Legal

Data Processing Agreement

Last updated · 23 May 2026

This Data Processing Agreement (“DPA”) supplements the TenderOpp Terms of Service between GBB Components Pty Ltd (“Processor”) and the Customer named in the order form or subscription record (“Controller”). It applies where the Processor processes Personal Data on behalf of the Controller in connection with the TenderOpp Service.

If you require a counter-signed copy on Customer paper or a redlined version against the EU SCCs / UK IDTA, email legal@tenderopp.com.

1. Definitions

Capitalised terms not defined here have the meanings in the GDPR (Regulation (EU) 2016/679), the UK GDPR, and the Privacy Act 1988 (Cth), as applicable. “Personal Data”, “Controller”, “Processor”, “Sub-processor”, and “Processing” have the meanings given in those instruments.

2. Scope and purpose

The Processor processes Personal Data only on the documented instructions of the Controller, which include those given through the Service and these Terms. The purpose of Processing is to provide and operate the Service as described at /terms.

3. Schedule of Processing

Subject matter: Operation of the TenderOpp Service for the Controller
Duration: Term of the subscription + 30-day grace period
Nature of Processing: Storage, indexing, vector embedding, AI inference (fit scoring, qualification, drafting), retrieval, display, email delivery, payment processing
Categories of Data Subjects: The Controller’s authorised users, team members, and (in incidental cases) named contacts in uploaded documents
Categories of Personal Data: Names, business email addresses, business phone numbers, job titles, account credentials, content of uploaded documents, IP addresses, usage logs
Special categories: None expected. The Controller agrees not to upload special-category data (Art. 9 GDPR) without prior written agreement

4. Processor obligations

  • Process Personal Data only on documented instructions, including transfers to third countries (unless required by law, in which case the Processor will notify the Controller).
  • Ensure persons authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (see Section 7 below).
  • Assist the Controller with data subject requests and DPIAs as required.
  • On termination, delete or return Personal Data within 30 days, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Controller authorises the Processor to engage Sub-processors. The current list is published at /privacy and is incorporated into this DPA by reference. The Processor will give the Controller at least 30 days’ notice before adding a new Sub-processor. If the Controller reasonably objects, the parties will cooperate in good faith to find an alternative; if none is possible, the Controller may terminate the affected portion of the Service.

6. International transfers

Where Personal Data is transferred outside the EEA, the UK, Switzerland, or Australia, the parties rely on:

  • EU SCCs: Module Two (Controller-to-Processor) of the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914;
  • UK Addendum: the International Data Transfer Addendum issued by the UK ICO;
  • Australia–US transfers: the Controller is informed of transfers to US Sub-processors and the Processor has confirmed those Sub-processors implement appropriate safeguards.

A Transfer Impact Assessment is available on request from privacy@tenderopp.com.

7. Security measures

The Processor implements at minimum:

  • Encryption in transit (TLS 1.2+) and at rest (Google-managed keys).
  • Role-based access control with least-privilege IAM and multi-factor authentication for all administrative access.
  • Network segmentation; database not exposed to the public internet.
  • Centralised audit logging with 24-month retention.
  • Daily encrypted database backups + point-in-time recovery.
  • Security incident response procedures, including notification to the Controller without undue delay and within 72 hours of becoming aware of a Personal Data breach.
  • Annual review of these measures.

8. Data subject requests

Where a Data Subject contacts the Processor with a request (access, rectification, erasure, portability, restriction, objection), the Processor will redirect them to the Controller and notify the Controller. The Processor will provide reasonable assistance to the Controller in responding to such requests.

9. Audits

The Controller may, no more than once per twelve months and on at least 30 days’ written notice, audit the Processor’s compliance with this DPA. Audits are at the Controller’s expense and subject to mutually-agreed confidentiality. In lieu of an on-site audit, the Processor may provide third-party attestations (e.g., SOC 2 Type II when available) which the Controller agrees are reasonable.

10. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Service.

11. Governing law

This DPA is governed by the laws of New South Wales, Australia, except where the SCCs or UK Addendum require otherwise; in those cases, the law specified in those instruments governs the corresponding obligations.

12. Order of precedence

In case of conflict between this DPA and the Terms of Service in relation to Processing of Personal Data, this DPA prevails. In case of conflict between this DPA and the SCCs or UK Addendum, those instruments prevail.

13. Contact

Data protection enquiries: privacy@tenderopp.com