Data Processing Addendum.
Last updated: 22 May 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Surau Engineering (ABN 51 696 483 468), trading as “Pitlane HQ” (“PitlaneHQ”, “we”, “us”), and the customer that subscribes to the Service (the “Workshop”, “you”), governing our handling of Customer Personal Information processed on your behalf. It supplements our Terms of Service and works together with our Privacy Policy and Sub-processors list. If there is a conflict on the subject of personal information handling, this DPA prevails.
1. Definitions
- Privacy Act — the Privacy Act 1988 (Cth), including the Australian Privacy Principles (“APPs”).
- Customer Personal Information — personal information (as defined in the Privacy Act) that the Workshop, or its end customers and employees, inputs into or generates within the Service — for example customer and vehicle records, jobs, invoices, employee and payroll records, and communications.
- Process / Processing — any operation performed on Customer Personal Information, including collection, storage, use, disclosure, and deletion.
- Sub-processor — a third party engaged by PitlaneHQ to Process Customer Personal Information in connection with the Service, as listed at pitlanehq.com.au/legal/sub-processors.
2. Roles of the parties
For Customer Personal Information, the Workshop is the responsible APP entity (it determines the purposes and means of Processing) and PitlaneHQ is the service provider that Processes that information on the Workshop's behalf. The Workshop is responsible for ensuring it has the authority and any necessary consents or notices to collect that information and to have PitlaneHQ Process it under this DPA. PitlaneHQ remains the responsible APP entity for the Workshop's own account, billing, and usage data, which is governed by the Privacy Policy.
3. Scope and instructions
PitlaneHQ Processes Customer Personal Information only:
- to provide, maintain, secure, and support the Service;
- in accordance with the Workshop's documented instructions, which the Terms of Service, the Service's configuration and features, and this DPA constitute; and
- as required by Australian law (in which case we will inform you unless legally prohibited).
We will not sell Customer Personal Information and will not use it for our own independent purposes. Where we use AI features at the Workshop's direction, Processing is scoped to the Workshop and is not used to train models served to other customers (see the Privacy Policy, “Artificial Intelligence”).
4. Confidentiality
We ensure that personnel authorised to Process Customer Personal Information are bound by appropriate confidentiality obligations and access it only on a need-to-know basis.
5. Security
We implement and maintain technical and organisational security measures appropriate to the risk, consistent with APP 11 and the measures described in our Privacy Policy — including encryption in transit and at rest, role-based access controls, multi-tenant isolation, Australian data residency for the primary database, and audit logging.
6. Sub-processors
You authorise PitlaneHQ to engage the Sub-processors listed at pitlanehq.com.au/legal/sub-processors. We impose data-protection obligations on Sub-processors substantially equivalent to those in this DPA, and we remain responsible for their performance. We will give at least 30 days' notice before engaging a new Sub-processor that Processes Customer Personal Information. If you object on reasonable, good-faith grounds within that window, we will work with you to resolve the concern or, failing that, allow you to terminate the affected Service component.
7. Cross-border disclosure (APP 8)
Some Sub-processors Process data outside Australia, as identified on the Sub-processors page. Before disclosing Customer Personal Information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs — through Data Processing Addendums, Standard Contractual Clauses, or reliance on the recipient being bound by substantially similar protections. The primary database remains in Australia.
8. Assistance with individuals' rights
The Service provides tools that let the Workshop access, correct, export, and delete Customer Personal Information directly. If an individual contacts PitlaneHQ directly to exercise a right in respect of data the Workshop controls, we will refer them to the Workshop and reasonably assist the Workshop to respond within the time required by the Privacy Act.
9. Data breach notification
If PitlaneHQ becomes aware of a data breach affecting Customer Personal Information, we will notify the affected Workshop without undue delay and provide information reasonably necessary for the Workshop to assess the breach and meet its own obligations under the Notifiable Data Breaches scheme. We will reasonably assist the Workshop's response and take steps to contain and remediate the breach.
10. Audit
On reasonable written request (no more than once per 12 months, except following a breach or where required by a regulator), we will make available information reasonably necessary to demonstrate compliance with this DPA — for example security documentation, certifications, or summary reports. Any on-site audit will be at the Workshop's cost, on reasonable notice, during business hours, subject to confidentiality, and conducted so as not to disrupt the Service or compromise other customers' data.
11. Return and deletion
On termination or expiry of the Service, the Workshop may export its Customer Personal Information using the Service's export features during a wind-down window. After that window, we will delete or de-identify Customer Personal Information in the live Service, except where retention is required by law; residual copies in backups are purged on the rolling backup cycle.
12. Liability and relationship to the agreement
This DPA is subject to the limitations and exclusions of liability in the Terms of Service. Except as expressly modified here, the Terms of Service remain in full force.
13. Governing law
This DPA is governed by the laws of Queensland, Australia, and the parties submit to the non-exclusive jurisdiction of the courts of that State and the Commonwealth of Australia.
14. Contact
- Privacy / data protection: privacy@pitlanehq.com.au
- General enquiries: hello@pitlanehq.com.au