SaaS Agreement (Australia)
This Software as a Service Agreement (the “Agreement”) is entered into on [Effective Date] (the “Effective Date”) by and between:
[Provider Name] (ABN [Provider ABN]), with its registered or principal address at [Provider Address], [Provider City] [Provider State] [Provider Postcode], Australia (the “Provider”); and
[Customer Name] (ABN [Customer ABN]), with its registered or principal address at [Customer Address], [Customer City] [Customer State] [Customer Postcode], Australia (the “Customer”).
The Provider and the Customer are referred to collectively as the “Parties” and individually as a “Party”.
BACKGROUND
WHEREAS, the Provider operates a software as a service platform known as [Service Name] and wishes to grant the Customer access to that platform on a subscription basis; and
WHEREAS, the Customer wishes to subscribe to the Service on the terms and conditions set out in this Agreement;
NOW, THEREFORE, in consideration of the subscription fees paid and the mutual obligations set out herein, the Parties agree as follows:
1. DEFINITIONS
1.1 In this Agreement, the following terms shall have the meanings set out below:
- “Service” means the [Service Name] platform, being [Service Description], made available to the Customer by the Provider via the internet on a software as a service basis.
- “Authorised Users” means the employees, contractors, or agents of the Customer who are authorised to access and use the Service, up to the maximum number specified in clause 3.
- “Customer Data” means all data, content, and information uploaded to or generated by the Customer on the Service.
- “Subscription Plan” means the [Subscription Plan] subscription tier selected by the Customer.
- “Subscription Fee” means the recurring fee payable by the Customer for access to the Service as set out in clause 4.
- “GST” has the meaning given in the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
- “ACL” means the Australian Consumer Law, being Schedule 2 to the Competition and Consumer Act 2010 (Cth).
- “Uptime” means the percentage of time the Service is operational and available to the Customer in any given calendar month, excluding scheduled maintenance.
2. GRANT OF ACCESS
2.1 Subject to the terms of this Agreement and payment of the Subscription Fee, the Provider hereby grants the Customer a non-exclusive, non-transferable right to access and use the Service during the Subscription Term solely for the Customer’s internal business purposes.
2.2 The Customer shall not: (a) sub-licence, sell, resell, transfer, or commercially exploit the Service; (b) use the Service to provide services to third parties on a bureau or outsourcing basis without the Provider’s prior written consent; (c) use the Service to develop a competing product or service; or (d) attempt to gain unauthorised access to any systems or networks connected to the Service, which may constitute an offence under the Criminal Code Act 1995 (Cth).
2.3 The Customer shall ensure that Authorised Users comply with this Agreement and shall be responsible for any breach of this Agreement by any Authorised User.
3. AUTHORISED USERS
3.1 Under the [Subscription Plan], the Customer is permitted up to [Authorised Users] Authorised Users. The Customer shall not permit the Service to be accessed by more than this number of Authorised Users.
3.2 The Customer shall maintain accurate records of all Authorised Users and shall ensure that each Authorised User keeps login credentials confidential.
3.3 If the Customer requires additional Authorised Users beyond the limit set out in clause 3.1, the Parties may agree in writing to upgrade the Customer’s subscription to a higher tier at the prevailing rates.
4. SUBSCRIPTION FEE AND PAYMENT
4.1 In consideration of the access granted under this Agreement, the Customer shall pay the Provider the Subscription Fee of AUD [Subscription Fee] per [Billing Cycle] (exclusive of GST), payable in advance at the start of each billing period.
4.2 GST is payable in addition to the Subscription Fee at the applicable rate on receipt of a valid tax invoice from the Provider.
4.3 The Provider may increase the Subscription Fee on renewal by giving the Customer not less than 30 days’ written notice prior to the renewal date.
4.4 If the Customer fails to pay any sum due by the due date, the Provider may: (a) suspend access to the Service until all outstanding amounts are paid; and (b) charge interest on the overdue sum at the rate of 10% per annum, accruing daily from the due date until actual payment.
5. SUBSCRIPTION TERM AND TERMINATION
5.1 This Agreement shall commence on the Effective Date and shall continue for [Initial Term] (the “Initial Term”). On expiry of the Initial Term, this Agreement shall automatically renew for successive periods equal to the Initial Term, unless either Party gives the other not less than [Renewal Notice Period] days’ written notice of non-renewal before the end of the then-current term.
5.2 Either Party may terminate this Agreement immediately on written notice if the other Party: (a) commits a material breach that is incapable of remedy or remains unremedied 30 days after receipt of written notice requiring remedy; (b) becomes insolvent, enters voluntary administration, is placed into liquidation, or ceases to trade; or (c) is subject to a change of control without the other Party’s prior written consent.
5.3 On termination or expiry of this Agreement, the Customer’s access to the Service shall cease. The Provider shall provide the Customer with a reasonable opportunity (not less than 30 days) to export Customer Data before permanently deleting it from the Provider’s systems.
6. SERVICE LEVELS
6.1 The Provider shall use commercially reasonable efforts to make the Service available with an uptime of [Uptime Commitment]% in any given calendar month, measured on a 24/7 basis, excluding scheduled maintenance windows.
6.2 The Provider shall give the Customer at least 48 hours’ advance notice of any planned maintenance that is likely to materially affect the availability of the Service.
6.3 The uptime commitment shall not apply to unavailability resulting from: (a) factors outside the Provider’s reasonable control, including internet or telecommunications outages or force majeure events; (b) the Customer’s acts or omissions; or (c) third-party services or infrastructure not under the Provider’s direct control.
7. PRIVACY
7.1 Both Parties shall comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in relation to any personal information processed under this Agreement.
7.2 To the extent the Provider processes personal information on behalf of the Customer in the course of providing the Service, the Provider shall: (a) handle that information only as directed by the Customer; (b) implement security measures consistent with APP 11; (c) not use or disclose that information for its own purposes; and (d) assist the Customer in responding to access and correction requests under APPs 12 and 13.
7.3 Where personal information will be disclosed to an overseas recipient, the disclosing party shall comply with APP 8 (cross-border disclosure of personal information) and shall satisfy itself that the recipient will handle the information in a manner that is consistent with the APPs.
7.4 The Provider shall comply with the Spam Act 2003 (Cth) in respect of any commercial electronic messages sent in connection with the Service.
8. INTELLECTUAL PROPERTY RIGHTS
8.1 All intellectual property rights in the Service, including the underlying software, platform, and documentation, are and shall remain the exclusive property of the Provider. This Agreement does not transfer any intellectual property rights to the Customer.
8.2 The Customer shall not reverse engineer, decompile, or disassemble any part of the Service, except to the extent expressly permitted by applicable Australian law.
8.3 If the Customer provides feedback, suggestions, or enhancement requests to the Provider in relation to the Service, the Customer grants the Provider a perpetual, royalty-free licence to use such feedback in any way, including incorporating it into the Service.
9. AUSTRALIAN CONSUMER LAW
9.1 Nothing in this Agreement excludes, restricts, or modifies any consumer guarantee, right, or remedy conferred on the Customer under the ACL that cannot be excluded, restricted, or modified by agreement.
9.2 To the extent permitted by the ACL, the Provider’s liability for a breach of a consumer guarantee is limited, at the Provider’s option, to re-supplying the services or paying the cost of having the services re-supplied.
9.3 The Parties acknowledge that the unfair contract terms provisions in ss 23–28 of the ACL apply to this Agreement if it is a standard form consumer or small business contract. The Provider represents that the terms of this Agreement are not unfair within the meaning of the ACL.
10. LIMITATION OF LIABILITY
10.1 Subject to clause 11 and to the extent permitted by applicable law, neither Party shall be liable for any indirect, special, or consequential loss or damage, including loss of profits, loss of business, or loss of data, whether arising in contract, tort, or otherwise.
10.2 Subject to clauses 11 and 12.1, the Provider’s total aggregate liability under this Agreement shall not exceed the total Subscription Fees paid by the Customer in the 12 months immediately preceding the event giving rise to the claim.
11. CONFIDENTIALITY
11.1 Each Party shall keep confidential all information of a confidential nature disclosed by the other Party in connection with this Agreement and shall use such information only for the purposes of this Agreement. The obligations in this clause survive termination for a period of three years.
12. GENERAL PROVISIONS
12.1 Entire Agreement. This Agreement constitutes the entire agreement between the Parties in relation to its subject matter and supersedes all prior representations and agreements.
12.2 Amendment. No amendment to this Agreement shall be effective unless made in writing and signed by authorised representatives of both Parties.
12.3 Assignment. The Customer may not assign or transfer this Agreement without the Provider’s prior written consent. The Provider may assign this Agreement to any successor entity or in connection with a sale or merger of its business.
12.4 Notices. Notices under this Agreement shall be sent in writing by email to: Provider: [Provider Email]; Customer: [Customer Email].
12.5 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
12.6 Governing Law. This Agreement is governed by the laws of [Provider State], Australia, and each Party submits to the non-exclusive jurisdiction of the courts of that state or territory and the Federal Court of Australia.
IN WITNESS WHEREOF, the Parties have executed this SaaS Agreement as of the Effective Date first written above.
THE PROVIDER
Full name: [Provider Name]
ABN: [Provider ABN]
Address: [Provider Address], [Provider City] [Provider State] [Provider Postcode]
THE CUSTOMER
Full name: [Customer Name]
ABN: [Customer ABN]
Address: [Customer Address], [Customer City] [Customer State] [Customer Postcode]
Provider
________________
Signature
Date: ________________
Customer
________________
Signature
Date: ________________
What Is a SaaS Agreement (Australia)?
A SaaS Agreement in Australia records the software-as-a-service offering to be provided, the fees, the service standards, and each party's obligations as between the provider and the client under the Corporations Act 2001 (Cth).
Australian SaaS agreements must comply with a distinct set of legal requirements that differ materially from US or UK templates. The key statutes are the Australian Consumer Law (ACL) — Schedule 2 to the Competition and Consumer Act 2010 (Cth), enforced by the Australian Competition and Consumer Commission (ACCC) — the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
The ACL's unfair contract terms (UCT) regime under Sections 23 to 28 is one of the most significant considerations for SaaS providers. Since 9 November 2023, under the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 (Cth), unfair terms in standard form contracts with consumers and small businesses are void and their use attracts civil penalties of up to $50 million for corporations (or three times the benefit, or 30% of adjusted turnover, whichever is greatest). A SaaS agreement is a standard form contract if one party has not had a genuine opportunity to negotiate the terms. Under Section 23(3A) of the ACL, a small business is defined as having fewer than 100 employees or annual turnover below $10 million. Terms commonly challenged under the UCT regime include broad unilateral variation rights, automatic renewal clauses with short cancellation windows, and asymmetric termination rights.
Privacy obligations arise under the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) for APP entities — broadly, organisations with annual turnover above $3 million and certain categories of entity regardless of turnover. APP 11 requires reasonable security safeguards for personal information. APP 8 imposes obligations before disclosing personal information to overseas recipients, including cloud infrastructure providers. APP 1 requires a current, publicly available privacy policy. Under Section 13G of the Privacy Act 1988 (Cth), serious or repeated interference with the privacy of individuals can attract civil penalties of up to $50 million. The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act and can investigate complaints, conduct audits, and seek civil penalty orders for serious or repeated contraventions. The Spam Act 2003 (Cth) requires SaaS providers to obtain consent before sending commercial electronic messages and to provide functional unsubscribe mechanisms. The Australian Communications and Media Authority (ACMA) enforces the Spam Act 2003 and can impose infringement notices and civil penalties for non-compliance. The forms-legal.com SaaS Agreement (Australia) template addresses all material ACL, Privacy Act, and Spam Act obligations within a commercially practical framework.
When Do You Need a SaaS Agreement (Australia)?
Any Australian business offering cloud-based software on a subscription basis needs a compliant SaaS agreement before onboarding its first subscriber. The agreement governs every customer relationship for the life of the platform, and failure to have one in place exposes the provider to uncapped liability, privacy law penalties, and unenforceable payment terms.
The agreement is immediately needed when the SaaS platform collects, stores, or processes personal information about end users or customers. In that case, the provider becomes an APP entity with obligations under the Privacy Act 1988 (Cth), and the agreement must address customer data ownership, APP 11 security obligations, APP 8 cross-border disclosure controls, and what happens to data on termination. Where the provider uses offshore cloud infrastructure — such as Amazon Web Services, Microsoft Azure, or Google Cloud — APP 8 requires the provider to take reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs.
A SaaS agreement is critical when the provider sends marketing emails or in-app promotional messages to subscribers. The Spam Act 2003 (Cth) prohibits unsolicited commercial electronic messages with an Australian link unless the recipient has given express or inferred consent. Penalties for serious contraventions can reach approximately $2 million per day for corporations. The agreement should confirm that the provider's communications comply with the Spam Act 2003, that consent has been obtained where required, and that a functional unsubscribe mechanism is maintained.
Where the customer base includes consumers or small businesses (fewer than 100 employees or annual turnover below $10 million under s 23(3A) of the ACL), the UCT regime applies. The provider must audit its standard terms — particularly limitation of liability clauses, auto-renewal provisions, unilateral price increase rights, and data deletion policies — to confirm they do not create a significant imbalance in the parties' rights that is not reasonably necessary to protect the provider's legitimate interests.
SaaS providers operating in regulated sectors — including financial services licensees regulated by the Australian Securities and Investments Commission (ASIC) under the Corporations Act 2001 (Cth), healthcare providers regulated by the Australian Health Practitioner Regulation Agency (AHPRA), and credit providers regulated by the Australian Prudential Regulation Authority (APRA) — may face additional sector-specific obligations affecting the SaaS agreement's data handling, outsourcing, and notification provisions. Legal advice from an Australian technology lawyer is recommended for providers in these sectors.
What to Include in Your SaaS Agreement (Australia)
A legally sound Australian SaaS Agreement must address the following elements to comply with the ACL, the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and established commercial standards.
Parties and service description: Full legal names and Australian Business Numbers (ABNs) of both parties; a precise description of the software service including version, platform, and any included support or professional services; the number of authorised users; and any geographic or usage restrictions.
Subscription fees and billing: The subscription fee in AUD, expressed inclusive or exclusive of GST as required under the A New Tax System (Goods and Services Tax) Act 1999 (Cth); the billing cycle (monthly or annual); the auto-renewal terms and notice required to cancel; the provider's right to increase fees on renewal; and consequences of late payment.
Uptime SLA and service credits: The uptime commitment expressed as a percentage (e.g., 99.5% measured monthly); how downtime is measured and what events are excluded (scheduled maintenance, events beyond the provider's control); the service credit calculation for SLA breaches; and the process for claiming credits.
Intellectual property: Confirmation that the provider owns all IP in the software and grants the customer a limited, non-exclusive licence to use it during the subscription term; that the customer owns its data; and that neither party acquires any rights in the other's background IP. Under Section 35(6) of the Copyright Act 1968 (Cth), software created by an employee in the course of employment is owned by the employer, a factor relevant to providers' IP chain of title.
Customer data and privacy: A clear statement that the customer retains ownership of its data; the provider's obligation to process data only as instructed and in accordance with the APPs; APP 11 security safeguards including encryption, access controls, and incident response; APP 8 cross-border disclosure controls for data stored or processed offshore under Section 16C of the Privacy Act 1988 (Cth); the data return and deletion process on termination; and breach notification obligations consistent with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), enforced by the OAIC. Under Section 26WF of the Privacy Act 1988 (Cth), APP entities must notify the OAIC and affected individuals of eligible data breaches likely to result in serious harm.
ACL compliance: An acknowledgment that the ACL consumer guarantees under Sections 60 to 62 (due care and skill, fitness for purpose) cannot be excluded; confirmation that the agreement does not contain unfair terms prohibited by Sections 23 to 28; and a limitation of liability clause that complies with Section 64A of the ACL for consumer contracts.
Spam Act compliance: A representation that all marketing and promotional communications sent by the provider to subscribers comply with the Spam Act 2003 (Cth), including consent, sender identification, and unsubscribe requirements enforced by the Australian Communications and Media Authority (ACMA).
Governing law: The laws of the relevant Australian state or territory; the jurisdiction of that state's Supreme Court or the Federal Court of Australia for disputes; and an optional mediation step before litigation. The forms-legal.com SaaS Agreement (Australia) template covers all these elements in a format ready for immediate use by Australian technology businesses, including those regulated by the Australian Securities and Investments Commission (ASIC) under the Corporations Act 2001 (Cth).
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). SaaS Agreement (Australia) [Legal document template]. Forms Legal. https://forms-legal.com/australia/business/services/saas-agreement-australia
"SaaS Agreement (Australia)." Forms Legal, 2026, https://forms-legal.com/australia/business/services/saas-agreement-australia.
@misc{formslegal-saas-agreement-australia,
author = {{Forms Legal}},
title = {SaaS Agreement (Australia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/australia/business/services/saas-agreement-australia}},
note = {Free legal document template. Based on Corporations Act 2001 (Cth)}
}
Frequently Asked Questions
Since 9 November 2023, the unfair contract terms (UCT) regime under ss 23 to 28 of the Australian Consumer Law (ACL) applies to standard form contracts with consumers and small businesses. A 'small business' is defined under s 23(3A) of the ACL (as amended by the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 (Cth)) as a business that employs fewer than 100 persons or has an annual turnover of less than $10 million. A SaaS agreement is a standard form contract if one party has not had a genuine opportunity to negotiate the terms. Under the amended regime, unfair terms are not merely voidable — they are void and their use may attract civil penalties of up to $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period, whichever is greatest, for corporations. A term is unfair if it would cause a significant imbalance, is not reasonably necessary to protect a legitimate interest, and would cause detriment. SaaS providers should review their standard agreements to ensure they comply with this stricter regime.
A SaaS provider that is an APP entity (broadly, any private sector organisation with an annual turnover above $3 million, or certain other categories of entity) must comply with the Australian Privacy Principles (APPs) in Schedule 1 to the Privacy Act 1988 (Cth). Key obligations for SaaS providers include APP 1 (maintaining an up-to-date privacy policy), APP 3 (collecting personal information only if reasonably necessary and, in the case of sensitive information, with consent), APP 6 (not using or disclosing personal information for a secondary purpose unless an exception applies), APP 8 (taking reasonable steps before disclosing personal information to overseas recipients), APP 11 (implementing reasonable security safeguards to protect personal information from misuse, interference, loss, and unauthorised access), and APPs 12 and 13 (providing individuals with access to and the ability to correct their personal information). Where a SaaS provider processes personal information on behalf of a customer, it is an established standard to document the handling obligations in a data processing agreement or DPA schedule.
The Spam Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages with an Australian link — broadly, messages sent to an account accessed in Australia, sent from Australia, or sent by an organisation based in Australia. A commercial electronic message is a message that offers, advertises, or promotes goods, services, or a business or investment opportunity. SaaS providers must ensure that marketing emails, promotional in-app messages, and upsell communications are sent only to subscribers who have given express or inferred consent, include accurate sender identification, and include a functional unsubscribe facility that is honoured within 5 business days. Transactional messages (such as invoices, password reset emails, and service outage notifications) are generally not commercial electronic messages and do not require consent. Penalties for breaches of the Spam Act 2003 can be substantial — up to approximately $2 million per day for corporations for serious breaches.
Data itself is not protected by copyright in Australia to the same extent as original works — raw data sets typically do not attract copyright protection unless they reflect sufficient originality in selection or arrangement (as per Desktop Marketing Systems Pty Ltd v Telstra Corporation Ltd [2002] FCAFC 112, though the position has since become less settled with IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14). However, the Privacy Act 1988 (Cth) gives individuals significant rights over their personal information, regardless of who holds it. In practice, SaaS agreements universally provide that the customer retains ownership of its customer data and that the provider uses that data only to the extent necessary to deliver the service. The provider should be prohibited from using customer data for its own commercial purposes (such as analytics or advertising) without explicit consent. On termination, the customer should have a reasonable period to export its data before the provider deletes it.
A SaaS Agreement (Australia) does not legally require a lawyer in Australia, and individuals and businesses may draft and execute the document independently. The Corporations Act 2001 (Cth) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Australian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Australia has jurisdiction over disputes arising from this type of document, and the Australian Securities and Investments Commission (ASIC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Software Licence Agreement (Australia)
Licence software in Australia with this comprehensive Software Licence Agreement covering SaaS, on-premises, and hybrid delivery models. Compliant with the Copyright Act 1968 (Cth) (software protected as literary work), the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) including consumer guarantees for digital products, and the Privacy Act 1988 (Cth) with Notifiable Data Breaches scheme. Covers uptime SLA, support terms, acceptable use, IP ownership of customisations, data ownership, GST, and limitation of liability.
Service Agreement (Australia)
Create a comprehensive Australian Service Agreement compliant with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)) and the common law of contract. Covers scope of services, GST-inclusive or exclusive fees, payment terms, consumer guarantees, intellectual property ownership, confidentiality, Privacy Act 1988 obligations, limitation of liability, and termination rights. Suitable for consultants, freelancers, agencies, and businesses providing services to other businesses or consumers across all Australian states and territories.
Data Processing Agreement (Australia)
As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement. The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals.
Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action. Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable. The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). 
Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures. The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted. Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.
Privacy Policy (Australia)
Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.
Website Terms of Use (Australia)
Create compliant Website Terms of Use for your Australian business, drafted in accordance with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), the Electronic Transactions Act 1999 (Cth), the Privacy Act 1988 (Cth), and the Online Safety Act 2021 (Cth). Our template covers acceptance mechanisms, intellectual property protections, user obligations, limitation of liability, consumer guarantee disclaimers, and governing law. Unlike generic templates, this document reflects Australian-specific legal requirements — including the mandatory acknowledgement that consumer guarantees under the Australian Consumer Law cannot be excluded.