Data Processing Addendum
This Data Processing Addendum (including the annexures, together the Addendum) forms part of and supplements the Agreement and is entered into by us and you (the counterparty accepting the Agreement). You enter into this Addendum by accepting the Agreement in accordance with clause 5.1 (Acceptance) of the Agreement.
1. Processing of Your Personal Data
1.1 Application: This Addendum will only apply to the extent the Applicable Laws apply to the processing of Your Personal Data.
1.2 Role of Parties: The Parties acknowledge that for the purposes of this Addendum:
(a) Annex 1 describes the subject matter and details of the processing of Your Personal Data;
(b) with respect to EU Data Protection Laws, we act as a Processor of Your Personal Data; and
(c) with respect to EU Data Protection Laws, you act as a Controller or Processor of Your Personal Data (as applicable).
1.3 Compliance: Each Party will comply with all Applicable Laws in the Processing of Your Personal Data.
1.4 Authority: If you act as a Processor of Your Personal Data, you represent and warrant to us that you are authorised by the relevant Controller to provide your instructions and take any actions you take with respect to Your Personal Data.
1.5 Your instructions: By entering into this Addendum, you instruct us to Process Your Personal Data only:
(a) to provide the Services and any related technical support;
(b) as specified by you during your use of the Services and any related technical support;
(c) as documented in the Agreement, including this Addendum; and
(d) as otherwise further instructed by you.
1.6 Compliance with your instructions: We will only Process Your Personal Data in accordance with your instructions as set out in clause 1.5 (Your instructions), unless other Processing is required by an Applicable Law to which we are
subject, in which case we will, inform you of that legal requirement before Processing Your Personal Data for that
purpose, unless the Applicable Law prohibits us from doing so on important grounds of public interest.
2.1 Existing Subprocessors: You specifically authorise our engagement of the Subprocessors already engaged by us as at the date of this Addendum (as set out in Annex 2).
2.2 New Subprocessors: We will give you prior written notice (including via email) of the appointment of any new Subprocessor. If, within 10 days of the date of that notice:
(a) you have not taken this opportunity to object by notifying us in writing of any objections (on reasonable grounds) to the proposed appointment of that Subprocessor, we will deem you to have authorised the appointment of that Subprocessor; or
(b) you notify us in writing of any objections (on reasonable grounds) to the proposed appointment we will do one of the following, at our election: (i) not appoint that Subprocessor; (ii) not disclose any of Your Personal Data to that Subprocessor; (iii) not disclose any of Your Personal Data to that Subprocessor until reasonable steps have been
taken to address the objections you raised and you have been informed of and agreed to that Subprocessor based on the reasonable steps taken; or (iv) inform you that you may terminate the Agreement immediately upon written notice to us. You agree that the remedies in this clause 2.2(b) (New Subprocessors) are the only remedies available if you object to any new Subprocessor.
2.3 Our Subprocessor obligations: With respect to each Subprocessor we will:
(a) ensure that the arrangement between us and the Subprocessor is governed by a written contract including terms which meet the requirements of Article 28(3) of the GDPR; and
(b) remain fully liable to you for the performance of all obligations subcontracted to such Subprocessor, and for any acts or omission of such Subprocessor that cause us to breach any of our obligations under this Addendum.
3. Data Subject Rights
3.1 Self-service: As part of the Services, if available, we may provide you with some self-service features via your Account which you may be able to use, at no additional cost, to access, port, rectify, delete, object to or restrict the use of Your Personal Data in connection with your obligations under Applicable Laws with respect to responding to
requests from Data Subjects.
3.2 Our assistance with requests: If:
(a) there is a self-service option and you require additional assistance with responding to requests from Data Subjects, we will use commercially reasonable efforts to assist you to the extent legally required. Any assistance we provide to you in accordance with this clause 3.2(a) (Our assistance with requests) will be at your expense (on a time and materials basis); or
(b) there is no self-service option available and you require assistance with responding to requests from Data Subjects, we will assist you to the extent legally required.
3.3 Notifying you: We will promptly notify you if we receive a request from a Data Subject under any EU Data Protection Laws in respect of Your Personal Data, and we will not respond to that request except:
(a) to acknowledge the request and/or direct the Data Subject to you;
(b) on your documented instructions; or
(c) as required by Applicable Laws to which we are subject, in which case we will, to the extent permitted by Applicable Laws, inform you of that legal requirement before responding to the request.
3.4 No restriction: For the avoidance of doubt, nothing in this Addendum will restrict or prohibit us from responding to any Data Subject Request with respect to Personal Data for which we are the Controller or where an Applicable Law requires us to respond.
4. Data Protection Impact Assessment and Prior Consultation
4.1 Other compliance assistance: Upon your written request and to the extent required by EU Data Protection Laws, we will (taking into account the nature of the Processing and the information available to us) provide all reasonably
requested assistance to you where you are fulfilling your obligations under the EU Data Protection Laws, including
where you are carrying out a data protection impact assessment or engaging in prior consultations with Supervisory Authorities, as follows:
(a) by complying with clause 6 (Security) and clause 7 (Audit) of this Addendum;
(b) by providing the information contained in the Agreement, including this Addendum; and
(c) if you reasonably require further assistance to fulfil your obligations under the EU Data Protection Laws, by providing such further assistance at your expense (on a time and materials basis).
5. Restricted Transfers
5.1 Data importer and exporter: To the extent EU Data Protection Laws apply and subject to clause 5.2(Application), we (as data importer) and you (as data exporter) (notwithstanding that you may be located outside the EU) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from you to us. The Parties agree that for the purpose of the Standard Contractual Clauses, Annex 1 to this Addendum will replace Appendix 1 to the Standard Contractual Clauses and Annex 3 to this Addendum will replace Appendix 2 to the Standard Contractual Clauses.
5.2 Application: The Standard Contractual Clauses will come into effect under clause 5.1 (Data importer and exporter) on the commencement of the relevant Restricted Transfer, unless the jurisdiction to which Your Personal Data is transferred is recognised by the European Commission as providing an adequate level of protection for Personal Data.
6.1 Our security measures: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of natural persons (in particular from a Personal Data Breach), we will implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, the measures described in Annex 3. We may update our security measures, including, the measures described in Annex 3, from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
6.2 Your security measures: You agree that, except as expressly provided by this Addendum, you are solely responsible for your secure use of the Services, including:
(a) assessing and using the Services so as to ensure an acceptable level of risk to Your Personal Data;
(b) keeping your account credentials confidential and secure; and
(c) protecting Your Personal Data that you elect to store or transfer outside of the Services (and for which we will have no obligation).
6.3 Confidentiality: We will take reasonable steps to ensure any of our personnel who Process Your Personal Data, have been informed of the confidential nature of Your Personal Data and have committed themselves to keeping Your Personal Data confidential.
6.4 Personal Data Breach: We will notify you after we become aware of a Personal Data Breach promptly and without undue delay and, to the extent possible, provide you with information about the Personal Data Breach to assist you to meet your obligations under Applicable Laws. On your reasonable request we will take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of any Personal Data Breach and if the Personal Data Breach is caused or contributed to by you, you agree this assistance will be your expense (on a time and materials basis). Our notification of, or response to, a Personal Data Breach in connection with this clause 6.4 (Personal Data Breach) will not be construed as an acknowledgment by us of any fault or liability with respect to the Personal Data Breach.
6.5 No restriction: For the avoidance of doubt, nothing in this Addendum will restrict or prohibit us from notifying a
Personal Data Breach where we reasonably believe an Applicable Law or contractual commitment requires us to do
7.1 Your audit rights: To the extent EU Data Protection Laws apply and subject to written notice of not less than 30 days, and no more than once annually, on receiving a reasonable request from you for us to demonstrate compliance with Article 28(3) of the GDPR, we will (subject to our obligations of confidentiality):
(a) make available information directly relating to Your Personal Data and necessary to demonstrate our compliance with Article 28(3) of the GDPR; and
(b) if the information provided under clause 7.1(a) (Your audit rights) is not sufficient to confirm compliance, allow you or an independent and suitably qualified auditor appointed by you, to carry out audits, including inspections, in relation to the Processing of Your Personal Data by us in compliance with Article 28(3) of the GDPR, and
you agree to:
(c) only request access to information for the purpose of good faith fulfilment of your obligations under EU Data Protection Laws; and
(d) take all reasonable measures to limit any adverse impact on us.
8. Deletion or return of Your Personal Data
8.1 Deletion or return process: Following the expiry or termination of the Agreement, we will, within 90 days of the date of expiry or termination, destroy or return to you (if you request Your Personal Data to be returned to you within
5 days after the date of expiry or termination), all Your Personal Data in our possession or control unless any Applicable Laws require that we retain Your Personal Data.
9. General Terms
9.1 Liability: Each Party’s liability taken together in the aggregate arising out of or related to this Addendum (including the Standard Contractual Clauses) will be subject to the exclusions and limitations of liability in the Agreement.
9.2 Term: This Addendum will commence on the date the Agreement commences and will remain in effect until, and
automatically terminate on deletion or return of Your Personal Data in accordance with clause 8.1 (Deletion or
9.3 Order of precedence: The Parties agree that this Addendum will replace any existing data processing agreement or substantially similar document that the Parties may have previously entered into in connection with the Services. In the event of any conflict or inconsistency between the documents entered into between the Parties, the Standard
Contractual Clauses will prevail, then this Addendum, then the terms of the Agreement, and then any other documents incorporated into the Agreement.
9.4 Obligations under the Terms: Subject to clause 9.3 (Order of precedence), nothing in this Addendum reduces the Parties’ obligations under the other documents which form part of the Agreement and the terms of these documents will continue to apply in full force and effect.
9.5 Severance: If a provision of this Addendum is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from this Addendum without affecting the validity or enforceability of the remainder of that provision or the other provisions in this Addendum.
9.6 Governing law: This Addendum is governed by the laws of Victoria, Australia.
10. Definitions and Interpretation
10.1 In this Addendum, capitalised terms have the meanings assigned to them in the terms of the Agreement and the following terms will have the meanings set out below and cognate terms will be construed accordingly:
(a) Agreement means the terms and conditions of the SaaS Agreement entered into between the Parties and all documents attached to, or referenced in, those terms and conditions (including this Addendum) and any other addendums, annexures, schedules or attachments;
(b) Applicable Laws means (a) any EU Data Protection Laws applying to the Processing of Your Personal Data; (b) the Privacy Act as it applies to the Processing of Your Personal Data; and (c) any other law applicable to a Party;
(c) Your Personal Data means any Personal Data Processed by us on your behalf, including any Personal Data about your Authorised Users, in connection with the Agreement;
(d) EEA means the European Economic Area;
(e) EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
(f) Restricted Transfer means a transfer of Your Personal Data where such transfer would be prohibited by EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of EU Data Protection Laws) in the absence of the Standard Contractual Clauses or another lawful data transfer mechanism as set out at clause 5 (Restricted transfers) above;
(g) Standard Contractual Clauses means the contractual clauses set out by the European Commission available at https://eurlex.europa.eu/legalcontent/en/TXT/?uri=CELEX%3A32010D0087, as updated or replaced from time to time; and
(h) Subprocessor means any person (including any third Party, but excluding our employees or contractors) appointed by or on behalf of us to Process Your Personal Data.
10.2 The terms, Commission, Controller, Data Subject, Member State, Personal Data Breach, Processor, Processing, Special Categories of Data and Supervisory Authority will have the same meaning as in the GDPR, and their cognate terms will be construed accordingly.
Annex 1 – Details of processing of your personal data
This Annex 1 includes certain details of the Processing of Your Personal Data as required by Article 28(3) GDPR.
1. Subject matter and duration of the Processing of Your Personal Data
The subject matter and duration of the Processing of Your Personal Data are set out in the Agreement and this Addendum.
2. The nature and purpose of the Processing of Your Personal Data
The nature and purpose of the Processing of Your Personal Data is further specified in the Agreement, this Addendum and as further instructed by you.
3. The types of Your Personal Data to be Processed
The types of Your Personal Data to be Processed may
include but is not limited to the following:
a. Data Subject’s name;
b. Data Subject’s email address;
c. Data Subject’s phone number;
d. Data Subject’s City/Region/Country
e. the entity/entities the Data Subject is connected to;
f. Data Subject’s role within an entity;
g. information about a Data Subject’s use of the online Services;
h. details of the Services requested by a Data Subject and provided to a Data Subject’s and our response to a Data Subject, including with respect to any support requests;
i. any feedback a Data Subject’s provides to us, including in any feedback surveys;
j. Data Subject’s IP address;
k. Data Subject’s device type;
l. Data Subject’s device carrier/service provider;
m. Data Subjects operating software (OS);
n. Data Subjects preferred language;
o. any other Personal Data requested by us and/or provided by you or a third Party about a Data Subject.
We do not request any Special Categories of Data for Processing.
4. The categories of Data Subject to whom Your Personal Data relates
The categories of Data Subject to whom Your Personal Data relates are as follows:
a. an Authorised User under your Account for the Services.
5. Your obligations and rights
Your obligations and rights are set out in the Agreement and this Addendum.
Annex 2 – Details of our current Subprocessors
This Annex 2 includes a full list of your current Subprocessors for the Services.
Annex 3 – Technical and organisational security measures
Description of the technical and organisational security measures implemented by the data importer in accordance with clauses 4(d) and 5(c) of the Standard Contractual Clauses:
We implement technical and organisation security measures to protect Your Personal Data which we Process.
b. Multi-tenant security controls for separation of users and data within the service;
c. All APIs/open interfaces secured and encrypted. JWTs used for authentication, HTTPS connections required;
d. All data in transit is encrypted using SSL;
e. Encryption of User passwords;
f. Physical security controls at office.