Skip to content
CORAZ
Product Founders Consulting Philosophy Pricing About Contact
Request access → Try the demo →
Product Founders Consulting Philosophy Pricing About Contact
Request access → Try the demo →
LEGAL

Data Processing Agreement.

VERSION 1.0 · EFFECTIVE 9 JUNE 2026 · Coraz PTY LTD ACN 696 741 885
This is the standard form DPA. It forms part of your agreement with Coraz when incorporated by reference in an Order Confirmation or Master Services Agreement. To request a redlined or executed copy, contact legal@coraz.ai.

1. Background

1.1 Coraz Pty Ltd ACN 696 741 885 ("Processor", "Coraz") provides a software platform and consultancy services to its customers ("Controller") under a Terms of Service or Master Services Agreement ("Principal Agreement").

1.2 In performing those services, Coraz processes personal information on behalf of the Controller. This Data Processing Agreement ("DPA") sets out the terms on which Coraz does so.

1.3 This DPA supplements and is incorporated into the Principal Agreement. In the event of conflict, this DPA prevails with respect to data processing matters.

2. Definitions

  • APPs — the Australian Privacy Principles in Schedule 1 of the Privacy Act 1988 (Cth).
  • Controller Personal Data — personal information that the Controller provides to Coraz, or that Coraz collects on the Controller's behalf, in connection with the services.
  • Data Breach — unauthorised access to, or disclosure or loss of, Controller Personal Data that is likely to result in serious harm to one or more individuals.
  • Data Subject — an individual whose personal information is included in Controller Personal Data.
  • Privacy Act — the Privacy Act 1988 (Cth), including the APPs and the Notifiable Data Breaches scheme.
  • Processing — any operation performed on Controller Personal Data, including collection, storage, use, disclosure, and deletion.
  • Sub-processor — a third party engaged by Coraz to perform Processing on the Controller's behalf.

3. Subject Matter, Duration, and Nature of Processing

3.1 Subject matter. Coraz processes Controller Personal Data to provide and operate the Daxo platform and any Consultancy Services under the Principal Agreement.

3.2 Duration. Processing continues for the term of the Principal Agreement and for any retention period permitted under this DPA or required by law.

3.3 Nature of processing. Storage, retrieval, querying, AI-assisted analysis, and deletion of Controller Personal Data as necessary to operate the platform and perform the services.

3.4 Purpose. Solely to provide the services described in the Principal Agreement. Coraz will not process Controller Personal Data for its own purposes, including to train AI models on identifiable data.

4. Categories of Personal Data and Data Subjects

4.1 The categories of personal data processed and the categories of data subjects will be as determined by the Controller and uploaded or generated through the platform. Common categories include:

Category of data Typical data subjects
Names, email addresses, contact details Controller's clients, employees, counterparties
Business and financial information Controller's clients, business contacts
Documents, correspondence, file attachments Controller's clients, employees
Operational records (tasks, decisions, audit events) Controller's employees and operators

4.2 The Controller is responsible for ensuring it has a lawful basis under applicable law to provide Controller Personal Data to Coraz for processing.

5. Controller's Obligations

5.1 The Controller must:

  • ensure it has a lawful basis for providing Controller Personal Data to Coraz;
  • provide processing instructions to Coraz that comply with applicable privacy law;
  • ensure the accuracy and completeness of Controller Personal Data before providing it;
  • notify Coraz promptly of any changes to its processing instructions; and
  • where applicable, obtain any required consents from data subjects for the processing described in this DPA.

5.2 The Controller acknowledges that Coraz is a processor and not a controller of Controller Personal Data. Coraz's obligations under this DPA are conditioned on receiving lawful instructions from the Controller.

6. Processor's Obligations

6.1 Instructions

Coraz will process Controller Personal Data only on documented instructions from the Controller (including as set out in this DPA and the Principal Agreement), unless required to do so by law. Coraz will notify the Controller if, in its opinion, an instruction infringes applicable privacy law.

6.2 Confidentiality of processing

Coraz will ensure that personnel authorised to process Controller Personal Data are bound by appropriate confidentiality obligations and are trained on privacy obligations relevant to their role.

6.3 Security

Coraz will implement and maintain technical and organisational measures appropriate to the risk, including:

  • encryption in transit (TLS 1.2 minimum) and at rest;
  • row-level tenant isolation enforced at the database layer;
  • access controls restricting staff access to Controller Personal Data to those with a documented operational need;
  • an append-only audit log of all access and processing events; and
  • regular review of security measures appropriate to the nature of the data and the processing.

A summary of current security measures is published at coraz.ai/security.

6.4 Data subject rights

Coraz will assist the Controller in responding to data subject requests for access, correction, or deletion of Controller Personal Data, to the extent technically practicable and within timeframes agreed with the Controller. The Controller remains responsible for responding to data subjects.

6.5 Regulatory assistance

Coraz will provide reasonable assistance to the Controller in meeting its obligations under applicable privacy law, including in relation to data protection impact assessments, security notifications, and responses to regulators, taking into account the nature of the processing and the information available to Coraz.

7. Sub-processors

7.1 The Controller provides general authorisation for Coraz to engage sub-processors as listed in the Schedule to this DPA. Coraz will impose data protection obligations on sub-processors consistent with those in this DPA.

7.2 Coraz will notify the Controller of any intended changes to sub-processors (additions or replacements) with at least 30 days' prior notice. The Controller may object to a new sub-processor on reasonable data protection grounds within 14 days of notice. If the parties cannot resolve the objection, the Controller may terminate the relevant services on 30 days' written notice without penalty.

7.3 Coraz remains liable for the acts and omissions of its sub-processors to the same extent as if Coraz performed the processing itself.

8. International Transfers

8.1 Controller Personal Data is stored in Australian data centres. Coraz does not transfer stored data outside Australia for production workloads.

8.2 AI inference — Anthropic PBC (United States). When the Controller uses AI features of the platform, queries and associated context from Controller Personal Data are transmitted to Anthropic PBC in the United States for processing. Before making this transfer, Coraz takes reasonable steps under APP 8 to ensure Anthropic does not breach the APPs with respect to that data. Anthropic is bound by contractual data processing obligations consistent with applicable privacy law.

8.3 By using AI features of the platform, the Controller acknowledges this transfer and confirms it has a lawful basis for the transfer to Anthropic under applicable law. If the Controller's applicable law requires additional safeguards (e.g., standard contractual clauses under the GDPR), the Controller must notify Coraz so that appropriate arrangements can be put in place.

9. Data Breach Notification

9.1 Coraz will notify the Controller within 24 hours of becoming aware of a confirmed Data Breach affecting Controller Personal Data.

9.2 The notification will include, to the extent then known: the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate volume of data affected; the likely consequences of the breach; and the measures taken or proposed to address it.

9.3 Coraz will co-operate with the Controller in investigating the breach and in meeting the Controller's obligations under the Notifiable Data Breaches scheme or other applicable law. The Controller remains responsible for notifying data subjects and the OAIC as required.

9.4 Notification under clause 9.1 does not constitute an admission of fault or liability by Coraz.

10. Return and Deletion of Data

10.1 On termination or expiry of the Principal Agreement, Coraz will, at the Controller's election:

  • make Controller Personal Data available for export for 30 days post-termination; and
  • thereafter, securely delete or destroy all copies of Controller Personal Data in Coraz's possession or control, within a reasonable time.

10.2 Coraz may retain Controller Personal Data that it is required to retain by law, for the duration of that legal obligation only.

10.3 On request, Coraz will provide written confirmation that deletion has been completed.

11. Audit Rights

11.1 The Controller may, on at least 30 days' written notice, conduct or commission an audit of Coraz's processing of Controller Personal Data, no more than once per calendar year (unless following a confirmed Data Breach).

11.2 Audits must be conducted during business hours, without unreasonable disruption to Coraz's operations, and at the Controller's cost. Coraz may require the auditor to sign a confidentiality agreement.

11.3 Coraz may satisfy audit obligations by providing its most recent third-party security assessment (SOC 2 report or equivalent) in lieu of a direct audit, where that report addresses the relevant scope.

12. Liability

12.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Principal Agreement.

12.2 Nothing in this DPA excludes or limits liability that cannot be excluded under the Privacy Act 1988 (Cth) or other applicable law.

13. Governing Law

This DPA is governed by the laws of New South Wales, Australia, consistent with the Principal Agreement.

Schedule — Approved Sub-processors

Current as at the effective date of this DPA. Coraz will maintain an up-to-date version at this URL and notify Controllers of changes per clause 7.2.

Sub-processor Country Purpose Data processed
Anthropic PBC United States AI inference — processing queries submitted to Ask Daxo and other AI features Query text and context, which may include Controller Personal Data
Australian cloud infrastructure provider Australia Hosting, database, storage, backups All Controller Personal Data stored on the platform

Note: The specific infrastructure provider will be named in executed copies of this DPA. Contact legal@coraz.ai for the current provider details.

Executing this DPA

This standard form DPA applies automatically where referenced in an Order Confirmation or Master Services Agreement. For customers who require a separately executed DPA — including those with GDPR obligations, regulated-vertical requirements, or bespoke redlines — contact us:

legal@coraz.ai · Executed copies returned within 5 business days.

Legal: legal@coraz.ai · Privacy Policy: coraz.ai/privacy · Security: coraz.ai/security