Data Processing Agreement
Effective 11 June 2026
This Data Processing Agreement (“DPA”) describes how BusyBee Labs Pty Ltd, trading as BusyBeeDoc (“Processor”), handles patient and personal information on behalf of the Australian medical practice that has subscribed (“Controller”). It forms part of the Master Services Agreement between BusyBeeDoc and the Controller. If there is any inconsistency between this DPA and the rest of that Agreement, this DPA prevails on data-processing matters.
This DPA is governed by the laws of Victoria, Australia, and should be read alongside our Privacy Policy and Terms of Service.
1. Roles
The Controller determines the purpose and means of processing patient data. The Processor handles patient data only on the Controller’s behalf and under its documented instructions. Both parties comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The Controller, as a health service provider, acknowledges that Health Information attracts additional protections under applicable Australian privacy legislation.
2. What we process and why
The Processor handles patient data solely to:
- Operate patient intake and referral forms on the Controller’s website.
- Store form submissions for retrieval by the Controller through the portal.
- Send administrative email notifications to the practice.
- Provide technical maintenance and security monitoring.
Patient data is not used for marketing, AI training, or profiling, or disclosed to third parties without the Controller’s written consent.
3. Data storage and residency
All patient data is stored exclusively in Australia on AWS Asia Pacific (Sydney) infrastructure (ap-southeast-2). Data is not transferred outside Australia without the Controller’s prior written consent.
- Database: Supabase on AWS ap-southeast-2 — per-client schema isolation and row-level security (RLS).
- File storage: Amazon S3 ap-southeast-2 — per-client key prefix isolation, private access only.
- Email delivery: Amazon SES ap-southeast-2.
4. Email notifications and reasonable security measures
Email is standard and accepted practice for administrative notifications in Australian medical settings, consistent with OAIC guidance and RACGP 5th edition standards. The Processor applies TLS 1.2+ encryption in transit via Amazon SES; SPF, DKIM, and DMARC sender authentication; and Australian mail infrastructure throughout.
Standard notification emails to the practice may include basic patient contact details sufficient to action an enquiry (name, date of birth, phone, reason for contact, medication name for script repeats, referral reason). Full clinical records, uploaded documents, and S3 file links are never transmitted via email and remain accessible only through the authenticated secure portal. The Controller is responsible for managing internal inbox access controls within their practice.
Patient confirmation emails may include information the patient themselves submitted (their name, form type, summary of request), consistent with standard Australian GP practice. The patient’s act of submitting the form constitutes implied consent to receive a confirmation email at the address provided.
5. Security
The Processor maintains:
- TLS 1.2+ encryption in transit.
- AES-256 encryption at rest.
- Per-client data isolation with row-level security.
- Authenticated access controls on all patient data endpoints.
- Spam and bot filtering on all form endpoints.
- Automated daily backups retained for 7 days within ap-southeast-2.
- Uptime monitoring.
S3 file objects are stored with private ACL; access is via short-TTL presigned URLs generated only on authenticated portal request.
6. Subprocessors
We use a short list of Australian-hosted service providers to operate the portal. Each is bound by contract to protect information and process it only on our instructions.
| Subprocessor | Purpose |
|---|---|
| Supabase (AWS ap-southeast-2) | Database — stores form submissions and patient data |
| Amazon S3 (ap-southeast-2) | File storage — patient-uploaded files (private ACL) |
| Amazon SES (ap-southeast-2) | Email delivery — notifications and confirmations |
| Stripe Payments Australia | Payment processing — billing data only; no patient data |
| Cloudflare | DNS / CDN — no patient data stored or processed |
The Processor will give at least 14 days’ written notice of any proposed addition or replacement of subprocessors that handle patient data.
7. Retention and deletion
Patient data is retained only as long as necessary to provide the services or as required by law. By default, uploaded documents are automatically deleted from file storage 90 days after they are received.
On termination of the Agreement, the Processor will provide a full data export to the Controller and securely delete all patient data from its systems within 30 days, subject to any applicable legal retention obligations and to all outstanding fees being paid in full.
8. Data breach notification
The Processor will notify the Controller within 72 hours of becoming aware of a suspected or confirmed data breach involving patient data, including a description of the breach, categories of data affected, and steps taken. The Controller, as data controller, is responsible for assessing obligations under the Notifiable Data Breaches (NDB) scheme and making any required notifications to the OAIC and affected individuals.
9. Data subject rights
Where a patient exercises rights under the Privacy Act 1988 (Cth) — including access, correction, or complaint — the Controller is the primary contact. The Processor will assist the Controller in fulfilling such requests within 7 business days of a written request.
10. Contact
Processor privacy contact
BusyBee Labs Pty Ltd, trading as BusyBeeDoc — ABN 68 688 853 723
Email: hello@busybeedoc.com
Controller privacy contact — the privacy contact your practice nominates in its account.
Regulator — OAIC: www.oaic.gov.au · 1300 363 992