VoxQuote

Legal · binding on acceptance

Data Processing Addendum

Last updated: 8 May 2026

1. Scope and overview

This Data Processing Addendum (DPA) supplements the VoxQuote Terms of Service available at /terms and applies whenever VoxQuote (operated as a sole trader in Australia; a Pty Ltd is being registered and this DPA will be reissued by the company on incorporation) processes personal information on behalf of a Customer.

Capitalised terms not defined here have the meaning given in the Terms of Service. Where a term is defined in the Privacy Act 1988 (Cth) or the EU General Data Protection Regulation (GDPR), it has that meaning when applicable to the jurisdiction governing the relevant data subject.

2. Roles and responsibilities

For the purposes of this DPA the Customer is the Controller (or APP Entity, where the Privacy Act applies) and VoxQuote is the Processor. VoxQuote processes personal information only on the Customer's documented instructions, including processing necessary to deliver the services described in the Terms of Service.

3. Categories of data and data subjects

The Customer determines what personal information enters the service. Typical categories include:

  • Quote-recipient data: name, email, phone, postal address, job description, photographs of the work site supplied by the Customer or their end-customer.
  • Operator data: Customer staff identifiers (name, email, phone, role) for users with access to the Customer's account.
  • Voice recordings + transcripts: short voice dictations the Customer records to draft a quote, plus the AI transcript. Recordings are deleted within 24 hours of the quote being saved unless the Customer enables long-term retention.

Sensitive information (as defined in APP 3) and special-category data (as defined in GDPR Art. 9) are out of scope. The Customer agrees not to enter such information into the service.

4. Sub-processors

VoxQuote engages the following sub-processors to deliver the service. The Customer is notified at least 30 days before any new sub-processor is added; objections may be lodged through the Customer's account or by email to legal@voxquote.com.au.

| Sub-processor | Purpose | Region |
| --- | --- | --- |
| Supabase (US) | Database, auth, file storage | ap-southeast-1 (Singapore) |
| Vercel | Application hosting, edge runtime | Sydney (syd1) + global edge |
| OpenAI (US) | Speech-to-text + extraction (primary) | US (no data retention enabled) |
| Groq Cloud (US) | Speech-to-text + extraction (fallback) | US (no data retention enabled) |
| Sentry (US) | Error monitoring (PII may incidentally appear in stack traces) | US / EU |
| Vercel Analytics | Cookie-free aggregated traffic + speed insights | Global edge |
| Resend (US) | Transactional email delivery | US |
| Twilio (US) | SMS + WhatsApp delivery | US / multi-region |
| Stripe (Australia) | Subscription billing + customer payment links | AU |

5. International transfers

Personal information is stored at rest in the Asia-Pacific region on Supabase's Singapore (ap-southeast-1) cluster — the closest region currently provisioned. We plan to migrate to Sydney (ap-southeast-2) once the project is on a Supabase tier that supports custom region selection; this DPA will be updated when the migration completes. Where sub-processors are located in the United States, transfers occur under contractual terms aligned with APP 8 (Cross-border disclosure of personal information) and, where applicable, the EU Standard Contractual Clauses 2021/914.

6. Security measures

VoxQuote maintains technical and organisational measures appropriate to the risks of processing, including:

  • Data in transit protected by TLS 1.2+ (TLS 1.3 on supporting clients) with HSTS preload.
  • Data at rest encrypted via the underlying cloud provider's managed encryption (AES-256).
  • Row-level security on every multi-tenant table; explicit per-user policies on every read and write path.
  • Least-privilege access for VoxQuote personnel; production database access requires multi-factor authentication and is logged.
  • Vulnerability disclosure programme published at /.well-known/security.txt.
  • Public-quote pages served with frame-ancestors: none, strict Content-Security-Policy, and a vulnerability-blocked iframe stance.
  • Optional Enterprise controls: IP allowlisting, audit-log export, SSO via Google or Apple identity providers (OIDC).

7. Personal-data breach notification

VoxQuote will notify the Customer without undue delay (and in any case within 72 hours) on becoming aware of a Notifiable Data Breach (as defined in the Privacy Act) or a personal data breach (as defined in GDPR Art. 4(12)) affecting the Customer's data. Notification is made to the email address on the Customer's account and includes the categories of data affected, the approximate number of data subjects, the likely consequences, and the measures taken or proposed in response.

8. Data subject rights

The Customer is responsible for responding to data-subject requests (access, correction, erasure, portability, objection). VoxQuote assists by providing self-service tools at /settings/data (audit log export, account erase, customer export) and by responding to requests for assistance within 7 business days of receipt at privacy@voxquote.com.au.

9. Audit and information rights

The Customer may request, no more than once per twelve-month period, a written summary of VoxQuote's information-security practices and the most recent third-party security review. On reasonable notice and at the Customer's reasonable expense, VoxQuote will respond in good faith to information requests necessary for the Customer to verify compliance with this DPA.

10. Return or deletion of data

On termination of the underlying contract, VoxQuote will at the Customer's choice either return the Customer's personal information in a portable format or delete it in accordance with the retention policy at /retention. Backups are purged within 90 days of deletion.

11. Liability and governing law

The liability terms in the Terms of Service apply to this DPA. The DPA is governed by the laws of New South Wales, Australia, and the parties submit to the exclusive jurisdiction of the courts of New South Wales. Where applicable to a data subject within the EU, EEA, or UK, the laws of that jurisdiction govern matters arising under that jurisdiction's data-protection regime to the extent mandated by it.

12. Acceptance

By using the VoxQuote service the Customer accepts this DPA. A counter-signed PDF version is available on request to support@voxquote.com.au for procurement teams that require an executed copy.


This page is a substantive summary of the binding DPA. For matters where the executed counter-signed PDF and this page conflict, the executed PDF prevails.
