
Data Processing Agreement

Effective 26 April 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”) and ninthLABS Ventures Pty Ltd (“Processor”, “ninthLABS”) governing your use of the OBEL™ Services. It describes how ninthLABS processes personal data on your behalf and the sub-processors it engages to do so.

1. Definitions

Personal Data means any information relating to an identified or identifiable natural person processed through the Services.

Sub-processor means any third party engaged by ninthLABS to process Personal Data on behalf of the Customer.

Processing has the meaning given in the Australian Privacy Act 1988 (Cth) and includes collection, storage, use, disclosure, and deletion.

2. Scope and Purpose of Processing

ninthLABS processes Personal Data solely for the purpose of providing the OBEL™ Services as described in the Terms of Service. Processing is performed on instructions from the Customer; ninthLABS does not process Personal Data for its own commercial purposes or to train AI models.

Categories of Personal Data processed may include: user identifiers (email, name), usage metadata, and — where SIEM content forwarding is enabled by the Customer administrator — scrubbed prompt and response text. Raw, pre-scrub content is never stored or transmitted to sub-processors beyond the scope of the security event log.

3. Obligations of ninthLABS

ninthLABS will:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that personnel with access to Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Customer in fulfilling data subject rights requests within a reasonable timeframe
  • Notify the Customer without undue delay upon becoming aware of a Personal Data breach
  • Provide reasonable assistance for the Customer's compliance obligations under applicable privacy law
  • Delete or return Personal Data upon termination of the agreement, unless required by law to retain it

4. Security Measures

ninthLABS implements the following technical measures for Personal Data:

  • AES-256-GCM encryption for all credentials and API keys stored at rest
  • TLS 1.2+ for all data in transit
  • Row-level security (RLS) enforced at the database layer for all tenant data
  • Real-time PII scrubbing before any data is forwarded to AI model providers
  • Tamper-evident audit logging via append-only GitHub commits
  • Principle of least privilege applied to all system access

5. Sub-processors

The Customer authorises ninthLABS to engage the following sub-processors. ninthLABS will notify the Customer of any intended changes to this list at least 14 days before the change takes effect, giving the Customer the opportunity to object.

Clerk Inc.

United States

Purpose: User authentication, identity management, and session tokens

Data shared: Email address, name, account metadata


Supabase Inc.

United States (multi-region)

Purpose: Primary database, row-level-secured data storage, file storage

Data shared: All application data including user records, audit logs, and encrypted credentials


Stripe Inc.

United States

Purpose: Payment processing, subscription management, invoice generation

Data shared: Billing name, email, payment method metadata (card last 4, expiry)


Anthropic, PBC

United States

Purpose: Claude AI model inference

Data shared: Scrubbed prompt text (PII replaced with placeholders), model configuration


OpenAI LLC

United States

Purpose: GPT model inference (OpenAI API)

Data shared: Scrubbed prompt text (PII replaced with placeholders), model configuration


Google LLC

United States / Global

Purpose: Gemini model inference (Google AI Studio / Vertex AI)

Data shared: Scrubbed prompt text (PII replaced with placeholders), model configuration


Groq Inc.

United States

Purpose: Fast inference (Llama, Mixtral, and other open-weight models)

Data shared: Scrubbed prompt text (PII replaced with placeholders), model configuration


GitHub, Inc. (Microsoft)

United States

Purpose: Tamper-evident audit trail — append-only commit log stored in a private repository

Data shared: Session metadata, classification decisions, scrubber hit counts (no raw prompt content)


6. International Data Transfers

Several sub-processors are located in the United States. ninthLABS takes reasonable steps to ensure that these sub-processors handle Personal Data in a manner consistent with the Australian Privacy Principles under APP 8 of the Privacy Act 1988 (Cth). Customers in the European Economic Area should contact us to discuss whether additional transfer mechanisms are required.

7. Governing Law

This DPA is governed by the laws of New South Wales, Australia. Privacy complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

8. Contact

Data privacy enquiries: privacy@ninthlabs.ai
ninthLABS Ventures Pty Ltd, New South Wales, Australia