Data Processing Addendum
Last updated: 23 May 2026
This Data Processing Addendum ("DPA") supplements the Aeovio Terms of Service and Privacy Policy and sets out how Aeovio handles personal information that is disclosed to overseas recipients, in accordance with Australian Privacy Principle 8 (cross-border disclosure of personal information).
It is intended to give Customers — and where applicable, the individuals whose personal information is processed — a transparent view of the third parties and offshore personnel that may access personal information as part of operating the Aeovio Services.
1. Purpose and scope
This DPA applies to personal information that Aeovio collects, holds, uses, or discloses in the course of providing the Services to Customers, including personal information that flows to:
- third-party sub-processors that operate parts of the platform; and
- Aeovio's own offshore delivery personnel.
This DPA is not a stand-alone contract — it should be read together with the Terms of Service and Privacy Policy.
2. Roles and responsibilities
Under the Privacy Act 1988 (Cth), Aeovio is the APP entity that determines the purposes and means of handling personal information collected through the Services. Sub-processors act on Aeovio's instructions in respect of personal information.
Aeovio remains accountable for the acts and practices of overseas recipients in relation to personal information it discloses to them: APP 8.1 requires Aeovio to take reasonable steps to ensure the recipient does not breach the APPs, and section 16C of the Privacy Act treats a breach by the recipient as a breach by Aeovio.
3. Categories of personal information
The personal information disclosed to sub-processors and offshore personnel includes (depending on the function):
- account-level personal information: full name, email address, organisation name, business website domain, industry, country, role;
- authentication information: hashed passwords, multi-factor authentication state, OAuth tokens (encrypted at rest);
- billing information: Stripe customer ID, subscription state, invoice metadata;
- platform usage and audit log records;
- SEO performance data attributed to the Customer's account (rankings, traffic, content drafts, audit findings); this data may incidentally contain third-party personal information (for example, an author byline on a competitor's page).
Aeovio does not collect government identifiers (APP 9) and does not knowingly include identifiable personal information about end users in AI prompts unless the Customer supplies it.
4. Overseas sub-processors
The current list of overseas sub-processors that may access personal information is set out below. This list is updated as the platform evolves; the current list is also published in the public Privacy Policy.
| Sub-processor | Function | Data accessed | Country | Safeguards |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, OAuth tokens (encrypted), audit logs, content, SEO data | United States | SOC 2 Type II; encryption at rest; TLS in transit; row-level security; data-processing addendum. |
| Stripe | Payment and subscription processing | Stripe customer ID, billing address, payment method metadata (no PAN to Aeovio) | United States | PCI-DSS Level 1; data-processing addendum; Standard Contractual Clauses where applicable. |
| Resend | Transactional and marketing email delivery | Recipient email, message content | United States | TLS in transit; data-processing addendum. |
| Anthropic | AI content, strategy, and report generation | Prompts (which may include business context and keywords) | United States | API inputs not used for model training (per Anthropic's published terms); data-processing addendum. |
| OpenAI | AI image generation | Image generation prompts | United States | API inputs not used for public model training (per OpenAI's published terms); data-processing addendum. |
| Vercel | Application hosting, edge delivery | Request metadata, application logs | United States | SOC 2 Type II; TLS in transit; data-processing addendum. |
| Firecrawl | Website crawling and content extraction | URLs submitted for crawling and the resulting page content | United States | Contractual confidentiality and security obligations; data-processing addendum. |
| DataForSEO | SEO data, rankings, SERP analysis | Keywords and domain identifiers submitted for lookup | Bulgaria | EU-aligned data-protection commitments; contractual safeguards. |
Bulgaria is a Member State of the European Union and is subject to the EU General Data Protection Regulation. For disclosures to the United States, Aeovio does not rely on the APP 8.2(a) exception (a law or binding scheme substantially similar to the APPs); it relies on the contractual safeguards above and remains accountable for the recipient under APP 8.1 and section 16C of the Privacy Act.
5. Offshore delivery personnel (Pakistan, South Africa)
In addition to sub-processors, Aeovio engages offshore delivery personnel located in Pakistan and South Africa to perform a range of internal operational and delivery functions.
5.1 Functions performed
Offshore delivery personnel may, on a role-based and need-to-know basis, perform:
- customer support (responding to tickets, troubleshooting, configuration help);
- content quality review and editing of AI-generated drafts before publishing;
- account configuration (for example, setting up site connections, importing keywords);
- platform operations (monitoring health, executing operational runbooks);
- agent supervision and remediation of failed automation runs.
5.2 Data accessed
To perform these functions, offshore delivery personnel may have access to:
- Customer account profile data (name, email, organisation, website);
- the content of support tickets and the message history with the Customer;
- SEO data held in the Customer's account (rankings, traffic, content, audits, reports);
- audit log records of platform activity.
They do not have routine access to:
- raw payment card numbers (handled by Stripe directly);
- plaintext OAuth tokens (stored encrypted at rest);
- plaintext API keys (stored as HMAC hashes only).
5.3 Safeguards
The following safeguards apply to all offshore delivery personnel:
- written contractual confidentiality and data-protection obligations equivalent to those expected of Aeovio under the Privacy Act 1988 (Cth);
- mandatory privacy and security onboarding training, with annual refreshers;
- role-based access controls within the platform, with audit logging of significant actions;
- prohibition on copying, exporting, or storing personal information outside Aeovio's managed systems;
- offboarding workflow that revokes all access within one business day of role change or departure.
5.4 Customer disclosure
This DPA, the Privacy Policy, and the Terms of Service collectively disclose the existence of offshore delivery personnel to Customers. By signing up, the Customer acknowledges this disclosure for the purposes of APP 8.
6. Safeguards
Aeovio applies the following safeguards across the full sub-processor and personnel stack:
- Contractual: data-processing agreements with each sub-processor; confidentiality undertakings with all personnel.
- Technical: encryption in transit (TLS) and at rest (AES-256-GCM for OAuth tokens and other secrets); HMAC hashing of API keys; multi-factor authentication for staff and offshore personnel; least-privilege role-based access.
- Operational: audit logging; quarterly access reviews; documented incident-response and breach-notification procedures aligned with the Notifiable Data Breaches scheme.
7. Sub-processor changes
Aeovio may add, remove, or replace sub-processors as the platform evolves. The current list is maintained in this DPA and in the Privacy Policy. For material additions, we will update both documents and, where reasonable, notify Customers by email or in-portal notification.
A "material addition" is the addition of a sub-processor that has access to personal information beyond what existing sub-processors already access.
8. Audit and information rights
On reasonable request, and subject to confidentiality, Aeovio will provide Customers with summary information about its security controls and sub-processor arrangements sufficient to allow the Customer to assess Aeovio's compliance with this DPA and the Privacy Act. Live audit access is not provided by default but may be arranged for enterprise customers under a separate written agreement.
9. Sub-processor incidents
If Aeovio becomes aware of a security incident affecting personal information at a sub-processor or involving offshore delivery personnel, it will:
- assess whether the incident triggers obligations under the Notifiable Data Breaches scheme (see Privacy Policy §14);
- notify affected Customers without undue delay if the incident is likely to result in serious harm;
- cooperate with sub-processors and regulators in investigating and remediating the incident.
10. Contact
For questions about this DPA, sub-processors, or offshore delivery arrangements, contact hello@aeovio.com.au.