Data Processing Agreement

01 · Purpose.

This DPA governs how we handle personal data in connection with the Service.

02 · Roles of the parties.

KoalaFix operates in a dual role:

Processor. For the core delivery of the Service — processing conversation content, performing remediation actions, operating the account — you are the Controller and KoalaFix is the Processor. We process personal data only to provide the Service in accordance with your instructions, these Terms, and applicable law.
Independent Controller. For the use of conversation content to improve and train our own AI models, KoalaFix acts as an independent Controller for its own purposes, as disclosed in our Privacy Policy. Authorised Users may opt out of training use at any time via their account settings or by emailing support@koalafix.com.

03 · Categories of data subjects and data processed.

Data subjects may include you, your employees, contractors, and any end users whose data is present on the device or account connected to the Service.

Categories of personal data may include:

Chat inputs, prompts, and AI-generated responses
User identifiers (name, email, account ID)
Device and technical data (OS version, running processes, service states, IP address)
Remediation events and outcomes
Where a Microsoft 365 account is connected: calendar, mailbox, and OneDrive content accessed via Microsoft Graph using scopes Files.Read, offline_access, openid, profile, User.Read

04 · Purpose and duration of processing.

We process personal data to provide AI-assisted diagnostics and automated remediation, operate and secure the Service, respond to support requests, and (in our Controller capacity) improve our AI models. Processing continues for the duration of your subscription plus any retention period required by law or set out in our Privacy Policy.

05 · Subprocessors.

Our current subprocessors are:

Subprocessor	Purpose	Location
Supabase	Data hosting, database, and infrastructure	Sydney, Australia (ap-southeast-2)
Anthropic, PBC	Primary AI/LLM processing of conversation content	United States
OpenAI, L.L.C.	Fallback AI/LLM processing when Anthropic is unavailable	United States
Stripe	Payment processing	United States / Australia
Microsoft	Graph API access (only if a Microsoft 365 account is connected)	Per your Microsoft 365 region

Each subprocessor is subject to data protection obligations consistent with this DPA and to that subprocessor's applicable terms and privacy policies.

We will give at least 30 days' notice of any change to this list by email to the account administrator on file. During that period you may object on reasonable data-protection grounds; if we cannot resolve your objection, you may terminate the affected part of the Service.

06 · Model improvement and training.

In our capacity as an independent Controller (see Section 2), we may use conversation content from the Service to improve our AI models, subject to the protections described in our Privacy Policy, including:

Automated filtering to exclude detected passwords, payment details, government identifiers, and other sensitive personal information
An opt-out available to Authorised Users via account settings or by emailing support@koalafix.com
No use of opted-out content in future training runs

Once content has been incorporated into a trained model, it cannot be removed from that model retroactively.

07 · Data security.

We implement reasonable technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging of administrative access, and regular patching and security review. No system is completely secure.

08 · Data retention.

We retain personal data only as long as necessary to provide the Service or comply with legal obligations, as described in the Privacy Policy.

09 · Confidentiality.

We ensure that personnel authorised to process personal data are bound by written confidentiality obligations.

10 · Assistance.

We will provide reasonable assistance to help you respond to data subject access, correction, or deletion requests, and to meet data protection impact assessment or regulator consultation obligations where applicable.

11 · Data breach notification.

We will notify you without undue delay, and in any case within 72 hours, of becoming aware of a confirmed personal data breach affecting your data. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

12 · International transfers.

Personal data may be processed outside Australia, including in the United States via Anthropic and OpenAI. Where required, we rely on appropriate transfer mechanisms and take reasonable steps to ensure data is protected consistently with applicable Australian, New Zealand, and US law.

13 · Audit.

On reasonable written notice, and no more than once per 12-month period, we will provide information reasonably necessary to demonstrate compliance with this DPA, which may include third-party audit reports or responses to a written questionnaire. On-site audits will be considered where required by law and will be at your cost.

14 · Deletion or return of data.

On termination of the Service, we will delete or de-identify personal data within 90 days, except for information we are legally required to retain. On written request before deletion, we will provide an export of your data in JSON or CSV format at our discretion.

15 · Liability.

This DPA is subject to the limitations of liability set out in the Terms of Service.

16 · Governing law.

This DPA is governed by the laws of Victoria, Australia.

17 · Contact.

KoalaFix Pty Ltd · ACN 696 245 959
425 Smith Street, Fitzroy VIC 3065
Email: support@koalafix.com