How Vorana processes Customer Data on your behalf, the security measures we apply, and your rights as data controller.
Last updated: 1 May 2026
This Addendum forms part of the agreement between you (“Customer”) and Vorana Pty Ltd (82842478628) (“Vorana”) covering use of the Vorana service. It is drafted primarily under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). Where Customer Data also includes personal data of individuals in the European Economic Area, the United Kingdom, or another jurisdiction with comparable data-protection laws, the additional clauses in section 9 apply. This Addendum supplements the Terms of Service or signed MSA.
“Personal Information” has the meaning given in section 6 of the Privacy Act 1988 (Cth). “APP entity”, “APP”, “Eligible Data Breach”, and “Sensitive Information” have the meanings given in the Privacy Act. “Customer Data” means information (including Personal Information) you submit to or generate through the Service. Where the GDPR or UK GDPR applies, “Personal Data”, “Controller”, “Processor”, “Sub-processor”, and “Data Subject” have the meanings given in those laws and are read alongside their Australian equivalents.
Both Customer and Vorana are APP entities (where applicable) and have independent obligations under the Privacy Act in respect of Personal Information they handle. As between the parties, Customer determines the purposes and means of Processing and Vorana acts on Customer’s documented instructions, including those embedded in Customer’s configuration of the Service. Where the GDPR or UK GDPR applies to a particular Processing activity, Customer is the Controller and Vorana is the Processor for that activity.
Personnel authorised to handle Personal Information are bound by written confidentiality obligations and trained on the Privacy Act and our internal privacy procedures.
Vorana takes such steps as are reasonable in the circumstances to protect Personal Information from misuse, interference, loss, unauthorised access, modification, or disclosure, in line with APP 11. Measures include: TLS 1.2+ in transit, encryption at rest, per-tenant customer-managed encryption keys (CMK) for the audit store, signed policy and skill bundles, region-locked routing, role-based access control, comprehensive audit logging, and regular independent security testing. See Security overview.
Customer authorises Vorana to engage Sub-processors to perform Processing on its behalf. Where any Sub-processor is overseas, Vorana’s obligations under APP 8 apply (see section 9). A current list and a notification mechanism for new Sub-processors are available at privacy@vorana.ai. Customer may object to a new Sub-processor in writing within 30 days; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service.
Vorana provides Customer with self-service tools (audit search, replay, deletion) and reasonable assistance, taking into account the nature of the Processing, to enable Customer to respond to access (APP 12) and correction (APP 13) requests, and equivalent rights under other applicable laws. Vorana will redirect to Customer any request it receives directly.
Vorana will notify Customer without undue delay after becoming aware of a data breach affecting Customer Data, and in any event within 72 hours of awareness, providing the information reasonably needed for Customer to assess whether the breach is an Eligible Data Breach under Part IIIC of the Privacy Act and to comply with its own notification obligations. Where Vorana itself is required to notify the OAIC and affected individuals as an APP entity, it will do so as soon as practicable in accordance with the Notifiable Data Breaches scheme.
APP 8. Where Vorana discloses Personal Information about Australian individuals to overseas recipients, Vorana takes reasonable steps to ensure those recipients do not breach the APPs in relation to that information. Region-locked deployments are available for Customers that require Personal Information to remain within Australia.
EEA / UK transfers. Where Customer Data includes personal data subject to the GDPR or UK GDPR and is transferred to a country without an adequacy decision, the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK International Data Transfer Addendum (where relevant) are incorporated by reference and signed by Customer’s acceptance of this DPA.
Vorana will make available, under NDA, current independent attestations (such as ISO/IEC 27001 certificates, SOC 2 reports, and IRAP assessment summaries where applicable). Customer may conduct an audit no more than once per year on reasonable prior notice; the parties will agree scope and timing in good faith and Vorana may charge its reasonable costs for any on-site audit.
On termination, Customer may export Customer Data via API or Admin Portal for 30 days. After that period, Vorana will delete or de-identify Customer Data within 60 days, subject to retention required by Australian law.
The liability provisions of the underlying agreement apply to claims arising under this DPA, subject always to any non-excludable rights under the Australian Consumer Law and the Privacy Act.
To the extent of any conflict, this DPA prevails over the underlying agreement with respect to the handling of Personal Information.
This DPA is governed by the laws of New South Wales, Australia. Each party submits to the exclusive jurisdiction of the courts of New South Wales and the courts of appeal from them.
Privacy Officer, Vorana Pty Ltd — privacy@vorana.ai.