Data Processing Addendum
This Data Processing Addendum (DPA) supplements the Activlink Terms of Service and applies whenever Activlink processes personal information on behalf of a customer.
1. Roles
The customer is the data controller. Activlink is the data processor. We process customer data only on documented instructions from the customer.
2. Data residency
All customer data is stored and processed in Amazon Web Services Sydney (ap-southeast-2). Data does not leave Australia.
3. Sub-processors
We use a small set of vetted sub-processors:
- Amazon Web Services — Sydney region — primary infrastructure, backups, encrypted storage.
- Resend — transactional email delivery.
- Neon — managed Postgres (Sydney region).
We notify customers of new or replacement sub-processors at least 30 days in advance, where reasonable.
4. Security measures
- AES-256 encryption at rest, TLS 1.3 in transit.
- Per-tenant logical data isolation.
- Automated daily backups with 35-day retention and point-in-time recovery.
- Role-based access control with audit logging.
- Vulnerability monitoring and patch management.
5. Data subject requests
Activlink assists the customer in responding to data subject requests (access, correction, deletion). Submit requests to .
6. Incident notification
If we become aware of a personal data breach affecting customer data we will notify the customer within 72 hours with the available facts, expected impact and our remediation plan.
7. Return and deletion
On termination, customer data is exportable in CSV for 30 days. After 30 days, all customer data (including backups within 35 days) is permanently deleted unless legally required to be retained.
8. Audits
Enterprise customers may request a security questionnaire response or a Privacy Impact Assessment by emailing .