workout records, weight history, progress photos.
- Physiological data: menstrual cycle data (which are non-clinical estimates), heart rate variability (HRV), resting heart rate, sleep data.
- Communication data: messages between clients and coaches.
- Form and check-in responses submitted by clients.
- Subscription and billing information (processed via Stripe; full card data is not stored by the Processor).
6. Sub-processors
The Processor engages the following sub-processors in the delivery of Platform services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, auth, storage | United States |
| Vercel Inc. | Hosting, deployment | United States |
| Stripe Inc. | Payment processing | United States |
| Resend Inc. | Transactional email | United States |
The Processor will notify the Controller of any intended changes to sub-processors and provide an opportunity to object.
7. International data transfers
The sub-processors listed above are located in the United States. The Processor takes reasonable steps to ensure these transfers comply with the Australian Privacy Principles (in particular APP 8, cross-border disclosure of personal information), including entering into data processing agreements with sub-processors that require equivalent data protection standards.
8. Data breach notification
In the event of a personal data breach affecting the Controller's data, the Processor will:
- Notify the Controller without undue delay and in any case within 72 hours of becoming aware.
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Cooperate with the Controller in managing the breach and fulfilling any notification obligations.
9. Data subject rights
Where data subjects exercise rights under applicable privacy law (including rights of access, correction, and deletion), the Controller is responsible for responding. The Processor will provide reasonable assistance to the Controller in fulfilling these obligations, including by providing data exports and executing deletions upon written request.
10. Return and deletion of data
Upon termination of the Services Agreement, the Processor will:
- Provide the Controller with a complete export of the Controller's data in a machine-readable format within 30 days of a written request.
- Delete or de-identify the Controller's personal data within 90 days of termination, except where retention is required by law.
- Confirm in writing when deletion is complete.
11. Audit rights
The Controller may request written confirmation that the Processor is complying with this DPA no more than once per calendar year. The Processor will respond within 30 days. Physical audits may be agreed in writing and conducted at the Controller's expense with reasonable prior notice.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Services Agreement. The Processor is not liable for breaches caused by the Controller's instructions or the Controller's failure to comply with its data controller obligations.
13. Term
This DPA remains in effect for the duration of the Services Agreement and terminates automatically upon termination of the Services Agreement, subject to clauses relating to data return, deletion, and survival.
14. Governing law
This DPA is governed by the laws of New South Wales, Australia.
15. Execution
This DPA is incorporated into and forms part of the Services Agreement. By executing the Services Agreement, the parties agree to be bound by this DPA.
Signed for and on behalf of Prokol Health:
Name: Courtney Muscat
Title: Director, Prokol Health
Signature:
Date:
Signed for and on behalf of the Controller:
Organisation name:
Name:
Title:
Signature:
Date: