How we process data on behalf of our customers
Last updated: 1 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Wollemia Pty Ltd (ABN 35 692 226 323) ("Processor", "we", "us") and the customer ("Controller", "you") who uses the Cavuno platform to operate a job board. By using Cavuno, you agree to the terms of this DPA.
This DPA governs the processing of personal data that you collect from end users of your job board and that we process on your behalf to provide the Cavuno platform.
The following terms have the meanings set out below. Where not defined here, terms have the meanings given in the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), or our Terms of Service.
We process personal data solely to provide and maintain the Cavuno platform on your behalf. This includes hosting your job board, delivering job alert emails, processing search queries, generating analytics, and any other functionality available through the platform.
The types of personal data we process on your behalf include:
The categories of data subjects whose data we process include job seekers, candidate profile holders, job alert subscribers, job posters, and visitors to your job board. Cavuno does not process or store job application data — job listings redirect applicants to external application URLs controlled by the employer.
We process personal data only on your documented instructions, which are defined by your use of the Cavuno platform and the features you enable. We will not process personal data for any purpose other than providing the service to you.
If we believe an instruction from you infringes applicable data protection law, we will inform you without delay.
We commit to the following obligations when processing personal data on your behalf:
You authorise us to engage the subprocessors listed on our Subprocessors page to process personal data on your behalf. This page is maintained as the current list of approved subprocessors.
We will notify you of any intended changes to the list of subprocessors by updating the Subprocessors page. You may object to a new subprocessor by contacting us within 14 days of the update. If we cannot reasonably accommodate your objection, either party may terminate the affected service.
Personal data processed on your behalf may be transferred to and processed in countries outside your jurisdiction, including the United States and Germany, as detailed on our Subprocessors page.
Where personal data is transferred outside the European Economic Area or the United Kingdom, we ensure that appropriate safeguards are in place. We can provide EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreement upon request.
For transfers from Australia, we take reasonable steps to ensure that overseas recipients comply with the Australian Privacy Principles, consistent with our obligations under APP 8.
We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. A detailed description of our security measures is available on our Security page. These measures include encryption in transit and at rest, multi-tenant data isolation using row-level security, access controls governed by the principle of least privilege, and automated vulnerability scanning.
In the event of a data breach affecting personal data processed on your behalf, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
Our notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
We will cooperate with you and provide reasonable assistance in investigating the breach and meeting your notification obligations to supervisory authorities and data subjects.
We will assist you in fulfilling your obligations to respond to data subject requests. The Cavuno platform provides tools to access, export, and delete subscriber and applicant data. Where a data subject contacts us directly with a request relating to your job board, we will promptly refer them to you unless otherwise instructed.
We will make available to you the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by you or an auditor mandated by you.
Audit requests must be submitted in writing with reasonable notice. We may charge a reasonable fee for audits that go beyond reviewing our existing documentation and certifications. We will cooperate in good faith to address any findings.
This DPA takes effect when you begin using the Cavuno platform and remains in effect for the duration of our provision of the service to you.
Upon termination of the service, we will delete all personal data processed on your behalf within 30 days, unless retention is required by applicable law (for example, billing records retained under Australian tax law). Backup copies may persist for up to 30 days after deletion from primary systems.
You may request a copy of your data before termination using the export tools available in the platform, or by contacting us directly.
Upon termination or expiry of the service, and at your written request, we will either return all personal data to you in a structured, commonly used, and machine-readable format, or delete it. The choice is yours.
We will confirm deletion in writing upon request. Any personal data that we are required to retain by law will be isolated and protected from further processing.
This DPA is governed by the laws of New South Wales, Australia, consistent with our Terms of Service. For data subjects in the European Economic Area, this DPA is also subject to the GDPR. For data subjects in the United Kingdom, this DPA is also subject to the UK GDPR.
For questions about this DPA or to exercise any rights under it, please contact us: