Statura Care
Statura.
Care

Data Processing Schedule

Privacy and security obligations tied to the live platform.

This schedule forms part of the Statura Care customer agreement and applies where Statura processes customer data on behalf of a provider.

Last updated: 23 April 2026

This Data Processing Schedule forms part of the Statura Care customer agreement and applies where Statura processes customer data on behalf of a customer.

1. Roles

  1. The customer determines the purposes for which customer data is collected and used in the service, and is responsible for the lawfulness of those decisions.
  2. Statura processes customer data on the customer's behalf to provide the service and associated support, security, and continuity functions.
  3. For the purposes of this schedule, the customer is the primary controller or principal responsible for customer data and Statura acts as processor, service provider, or equivalent contracted provider in relation to that customer data.

2. Subject matter and duration

  1. Subject matter: hosting, storage, organisation, transmission, retrieval, reporting, workflow support, support delivery, and deletion or de-identification of customer data in the service.
  2. Duration: for the subscription term and any post-termination retention period required by law, backup rotation, dispute resolution, or legitimate security purposes.

3. Categories of data

Depending on the modules a customer uses, customer data may include:

  • client, resident, and care-recipient identity details
  • family, nominee, guardian, and representative contact details
  • staff and contractor identity, roster, workforce, payroll-adjacent, and screening data
  • health information, care records, medications, observations, incidents, and assessments
  • communications, support tickets, audit logs, and portal activity records
  • billing, invoice, contribution, and claims-adjacent records
  • device and session data, including registered devices, push tokens, and access logs

4. Customer obligations

The customer must:

  • collect and disclose customer data lawfully and transparently
  • provide all privacy notices and APP 5 collection notices required for its own services
  • obtain and maintain any consents, authorities, or representative permissions needed for care delivery, portal access, messaging, and data sharing
  • ensure customer data and instructions are accurate, current, and not misleading
  • determine retention settings, access permissions, and configuration choices appropriate for its own legal obligations
  • review and approve any output, export, or submission before using it operationally or submitting it to a regulator, funder, worker, resident, or representative

5. Statura processing obligations

Statura will:

  • process customer data only on the customer's documented instructions, as necessary to provide, support, secure, and improve the service, or as required by law
  • ensure personnel with access to customer data are bound by confidentiality obligations
  • implement and maintain reasonable technical and organisational measures appropriate to the nature of customer data and the risks presented by the processing
  • maintain auditability and access controls within the service appropriate to the modules and workflows provided
  • notify the customer without undue delay after becoming aware of a verified security incident affecting customer data, unless notification is legally prohibited

6. Security measures

Statura's measures may include:

  • authentication controls and role-based access restrictions
  • encryption in transit and encryption at rest where supported by the relevant service component
  • logging and audit trails for access and key workflow activity
  • environment separation, backups, change controls, and recovery procedures
  • monitoring and incident-response tooling

This schedule does not guarantee any particular regulatory outcome, certification, or absolute security state. Security obligations are based on reasonable measures in light of the nature of the service and customer data.

7. Subprocessors and cross-border handling

  1. The customer authorises Statura to use the subprocessors listed in the current Subprocessor Schedule.
  2. Statura remains responsible for the acts and omissions of its subprocessors to the extent required by law and this schedule.
  3. Statura's primary production hosting for core application data is configured in Australia. However, certain support, telemetry, communications, and billing services may involve limited processing outside Australia.
  4. Where customer data is disclosed outside Australia through an approved subprocessor, Statura will take reasonable steps to ensure the recipient is subject to contractual or equivalent protections appropriate to the nature of the processing.

8. Assistance and cooperation

Taking into account the nature of the processing and the information available to Statura, Statura will provide reasonable assistance with privacy and security enquiries, access or deletion requests that the customer cannot reasonably fulfil without Statura's assistance, and incident investigation relating to the service.

If a request is extensive, repetitive, or outside the standard scope of the service, Statura may charge reasonable professional-services fees after giving notice.

9. Audits and information rights

  1. On reasonable written request, Statura will provide information reasonably necessary to demonstrate compliance with this schedule.
  2. Where that information is insufficient and the customer has a reasonable basis for concern, the customer may request one audit in any 12-month period on reasonable notice, during business hours, subject to confidentiality and security controls, and without access to another customer's data or Statura's trade secrets.
  3. Audits must not unreasonably interfere with the service or involve penetration testing, source-code review, or access to shared production systems without Statura's written approval.

10. Return, deletion, and retention

  1. During the subscription term, the customer may export customer data using available platform functionality or reasonable assistance requested from Statura.
  2. After termination, Statura will provide a reasonable export window and then delete or de-identify remaining customer data, except to the extent retention is required by law, for backup rotation, dispute resolution, or for security logging, fraud prevention, or lawful internal record-keeping.
  3. Where deletion is not legally or technically practicable, Statura will continue to protect retained data in accordance with this schedule and limit further processing to the retention purpose.

11. Privacy complaints and regulator engagement

  1. Each party remains responsible for its own compliance with laws that apply directly to that party, including privacy law, workplace law, and aged care law.
  2. If a privacy regulator or other authority makes an enquiry relating specifically to the service or Statura's processing, Statura may respond directly and will, where lawful and appropriate, keep the affected customer informed.

12. Priority

If there is any inconsistency between this schedule and the main customer agreement, this schedule prevails to the extent of the inconsistency for privacy, data-processing, and security matters.

Contact details