754,627 rural NSW lots pre-computed | 183 data fields per property | Carbon credit estimates for every lot | 159+ regulatory obligations from 16 regulations | Soil, climate, water, vegetation intelligence | Know what you CAN do with your land | Reports in ~60 seconds | 754,627 rural NSW lots pre-computed | 183 data fields per property | Carbon credit estimates for every lot | 159+ regulatory obligations from 16 regulations | Soil, climate, water, vegetation intelligence | Know what you CAN do with your land | Reports in ~60 seconds |

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and QuestFeed Pty Ltd for the provision of the AgDSS platform and services. AgDSS is a product name and brand of QuestFeed Pty Ltd — it is not a separately registered business or trademark.

DPA at a Glance

This DPA governs how QuestFeed Pty Ltd (operating the AgDSS platform) processes personal data on your behalf. It applies automatically to all customers and supplements our Terms of Service and Privacy Policy.

Enterprise customers requiring a custom or countersigned DPA can contact hello@agdss.com.

GDPR

Art. 28 compliant

APPs

Privacy Act 1988

SCCs

EU transfer mechanism

30-day

LLM auto-deletion

1. Definitions

"Controller"

The Customer — the entity that determines the purposes and means of processing Personal Data by using the AgDSS platform.

"Processor"

QuestFeed Pty Ltd (ABN 58 632 013 855) — the legal entity that processes Personal Data on behalf of the Controller. AgDSS is the product name under which the Services are provided; all contractual obligations under this DPA are held by QuestFeed Pty Ltd.

"Sub-processor"

A third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Personal Data"

Any information relating to an identified or identifiable natural person that is processed by AgDSS in the course of providing the Services.

"Processing"

Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, combination, erasure, or destruction.

"Services"

The AgDSS agricultural intelligence platform, including land capability analysis, soil and water intelligence, risk scoring, AI-powered agricultural Q&A, report generation, property monitoring, and all related features.

2. Scope and Purpose of Processing

AgDSS processes Personal Data solely for the purpose of providing the Services as instructed by the Controller. Processing is limited to what is necessary to analyse land capability, generate reports, and provide AI-powered agricultural Q&A.

Processing is strictly limited to:

  • Receiving and processing agricultural queries (addresses, coordinates, land-use selections)
  • Resolving applicable agricultural, biosecurity, water, and environmental obligations for queried locations
  • Generating farm and property reports and compliance risk assessments
  • Providing AI-powered agricultural Q&A with cited answers
  • Managing Customer accounts, authentication, and billing

AgDSS will NOT: Process Personal Data for any purpose other than providing the Services; sell, rent, or trade Personal Data; use Personal Data for marketing, profiling, or advertising; or combine Personal Data with data from other customers.

3. Data Processing Details

Subject matter Provision of the AgDSS agricultural intelligence platform
Duration For the term of the Customer's subscription, plus up to 30 days for data deletion after termination
Nature of processing Land capability analysis, risk scoring, AI-powered Q&A, report generation, storage and retrieval of agricultural analysis results
Purpose of processing To provide land capability analysis, compliance risk assessment, report generation, and AI-powered agricultural Q&A services as requested by the Customer
Categories of data subjects Customer employees and authorized users
Types of personal data Account data (name, email, role); query data (addresses searched, coordinates, development types); AI conversation history; payment information

4. AI and LLM Data Processing

Planning Q&A is powered by enterprise-grade large language models (LLMs) via API. The following safeguards apply to all AI-assisted processing:

30-Day Auto-Deletion

The LLM provider (xAI) automatically deletes all API inputs and outputs within 30 days. During this period, data is retained solely for safety and abuse monitoring purposes, after which it is permanently purged.

No Model Training

Your agricultural questions and the data used to answer them are never used for model training, fine-tuning, or any form of machine learning improvement. This is explicitly prohibited under xAI's Enterprise Terms of Service.

Encrypted In-Transit Processing

Planning context is sent to the LLM API over encrypted channels (TLS 1.3) and processed for inference. No customer content is used beyond providing the API response.

Data Minimization

Only the agricultural data necessary for answering your question is sent to the AI provider. Customer account information, query history, and billing data are never transmitted.

5. Sub-processors

AgDSS engages the following sub-processors to deliver the Services:

Sub-processor Purpose Location Data Retention
xAI LLM inference for agricultural Q&A United States 30-day auto-delete; no model training
Amazon Web Services (AWS) Cloud infrastructure — compute, database, storage US East (N. Virginia) Duration of subscription + 30-day deletion
Cloudflare CDN, DDoS protection, WAF, DNS, Pages hosting Global edge network Transient — edge cache only
Stripe Payment processing and billing United States Per Stripe's data retention policy and PCI-DSS requirements

AgDSS will notify the Customer at least 30 days before engaging a new sub-processor or replacing an existing one. The Customer may object to a new sub-processor on reasonable grounds related to data protection.

6. Security Measures

AgDSS implements appropriate technical and organizational measures to protect Personal Data:

Encryption

TLS 1.3 in transit, AES-256 at rest via AWS KMS. All data encrypted at every stage of its lifecycle.

Access Control

Role-based access control with least privilege. No engineer has persistent access to production. All access is just-in-time and audited.

Serverless Isolation

Ephemeral Lambda containers destroyed after each invocation. No persistent servers, no SSH access.

Backup & Recovery

Daily automated database backups with 35-day retention. Point-in-time recovery. Multi-AZ deployment.

For full details of our security practices, see our Security page.

7. Data Subject Rights

AgDSS will assist the Controller in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws, including:

Right of Access

AgDSS will provide the Controller with access to Personal Data processed on its behalf, in a structured, commonly used, and machine-readable format, within 30 days.

Right to Rectification

AgDSS will correct or update Personal Data upon instruction from the Controller.

Right to Erasure

AgDSS will delete Personal Data upon instruction from the Controller, subject to any legal retention requirements. Deletion completed within 30 days, including backups.

Right to Data Portability

The Customer can export their agricultural data and reports at any time via the platform.

8. Data Breach Notification

Notify

< 48 hours

Notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach.

Describe

With notification

Provide a description of the nature of the breach, including categories and approximate number of data subjects affected, likely consequences, and measures taken.

Assist

Ongoing

Assist the Controller in fulfilling its own breach notification obligations to supervisory authorities and affected data subjects.

Remediate

Immediate

Take immediate steps to contain the breach, mitigate its effects, and prevent recurrence. Conduct root cause analysis.

9. Data Deletion and Return

Upon termination or expiry of the Customer's subscription:

Data Export

The Customer may export all agricultural data, reports, and query history from the platform at any time before termination.

Deletion

AgDSS will delete all Personal Data within 30 days of termination, including all copies in primary storage, backups, and disaster recovery systems.

Retention Exceptions

AgDSS may retain Personal Data beyond 30 days only where required by applicable law (e.g., tax records). Any retained data continues to be protected under this DPA.

Sub-processor Deletion

AgDSS will ensure that all sub-processors delete Personal Data in accordance with the same timelines. The LLM provider operates under automatic 30-day deletion.

10. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Queensland, Australia, except where Data Protection Laws require the application of the law of the data subject's jurisdiction. For EU/EEA data subjects, the GDPR and applicable member state implementations prevail. For UK data subjects, the UK GDPR and Data Protection Act 2018 prevail.

11. Amendments

AgDSS may update this DPA from time to time to reflect changes in our processing activities, sub-processors, or applicable Data Protection Laws. Material changes will be notified to the Customer at least 30 days before taking effect. Continued use of the Services after the effective date of a revised DPA constitutes acceptance of the updated terms.

DPA Contact

For questions about this DPA, data processing requests, or to exercise audit rights:

QuestFeed Pty Ltd

ABN: 58 632 013 855

Email: hello@agdss.com

Document Version: 1.0 | Effective: April 2026

This DPA supplements the Terms of Service and Privacy Policy.