Data Processing Addendum
Version 1.0 — Effective Date: 15 June 2026
At a glance
This addendum supplements our Terms of Service and Privacy Policy. It describes how NovoCove processes personal information on behalf of customers (data controllers), the subprocessors we engage, the security measures we apply, and your data-subject rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The full, legally binding text is in the in-app version of this document.
1. Roles
Customer (you): the data controller. You determine the purposes and means of processing personal information about your staff.
NovoCove (we): the data processor. We process personal information only on your documented instructions to provide the platform.
2. Data categories we process
- Personal information: name, contact details, employment details of your staff
- Government identifiers: Working with Children Check numbers, teacher registration numbers, AHPRA registrations, ABNs
- Certification evidence: PDFs, images, and other documents you upload to demonstrate compliance
- Usage data: logs, IP addresses, browser types, page views necessary to operate and secure the platform
3. Subprocessors
We engage a small set of trusted subprocessors, all bound by confidentiality and data-protection obligations no less protective than this addendum:
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and data storage | Sydney, Australia |
| Stripe | Payment processing | Australia / US |
| Resend | Transactional email delivery | US |
| Google Analytics | Anonymous usage analytics (gated on consent) | US |
A current list of subprocessors is always available in-app under Settings → Legal → Subprocessors. We notify customers at least 30 days before adding a new subprocessor.
4. Security measures
AES-256 encryption at rest for all stored data
TLS 1.2+ encryption in transit for all data transmissions
Role-based access control (RBAC) with multi-factor authentication for administrative access
Audit logging of all access to and changes on staff and certification records
Australian data sovereignty — customer data is stored in AWS Sydney
5. Data breach notification
In the event of a data breach affecting customer personal information, NovoCove will:
- Notify the customer (data controller) within 24 hours of discovery
- Provide all information reasonably necessary for the customer to comply with the Notifiable Data Breaches (NDB) scheme
- Cooperate with the customer's notification to the Office of the Australian Information Commissioner (OAIC) where required
- Take immediate steps to contain the breach and prevent further unauthorised access
6. Data return and deletion
On termination, customers can request a full export of their data in CSV or JSON format within 30 days. After a 90-day grace period, all personal information is permanently deleted from production systems and backups, subject to legal retention obligations.
7. Cross-border data transfers
Customer data is stored in Australia (AWS Sydney). Some subprocessors listed in Section 3 may process data outside Australia under confidentiality agreements that are APP 8 compliant. We do not transfer personal information outside Australia without appropriate safeguards.
8. Contact
For questions about this addendum, your data-subject rights, or to request a copy of the full document:
Looking for the full text?
Logged-in users of the NovoCove platform can access the complete, legally binding Data Processing Addendum from the in-app legal section. The full text is the authoritative source; this page is a public summary.