Alveya Data Processing Addendum
Legal Document  ·  Alveya Pty Ltd

Last updated: 18 February 2026  ·  ABN 26 690 422 407

This Data Processing Addendum ("DPA") forms part of the User Agreement ("Terms") and governs the processing of Personal Data by Alveya Pty Ltd ("we", "us", "our") on behalf of customers using the Services ("Customer", "you", "your"). To the extent we process Personal Data on your behalf, you act as the Data Controller and we act as the Data Processor in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Privacy Act 1988 (Cth).

Definitions

Applicable Law
All laws, regulations, and codes relating to privacy or data protection, including the GDPR and the Privacy Act 1988 (Cth), as amended from time to time.
Appointed Auditor
Any independent party authorised by you to perform audits under this DPA.
Customer / You / Your
Any individual or entity entering into the Terms as Controller.
Customer Data
Personal Data submitted to, stored in, or processed through the Services by or on your behalf.
Data Controller
The entity that determines the purposes and means of Processing Personal Data.
Data Processor
The entity that Processes Personal Data on behalf of the Data Controller.
Personal Data
Information relating to an identified or identifiable natural person ("Data Subject"), as defined under Article 4 of the GDPR.
Processing
Any operation performed on Personal Data, whether by automated means or otherwise, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, disclosure, dissemination, erasure, or destruction.
Sensitive Data
Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning health or sexual orientation, which is subject to heightened protection requirements under the GDPR.
Services
Has the meaning given in the Terms.
Standard Contractual Clauses
The contractual provisions adopted by the European Commission for the transfer of Personal Data outside the EEA.
Sub-Processor
Any third party engaged by the Data Processor to process Personal Data.

Scope and Application

This DPA applies to the Processing of Customer Data by the Data Processor on your behalf in connection with the Services.

To the extent of any inconsistency, this DPA prevails over the Terms with respect to Personal Data Processing.

Roles and Responsibilities

You act as Data Controller and we act as Data Processor in relation to Customer Data processed through the Services.

Each party is responsible for complying with applicable privacy and data protection laws. You are responsible for ensuring you have a lawful basis for processing Personal Data.

We act as an independent Data Controller for personal data we process to operate and manage the Services, including for account administration, billing, security, service improvement, analytics, and legal compliance. This DPA does not apply to that processing.

Processing of Personal Data

We will process Personal Data only as necessary to provide the Services in accordance with the Terms and your use of the Services, unless we are required to do otherwise by law.

We will not process Personal Data for any other purpose unless agreed with you in writing.

You are responsible for ensuring there is a valid legal basis for the processing of Personal Data, as required by applicable data protection laws (including Article 6 of the GDPR).

Security Measures

We implement appropriate technical and organisational safeguards to protect Personal Data based on the level of risk, including:

  • Encryption and pseudonymisation of Personal Data where applicable
  • Maintaining the confidentiality, integrity, availability, and resilience of our systems
  • Restoring access to Personal Data promptly following a technical or physical incident
  • Regularly testing and reviewing the effectiveness of our security measures
  • Restricting access to Personal Data to authorised personnel only

Confidentiality

Where appropriate, we take reasonable steps to ensure that personnel authorised to access or process Personal Data are subject to confidentiality obligations.

Sub-Processing

You authorise us to use third-party service providers where reasonably necessary to deliver the Services.

Where we use third-party providers to process Personal Data, we take reasonable steps to ensure they are subject to appropriate confidentiality, security, and data protection obligations. This may include selecting reputable providers, reviewing their privacy and security commitments, limiting data shared, and enabling available security controls.

These providers may include cloud hosting, data storage, analytics tools, customer support systems, and other service providers required to operate the Services.

We remain responsible for the processing of Personal Data carried out by our service providers on our behalf.

International Transfers

Where Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred outside those regions, we will ensure appropriate safeguards are in place as required by applicable data protection laws. These safeguards may include the use of Standard Contractual Clauses or other legally recognised transfer mechanisms.

Where Personal Data is disclosed outside Australia, we take reasonable steps to ensure the recipient handles the information in a manner consistent with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Our service providers may be located in, or process data from, countries outside your jurisdiction. Information about data hosting locations and key service providers is available upon reasonable request.

Data Subject Rights

Where we process Personal Data on your behalf and receive a request relating to that data, we will notify you and, where reasonably practicable, assist you in responding.

We will not respond directly to such requests unless authorised by you or required by law.

You are responsible for managing and responding to requests relating to Personal Data you control.

Data Breach Notification

If we become aware of a Personal Data Breach affecting data we process on your behalf, we will notify you without undue delay and, where feasible, within 48 hours.

Our notification will include, where available:

  • A description of the nature of the breach, including the types and approximate number of individuals and records affected
  • Contact details for further information
  • The likely impact of the breach and the steps taken or proposed to contain and address it

We will provide reasonable assistance to help you investigate, contain, and respond to the breach where required.

Retention and Deletion

We retain Personal Data only for as long as needed to provide the Services and meet legal or regulatory requirements.

When your subscription ends, or upon written request, we will delete or return Personal Data we process on your behalf within a reasonable period, unless we are required to retain it by law.

We can confirm deletion upon reasonable request.

Audit and Inspection

We will make available information reasonably necessary to demonstrate our compliance with this DPA.

Where appropriate, this may include security documentation, policies, or independent audit reports.

On-site audits will only be permitted where required by law or where the information provided is insufficient, and must be conducted with reasonable notice and in a manner that does not disrupt our operations or compromise security.

Any audit costs must be borne by the requesting party.

Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Terms.

Changes to this Addendum

We may update this DPA from time to time to reflect changes in data protection laws or our practices.

We will notify you of updates by posting the revised DPA on our website and/or through your account or email notification. Continued use of the Services after the update takes effect constitutes acceptance of the revised DPA.

If an update materially affects your rights or obligations, we will provide reasonable advance notice.