CENTRIM LIFE – TERMS AND CONDITIONS

Provider:

Centrim Life Pty Ltd with ABN: 44 669 185 184 and Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083("Centrim Life", "we", "us", "our")

Customer:

The entity subscribing to the Services ("Customer", "you", "your")

1. DEFINITIONS & INTERPRETATION

1.1 Definitions

Agreement means these Terms & Conditions, all Schedules, Order Forms, the Data Processing Agreement (DPA), Privacy Policy and Data Governance Framework.
Authorized Users means employees, contractors, clinicians, carers, agents, and representatives authorized by the Customer.
Business Day means a day excluding weekends and public holidays in Victoria, Australia.
Confidential Information includes all non-public business, technical, financial, security, software, operational and data information.
Controller / Processor has the meaning under the Privacy Act 1988 (Cth).
Fees means all subscription, usage, implementation, and service fees.
Intellectual Property Rights means all present and future rights in copyright, patents, trademarks, designs, confidential information, and know-how.
Personal Information has the meaning in the Privacy Act.
Services means the Centrim Life SaaS platform and its subscribed modules, including without limitation:
- Dining & Nutrition
- Maintenance & Asset Management
- Housekeeping
- Lifestyle & Engagement
- CRM & Admissions
- Visitor Management
- Feedback, Compliance & Incidents
- Concierge & Service Booking
- AI, Voice & Automation tools
Subscription Term means the term stated in the Order Form.

2. AGREEMENT STRUCTURE AND PRIORITY

2.1 This Agreement applies when the Customer executes an Order Form, activates any Centrim Life module, or continues use after notice of these Terms.

2.2 Contractual hierarchy (highest to lowest priority):

Order Form
Data Processing Agreement
These Terms & Conditions
Privacy Policy & Governance Framework

3. LICENCE GRANT

3.1 Centrim Life grants the Customer a non-exclusive, non-transferable, revocable licence to access and use the Services solely for its internal business operations during the Subscription Term.

3.2 The Customer must not:

Sub-licence, sell or commercially exploit the Services
Reverse engineer or copy the platform
Permit access by unauthorized persons
Create competing products from the Services

4. CUSTOMER OBLIGATIONS

The Customer must:

4.1 Ensure all Authorized Users comply with this Agreement

4.2 Maintain secure credentials and internal access controls

4.3 Ensure lawful collection and use of Personal Information

4.4 Ensure accuracy and legality of all data entered

4.5 Comply with all applicable laws and regulations

4.6 Maintain internal clinical, operational and governance oversight

4.7 Prevent malware, viruses, and unlawful content upload

4.8 Maintain payment authorizations for concierge and services modules

5. FEES AND PAYMENT

5.1 Fees are payable as stated in the Order Form.

5.2 All Fees:

Are exclusive of GST
Are payable in advance unless stated otherwise
Are non-refundable except where required by law

5.3 Late payment may result in:

Immediate service suspension
Data access restrictions
Recovery costs payable by the Customer

6. SERVICE DELIVERY AND AVAILABILITY

6.1 Services are provided on an "as is, as available" basis.

6.2 Centrim Life does not guarantee uninterrupted availability unless expressly stated in a separate SLA.

6.3 Scheduled maintenance may occur without liability.

7. DATA PROTECTION AND PRIVACY

7.1 Each party must comply with:

Privacy Act 1988 (Cth)
Australian Privacy Principles (APPs)
Notifiable Data Breaches Scheme

7.2 The DPA forms part of this Agreement and governs all processing.

7.3 The Customer is the Controller. Centrim Life is the Processor.

8. DATA OWNERSHIP AND GOVERNANCE

8.1 All Customer data remains the exclusive property of the Customer.

8.2 Centrim Life:

Does not sell or monetize client data
Does not use data for advertising
Does not profile individuals

8.3 Governance is enforced under the Data Governance Framework (ISO-aligned).

9. INFORMATION SECURITY

Centrim Life implements industry-standard, ISO-aligned controls including:

Encryption at rest and in transit
MFA & role-based access
Audit logging
Backup and disaster recovery
Penetration testing and threat monitoring

10. CLINICAL AND CARE DISCLAIMER

The Services are not a medical device, clinical decision system, or substitute for professional judgment.

All dietary, clinical, care and treatment decisions remain solely the responsibility of the Customer and its professionals.

Centrim Life:

Does not diagnose
Does not prescribe
Does not make care decisions
Does not verify clinical accuracy of data entered

11. AI & AUTOMATION DISCLAIMER

11.1 AI outputs:

May contain errors
Are provided "as is"
Must be validated by the Customer before use

11.2 Centrim Life:

Does not warrant AI accuracy
Does not accept liability for reliance on AI output
Does not train public AI models on Customer data

11.3 The Customer indemnifies Centrim Life for all reliance-based claims arising from AI usage.

12. SUBCONTRACTING AND OFFSHORE ACCESS

12.1 Centrim Life may engage subcontractors to deliver infrastructure, development, support, analytics, or communications services.

12.2 All subcontractors are bound by equivalent confidentiality, privacy, and security obligations.

12.3 Centrim Life remains responsible for subcontractor acts.

13. CONFIDENTIALITY

Each party must protect the other's Confidential Information with reasonable security measures.

Confidentiality obligations survive termination.

14. INTELLECTUAL PROPERTY

14.1 All IP in:

The platform
Enhancements
Updates
Integrations
Derivative works

Remains the exclusive property of Centrim Life.

14.2 Customers retain ownership of their data.

15. WARRANTIES

Centrim Life warrants that:

It has authority to provide the Services
The Services will perform materially in accordance with documentation
It will comply with applicable laws

All other warranties are excluded except those required under the Australian Consumer Law.

16. SUSPENSION AND TERMINATION

Centrim Life may immediately suspend access for:

Non-payment
Security threats
Regulatory breaches
Misuse of Services

Either party may terminate for material breach or insolvency.

17. DATA RETURN AND DELETION

Upon termination:

Export may be requested
Live data deleted within 30 days
Backup purge within 30–60 days
Certificate of Destruction available

18. LIMITATION OF LIABILITY (HARD COMMERCIAL CAP)

To the maximum extent permitted by law:

Total liability is capped at 12 months of Fees
No liability for:
- Loss of profits
- Business interruption
- Loss of data
- Indirect or consequential losses

A separate cap may apply to privacy breaches (equal to 12 months of Fees).

19. CUSTOMER INDEMNITY (DATA & MISUSE)

The Customer indemnifies Centrim Life against all claims arising from:

Incorrect, misleading or unlawful data
Staff misuse
Clinical misjudgement
Regulatory non-compliance
AI reliance
Unauthorized use

20. FORCE MAJEURE

Neither party is liable for delays caused by events beyond reasonable control.

21. ASSIGNMENT AND SUBCONTRACTING

Centrim Life may assign or subcontract with notice. Customers may not assign without consent.

22. VARIATION

Centrim Life may update these Terms with written notice. Continued use constitutes acceptance.

23. SEVERABILITY

Invalid terms are severed without affecting the remainder.

24. GOVERNING LAW AND JURISDICTION

This Agreement is governed by the laws of Victoria, Australia.

25. ENTIRE AGREEMENT

This Agreement constitutes the entire agreement between the parties.

CENTRIM LIFE - PRIVACY POLICY

Entity: Centrim Life Pty Ltd with ABN: 44 669 185 184 and Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083

1. INTRODUCTION

Centrim Life Pty Ltd ("Centrim Life", "we", "our", "us") provides software‑as‑a‑service (SaaS) solutions to aged care, retirement living and healthcare organizations. This Privacy Policy explains how we collect, use, disclose, store, and protect Personal Information in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. WHAT PERSONAL INFORMATION WE COLLECT

We collect the following categories of information:

Identifiers: names, titles, gender, dates of birth, addresses, phone numbers, email addresses.
Resident Information: room/unit data, preferences, dietary requirements, allergies, IDDSI textures.
Sensitive Information: health data, food intake, incident reports, care‑related notes, feedback & complaints.
Staff Information: roles, permissions, rostering‑related data.
Visitor Data: entry/exit logs, identity verification, purpose of visit.
Technical Data: IP addresses, device identifiers, audit logs, activity history, error logs.
Payment Data: payment tokens processed via Stripe (we do not store full card details).

3. HOW WE COLLECT INFORMATION

We collect Personal Information directly through forms, platform interactions, support communications, mobile apps, AI‑assisted workflows, integrations (e.g., PCS, Nourish), uploaded files, photographs, 360‑degree inspection images, and automated logging systems.

4. PURPOSES OF USE

We use Personal Information to:

Operate Centrim Life modules including Dining, Maintenance, Housekeeping, CRM, Visitor Management, Lifestyle, Feedback & Compliance, Incidents and Concierge.
Support aged‑care operations, workflows, reporting and compliance.
Facilitate AI‑enabled documentation, dining notes, and search where authorized.
Provide secure access, authentication, and audit trails.
Process payments for concierge services.
Improve, maintain and secure the platform.

We do NOT use Personal Information for advertising, resale, or behavioural profiling.

5. DISCLOSURE OF PERSONAL INFORMATION

We may disclose information to:

The organization that controls the data (Controller).
Authorized staff and user roles.
Sub‑processors including: AWS (Australia), Stripe, Postmark, MessageMedia/Burst SMS, Gleap and Mixpanel (optional pseudonymized analytics), Ecaret Solutions (secure VPN restricted access only; no data export).
Government bodies or regulators where required by law.

6. CROSS-BORDER DISCLOSURES

Centrim Life stores data exclusively in Australia. Overseas developer access may occur solely through encrypted VPN sessions with no copying, exporting, or offshoring of Personal Information. This approach satisfies APP 8 requirements for cross‑border disclosure.

7. DATA SECURITY

We implement ISO 27001‑aligned controls including encryption (at rest and in transit), MFA, Azure AD SSO, RBAC, secure coding practices, firewalls, automated monitoring, penetration testing, encrypted backups, DR protocols (RTO 1 hour, RPO 4 hours) and strict access controls.

8. DATA RETENTION

We retain Personal Information while the client maintains an active subscription. Upon termination, live data is deleted within 30 days, and backup data is purged within 30–60 days. A certificate of destruction is available upon request.

9. NOTIFIABLE DATA BREACHES SCHEME

If we become aware of an eligible data breach, we will notify the Controller within 24 hours and assist with assessment, remediation, OAIC notifications, and affected individual communications as required.

10. ACCESS AND CORRECTION RIGHTS

Individuals may request access to or correction of their Personal Information. Requests must be directed to the relevant customer organization acting as the Controller. We will assist Controllers in fulfilling such requests.

11. ANONYMIZED DATA AND ANALYTICS

We may produce aggregated or anonymized data for reporting, benchmarking, or platform improvement. This data contains no Personal Information and cannot identify individuals.

12. COOKIES AND TRACKING TECHNOLOGIES

We use cookies for authentication, session management, security, and performance. We do not use cookies for advertising or behavioural tracking.

13. CHANGES TO POLICY

We may update this Privacy Policy to reflect legislation, platform enhancements, or operational changes. The current version will be published on our website.

14. CONTACT DETAILS

Privacy Officer

Centrim Life Pty Ltd

Email: privacy@centrimlife.com.au

Address: 35B, 240 Plenty Road, Bundoora, VIC 3083

CENTRIM LIFE - DATA GOVERNANCE FRAMEWORK

Entity: Centrim Life Pty Ltd
ABN: 44 669 185 184
Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083

1. PURPOSE AND GOVERNANCE OBJECTIVE

This Data Governance Framework defines how Centrim Life Pty Ltd ("Centrim Life") governs, manages, secures, and ensures the lawful handling of data across its software-as-a-service (SaaS) platforms used within:

Aged care services
Retirement living operations
Healthcare-connected environments
Community and support services

The framework ensures:

Compliance with the Privacy Act 1988 (Cth)
Compliance with the Australian Privacy Principles (APPs)
Alignment with ISO/IEC 27001:2022 Information Security Management standards
Protection of sensitive health and care-related information
Full accountability across the entire data lifecycle

This framework applies to all Centrim Life systems, applications, mobile platforms, integrations, AI tools, and support operations.

2. DATA OWNERSHIP AND ACCOUNTABILITY MODEL

Centrim Life operates under a strict Controller–Processor structure:

Customer (Controller): Owns and controls all Personal Information entered into the platform.
Centrim Life (Processor): Processes information only on the documented instructions of the Controller.

Centrim Life:

Does not sell data
Does not use client data for advertising
Does not monetise or profile individuals
Does not repurpose data for unrelated activities

All data remains the legal property of the customer.

3. DATA CLASSIFICATION FRAMEWORK

All information processed within Centrim Life is classified under a formal four-tier model:

Classification Level	Description
Public	Marketing content, publicly available material
Internal	Internal operational logs and system metadata
Confidential	Staff records, operational reports, visitor systems
Restricted (Sensitive)	Resident data, health information, dietary data, incidents, complaints, clinical or risk-related data

Restricted data receives the highest level of technical, procedural, and access protection.

4. DATA LIFECYCLE GOVERNANCE

4.1 Lawful Collection

Data is collected only where:

Necessary for delivery of contracted services
Required for clinical, operational, safety, or compliance purposes
Lawfully authorised by the customer

Data minimisation is enforced by design.

4.2 Secure Storage

All production data is:

Stored within Australian-based data centres
Encrypted using strong industry-standard cryptography
Segregated by individual customer tenancy
Protected from unauthorised physical and logical access

4.3 Lawful Use

Data is used exclusively for:

Dining, nutrition, and intake workflows
Maintenance, housekeeping, and compliance operations
Incident, complaint and risk management
Visitor management and site safety
CRM, enquiries and resident engagement
Concierge and service booking
Reporting, auditing and regulatory compliance
Platform security, stability and support

No behavioural profiling, advertising use, or commercial exploitation occurs.

4.4 Controlled Disclosure

Information is disclosed only to:

Authorised users of the customer organisation
Contractually bound service providers strictly required to operate the system
Regulators and authorities where legally required

All disclosures are:

Logged
Access controlled
Subject to contractual confidentiality obligations

4.5 Retention Governance

Data retention is governed by:

Active contractual service periods
Statutory record-keeping obligations
Clinical and compliance retention requirements

Upon lawful termination:

Production data is removed within 30 days
Secure backup data is purged within 30–60 days
A Certificate of Secure Data Destruction is available upon request

4.6 Secure Destruction

Data destruction is performed using:

Cryptographic overwrite methods
Logical eradication procedures
Verified deletion controls

Destruction is documented and auditable.

5. IDENTITY, ACCESS AND PRIVILEGE GOVERNANCE

Centrim Life enforces a strict least-privilege access model, including:

Role-Based Access Control (RBAC)
Multi-Factor Authentication (MFA)
Single Sign-On (SSO) where supported
Device and session management
Password complexity enforcement
Time-based access restrictions where required

All access to Restricted data is:

Logged
Timestamped
User-attributed
Monitored for anomalous behaviour

6. SUB-PROCESSOR AND VENDOR GOVERNANCE

Centrim Life engages specialist infrastructure, communications, payment and support service providers to deliver its platform.

All such providers are governed by:

Formal vendor risk assessments
Contractual confidentiality and security obligations
Privacy Act–equivalent data protection standards
Mandatory breach notification clauses
Annual security and compliance review processes

Centrim Life remains fully accountable to customers for all data processing activities.

7. CROSS-BORDER DATA GOVERNANCE (APP 8 COMPLIANCE)

No production customer data is stored outside Australia
Where limited offshore technical access is required:
- Access is secured via encrypted channels
- Export, replication and permanent storage are technically restricted
- Activity is logged and monitored
- Legal safeguards enforce Australian privacy equivalence

8. AI, AUTOMATION AND ADVANCED PROCESSING GOVERNANCE

AI and automation tools integrated into Centrim Life operate under strict governance:

AI acts only on explicit user-initiated instructions
AI models do not train on live client production data
All AI-generated outputs remain:
- Encrypted
- Tenant-isolated
- Subject to standard access controls
Voice and AI-generated notes are governed as Restricted data

No Personal Information is transferred to public AI training systems.

9. INFORMATION SECURITY GOVERNANCE (ISO-ALIGNED)

Centrim Life implements an ISO-aligned Information Security Management System (ISMS) including:

Encryption at rest and in transit
Secure software development lifecycle (SSDLC)
Firewalls and intrusion detection
Continuous logging and security monitoring
Vulnerability management and penetration testing
Backup equity and disaster recovery testing
Change management and access reviews
Incident response and escalation playbooks

10. DATA BREACH AND CYBER INCIDENT GOVERNANCE

In the event of a security incident or eligible data breach:

Immediate detection and containment
Impact assessment and forensic analysis
Notification to customers within 24 hours
Regulatory reporting under the Notifiable Data Breaches Scheme where required
Remediation and preventative control enhancement

11. DATA INTEGRITY, QUALITY AND AUDITABILITY

Centrim Life enforces:

Validation rules across all forms and workflows
Referential integrity across related datasets
Immutable audit logs for:
- Clinical and dining notes
- Incidents and complaints
- Maintenance activities
- Compliance actions

This ensures:

Evidence-grade audit trails
Non-repudiation
Regulatory defensibility

12. REGULATORY AND SECTOR COMPLIANCE COVERAGE

This governance framework supports compliance with:

Privacy Act 1988 (Cth)
Australian Privacy Principles (APPs)
Notifiable Data Breaches Scheme
Australian Aged Care Quality Standards (including 2025 reforms)
Clinical safety and risk governance expectations
Cyber insurance underwriting requirements
Enterprise ICT security due diligence

13. ACCOUNTABILITY, OVERSIGHT AND REVIEW

Centrim Life maintains:

Appointed Privacy & Data Governance Officer
Formal data governance ownership
Annual oversight and policy review cycles
Documented access control governance
Vendor security assurance reviews
Board-level escalation pathways for incidents

14. CONTINUOUS IMPROVEMENT AND MATURITY

Centrim Life continuously improves its data governance through:

Regulatory monitoring
Threat intelligence
Platform upgrades
Security testing and audits
Client feedback and risk assessments

Governance maturity is reviewed annually.

15. DATA GOVERNANCE CONTACT

Privacy & Data Governance Officer

Centrim Life Pty Ltd

35B, 240 Plenty Road, Bundoora, VIC 3083

Email: privacy@centrimlife.com.au

CENTRIM LIFE - DATA PROCESSING AGREEMENT (AUSTRALIA)

This Data Processing Agreement ("DPA") forms part of the SaaS Services Agreement between:

Controller: The Customer as identified in the Services Agreement ("Controller")
Processor: Centrim Life Pty Ltd with ABN: 44 669 185 184 and Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083 ("Processor")

1. DEFINITIONS

'Privacy Act' means the Privacy Act 1988 (Cth)
'APPs' means the Australian Privacy Principles
'Personal Information' has the meaning given in section 6 of the Privacy Act
'Sensitive Information' includes health, dietary, incident, and care-related information
'Processing' includes collecting, storing, using, disclosing, deleting, or otherwise handling Personal Information
'Services' means the Centrim Life SaaS platform and its activated modules
'Data Breach' means an eligible data breach under the Notifiable Data Breaches Scheme.

2. PURPOSE OF PROCESSING

The Processor shall Process Personal Information solely for the purpose of providing the Services to the Controller, including platform hosting, maintenance, support, system analytics, security monitoring, and approved integrations. The Processor shall not use Personal Information for marketing, profiling, resale, or unrelated purposes.

3. CATEGORIES OF DATA AND DATA SUBJECTS

Data Subjects include residents, staff, contractors, family members, visitors, and authorized representatives.

Personal Information includes names, contact details, identifiers, dietary requirements, health and incident data, service and workflow records, visitor logs, authentication data, and audit trails.

4. PROCESSOR OBLIGATIONS

The Processor must:

Process Personal Information only in accordance with the Controller's lawful documented instructions
Ensure all personnel with access to Personal Information are bound by confidentiality obligations
Implement appropriate technical and organizational security measures including encryption, access control, multi-factor authentication, firewalls, and monitoring
Assist the Controller to comply with data subject access and correction requests
Maintain audit logs and access controls
Immediately notify the Controller of any unauthorized access or security incident.

5. SUB-PROCESSORS

Approved Sub-Processors include:

AWS (Australia) – hosting & infrastructure
Stripe – payments
Postmark – transactional email
Message Media/Burst SMS – SMS
Gleap – support ticketing
Mixpanel (optional) – analytics (pseudonymized)
Ecaret Solutions – restricted VPN development and support access only.

The Processor shall ensure that all Sub-Processors are contractually bound to equivalent privacy and security obligations.

6. CROSS-BORDER DISCLOSURE

The Processor shall not disclose Personal Information to recipients outside Australia without the prior written authorization of the Controller and only where APP 8 compliance is ensured through contractual safeguards.

7. DATA BREACH NOTIFICATION

The Processor shall notify the Controller within 24 hours of becoming aware of any Data Breach and provide all reasonable assistance required under the Notifiable Data Breaches Scheme.

8. DATA RETENTION AND DESTRUCTION

Upon termination of the Services, all Personal Information shall be securely deleted or returned to the Controller within 30 to 60 days, subject to backup retention policies.

9. AUDIT RIGHTS

The Controller may conduct reasonable audits on written notice to verify compliance with this DPA, subject to confidentiality and non-disruption requirements.

10. LIABILITY

All liability relating to data protection obligations is governed by the limitation of liability clause in the SaaS Services Agreement. This DPA does not expand the Processor's commercial liability.

11. GOVERNING LAW

This Agreement is governed by the laws of Victoria, Australia.