Data Processing Agreement

Last updated: 19 February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Lucive Pty Ltd ("Processor", "Lucive") and the subscribing healthcare practice ("Controller", "you") for the provision of the Lucive platform. This DPA governs the processing of personal information, including health information, by Lucive on your behalf.

1. Definitions

In this DPA, "personal information" and "health information" have the meanings given in the Privacy Act 1988 (Cth). "Processing" means any operation performed on personal information, including collection, storage, use, disclosure, and deletion.

2. Roles and responsibilities

You, as the Controller, determine the purposes and means of processing personal information. Lucive, as the Processor, processes personal information only on your documented instructions and for the purpose of providing the Lucive platform services.

3. Scope of processing

Lucive processes personal information solely to:

  • Generate and manage GP referral letters on your behalf.
  • Integrate with your practice management system as authorised by you.
  • Provide support and maintain the platform.

4. Sub-processors

Lucive may engage sub-processors to assist in delivering the service. We will maintain a current list of sub-processors and notify you of any changes at least 30 days in advance. You may object to a new sub-processor on reasonable grounds. All sub-processors are bound by data protection obligations no less protective than those in this DPA.

5. Data security

Lucive implements appropriate technical and organisational measures to protect personal information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and least-privilege principles.
  • Regular vulnerability assessments and penetration testing.
  • Multi-factor authentication for all staff with data access.
  • Audit logging of all data access events.

6. Data breach notification

Lucive will notify you without undue delay, and no later than 72 hours, upon becoming aware of a data breach affecting personal information processed under this DPA. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach. We will cooperate with you in meeting your obligations under the Notifiable Data Breaches scheme.

7. Data return and deletion

Upon termination of the agreement or at your written request, Lucive will return or securely delete all personal information processed on your behalf within 30 days, unless retention is required by law. We will provide written confirmation of deletion upon request.

8. Audit rights

You may request, no more than once per year and with reasonable advance notice, that Lucive provide information or allow an audit to verify compliance with this DPA. Lucive will cooperate and provide reasonable access to relevant records, systems, and personnel. Audits will be conducted in a manner that minimises disruption to Lucive's operations.

9. Cross-border transfers

Where personal information is transferred outside Australia, Lucive will ensure that the recipient is subject to a law or binding scheme that provides protections substantially similar to the APPs, in accordance with APP 8.

10. Term and termination

This DPA remains in effect for the duration of your use of the Lucive platform. Obligations relating to data security, deletion, and confidentiality survive termination.

11. Contact

For questions about this DPA, please contact us at privacy@lucive.com.au.