Data Processing Agreement
Between the Controller (the institution or organisation subscribing to OpenBook Clinical) and OpenBook Clinical Pty Ltd (ABN 38 698 494 656) as Processor.
1. Definitions
In this Agreement, the following terms have the meanings set out below:
2. Subject Matter and Duration
This Agreement governs the Processor's Processing of Personal Data on behalf of the Controller in connection with the provision of the Services. The subject matter of Processing is AI-assisted clinical evidence retrieval and synthesis, as described in the AI Governance Framework published at /governance/ai-framework.
This Agreement commences on the date the Controller's subscription to the Services becomes active and continues for the duration of the subscription period, including any renewal periods, unless terminated earlier in accordance with Clause 9 (Deletion and Return).
Categories of data subjects: The Controller's employees, contractors, and students who are registered users of the OpenBook Clinical platform. OpenBook Clinical does not process the personal data of the Controller's patients.
Categories of Personal Data processed: Account registration information (name, email address, profession, AHPRA registration number where provided); clinical query content submitted by registered users; CPD activity logs and reflections; usage metadata (timestamps, session data, feature interactions).
3. Nature and Purpose of Processing
The Processor processes Personal Data for the sole purpose of providing the Services to the Controller and its authorised users. Processing activities include:
- Authenticating registered users and managing account access
- Storing and retrieving clinical queries submitted by users
- Processing clinical queries via AI-assisted evidence retrieval (passing query content to the Anthropic API under a zero-data-retention agreement)
- Storing CPD activity records associated with user accounts
- Generating usage analytics for platform improvement and institutional reporting
- Sending transactional communications (account notifications, billing receipts)
Patient data: The Processor does not process the personal data of the Controller's patients. Users are instructed not to enter patient-identifiable information into the platform. Technical controls including PII detection are in place to identify and warn against such entry.
4. Data Processor Obligations
The Processor undertakes to:
4.1 Process only on instruction
Process Personal Data only on documented instructions from the Controller (including as set out in this Agreement and the applicable Terms of Service), and not for any other purpose, unless required to do so by applicable law.
4.2 Confidentiality
Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or professional duty.
4.3 Security
Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (see Clause 7 for details).
4.4 Sub-processor management
Not engage any new Sub-processor without prior general authorisation by the Controller (this Agreement constitutes such authorisation for the Sub-processors listed in Clause 5). The Processor will notify the Controller of any intended additions or replacements of Sub-processors with not less than 14 days' notice, giving the Controller opportunity to object.
4.5 Data subject rights
Assist the Controller in responding to requests by data subjects to exercise their rights under the Privacy Act 1988 (Cth), including access, correction, and deletion requests, taking into account the nature of the Processing and information available to the Processor.
4.6 DPIA assistance
Provide reasonable assistance to the Controller in conducting any required Data Protection Impact Assessment (DPIA) relating to the Services, taking into account the nature of Processing and information available to the Processor.
4.7 Deletion
At the choice of the Controller, delete or return all Personal Data at the end of the subscription term (see Clause 9).
4.8 Audit cooperation
Make available to the Controller all information necessary to demonstrate compliance with this Agreement, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and at the Controller's cost.
5. Sub-processors
The Controller provides general authorisation for the Processor to engage the following Sub-processors as at the date of this Agreement. The Processor will maintain an updated list of Sub-processors and notify the Controller of any changes in accordance with Clause 4.4.
| Sub-processor | Entity | Purpose | Data location |
|---|---|---|---|
| Supabase | Supabase Inc. (USA) | Database hosting — user accounts, search history, CPD records | AWS ap-southeast-2 (Sydney, Australia) |
| Anthropic | Anthropic PBC (USA) | AI language model processing — query synthesis (zero-data-retention) | USA (no data retained) |
| Vercel | Vercel Inc. (USA) | Application hosting and serverless compute | AWS / global edge (no personal data stored at edge) |
| Stripe | Stripe Inc. (USA) | Payment processing — billing information | USA / EU (Stripe data centres) |
| Postmark | Wildbit LLC / ActiveCampaign (USA) | Transactional email delivery | USA |
6. Data Subject Rights
Registered users of the OpenBook Clinical platform may exercise the following rights under the Privacy Act 1988 (Cth):
- Access: Request access to personal data held by OpenBook Clinical
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of account data (excluding records required for legal, billing, or audit purposes)
- Search history deletion: Delete individual search records or all history via the dashboard at any time
Requests may be submitted to openbookclinical@gmail.com (subject: Privacy Request). The Processor will respond within 30 days of receiving a verified request. Where a request cannot be fulfilled within 30 days, the Processor will notify the requester of the reason and the expected completion date.
Institutional Controllers may submit data subject requests on behalf of their users. The Processor will assist in fulfilling such requests in accordance with Clause 4.5.
7. Security Measures
The Processor implements the following technical and organisational security measures:
Encryption
- All data in transit is encrypted using TLS 1.3 or higher
- All data at rest in Supabase is encrypted using AES-256 (managed by AWS)
- Database credentials and API keys are stored in environment variables, never in source code
Access controls
- Row-Level Security (RLS) policies are enforced at the database layer; no user can access another user's data
- Administrative access to production systems is restricted to authorised personnel and requires multi-factor authentication
- Production database credentials are rotated on a regular schedule
Availability and integrity
- The platform targets 99.9% uptime, monitored via /api/health
- Database backups are automated and stored in encrypted form by Supabase
- Dependency updates and security patches are applied on a regular cycle
Incident response
The Processor maintains an incident response process. Security incidents are assessed within 24 hours of discovery. Where an incident constitutes an eligible data breach under the NDB scheme, notification obligations are triggered as described in Clause 8.
8. Breach Notification
In the event the Processor becomes aware of a personal data breach affecting Personal Data processed under this Agreement, the Processor will:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, providing: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate number of records affected; (d) contact details of the Processor's privacy contact; (e) a description of likely consequences of the breach; and (f) the measures taken or proposed to address the breach.
- Where required by the Privacy Act 1988 (Cth) Notifiable Data Breaches scheme (Part IIIC), notify the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of the Processor becoming aware that an eligible data breach has occurred.
- Cooperate fully with the Controller in managing and investigating the breach, providing such information as the Controller may reasonably require.
9. Deletion and Return
On termination or expiry of the Controller's subscription, the Processor will, at the Controller's election (to be made within 30 days of termination):
- Delete: Permanently delete all Personal Data processed under this Agreement from the Processor's production systems and Sub-processor systems within 60 days of the election; or
- Return: Provide the Controller with an export of its Personal Data in a standard machine-readable format (CSV or JSON) within 30 days of request, following which the Processor will delete its copies as above.
Notwithstanding the above, the Processor may retain Personal Data where required by applicable law (including tax and financial record-keeping obligations), or where retention is necessary to comply with a legal obligation, resolve disputes, or enforce its agreements. Retained data will be limited to the minimum necessary for the relevant purpose.
Individual users may delete their own account data at any time via the dashboard (Settings → Account → Delete account). Account deletion is processed within 30 days and removes all search history, CPD records, and care plan data. Billing records are retained for 7 years in accordance with Australian tax law.
10. Intellectual Property
10.1 Controller IP retention
The Controller retains all intellectual property rights in:
- research questions, queries, and prompts submitted to the Platform;
- documents, datasets, manuscripts, and other materials uploaded by the Controller;
- outputs, analyses, and synthesis generated by the Platform in response to the Controller's queries; and
- any research ideas, insights, or inventions arising from use of the Platform.
10.2 No Processor ownership claim
The Processor makes no claim to ownership of any content generated by or derived from the Controller's use of the Platform. No licence, assignment, or transfer of intellectual property rights to the Processor is created by virtue of the Controller using the Platform or providing content to the Platform.
10.3 No AI model training
The Processor will not use Controller data — including queries, uploaded documents, AI-generated outputs, or any derived content — to train, fine-tune, or improve any AI model, foundation model, or machine learning system. This commitment applies to all sub-processors, including the AI provider (Anthropic PBC), which processes queries under a zero-data-retention, no-training agreement as documented in the Sub-processor schedule (Clause 5).
11. Governing Law
This Agreement is governed by and construed in accordance with the laws of New South Wales, Australia. The parties submit to the non-exclusive jurisdiction of the courts of New South Wales and the Federal Court of Australia.
Nothing in this Agreement limits the rights of data subjects under the Privacy Act 1988 (Cth) or any other applicable Australian privacy legislation.
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
Request a countersigned DPA
If your institution requires a countersigned version of this Agreement, or needs amendments to accommodate specific procurement requirements, please contact us. We respond to all DPA requests within 5 business days.
Email openbookclinical@gmail.comOpenBook Clinical Pty Ltd · ABN 38 698 494 656 · Sydney, NSW, Australia