Data Processing Addendum (DPA)

Data protection terms for customers using CASHO as a processor of personal data.

Last updated: 20 March 2026

These materials are provided for general informational purposes and should be reviewed by qualified legal counsel for your jurisdiction and business requirements.

1. Role of the Parties

This Data Processing Addendum (DPA) applies where a customer acts as Data Controller and CASHO acts as Data Processor for personal data processed through the service, as described in the Privacy Policy and Terms of Service.

This DPA is incorporated by reference into all service agreements and complies with GDPR Article 28, CCPA regulations, and data protection laws applicable to your jurisdiction.

2. Processing Instructions

CASHO processes personal data only on documented instructions from the customer, including with regard to international transfers, deletion, and restriction of processing.

CASHO may process personal data without the customer's instruction where required by applicable law or a competent authority, and will inform the customer of that requirement before processing unless the law prohibits doing so.

Customer must ensure it has a lawful basis (including consent, where consent is the basis relied on) to share personal data with CASHO.

3. Security Controls and Technical Measures

CASHO implements technical and organizational security safeguards appropriate to the risk of the processing:

- Encryption: AES-256 for data at rest, TLS 1.3 for data in transit

- Authentication: OAuth 2.0 + multi-factor authentication (MFA) for admin and primary user access

- Access controls: Role-based access, least-privilege principle, regular access reviews

- Audit logging: All data access logged, retention 90 days, reviewed quarterly

- Monitoring: Real-time intrusion detection, DDoS protection, anomaly detection

- Incident response: 24-hour discovery window, customer notification within 24 hours of confirming a breach, root cause and remediation plan within 5 business days (see Section 6)

- Backups: Encrypted daily backups, 90-day retention, recovery tested quarterly

Annual SOC 2 Type II audit results available for customer review (subject to NDA).

4. Subprocessors and Subprocessor Management

CASHO may engage subprocessors (third-party processors acting on CASHO's behalf) to support service delivery, analytics, hosting, and security.

Current authorized subprocessors: AWS (cloud hosting), Stripe (payments), Auth0 (authentication), Hotjar (analytics), Segment (data), Intercom (support), SendGrid (email).

List of subprocessors maintained at: https://casho.com.au/subprocessors (or available upon request).

For new subprocessors, CASHO provides 30 days' written notice to customer with subprocessor details and processing scope.

Customer may object to new subprocessors within 30 days; CASHO will work with customer to resolve, or customer may terminate enrollment for the affected service without penalty.

All subprocessors are contractually bound by data protection obligations equivalent to GDPR Article 28(4) and this DPA.

5. Data Subject Rights and Support

CASHO provides reasonable assistance to enable customers to respond to data subject rights requests (DSRs) under GDPR Articles 12-22, CCPA, LGPD, PIPEDA.

Types of requests supported: access, correction, deletion/erasure, restriction, portability, objection, automated decision-making review.

Response SLA: CASHO will respond to DSR support requests within 15 business days of the customer's request, leaving the customer time to meet its own statutory response deadline (one month under GDPR Article 12(3)).

Data portability: CASHO exports data in structured, machine-readable format (CSV/JSON) as requested.

Erasure attestation: Upon deletion, CASHO provides written attestation confirming data deletion (subject to legal holds or retention obligations).

Human review: For automated decision-making affecting data subjects, CASHO will coordinate with the customer to enable human intervention and manual review.

6. Breach Notification

Upon confirming a personal data breach affecting customer data, CASHO will notify the customer within 24 hours of confirmation; CASHO will not delay that notification pending completion of its investigation.

Notification includes: date/time of the breach (or of its discovery, where the time of occurrence is not yet known), data types affected, number of individuals affected (where known), likely consequences, and measures taken or proposed to remediate.

CASHO will cooperate with the customer in meeting regulatory notification deadlines (GDPR: 72 hours from the controller becoming aware to notify the supervisory authority; CCPA/California law: in the most expedient time possible and without unreasonable delay).

CASHO will investigate the breach, document root cause, and provide remediation plan within 5 business days.

Customer is responsible for notifying affected individuals and authorities as required by law; CASHO provides the information necessary to facilitate those notifications.

7. International Data Transfers (Cross-Border Processing)

If CASHO processes customer data on servers outside the country of origin: CASHO implements appropriate safeguards including Standard Contractual Clauses (SCCs), Binding Corporate Rules, or other approved transfer mechanisms.

For transfers from the EU to non-EU countries without an adequacy decision: CASHO adopts the European Commission Standard Contractual Clauses as the transfer mechanism, combined with supplementary measures including encryption, access controls, and legal hold procedures.

Post-Schrems II: CASHO assesses third-country laws that may allow public authorities to access transferred data; where the risk is unacceptable, CASHO offers supplementary encryption or alternative processing locations.

Customer may request details of transfer mechanisms and supplementary safeguards; contact privacy@casho.com.au.

8. Audit Rights and Compliance Verification

CASHO undergoes annual SOC 2 Type II audit; results available to customers upon request (subject to confidentiality agreement).

Customers may request additional audit information to verify GDPR/data protection compliance, limited to once per calendar year and conditional on 60 days' advance notice.

Audit scope is limited to data protection controls, security measures, and incident management; the customer bears reasonable audit costs where CASHO's effort exceeds 40 hours.

CASHO retains the right to restrict audit access where access would compromise platform security, competitive information, or other legitimate interests unrelated to the protection of data subjects.

Third-party auditors (Big 4 or equivalent) may audit on behalf of customer (with mutual confidentiality agreement and CASHO approval).

9. Data Return and Deletion

Upon account closure, a data deletion request, or the end of the service agreement: CASHO will return or delete customer data according to the documented retention schedule within 30 days.

Deletion method: Secure deletion (cryptographic erasure, multi-pass overwrite, or physical destruction).

Exceptions to automatic deletion: data subject to legal hold, court order, or regulatory investigation, and backup copies, which expire under the 90-day backup retention schedule (Section 3) rather than being deleted immediately.

Customer may request deletion attestation confirming secure deletion; CASHO provides upon request.

10. Amendments and DPA Term

This DPA survives the service agreement and continues until all customer data is deleted or returned.

CASHO may not unilaterally modify material DPA terms; material changes require 90 days' written notice and are subject to the customer's right to object.

Material changes include: security standards reduction, subprocessor restrictions removal, audit rights limitation.

If customer objects to material changes, customer may terminate the affected service without penalty and receive pro-rata refund.

11. Standards and Regulatory Compliance

This DPA incorporates requirements of: GDPR (EU), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), Australian Privacy Act 1988, UK GDPR, and similar frameworks.

CASHO certifies compliance with ISO 27001 (information security) and commits to ongoing compliance maintenance.

CASHO acknowledges its obligation to cooperate with supervisory authorities, including: OAIC (Australia), ICO (UK), CNIL (France) and other EU/EEA national data protection authorities, the California Attorney General and California Privacy Protection Agency, ANPD (Brazil), and the Office of the Privacy Commissioner of Canada.

12. Contact and Escalation

For DPA questions or amendments: privacy@casho.com.au

For data subject request support: dsar@casho.com.au

For breach notifications: security@casho.com.au

For audit requests: compliance@casho.com.au

Enterprise customers: enterprise@casho.com.au