
Data Processing Agreement

Version 1.0 · Effective 1 April 2026 · For enterprise customers requiring a formal DPA

Who needs this?

This Data Processing Agreement (DPA) is for enterprise customers who need a formal data processing agreement for their own compliance obligations (e.g. ISO 27001, government contracts, or enterprise procurement requirements). Most small-to-medium construction businesses are fully covered by our Privacy Policy.

To request a signed copy of this DPA, email legal@holdpoint.co.

1. Parties and definitions

This Data Processing Agreement is entered into between:

  • Data Controller: the company ("Customer") that has accepted HoldPoint's Terms of Service and is using the HoldPoint QA platform; and
  • Data Processor: HoldPoint QA Pty Ltd ("HoldPoint"), the provider of the HoldPoint QA software.

"Personal Data" means any information relating to an identified or identifiable natural person processed by HoldPoint on behalf of the Customer through the HoldPoint platform, including names, email addresses, and digital signatures of document signatories.

2. Role and scope of processing

HoldPoint acts as a data processor on behalf of the Customer. The Customer is the data controller — they determine the purposes for which personal data is collected and how it is used.

HoldPoint processes personal data only to the extent necessary to provide the services described in the Terms of Service and as directed by the Customer. HoldPoint does not process personal data for its own purposes beyond operating and improving the platform.

Processing activities include:

  • Storing and displaying documents, signatures, and project data;
  • Sending sign-off request emails to nominated signatories;
  • Generating PDF documents containing personal data;
  • Processing payments via Stripe on behalf of the Customer.

3. Customer obligations

The Customer agrees to:

  • Have a lawful basis for providing personal data to HoldPoint (e.g. consent, contract);
  • Ensure that data subjects (e.g. signatories) are informed about how their data will be processed;
  • Comply with all applicable privacy laws, including the Australian Privacy Act 1988; and
  • Not submit sensitive categories of personal data to HoldPoint unless necessary for the contracted service.

4. HoldPoint obligations

HoldPoint agrees to:

  • Process personal data only on documented instructions from the Customer (as described in this DPA and the Terms of Service);
  • Ensure that personnel with access to personal data are bound by confidentiality obligations;
  • Implement appropriate technical and organisational security measures (see section 6);
  • Assist the Customer in responding to data subject access requests, to the extent technically feasible;
  • Delete or return personal data on termination of the agreement, subject to legal retention obligations; and
  • Notify the Customer of any data breach affecting their data (see section 7).

5. Sub-processors

HoldPoint uses the following sub-processors to deliver the service. The Customer consents to these sub-processors by accepting HoldPoint's Terms of Service.

Sub-processor    Purpose                                         Location
Supabase Inc.    Database, file storage, authentication          USA (AWS Sydney region used)
Stripe Inc.      Payment processing                              USA
Resend Inc.      Transactional email delivery                    USA
Vercel Inc.      Application hosting and edge delivery           USA / global edge
Anthropic PBC    AI ITP template generation (scope text only)    USA

HoldPoint will notify the Customer of any changes to sub-processors by updating this page and notifying account holders by email.

6. Security measures

HoldPoint implements the following technical and organisational security measures:

  • Encryption in transit: TLS 1.2 or higher on all connections.
  • Encryption at rest: database and file storage encrypted at rest by Supabase (AES-256).
  • Access controls: row-level security policies in the database ensure data is scoped to individual companies. Administrative access requires strong authentication.
  • Document immutability: approved compliance documents are locked and cannot be modified after sign-off, ensuring audit trail integrity.
  • Penetration testing and security audits: regular internal security reviews. External penetration testing conducted as the product scales.
  • Least privilege: service accounts have the minimum permissions required to perform their function.
  • Vulnerability management: dependencies are monitored and patched regularly.

7. Data breach notification

In the event HoldPoint becomes aware of a security incident that affects the Customer's personal data, HoldPoint will:

  • Notify the Customer within 72 hours of becoming aware of the breach;
  • Provide details of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach; and
  • Cooperate with the Customer in any required notification to affected individuals or regulatory authorities.

Notification will be sent to the primary account email address and to security@holdpoint.co.

8. Data retention and deletion

On termination of the agreement:

  • HoldPoint will provide read-only access to the Customer's approved documents for 90 days;
  • The Customer may export their data during this period;
  • After 90 days, non-approved data will be deleted; and
  • Approved compliance documents may be retained for up to 7 years as required for legal compliance, after which they will be deleted.

To request earlier deletion, contact privacy@holdpoint.co. Requests may be declined where retention is legally required.

9. International transfers

Personal data may be transferred to and processed in countries outside Australia (including the USA) by the sub-processors listed in section 5. By accepting these terms, the Customer consents to these transfers.

HoldPoint takes reasonable steps to ensure sub-processors provide adequate data protection, including reviewing their privacy policies and security certifications.

10. Governing law

This DPA is governed by the laws of Victoria, Australia, and the Australian Privacy Act 1988 (Cth). Disputes are subject to the exclusive jurisdiction of the courts of Victoria.

11. Signed DPA

If your organisation requires a countersigned DPA for procurement or compliance purposes, email legal@holdpoint.co with your company name and requirements. We will respond within 5 business days.