Data Processing Addendum (Australia)

Last updated: 17 November 2025

1. Background

This Addendum forms part of the Service Agreement between the parties and governs the processing of Personal Information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies where the Processor handles Personal Information on behalf of the Controller.

2. Definitions

• Personal Information: As defined in the Privacy Act 1988 (Cth).
• Processing: Any operation performed on Personal Information, including collection, storage, use, disclosure, or destruction.
• Controller: The entity determining the purposes and means of processing Personal Information.
• Processor: The entity processing Personal Information on behalf of the Controller.
• Privacy Laws: The Privacy Act 1988 (Cth), APPs, and any applicable state/territory privacy laws.
• Eligible Data Breach: As defined under Part IIIC of the Privacy Act (NDB scheme).

3. Scope and Purpose

The Processor will process Personal Information solely for the purpose of delivering the Services under the main agreement and in accordance with the Controller's documented instructions.

4. Processor Obligations

The Processor shall comply with the Privacy Act 1988 (Cth) and APPs, implement reasonable security measures, ensure confidentiality, not engage sub-processors without consent, and maintain records of processing activities where required by law.

5. Data Location & Subprocessors

• Hosting region: Australia.
• Subprocessors: Limited to global open-source cybersecurity solutions; details available upon request.

6. Cross-Border Transfers

The Processor will not transfer Personal Information outside Australia without taking reasonable steps to ensure compliance with APPs and obtaining Controller's consent.

7. Security Measures

The Processor will implement technical and organisational measures, including encryption, access controls, and regular vulnerability assessments.

8. Notifiable Data Breaches

The Processor will notify the Controller as soon as practicable upon becoming aware of an Eligible Data Breach and assist with OAIC notifications within statutory timelines.

9. Assistance with Privacy Rights

The Processor will assist the Controller in responding to requests for access, correction, or deletion of Personal Information under APPs.

10. Audit & Compliance

The Controller may request reasonable information to verify compliance. The Processor will cooperate with audits or inspections as required by law.

11. Termination & Data Return

Upon termination of the main agreement, the Processor will delete or return all Personal Information to the Controller, unless retention is required by law.

12. Liability

Each party remains responsible for its own compliance with Privacy Laws. The Processor's liability is limited as per the main agreement, subject to non-excludable rights under the Australian Consumer Law.

13. Governing Law

This Addendum is governed by the laws of Queensland, Australia, and the parties submit to the exclusive jurisdiction of its courts.