Data Processing Addendum

Effective Date: 01.01.2026
Last Updated: 22.06.2026

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", "Controller") and Kollabhouse Pty Ltd (ABN 57 695 091 840) ("Kollabhouse", "Processor") when you use the Kollabhouse platform to process personal data about your clients, collaborators, or other third parties.

1. Roles & Scope

For personal data you upload or collect through Kollabhouse about your clients and project contacts, you are the data controller and Kollabhouse acts as your data processor (or service provider). Kollabhouse processes that data only on your documented instructions as set out in your use of the Platform and our Terms of Service.

For your own account data (e.g. your name, email, billing details), Kollabhouse is the controller — see our Privacy Policy.

2. Subject Matter & Duration

Subject matter: Processing of personal data submitted to or generated through the Platform in connection with your client projects.

Duration: For the term of your Kollabhouse subscription or free account, plus any retention period required by law or described in our Privacy Policy after account closure.

Nature & purpose: Hosting, storing, displaying, transmitting, and securing client data; enabling proposals, portals, messaging, contracts, questionnaires, invoicing workflows, and related features you configure.

3. Types of Data & Data Subjects

Categories of data subjects: Your clients, client contacts, collaborators, and other individuals whose data you choose to store in the Platform.

Types of personal data: May include names, email addresses, phone numbers, business details, contract and proposal content, questionnaire responses, messages, files, invoices, payment-related metadata (processed via Stripe Connect on your Stripe account), and other information you upload.

4. Customer Obligations

You agree to:

  • Have a lawful basis to collect and process personal data you upload
  • Provide appropriate privacy notices to your clients where required
  • Not upload unlawful, excessive, or unnecessary personal data
  • Respond to data subject requests for client data you control, using Platform tools where available
  • Comply with applicable privacy laws in your jurisdiction and your clients' jurisdictions

5. Processor Obligations

Kollabhouse will:

  • Process personal data only on your instructions, except where required by law
  • Ensure personnel with access are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not sell client data processed on your behalf
  • Not use client data for our own marketing except where strictly necessary to operate the service you requested
  • Assist you, where reasonably possible, with data subject requests and regulatory inquiries relating to data you control
  • Delete or return client data upon account deletion, subject to legal retention requirements

6. Sub-processors

You authorise Kollabhouse to engage sub-processors to provide the Platform. Current sub-processors include:

  • Supabase — database hosting
  • Vercel — application hosting
  • Cloudflare — CDN, security, and file storage
  • Stripe — subscription billing; Stripe Connect for client invoices on your connected account
  • Postmark — transactional email
  • Google — OAuth and analytics (with consent)
  • Meta — advertising measurement (with consent)
  • Sentry — error monitoring

We will impose data protection obligations on sub-processors through contract. We will notify you of material changes to sub-processors by updating our Privacy Policy or contacting account holders where appropriate.

7. International Transfers

Personal data may be processed in Australia, the United States, and other countries where our sub-processors operate. Where required by UK, EEA, or other applicable law, we rely on appropriate transfer mechanisms such as standard contractual clauses or equivalent safeguards.

8. Security & Breach Notification

We maintain reasonable security measures appropriate to the nature of the data processed. If we become aware of a personal data breach affecting client data we process on your behalf, we will notify you without undue delay after confirming the breach, and provide information reasonably available to help you meet your notification obligations.

9. Audits

Upon reasonable written request, we will provide information necessary to demonstrate compliance with this DPA. Formal audits may be conducted no more than once per year with 30 days' notice, during business hours, and subject to confidentiality and security restrictions.

10. Term & Incorporation

This DPA is effective when you create a Kollabhouse account or continue using the Platform after this DPA is published, and remains in effect for as long as Kollabhouse processes personal data on your behalf.

If there is a conflict between this DPA and the Terms regarding processing of client personal data, this DPA prevails. For a countersigned copy, email support@kollabhouse.com.

11. Contact

Kollabhouse Pty Ltd

ABN 57 695 091 840

Email: support@kollabhouse.com