INTAXIO DATA PROCESSING ADDENDUM (API CUSTOMERS)
Last Updated: 1 December 2025
This Data Processing Addendum (DPA) forms part of and is incorporated into the Intaxio Customer API Agreement and any Master Services Agreement and/or Order Form between Intaxio Payroll Pty Ltd (Intaxio) and the Customer (together, the Agreement), to the extent Intaxio processes Personal Information on behalf of Customer.
In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Information, this DPA will prevail to the extent of the conflict.
1. DEFINITIONS
In this DPA:
- Applicable Data Protection Laws means all privacy, data protection, data security and breach notification laws and regulations applicable to the processing of Personal Information under the Agreement, including (without limitation) the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and, where applicable, similar laws in other jurisdictions.
- Controller (or Data Controller) means the entity which determines the purposes and means of the processing of Personal Information.
- Processor (or Data Processor) means the entity which processes Personal Information on behalf of a Controller.
- Personal Information means any information about an identified individual or an individual who is reasonably identifiable, and any similar term defined in Applicable Data Protection Laws (for example, “personal data” under the GDPR), processed by Intaxio on behalf of Customer under the Agreement.
- Sensitive Information means Personal Information of a sensitive nature as defined in Applicable Data Protection Laws (for example, health information, union membership), and includes Tax File Number (TFN) information.
- Sub-processor means any third party engaged by or on behalf of Intaxio to process Personal Information in connection with the Services.
- Services means the Intaxio APIs and related services described in the Agreement and the applicable Product Data Sheets.
Capitalised terms not defined in this DPA have the meaning given in the Agreement.
2. ROLES OF THE PARTIES
2.1 Customer as Controller. For Personal Information contained in Customer Data processed via the Services, Customer is the Controller and Intaxio is the Processor.
2.2 Intaxio as Independent Controller. Intaxio is an independent Controller in respect of:
- Personal Information it processes for its own business administration (for example, billing, account management, security logging, audit trails and regulatory compliance); and
- any Personal Information it collects directly from individuals in its own capacity (for example, its own employees or individuals registering for Intaxio training or marketing).
2.3 Compliance. Each party will comply with its respective obligations as Controller or Processor under Applicable Data Protection Laws.
3. SUBJECT MATTER, PURPOSE, NATURE AND DURATION OF PROCESSING
3.1 Subject Matter. Intaxio processes Personal Information as necessary to provide the Services, including:
- Modern Awards APIs and Enterprise Agreement APIs;
- PAYGW & STP APIs; and
- Developer Portal access and related tooling.
3.2 Purpose. Processing is carried out for the following purposes:
- calculating and returning award rates, allowances, penalty rates and related entitlements;
- calculating tax withholding and other payroll calculations;
- preparing, transmitting and reconciling STP and related submissions;
- providing configuration, logging, monitoring and support via the Developer Portal; and
- complying with Customer’s documented instructions as set out in the Agreement and this DPA.
3.3 Nature of Processing. Processing operations may include collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure (where authorised), alignment, restriction, deletion and destruction, as required for the Services.
3.4 Duration. Intaxio will process Personal Information for the term of the Agreement and any applicable retention period required by law or agreed in the relevant Product Data Sheet, after which it will delete or de-identify Personal Information in accordance with section 11 (Retention, Return and Deletion).
4. DATA SUBJECTS AND CATEGORIES OF PERSONAL INFORMATION
4.1 Data Subjects. The Personal Information processed may relate to:
- Customer’s employees, workers and contractors;
- employees and workers of Customer’s customers (where Customer is a payroll or HR provider);
- Customer’s authorised users and administrators; and
- other individuals whose data is captured in payroll, HR or STP processes.
4.2 Categories of Personal Information. Depending on the APIs and configuration selected, Personal Information may include (as determined by Customer):
- identification details (for example, name, date of birth, contact details, employee IDs);
- employment details (for example, job title, classification, award/EBA coverage, work pattern, pay rate, allowances, penalty arrangements);
- tax and super related data (for example, tax residency indicators, withholding details, super fund identifiers, contribution amounts);
- payroll transaction data (for example, gross earnings, deductions, leave balances, pay period details);
- system metadata (for example, IP addresses, API credentials, user IDs, timestamps) associated with the operation of the Services.
4.3 Sensitive Information. The Services may involve limited processing of Sensitive Information such as:
- health-related data where required for specific industrial instruments (for example, medical certificates, certain leave entitlements);
- union membership status (where this affects payroll deductions); and
- Tax File Number (TFN) or equivalent identifiers.
Customer must ensure any Sensitive Information is only submitted where strictly necessary and in accordance with Applicable Data Protection Laws (including the Privacy (Tax File Number) Rule and similar rules where applicable).
5. CUSTOMER INSTRUCTIONS
5.1 Instructions. Intaxio will process Personal Information only:
- on behalf of Customer;
- for the purposes described in this DPA and the Agreement; and
- in accordance with Customer’s documented instructions, unless otherwise required by law.
5.2 Conflicting Instructions. If Intaxio considers that an instruction from Customer infringes Applicable Data Protection Laws, Intaxio will notify Customer (to the extent legally permitted) and may suspend the execution of the instruction until it is confirmed or modified.
6. INTAXIO OBLIGATIONS AS PROCESSOR
Intaxio will:
6.1 Confidentiality. Ensure that persons authorised to process Personal Information are bound by appropriate confidentiality obligations.
6.2 Security. Implement appropriate technical and organisational measures to protect Personal Information against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking into account the nature of processing and the risks involved. These measures are described at a high level in the Security Overview and in relevant Product Data Sheets.
6.3 Sub-processors. Use Sub-processors as reasonably necessary to provide the Services, subject to:
- imposing data protection obligations on Sub-processors that are no less protective than those in this DPA; and
- remaining responsible for the acts and omissions of Sub-processors as if they were Intaxio’s own.
6.4 Data Subject Requests. Taking into account the nature of the processing, provide reasonable assistance to Customer to enable it to respond to requests from individuals to exercise rights under Applicable Data Protection Laws (for example, access, correction, deletion), to the extent such requests relate to Personal Information processed by Intaxio on Customer’s behalf.
6.5 Regulatory Cooperation. Provide reasonable assistance to Customer in dealings with privacy regulators where such dealings relate to Personal Information processed under this DPA.
6.6 Impact Assessments. Where required by law and reasonably requested by Customer, assist Customer with privacy impact assessments and consultation with regulators regarding high-risk processing involving the Services.
7. CROSS-BORDER TRANSFERS
7.1 Hosting Regions. By default, Intaxio will host Customer’s production data in the region(s) set out in the relevant Product Data Sheet and/or Security Overview (for example, Australian data centres), unless the parties agree otherwise in writing.
7.2 Transfers. If Personal Information is transferred or accessed from outside the primary hosting region, Intaxio will:
- ensure such transfers comply with Applicable Data Protection Laws; and
- implement appropriate safeguards (for example, contractual clauses or additional technical controls) as may be required.
7.3 Localisation Requirements. Where Customer requires that Personal Information remain within a particular region or jurisdiction, this must be explicitly agreed in the Order Form or Product Data Sheet.
8. DATA BREACH MANAGEMENT
8.1 Process. Intaxio will maintain an incident response process to detect, investigate and mitigate security incidents involving Personal Information.
8.2 Notification. In the event of an actual or suspected unauthorised access, use, disclosure, or loss of Personal Information processed on behalf of Customer that constitutes (or is likely to constitute) a notifiable data breach under Applicable Data Protection Laws (a Data Breach), Intaxio will:
- notify Customer without undue delay after becoming aware of the Data Breach;
- provide Customer with information reasonably required to meet its own regulatory and notification obligations (to the extent known to Intaxio); and
- take reasonable steps to mitigate the effects of, and prevent recurrence of, the Data Breach.
8.3 Customer Notifications. Customer is responsible for determining whether to notify affected individuals and regulators, unless Applicable Data Protection Laws require Intaxio to notify directly.
9. AUDITS AND INFORMATION
9.1 Documentation. On reasonable notice, Intaxio will make available to Customer information necessary to demonstrate compliance with this DPA (for example, security summaries, certificates, or third-party audit reports, where available).
9.2 Audits. Where such information is insufficient, and subject to reasonable written notice and appropriate confidentiality safeguards, Customer (or its appointed auditor) may conduct a targeted audit or inspection of Intaxio’s relevant facilities and systems limited to verifying compliance with this DPA. Audits:
- must occur during business hours and not more than once in any 12-month period, unless required by a regulator or following a material security incident; and
- must be conducted in a manner that minimises disruption to Intaxio’s operations.
9.3 Costs. Customer is responsible for its own costs of audits. Intaxio may charge reasonable fees for time spent supporting an audit beyond what is reasonable for a standard review.
10. CUSTOMER OBLIGATIONS
Customer will:
- ensure it has all necessary notices, consents and legal bases to process Personal Information and to enable Intaxio to process Personal Information as contemplated by the Agreement;
- not instruct Intaxio to process Personal Information in a way that breaches Applicable Data Protection Laws; and
- ensure that Personal Information provided to Intaxio is accurate and up to date, and that data sets are minimised to what is necessary.
11. RETENTION, RETURN AND DELETION
11.1 End of Services. Upon termination or expiry of the Services for a particular Customer environment, Intaxio will:
- provide Customer, upon request and within a reasonable time, with an export of Personal Information stored in that environment in a commonly used machine-readable format (subject to technical feasibility); and
- thereafter delete or irreversibly de-identify Personal Information in accordance with Intaxio’s retention and deletion schedules, except where retention is required by Applicable Law (for example, record-keeping obligations related to tax or employment).
11.2 Aggregated Data. Intaxio may retain non-identifiable or aggregated data created from the processing of Customer Data (for example, usage statistics), provided such data does not identify any individual or Customer.
12. LIABILITY AND ORDER OF PRECEDENCE
12.1 Liability. The limitations and exclusions of liability in the Agreement apply to this DPA.
12.2 Precedence. In the event of conflict between this DPA and other parts of the Agreement concerning the processing of Personal Information, this DPA prevails.