Data Processing Agreement
Introduction
This Data Processing Agreement (“Agreement”) forms part of the Contract for
Services (“Principal Agreement”) between Control Confirm ABN 12 669 088 288
(“Data Processor”) and the Client (“Data Controller”) (collectively “Parties”), where
Data Processor provides Confirm Control software services globally.
1. Definitions
- "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Processing", and "GDPR" shall have the same meaning as in the GDPR.
- "Data Protection Laws" means the GDPR, any applicable national laws implementing or supplementing the GDPR, the Australian Privacy Principles under the Privacy Act 1988, U.S. state privacy laws such as the California Consumer Privacy Act (CCPA), and any other applicable law concerning the processing of Personal Data.
2. Processing of Personal Data
- Purpose: Data Processor agrees to process Personal Data solely for providing Confirm Control services in accordance with the conditions of this Agreement and the Principal Agreement.
- Data Controller's Obligations: Data Controller is responsible for ensuring that data processing directives to Data Processor are lawful, that necessary notices have been provided, and that consents have been obtained from Data Subjects.
3. Data Processor's Obligations
- Security and Confidentiality: Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including AES-256 encryption of Personal Data in transit and at rest. All personnel authorized to process Personal Data have committed to confidentiality.
- Subprocessing: Processing by a subprocessor will only be carried out with prior consent from the Data Controller.
4. Data Subject Rights
Data Processor shall assist Data Controller in fulfilling Data Controller's obligations to
respond to requests for exercising Data Subject's rights under the Data Protection
Laws, including rights outlined under U.S. state laws where applicable.
5. Data Breach
Data Processor shall notify Data Controller without undue delay upon becoming
aware of a Personal Data breach affecting Data Controller's Personal Data, in
compliance with GDPR, as well as any applicable U.S. state laws.
6. Data Transfers
Data Processor shall not transfer Personal Data outside of the European Economic
Area, Australia, or the U.S. without ensuring appropriate safeguards and compliance
with the Data Protection Laws.
7. Audits and Compliance
Data Processor shall make available all information necessary to demonstrate
compliance with this Agreement and allow for audits conducted by Data Controller or
an auditor mandated by Data Controller.
8. Deletion or Return of Personal Data
Upon termination of services or at Data Controller's request, Data Processor shall, at
the choice of Data Controller, delete or return all Personal Data, unless legal
obligations require storage of the Personal Data.
9. Handling of Government Identifiers
Data Processor shall not use government identifiers of Data Subjects as a means of
identification unless required by law, including applicable U.S. state laws.
10. Direct Marketing
Data Processor shall obtain explicit consent from Data Subjects before using their
Personal Data for direct marketing purposes and provide them with an option to
opt-out, adhering to both GDPR and U.S. state law requirements.
11. Data Quality and Access
Data Processor shall take reasonable steps to ensure that Personal Data is
accurate, complete, and up-to-date. Mechanisms shall be in place to allow Data
Subjects to access and, where necessary, correct their Personal Data.
12. Liability
Each party's liability under this Agreement shall be subject to the exclusions and
limitations of liability set out in the Principal Agreement.
13. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of
Queensland, Australia, and the parties submit to the exclusive jurisdiction of the
courts located in Queensland, Australia, for any disputes arising out of or in
connection with this Agreement.