Data Processing Addendum
Prevado Pty Ltd (ABN 92 697 862 203, ACN 697 862 203) 1/6 Geehi Way, Ravenhall VIC 3029, Australia Email: contact@prevado.com
Effective date: July 2026
This Data Processing Addendum (the “DPA”) forms part of, and is incorporated into, the agreement between Prevado Pty Ltd (“Prevado”) and the Customer comprising the Prevado Terms of Service and each applicable Order Form (the “Agreement”). This DPA reflects the parties’ agreement with respect to the handling of Personal Information contained within Customer Data that Prevado processes on the Customer’s behalf in connection with the Products. In the event of any inconsistency between this DPA and the remainder of the Agreement, this DPA prevails to the extent of the inconsistency in respect of its subject matter.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Agreement. In this DPA:
- “Customer Personal Information” means Personal Information contained within Customer Data that Prevado processes on behalf of the Customer in the course of providing the Products, including Personal Information relating to End Users.
- “Personal Information” has the meaning given in the Privacy Act 1988 (Cth) (the “Privacy Act”), and includes information or an opinion about an identified individual, or an individual who is reasonably identifiable.
- “Privacy Laws” means the Privacy Act, the Australian Privacy Principles, applicable state and territory workplace surveillance and surveillance devices legislation, and any other privacy or data protection laws applicable to a party’s handling of Customer Personal Information.
- “Process” and “Processing” mean any operation performed on Personal Information, including collection, recording, organisation, storage, use, disclosure, transmission, retrieval and destruction.
- “Security Incident” means any unauthorised access to, or unauthorised disclosure, alteration or loss of, Customer Personal Information held by Prevado.
- “Subprocessor” means a third party engaged by Prevado to Process Customer Personal Information in connection with the Products.
2. Roles and scope
2.1 Roles of the parties. As between the parties, the Customer determines the purposes for which, and the manner in which, Customer Personal Information is collected and Processed through the Products, and Prevado Processes Customer Personal Information on behalf of, and on the documented instructions of, the Customer. The Agreement, each Order Form, this DPA, and the Customer’s configuration of and use of the Products constitute the Customer’s documented instructions to Prevado.
2.2 Nature of Processing. The subject matter, nature, purpose and duration of the Processing, the categories of individuals, and the categories of Customer Personal Information are as described in Schedule 1 to this DPA.
2.3 Prevado as controller. This DPA does not apply to Personal Information that Prevado collects and handles for its own purposes, including account, billing and marketing information relating to the Customer’s representatives, which is handled in accordance with the Prevado Privacy Policy.
3. Customer obligations
The Customer must:
(a) comply with all Privacy Laws applicable to its collection and use of Customer Personal Information through the Products, including its obligations as the party that determines the purposes of Processing;
(b) provide all notices to, and obtain all consents and authorisations from, End Users and any other individuals whose Personal Information is Processed through the Products, as required by Privacy Laws, including workplace surveillance and surveillance devices legislation applicable to vehicle tracking, location monitoring and any in-vehicle video or audio recording;
(c) ensure that its instructions to Prevado, and its collection and use of Customer Personal Information, are lawful; and
(d) respond to enquiries, requests and complaints from End Users and other individuals regarding Customer Personal Information, it being acknowledged that Prevado will refer any such enquiries it receives to the Customer in accordance with clause 4.1(e).
4. Prevado obligations
4.1 General. Prevado must:
(a) Process Customer Personal Information only on the Customer’s documented instructions and only as necessary to provide the Products and perform its obligations under the Agreement, unless Processing is otherwise required by law, in which case Prevado will notify the Customer of the legal requirement before Processing, unless prohibited from doing so;
(b) not use, disclose or retain Customer Personal Information for any other purpose, and not sell Customer Personal Information;
(c) ensure that personnel authorised to Process Customer Personal Information are subject to obligations of confidentiality;
(d) implement and maintain the technical and organisational security measures described in clause 6;
(e) promptly refer to the Customer any request, enquiry or complaint received from an individual in relation to Customer Personal Information, and, taking into account the nature of the Processing, provide reasonable assistance to the Customer in responding to such requests and in meeting the Customer’s obligations under Privacy Laws; and
(f) provide reasonable cooperation and assistance to the Customer in connection with any privacy impact assessment or regulatory enquiry relating to the Processing, to the extent the Customer cannot reasonably obtain the relevant information itself.
4.2 De-identified information. Nothing in this DPA prevents Prevado from generating and using de-identified, anonymised or aggregated information in accordance with the Agreement, provided that such information does not identify the Customer or any individual and Prevado does not attempt to re-identify it.
5. Subprocessors
5.1 Authorisation. The Customer provides a general authorisation for Prevado to engage Subprocessors in connection with the provision of the Products. The categories of Subprocessors engaged as at the effective date of this DPA, and the locations in which they Process Customer Personal Information, are set out in Schedule 2. A current list of Subprocessors is available from Prevado on request.
5.2 Requirements. Prevado must: (a) impose on each Subprocessor obligations regarding the protection of Customer Personal Information that are no less protective in substance than those set out in this DPA; and (b) remain responsible to the Customer for the performance of each Subprocessor’s obligations.
5.3 Changes. Prevado will give the Customer prior notice of the addition or replacement of a Subprocessor, by email or by publication through the Products or the Site. If the Customer has a reasonable objection to a new Subprocessor on data protection grounds, the parties will discuss the objection in good faith; if the objection cannot be resolved, the Customer may terminate the affected Order Form on written notice.
6. Security
Prevado must implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Information from misuse, interference and loss, and from unauthorised access, modification or disclosure, having regard to the nature of the information. These measures include:
(a) encryption of Customer Personal Information in transit and at rest; (b) role-based access controls, with access limited to personnel who require it for the performance of their duties; (c) logical separation of each Customer’s data within the platform; (d) network segregation of production databases from public networks; (e) logging and monitoring of production systems; (f) secure software development and change management practices; and (g) regular review of security measures against current industry practice.
7. Security Incidents and data breaches
7.1 Notification. If Prevado becomes aware of a Security Incident, Prevado will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of it, and will provide the Customer with information reasonably available to Prevado regarding the nature of the incident, the categories of Customer Personal Information affected, the measures taken or proposed to address the incident, and a contact point for further information.
7.2 Cooperation. Prevado will take reasonable steps to contain and remediate the Security Incident and will provide reasonable cooperation and assistance to the Customer in connection with the Customer’s assessment of, and response to, the incident, including any assessment or notification the Customer is required to undertake under the Notifiable Data Breaches scheme of the Privacy Act.
7.3 Responsibility for notifications. As between the parties, and unless otherwise required by law, the Customer is responsible for determining whether an eligible data breach has occurred in respect of Customer Personal Information and for making any notifications to affected individuals and to the Office of the Australian Information Commissioner. Prevado will not make such notifications on the Customer’s behalf without the Customer’s prior agreement, except where Prevado is itself legally required to do so.
7.4 No fault admission. Prevado’s notification of, or response to, a Security Incident is not an acknowledgement of fault or liability.
8. Overseas Processing
Customer Personal Information is hosted in Australia and stored primarily within Australia. Certain Subprocessors identified in Schedule 2 Process limited categories of Customer Personal Information from, or maintain infrastructure in, locations outside Australia, principally the United States, the United Kingdom and the European Union, and New Zealand. Where Customer Personal Information is disclosed to an overseas recipient, Prevado will take reasonable steps, including contractual measures, to ensure that the recipient handles the information in a manner consistent with the Australian Privacy Principles, and the Customer authorises such disclosures for the purpose of providing the Products.
9. Audit and information
Upon the Customer’s reasonable written request, no more than once in any 12-month period, Prevado will make available information reasonably necessary to demonstrate its compliance with this DPA, which may include summaries of security practices, policies and third-party assessments. Any such information is Prevado’s confidential information. Where the information made available is not reasonably sufficient to demonstrate compliance, the parties will agree on the scope, timing and conditions of any further review, to be conducted at the Customer’s cost, no more than once in any 12-month period, during business hours, and without access to other customers’ data.
10. Return and deletion of Customer Personal Information
Upon the conclusion of the Subscription Term, and subject to the export and deletion provisions of the Agreement: (a) the Customer may export Customer Data, including Customer Personal Information, within 90 days; and (b) following that period, Prevado will delete or de-identify Customer Personal Information within a reasonable period, except to the extent retention is required by law, in which case Prevado will continue to protect the retained information in accordance with this DPA and will Process it only for the purpose of the applicable legal requirement.
11. Liability
The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
Schedule 1: Description of Processing
Subject matter and purpose. The provision of the Prevado fleet management platform, including vehicle tracking and telematics, compliance and safety features, maintenance and inspection workflows, messaging, and related support services.
Duration. The Subscription Term, together with the post-termination export and deletion periods described in the Agreement and this DPA.
Categories of individuals. End Users of the Customer, being drivers, employees and contractors of the Customer; other personnel of the Customer with access to the Products.
Categories of Customer Personal Information.
- identification and account details of End Users, including name, email address, telephone number and role;
- vehicle location and movement data, including GPS position, routes, trips, speed and driving events, where associated with an identifiable driver;
- vehicle and asset operational data, including engine, sensor and diagnostic data, where associated with an identifiable driver;
- driver activity records, including vehicle assignments, inspection and prestart submissions, defect and repair reports;
- messaging content exchanged through the Products, including text, images and documents; and
- media captured by in-vehicle cameras, where deployed by the Customer, which may include video and audio of identifiable individuals.
Retention. Vehicle telemetry and location data and messaging content are retained for the periods specified in the Agreement or the applicable Order Form, and otherwise in accordance with the Prevado Privacy Policy.
Schedule 2: Subprocessor categories and locations
| Category | Function | Location of Processing |
|---|---|---|
| Cloud infrastructure | Hosting of the platform, databases and stored Customer Data; transactional email delivery | Australia |
| Identity and authentication | User authentication and account management | United States |
| Telematics data services | Ingestion and processing of vehicle telemetry | European Union |
| Real-time messaging delivery | Delivery of in-application messages (message storage remains within cloud infrastructure in Australia) | United Kingdom / United States |
| Mapping services | Map display and geocoding | United States |
| Payment processing | Processing of subscription and invoice payments | United States |
| Accounting and invoicing | Invoice generation and financial records | New Zealand / Australia |
| Mobile notification services | Delivery of push notifications to mobile devices | United States |
| Monitoring and analytics | Error monitoring, logging and product analytics | United States |
A current list of Subprocessors, including their identities, is available from Prevado on request at contact@prevado.com.
Prevado Pty Ltd 1/6 Geehi Way, Ravenhall VIC 3029, Australia Email: contact@prevado.com