
Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and QuestFeed Pty Ltd for the provision of the ZoneDSS platform and services. ZoneDSS is a product name and brand of QuestFeed Pty Ltd — it is not a separately registered business or trademark.

DPA at a Glance

This DPA governs how QuestFeed Pty Ltd (operating the ZoneDSS platform) processes personal data on your behalf. It applies automatically to all customers and supplements our Terms of Service and Privacy Policy.

Enterprise customers requiring a custom or countersigned DPA can contact hello@zonedss.com.

  • GDPR: Art. 28 compliant
  • APPs: Privacy Act 1988
  • SCCs: EU transfer mechanism
  • 30-day: LLM auto-deletion

1. Definitions

"Controller"

The Customer — the entity that determines the purposes and means of processing Personal Data by using the ZoneDSS platform.

"Processor"

QuestFeed Pty Ltd (ABN 58 632 013 855) — the legal entity that processes Personal Data on behalf of the Controller. ZoneDSS is the product name under which the Services are provided; all contractual obligations under this DPA are held by QuestFeed Pty Ltd.

"Sub-processor"

A third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Personal Data"

Any information relating to an identified or identifiable natural person that is processed by ZoneDSS in the course of providing the Services.

"Processing"

Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, combination, erasure, or destruction.

"Services"

The ZoneDSS planning intelligence platform, including spatial obligation resolution, Bayesian risk scoring, AI-powered planning Q&A, site report generation, and all related features.

2. Scope and Purpose of Processing

ZoneDSS processes Personal Data solely for the purpose of providing the Services as instructed by the Controller. Processing is limited to what is necessary to resolve planning obligations, generate reports, and provide AI-powered planning Q&A.

Processing is strictly limited to:

  • Receiving and processing planning queries (addresses, coordinates, development types)
  • Resolving obligations from planning instruments for queried locations
  • Generating site planning reports and compliance risk assessments
  • Providing AI-powered planning Q&A grounded in real obligation data
  • Managing Customer accounts, authentication, and billing

ZoneDSS will NOT: Process Personal Data for any purpose other than providing the Services; sell, rent, or trade Personal Data; use Personal Data for marketing, profiling, or advertising; or combine Personal Data with data from other customers.

3. Data Processing Details

Subject matter: Provision of the ZoneDSS planning intelligence platform

Duration: For the term of the Customer's subscription, plus up to 30 days for data deletion after termination

Nature of processing: Spatial query resolution, obligation graph traversal, Bayesian risk scoring, AI-powered Q&A inference, report generation, storage and retrieval of planning analysis results

Purpose of processing: To provide planning obligation resolution, compliance risk assessment, and AI-powered planning Q&A services as requested by the Customer

Categories of data subjects: Customer employees and authorized users

Types of personal data: Account data (name, email, role); query data (addresses searched, coordinates, development types); AI conversation history; payment information

4. AI and LLM Data Processing

Planning Q&A is powered by enterprise-grade large language models (LLMs) via API. The following safeguards apply to all AI-assisted processing:

30-Day Auto-Deletion

The LLM provider (xAI) automatically deletes all API inputs and outputs within 30 days. During this period, data is retained solely for safety and abuse monitoring purposes, after which it is permanently purged.

No Model Training

Your planning questions and obligation context are never used for model training, fine-tuning, or any form of machine learning improvement. This is explicitly prohibited under xAI's Enterprise Terms of Service.

Encrypted In-Transit Processing

Planning context is sent to the LLM API over encrypted channels (TLS 1.3) and processed for inference. No customer content is used beyond providing the API response.

Data Minimization

Only the obligation data and zone context necessary for answering the planning question is sent to the LLM. Customer account information, query history, and billing data are never transmitted to the LLM provider.

5. Sub-processors

ZoneDSS engages the following sub-processors to deliver the Services:

Sub-processor | Purpose | Location | Data Retention
xAI | LLM inference for planning Q&A | United States | 30-day auto-delete; no model training
Amazon Web Services (AWS) | Cloud infrastructure — Lambda, RDS PostgreSQL/PostGIS, S3 | US East (N. Virginia) | Duration of subscription + 30-day deletion
Cloudflare | CDN, DDoS protection, WAF, DNS, Pages hosting | Global edge network | Transient — edge cache only
Stripe | Payment processing and billing | United States | Per Stripe's data retention policy and PCI-DSS requirements

ZoneDSS will notify the Customer at least 30 days before engaging a new sub-processor or replacing an existing one. The Customer may object to a new sub-processor on reasonable grounds related to data protection.

6. Security Measures

ZoneDSS implements appropriate technical and organizational measures to protect Personal Data:

Encryption

TLS 1.3 in transit, AES-256 at rest via AWS KMS. All data encrypted at every stage of its lifecycle.

Access Control

Role-based access control with least privilege. No engineer has persistent access to production. All access is just-in-time and audited.

Serverless Isolation

Ephemeral Lambda containers destroyed after each invocation. No persistent servers, no SSH access.

Backup & Recovery

Daily automated database backups with 35-day retention. Point-in-time recovery. Multi-AZ deployment.

For full details of our security practices, see our Security page.

7. Data Subject Rights

ZoneDSS will assist the Controller in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws, including:

Right of Access

ZoneDSS will provide the Controller with access to Personal Data processed on its behalf, in a structured, commonly used, and machine-readable format, within 30 days.

Right to Rectification

ZoneDSS will correct or update Personal Data upon instruction from the Controller.

Right to Erasure

ZoneDSS will delete Personal Data upon instruction from the Controller, subject to any legal retention requirements. Deletion is completed within 30 days, including backups.

Right to Data Portability

The Customer can export their planning data and reports at any time via the platform.

8. Data Breach Notification

Notify (< 48 hours)

Notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach.

Describe (with notification)

Provide a description of the nature of the breach, including categories and approximate number of data subjects affected, likely consequences, and measures taken.

Assist (ongoing)

Assist the Controller in fulfilling its own breach notification obligations to supervisory authorities and affected data subjects.

Remediate (immediate)

Take immediate steps to contain the breach, mitigate its effects, and prevent recurrence. Conduct root cause analysis.

9. Data Deletion and Return

Upon termination or expiry of the Customer's subscription:

Data Export

The Customer may export all planning data, reports, and query history from the platform at any time before termination.

Deletion

ZoneDSS will delete all Personal Data within 30 days of termination, including all copies in primary storage, backups, and disaster recovery systems.

Retention Exceptions

ZoneDSS may retain Personal Data beyond 30 days only where required by applicable law (e.g., tax records). Any retained data continues to be protected under this DPA.

Sub-processor Deletion

ZoneDSS will ensure that all sub-processors delete Personal Data in accordance with the same timelines. The LLM provider operates under automatic 30-day deletion.

10. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Queensland, Australia, except where Data Protection Laws require the application of the law of the data subject's jurisdiction. For EU/EEA data subjects, the GDPR and applicable member state implementations prevail. For UK data subjects, the UK GDPR and Data Protection Act 2018 prevail.

11. Amendments

ZoneDSS may update this DPA from time to time to reflect changes in our processing activities, sub-processors, or applicable Data Protection Laws. Material changes will be notified to the Customer at least 30 days before taking effect. Continued use of the Services after the effective date of a revised DPA constitutes acceptance of the updated terms.

DPA Contact

For questions about this DPA, data processing requests, or to exercise audit rights:

QuestFeed Pty Ltd

ABN: 58 632 013 855

Email: hello@zonedss.com

Document Version: 1.0 | Effective: March 2026

This DPA supplements the Terms of Service and Privacy Policy.