This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Onidel Cloud Terms of Service (“Agreement”) between:
Onidel Pty Ltd (ABN 67 662 357 397), an Australian proprietary company (“Onidel” or “Data Processor”); and
The Customer identified in the applicable Onidel Cloud account (“Customer” or “Data Controller”).
Together referred to as the “Parties” and each a “Party.”
1. Purpose and Scope
This DPA sets out the obligations of Onidel when processing personal information or other data on behalf of the Customer in connection with the provision of cloud infrastructure services, including virtual private servers, block storage, object storage, and related services (the “Services”).
This DPA is intended to ensure compliance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles and the Notifiable Data Breaches (“NDB”) scheme under Part IIIC of the Privacy Act, as well as any other applicable Australian data protection laws and regulations.
For the purposes of this DPA:
• “Customer Data” means all data, including personal information as defined in the Privacy Act 1988 (Cth), that the Customer stores, transmits, or processes using the Services.
• “Data Breach” means any unauthorised access to, disclosure of, or loss of Customer Data, or any event that is, or is likely to be, an “eligible data breach” within the meaning of Part IIIC of the Privacy Act 1988 (Cth).
• “Sub-processor” means any third party engaged by Onidel that has access to or processes Customer Data in connection with the delivery of the Services.
2. Data Handling Obligations
2.1 Processing Instructions
Onidel shall process Customer Data only in accordance with the Customer’s documented instructions and solely for the purpose of providing the Services. Onidel will not process Customer Data for any independent purpose, including marketing, analytics, profiling, or any purpose unrelated to the delivery of the Services.
2.2 Prohibition on Unauthorised Access
Onidel shall not access, use, copy, modify, or disclose Customer Data except as:
(a) Strictly necessary to deliver, maintain, or support the Services;
(b) Required by applicable Australian law or a valid order of an Australian court or regulatory authority; or
(c) Expressly authorised in writing by the Customer.
Where Onidel is compelled by law to access or disclose Customer Data, Onidel will, to the extent permitted by law, promptly notify the Customer of such requirement before making the disclosure.
2.3 Infrastructure-Only Access
The Customer acknowledges that Onidel provides infrastructure-as-a-service. Onidel’s personnel may access the underlying hypervisor, storage, and network infrastructure for operational purposes (such as hardware maintenance, security patching, and incident response), but will not access the contents of Customer Data except as set out in clause 2.2.
2.4 Account Data
Onidel collects and stores Customer account information (such as name, email address, billing details, and contact information) for the purpose of administering the Services. Customer account passwords are stored using industry-standard one-way cryptographic hashing and are not stored in plain text. Sensitive information shared by the Customer via support tickets (such as credentials, access keys, or similar material) is automatically purged from the ticketing system after 7 days.
3. Security — Shared Responsibility Model
Onidel operates an infrastructure-as-a-service platform. Security is a shared responsibility between Onidel and the Customer. Onidel is responsible for securing the physical infrastructure, hypervisor, storage hardware, and network infrastructure. The Customer is responsible for securing the guest operating system, applications, and data within their provisioned instances.
3.1 Shared Responsibility Summary
The following table summarises the division of security responsibilities:

3.2 Onidel’s Security Obligations
Onidel implements and maintains the following security measures for the infrastructure under its control:
- Encryption in transit: All management, API, and control-plane communications are encrypted using TLS 1.2 or higher.
- Access controls: Role-based access limited to personnel whose roles require infrastructure access for the delivery of the Services, with multi-factor authentication for administrative access to production systems.
- Monitoring and logging: Logging and monitoring of administrative access to infrastructure components, with regular review of access privileges to ensure compliance with the principle of least privilege.
- Physical security: All data centre facilities provide enterprise-grade physical security including biometric or multi-factor access controls, 24/7 monitoring, CCTV surveillance, and environmental protections. Details of each facility are set out in Schedule 1.
3.3 Customer’s Security Obligations
The Customer is solely responsible for:
- Implementing encryption of data at rest within provisioned instances where required by applicable law or the Customer’s regulatory obligations (for example, using full-disk encryption such as LUKS/dm-crypt or application-level encryption);
- Securing and patching the guest operating system and all software installed within provisioned instances;
- Managing user access, authentication, and authorisation within provisioned instances;
- Implementing application-level firewalls, intrusion detection, and security monitoring;
- Maintaining backups of Customer Data in accordance with the Customer’s own business continuity and disaster recovery requirements; and
- Classifying data and ensuring the Services selected are appropriate for the sensitivity and regulatory requirements of the Customer’s data.
3.4 Confidentiality
All Onidel employees and contractors with access to infrastructure on which Customer Data may reside are bound by written confidentiality obligations. These obligations survive the termination of their employment or engagement.
4. Sub-processors
4.1 Current Sub-processors
Onidel engages the following sub-processors in connection with the delivery of the Services. Only sub-processors relevant to the Customer’s selected data centre location(s) apply to the Customer’s deployment.

An up-to-date list of Onidel data centre locations and facilities is maintained at: https://kb.onidel.com/hc/kb/articles/1756088660-datacenters
4.2 Sub-processor Obligations
Onidel ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA, including confidentiality, security, and restrictions on data use.
4.3 Notification of New Sub-processors
Onidel will provide the Customer with at least 30 days’ prior written notice before engaging any new sub-processor that would have access to Customer Data. The notice will include the identity of the sub-processor, the nature of the processing, and the location of processing.
4.4 Right to Object
The Customer may object to the engagement of a new sub-processor by providing written notice to Onidel within 14 days of receiving notification. Onidel will work in good faith with the Customer to address the objection, which may include providing an alternative sub-processor. If the Parties are unable to resolve the objection within a reasonable period, the Customer may terminate the affected Services without penalty on 30 days’ written notice.
5. Data Breach Notification
5.1 Notification Timeframe
In the event Onidel becomes aware of a suspected or confirmed Data Breach affecting Customer Data, Onidel will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be made via the Customer’s registered email address and, where applicable, through the Onidel control panel.
5.2 Content of Notification
The breach notification will include, to the extent known at the time:
- A description of the nature of the breach, including the categories and approximate volume of data affected;
- The likely consequences of the breach;
- The measures taken or proposed to be taken by Onidel to address the breach and mitigate its effects; and
- A contact point at Onidel for further information.
5.3 Cooperation with NDB Obligations
Onidel will provide reasonable assistance to the Customer in meeting the Customer’s own obligations under the NDB scheme, including providing information and cooperation necessary for the Customer to assess whether an eligible data breach has occurred and to prepare any notification to the Office of the Australian Information Commissioner (“OAIC”) or affected individuals.
5.4 Scope of Breach Notification
For the avoidance of doubt, Onidel’s breach notification obligations under this clause 5 apply only to breaches of the infrastructure, systems, or networks under Onidel’s control. Security incidents originating within the Customer’s provisioned instances (such as application vulnerabilities or compromised credentials) are the Customer’s responsibility to detect, assess, and report.
6. Data Location
6.1 Data Residency
Customer Data is stored and processed in the data centre location(s) selected by the Customer at the time of provisioning. Onidel will not replicate, transfer, or store Customer Data to any location other than the Customer’s selected data centre location(s) without the Customer’s prior written consent.
6.2 Australian Data Residency
Where the Customer has provisioned Services exclusively in Onidel’s Sydney data centre (Equinix SY3, Alexandria, NSW), Customer Data will remain within Australia. This may assist the Customer in meeting obligations under the Privacy Act regarding cross-border disclosure of personal information.
6.3 Multi-Region Deployments
If the Customer elects to provision Services in data centres located outside Australia, the Customer acknowledges that Customer Data will be stored in the selected jurisdiction(s). In such cases, the Customer is solely responsible for ensuring compliance with the Privacy Act and any other applicable requirements regarding cross-border disclosure of personal information.
7. Customer Rights
7.1 Evidence of Compliance
Upon the Customer’s written request (no more than once per 12-month period unless a Data Breach has occurred), Onidel will provide the Customer with a summary of its security measures, compliance status, and any relevant audit reports or certifications held by Onidel or its data centre providers. Onidel may satisfy this obligation by providing third-party audit reports, SOC reports from its data centre providers, or an attestation signed by an authorised officer.
7.2 Right to Object to Sub-processors
The Customer’s right to object to sub-processors is set out in clause 4.4 above.
7.3 Data Portability and Access
During the term of the Agreement, the Customer retains full access to Customer Data through the Services and may export or retrieve Customer Data at any time using the tools and interfaces provided by Onidel.
8. Data Deletion and Return on Termination
Upon termination or expiry of the Agreement, or upon the Customer’s written request:
(d) Onidel will continue to make Customer Data available for retrieval for a period of 14 days following termination (“Retrieval Period”);
(e) Following the expiry of the Retrieval Period, Onidel will delete all Customer Data from its systems within 30 days of the termination date, including any copies, backups, or replicas, except to the extent that retention is required by applicable Australian law; and
(f) Upon the Customer’s request, Onidel will provide written confirmation that deletion has been completed.
The Customer acknowledges that once Customer Data has been deleted, it cannot be recovered.
9. Governing Law and Jurisdiction
This DPA is governed by and construed in accordance with the laws of the State of New South Wales and the Commonwealth of Australia, including the Privacy Act 1988 (Cth). The Parties submit to the non-exclusive jurisdiction of the courts of New South Wales.
9.1 Cooperation with Regulatory Authorities
Onidel will cooperate with any inquiry, investigation, or determination by the OAIC or any other Australian regulatory authority in connection with the processing of Customer Data under this DPA, to the extent such cooperation is required by law or reasonably requested by the Customer.
10. Term and Amendment
This DPA commences on the Effective Date and remains in force for the duration of the Agreement. It will automatically terminate upon termination or expiry of the Agreement, subject to any surviving obligations (including data deletion under clause 8 and confidentiality under clause 3.4).
This DPA may only be amended by written agreement signed by both Parties.
11. Conflict
In the event of any conflict between this DPA and the Agreement (including the Onidel Terms of Service and Privacy Policy), the terms of this DPA will prevail to the extent of the inconsistency with respect to matters relating to data processing and data protection.
12. Contact
For any queries relating to this DPA, the Customer may contact Onidel at:
- Email: [email protected]
- Support portal: https://cloud.onidel.com (Support Tickets)