Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Karven Terms of Service between you ("Customer") and Tradeforge Pty Ltd (trading as Karven) ("Karven"). It governs how Karven processes Personal Information (as defined in the Privacy Act 1988 (Cth)) and Personal Data (as defined in the EU General Data Protection Regulation and the UK GDPR) that the Customer uploads, transmits, or otherwise routes through the Karven platform on behalf of the Customer's own customers.

The DPA applies automatically to every Karven account that handles third-party personal information. You do not need to sign anything additional to receive its benefit; using Karven to quote a customer triggers it. The most recent version published on this page is the operative version.

The Customer is the controller (within the meaning of Article 4(7) GDPR) and the APP entity (within the meaning of the Privacy Act 1988 (Cth)) in respect of the Personal Information of the Customer's own customers, subbies, suppliers and other third parties that the Customer enters into Karven.

Karven is the processor (Article 4(8) GDPR) in respect of that Personal Information. Karven processes that data only on documented instructions from the Customer, and the act of uploading or entering it is itself a documented instruction.

In respect of Personal Information collected directly by Karven from the Customer (account details, billing, support correspondence), Karven is the controller and the Privacy Policy applies.

Subject matter: provision of the Karven quoting platform to the Customer.

Duration: for as long as the Customer has an active Karven account, plus the retention periods described in the Privacy Policy.

Nature and purpose: storage, organisation, retrieval, calculation, formatting, transmission (by email or SMS), and routine technical operations necessary to deliver the platform.

Categories of data subject: the Customer's own customers, the Customer's subcontractors, and any individual whose personal information the Customer enters.

Categories of personal data: identifying information (name, business name, address), contact information (email, phone), site notes, photographs of work sites, quote line items, compliance documents (where the subbies module is used), and financial information (invoiced amount, due amount, payment status).

Karven will:

• Process the Personal Information only on the Customer's documented instructions, including with regard to transfers of Personal Information outside Australia (see Section 7).
• Ensure that personnel authorised to process the Personal Information are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organisational measures (TLS 1.3 in transit, AES-256 at rest, row-level security at the database, hardware-key 2FA for staff access, just-in-time elevation, daily encrypted backups).
• Assist the Customer (taking into account the nature of processing and the information available to Karven) in fulfilling its obligations to respond to requests from data subjects exercising their rights.
• Assist the Customer in ensuring compliance with security, breach notification, data-protection-impact-assessment and prior-consultation obligations.
• Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including by responding to written audit questionnaires once per twelve-month period.
• Notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting the Customer's data.

The Customer gives Karven a general written authorisation to engage the sub-processors listed in the Privacy Policy (Supabase, Stripe, Resend, Twilio, MYOB, Xero, Google, Vercel, Sentry, plus any successor to those services). The current list is available at any time at https://www.karven.com.au/privacy.

Karven will notify the Customer at least 30 days before engaging any new sub-processor that will have access to the Customer's Personal Information. The Customer may object to the change in writing within that 30-day window. If the parties cannot resolve the objection in good faith, the Customer may terminate the Karven subscription without penalty.

Each sub-processor is bound by a written contract that imposes data-protection obligations equivalent to those in this DPA.

Karven exposes self-service tooling that allows the Customer to fulfil most data-subject rights without contacting us:

• Right of access: the Customer can download every record they hold via /settings/data-export.
• Right of rectification: the Customer can edit any field directly inside the app.
• Right of erasure: the Customer can delete any customer record, subbie, or quote individually, or delete the entire account via /settings/delete-account.
• Right of portability: the data-export ZIP is produced in machine-readable JSON.

Where a data subject contacts Karven directly with a request that we cannot fulfil without the Customer's authorisation, we will (a) acknowledge receipt to the data subject and (b) refer the request to the Customer at the email address on the account. Contact: privacy@karven.com.au.

Application data is stored in Supabase's Sydney region. Where personal data is transferred to a sub-processor outside Australia (primarily Stripe, Resend, Sentry and Twilio in the United States), the transfer is made under the European Commission Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum where relevant.

Karven warrants that it has performed a transfer-impact assessment for each onward transfer of EU/UK personal data and is satisfied that the recipient can provide an essentially equivalent level of protection. The assessment is available on written request.

Karven will notify the Customer of any Personal Data Breach affecting the Customer's data without undue delay and in any event within 72 hours of Karven becoming aware. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures Karven has taken or proposes to take to address the breach.

The Customer remains responsible for assessing whether the breach is also an eligible data breach under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth) or a notifiable breach under Article 33 GDPR, and for making any notifications required by those laws to the OAIC, the EU supervisory authority, and affected data subjects.

On termination of the Karven subscription, the Customer may export all Personal Information via the data-export tool. Karven will retain the Customer's data in a deactivated state for 30 days, after which it will be hard-deleted in line with the Privacy Policy except for records Karven is required by law to retain (such as billing history for seven years).

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Karven Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law.

This DPA is governed by the laws of New South Wales, Australia, save that where the processing is subject to the GDPR, the data-protection provisions of this DPA will be construed by reference to the GDPR and the European Commission Standard Contractual Clauses.

Questions about this DPA, or requests to execute a counter-signed copy on Karven letterhead, should be directed to privacy@karven.com.au.