Data Processing Addendum

Last updated: 1 June 2026


This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Neudash Pty Ltd (ABN 42 692 560 517) ("Neudash", "Processor") and the entity or individual agreeing to those terms ("Customer", "Controller"), and supplements the Agreement and the Neudash Privacy Policy.

This DPA applies where and only to the extent that:

  • Neudash processes Personal Data on behalf of the Customer as a data processor in the course of providing the Services under the Agreement; and
  • such processing is subject to the EU GDPR or the UK GDPR.

This DPA does not apply to:

  • processing for which Neudash is a data controller in its own right (for example, account data, billing data and usage data), which is governed by the Privacy Policy; or
  • processing that is not subject to the EU GDPR or the UK GDPR (such processing to be governed by the Agreement and the Privacy Policy).

In the event of any conflict between this DPA and the Agreement or the Privacy Policy in relation to the processing of Personal Data that is subject to this DPA, this DPA will prevail.

1. Definitions

In this DPA, unless the context requires otherwise:

"Applicable Data Protection Law" means:

  • Regulation (EU) 2016/679 (the "EU GDPR"); and
  • the EU GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), together with the Data Protection Act 2018 (UK).

"Controller" means the Customer, as the entity that determines the purposes and means of the processing of Personal Data.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"EEA" means the European Economic Area.

"Personal Data" means any Personal Information (as defined in the Agreement) that is contained in Customer Content and that Neudash processes on behalf of the Customer as a data processor in the course of providing the Services.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Neudash or its Subprocessors.

"Processing" (and "process", "processed" and "processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means Neudash, as the entity that processes Personal Data on behalf of the Controller.

"Restricted Transfer" means a transfer of Personal Data from the UK or EEA to a country that has not been recognised as providing an adequate level of data protection by (as applicable) the European Commission or the UK Secretary of State.

"SCCs" means:

  • in respect of transfers subject to the EU GDPR, the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914 (the "EU SCCs"); and
  • in respect of transfers subject to the UK GDPR, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018 (the "UK Addendum").

"Services" has the meaning given to it in the Agreement.

"Subprocessor" means any third party engaged by Neudash (or by any existing Subprocessor of Neudash) to process Personal Data on behalf of the Customer in connection with the Services.

2. Scope and Roles

2.1 Roles of the parties

The parties acknowledge and agree that:

  • with respect to the processing of Personal Data under this DPA, the Customer is the Controller and Neudash is the Processor;
  • Neudash will process Personal Data only on behalf of and in accordance with the Customer's documented instructions, as set out in this DPA, the Agreement and the Privacy Policy; and
  • this DPA does not apply to any processing that falls outside the scope described in the introduction to this DPA, including processing for which Neudash acts as an independent data controller and processing that is not subject to the EU GDPR or the UK GDPR.

2.2 Customer's obligations

The Customer represents and warrants that:

  • it has complied, and will continue to comply, with all Applicable Data Protection Laws in respect of its collection and transfer of Personal Data to Neudash;
  • it has provided (and will continue to provide) all necessary notices to, and obtained (and will continue to obtain) all necessary consents or other lawful bases from, Data Subjects for the processing of their Personal Data by Neudash as contemplated by this DPA and the Agreement;
  • it has the right to transfer Personal Data to Neudash for processing in accordance with this DPA and the Agreement; and
  • its processing instructions to Neudash will comply with all Applicable Data Protection Laws.

2.3 Neudash's obligations

Neudash will:

  • process Personal Data only in accordance with the Customer's documented instructions, unless required to do otherwise by Applicable Data Protection Law (in which case Neudash will inform the Customer of that legal requirement before processing, unless prohibited by law from doing so);
  • immediately inform the Customer if, in Neudash's reasonable opinion, an instruction from the Customer infringes Applicable Data Protection Law; and
  • not process Personal Data for any purpose other than as necessary to provide the Services under the Agreement and as set out in this DPA.

3. Details of Processing

The details of the processing carried out by Neudash under this DPA are as follows:

  • Subject matter: The provision of the Services to the Customer under the Agreement.
  • Duration: For the term of the Agreement, plus any period necessary for the deletion or return of Personal Data as described in the "Deletion and Return of Personal Data" section.
  • Nature and purpose of processing: Processing Customer Content (including Personal Data contained therein) through AI and machine learning features to generate Outputs; storage, transmission, long-term management and display of Customer Content as necessary to provide the Services; client and matter management; document collection; triage and organisation; integration with third-party professional software; and any other processing activities described in the Agreement or applicable Product-Specific Terms.
  • Types of Personal Data: Any categories of Personal Data contained in Customer Content uploaded by the Customer, which may include (without limitation): names, email addresses, postal addresses, telephone numbers, job titles, employer information, financial information, health information, communications content, and any other categories of Personal Data the Customer elects to include in Customer Content.
  • Categories of Data Subjects: Any categories of Data Subjects whose Personal Data is contained in Customer Content, which may include (without limitation): the Customer's employees, contractors, customers, clients, patients, contacts, suppliers, visa applicants, and other individuals whose data is included in Customer Content.
  • Special categories of data: The Customer may include special categories of personal data (as defined in Article 9 of the UK GDPR / EU GDPR) in Customer Content. Certain Services (including client and matter management, document collection and triage, and integrations with third-party professional software) are designed for use in regulated industries (such as migration, legal, healthcare, accounting and financial services) and are therefore likely to involve the routine processing of special categories of data, including data revealing racial or ethnic origin, religious or philosophical beliefs, health data, and data concerning immigration or visa status. The Customer is responsible for ensuring that it has a valid lawful basis under Article 9 for any special categories of data included in Customer Content.

4. Confidentiality

4.1 Personnel obligations

Neudash will ensure that all personnel who are authorised to process Personal Data under this DPA:

  • have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • process Personal Data only in accordance with the Customer's documented instructions (as set out in this DPA and the Agreement); and
  • have received appropriate training on data protection and information security.

4.2 Access restrictions

Neudash will restrict access to Personal Data to those personnel who require access in order to perform the Services, and will implement and maintain appropriate access controls (including role-based permissions and multi-factor authentication) to enforce this restriction.

5. Security

5.1 Technical and organisational measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Neudash will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (as appropriate):

  • the pseudonymisation and encryption of Personal Data (including encryption in transit using TLS 1.2 or higher and encryption at rest using AES-256 or equivalent standards);
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
  • role-based access controls, multi-factor authentication and audit logging;
  • regular penetration testing and vulnerability assessments; and
  • an incident response plan for detecting, responding to and recovering from security incidents.

5.2 Security Overview

A description of Neudash's current technical and organisational security measures is set out in our Security Overview. Neudash may update its security measures from time to time, provided that any update does not materially decrease the overall level of security of the Services.

6. Subprocessors

6.1 General authorisation

The Customer provides a general written authorisation to Neudash to engage Subprocessors to process Personal Data in connection with the Services, subject to the requirements of this section.

6.2 Current Subprocessors

A current list of Subprocessors engaged by Neudash (including the name, description of processing and location of each Subprocessor) is available on our Subprocessors page (the "Subprocessor List").

6.3 Notification of changes

Neudash will notify the Customer at least 14 days before engaging any new Subprocessor or making any material change to its existing Subprocessors, by:

  • updating the Subprocessor List; and
  • sending a notification to the email address associated with the Customer's account (or, if the Customer has subscribed to Subprocessor notifications via its account settings, through that notification mechanism).

6.4 Right to object

If the Customer reasonably objects to a new or replacement Subprocessor on data protection grounds, the Customer must notify Neudash in writing within 15 days after receiving the notification under the "Notification of changes" paragraph above (the "Objection Period"). The parties will discuss the Customer's objection in good faith with a view to achieving a commercially reasonable resolution. If the parties are unable to resolve the objection, the Customer may, as its sole and exclusive remedy, terminate the Agreement (or, at the Customer's election, the affected Service only) by giving written notice to Neudash, and Neudash will provide a pro-rata refund of any prepaid fees attributable to the period after the effective date of termination.

6.5 Subprocessor obligations

Neudash will:

  • enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set out in this DPA;
  • ensure that each Subprocessor agreement includes obligations equivalent to those imposed on Neudash under Article 28(3) of the UK GDPR / EU GDPR (to the extent applicable); and
  • remain fully liable to the Customer for the performance of each Subprocessor's obligations in relation to the processing of Personal Data.

6.6 AI model providers

For the avoidance of doubt, third-party AI providers (including large language model providers) used by Neudash to deliver AI features of the Services are Subprocessors for the purposes of this DPA. In addition to the obligations set out above, Neudash will ensure that its agreements with such providers contain contractual restrictions prohibiting the provider from using Personal Data (or any Customer Content containing Personal Data) to train, fine-tune, improve or develop the provider's own models or any third-party models.

7. International Transfers

7.1 General

The Customer acknowledges that Neudash and its Subprocessors may process Personal Data in countries outside the Customer's country of residence, including in Australia and the United States.

7.2 Restricted Transfers

Where the processing of Personal Data under this DPA involves a Restricted Transfer, the parties agree that such transfer will be subject to the SCCs, which are hereby incorporated into this DPA by reference as follows:

EU SCCs: For transfers subject to the EU GDPR, the EU SCCs (Module Two: Controller to Processor) apply, with the following elections:

  • Clause 7 (Docking clause): included;
  • Clause 9(a) (Authorisation of Subprocessors): Option 2 (General written authorisation), with a notification period of 14 days as specified in the "Notification of changes" paragraph of this DPA;
  • Clause 11(a) (Redress): the optional language is not included;
  • Clause 13(a) (Supervision): the supervisory authority of the EU member state in which the Customer is established (or, if the Customer is not established in the EU, the supervisory authority of the EU member state in which the Customer's EU representative is established, or the supervisory authority agreed between the parties);
  • Clause 17 (Governing law): Option 1, the law of Ireland;
  • Clause 18(b) (Choice of forum): the courts of Ireland;
  • Annex I (List of parties, description of transfer, competent supervisory authority): as set out in Schedule 1 to this DPA;
  • Annex II (Technical and organisational measures): as set out in Schedule 2 to this DPA (and as further described in the Security Overview); and
  • Annex III (List of Subprocessors): as set out in the Subprocessor List.

UK Addendum: For transfers subject to the UK GDPR, the UK Addendum applies to the EU SCCs as set out above, with the following elections:

  • Table 1 (Parties): as set out in Schedule 1 to this DPA;
  • Table 2 (Selected SCCs): the EU SCCs as incorporated into this DPA above, including the Appendix Information;
  • Table 3 (Appendix Information): as set out in Schedules 1 and 2 to this DPA; and
  • Table 4 (Ending the UK Addendum): neither party may end the UK Addendum in accordance with section 19 of the UK Addendum.

7.3 Supplementary measures

Where required by applicable guidance (including the EDPB's Recommendations 01/2020 on supplementary measures), Neudash will implement supplementary technical, organisational or contractual measures to ensure that the level of protection of Personal Data is not undermined by the transfer. The Customer may request details of any such supplementary measures by contacting Neudash at privacy@neudash.com.

7.4 Copies of safeguards

The Customer (and, where applicable, Data Subjects) may request a copy of the applicable SCCs and any supplementary measures by contacting Neudash at privacy@neudash.com. Neudash may redact commercially sensitive provisions that are not relevant to the data protection safeguards.

8. Assistance with Data Subject Rights

8.1 Data Subject requests

Taking into account the nature of the processing, Neudash will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection and rights relating to automated decision-making).

8.2 Notification

If Neudash receives a request directly from a Data Subject in relation to the Customer's Personal Data, Neudash will promptly (and in any event within 5 business days) notify the Customer and will not respond to the request directly unless authorised to do so by the Customer or required by Applicable Data Protection Law (in which case Neudash will inform the Customer of that legal requirement before responding, unless prohibited by law from doing so).

8.3 Costs

The Customer acknowledges that Neudash may charge a reasonable fee (at Neudash's then-current professional services rates) for any assistance provided under this section, except to the extent such assistance can be provided through the standard functionality of the Services.

9. Personal Data Breach

9.1 Notification

Neudash will notify the Customer without undue delay after becoming aware of a Personal Data Breach. The notification will include, to the extent reasonably available:

  • a description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • the name and contact details of Neudash's point of contact from whom further information may be obtained;
  • a description of the likely consequences of the Personal Data Breach; and
  • a description of the measures taken or proposed to be taken by Neudash to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects.

9.2 Ongoing information

Where it is not possible to provide all information at the time of initial notification, Neudash will provide information in phases without further undue delay as it becomes available.

9.3 Cooperation

Neudash will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation and remediation of the Personal Data Breach, and in the Customer's compliance with any notification obligations under Applicable Data Protection Law (including notifications to supervisory authorities and Data Subjects).

9.4 No admission of liability

Neudash's notification of a Personal Data Breach under this section shall not be construed as an acknowledgement by Neudash of any fault or liability with respect to the Personal Data Breach.

10. Deletion and Return of Personal Data

10.1 On termination

Upon termination or expiry of the Agreement, Neudash will, at the Customer's election (to be notified in writing within 30 days of termination or expiry, or such longer period as may be specified in applicable Product-Specific Terms):

  (a) return all Personal Data to the Customer in a structured, commonly used, machine-readable format; or
  (b) delete all Personal Data in Neudash's possession or control (including from backup systems).

If the Customer does not provide written instructions within the 30-day period, Neudash will delete all Personal Data in accordance with paragraph (b).

10.2 Deletion timelines

Deletion under the "On termination" paragraph above will be carried out in accordance with the following timelines:

  • Personal Data will be deleted from active systems within 30 days of the date on which deletion is triggered (or such longer period as may be specified in applicable Product-Specific Terms); and
  • Personal Data will be deleted from backup systems within 60 days of the date on which deletion is triggered (or such longer period as may be specified in applicable Product-Specific Terms).

10.3 Subprocessor deletion

Neudash will use reasonable endeavours to procure the deletion of any copies of Personal Data held by its Subprocessors (including third-party AI providers) within the timelines specified above.

10.4 Retention exceptions

Neudash may retain Personal Data (or copies thereof) to the extent required by Applicable Data Protection Law or where retention is necessary to comply with a legal, regulatory or professional record-keeping obligation applicable to the Customer (as notified to Neudash in writing), provided that Neudash will:

  • process such retained Personal Data only for the purpose of complying with the applicable legal requirement;
  • implement appropriate technical and organisational measures to protect the confidentiality and security of such retained Personal Data; and
  • delete such retained Personal Data as soon as the applicable legal requirement has been satisfied.

11. Audits and Compliance

11.1 Information

Neudash will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the UK GDPR / EU GDPR (to the extent applicable).

11.2 Compliance verification

The Customer may, no more than once per 12-month period, submit written questions or a compliance questionnaire to Neudash regarding Neudash's compliance with its obligations under this DPA and Applicable Data Protection Law. Neudash will respond to such questions in reasonable detail within 30 days of receipt.

Where the compliance verification process above does not adequately address the Customer's concern, the Customer may request that Neudash commission an independent audit report from a qualified third-party auditor (selected by Neudash acting reasonably) covering Neudash's compliance with its obligations under this DPA and Applicable Data Protection Law. Such a report will be provided to the Customer within 60 days of the request (subject to appropriate confidentiality obligations). The costs of the independent audit report will be borne by the Customer, unless the report reveals a material breach of this DPA by Neudash, in which case Neudash will bear the costs.

The Customer (or a qualified independent third-party auditor appointed by the Customer and approved by Neudash, such approval not to be unreasonably withheld) may conduct an inspection of Neudash's processing activities under this DPA only where: (i) the compliance verification process above does not adequately address the Customer's concern; (ii) the Customer has reasonable grounds to believe that a Personal Data Breach has occurred affecting the Customer's Personal Data; or (iii) an inspection is required by a competent supervisory authority.

Any inspection under this section is subject to the following conditions:

  • the Customer must give Neudash at least 30 days' prior written notice of the inspection (except where the inspection is required by a supervisory authority on shorter notice, in which case the Customer will provide as much notice as is reasonably practicable);
  • inspections may be conducted no more than once per 12-month period (except where required by a competent supervisory authority);
  • inspections must be conducted during Neudash's normal business hours and must not unreasonably disrupt Neudash's operations;
  • the Customer's auditor must not be a competitor of Neudash, and must comply with Neudash's reasonable security and confidentiality requirements;
  • Neudash may require that an inspection be conducted remotely (by secure video conference and remote access to relevant documentation) unless the Customer reasonably demonstrates that remote inspection would not be adequate in the circumstances;
  • the auditor must not access, review or be given visibility of any data or systems belonging to, or relating to, any other customer of Neudash; and
  • the Customer will bear all costs of the inspection (including any reasonable costs incurred by Neudash in facilitating the inspection), unless the inspection reveals a material breach of this DPA by Neudash, in which case Neudash will bear its own costs.

12. Data Protection Impact Assessments

Neudash will provide reasonable assistance to the Customer (at the Customer's cost) with any data protection impact assessment ("DPIA") and, where applicable, any prior consultation with a supervisory authority, that is required under Article 35 or Article 36 of the UK GDPR / EU GDPR (or any equivalent requirement under other Applicable Data Protection Law) in relation to the processing of Personal Data under this DPA.

13. No Model Training

Neudash will not use Personal Data (or any Customer Content containing Personal Data) to train, fine-tune, improve or develop any machine learning model, artificial intelligence model or algorithm, whether owned or operated by Neudash or any third party.

Neudash will ensure that its agreements with Subprocessors that are third-party AI providers contain contractual restrictions prohibiting such providers from using Personal Data (or any Customer Content containing Personal Data) to train, fine-tune, improve or develop their own models or any third-party models.

For the avoidance of doubt, this section does not restrict Neudash's use of de-identified, anonymised and aggregated data as described in the Privacy Policy, provided that such data does not constitute Personal Data.

14. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement (including the Aggregate Liability Cap and the Exclusion of Consequential Loss).

Nothing in this DPA limits or excludes either party's liability for any liability that cannot be limited or excluded under Applicable Data Protection Law.

15. Term and Termination

This DPA will take effect on the date it is executed by both parties (or, if published as a standard-form addendum and incorporated by reference, on the date the Agreement takes effect) and will remain in force for the duration of the Agreement.

Upon termination or expiry of the Agreement, this DPA will automatically terminate, subject to the "Deletion and Return of Personal Data" section, which will survive termination.

The following sections will survive termination of this DPA: "Confidentiality", "Personal Data Breach" (to the extent relevant to any breach occurring before termination), "Deletion and Return of Personal Data", "Audits and Compliance", "Liability", and this "Term and Termination" section.

16. General

16.1 Governing law

This DPA is governed by the laws of New South Wales, Australia, without giving effect to any choice or conflict of law provision or rule, except to the extent that a different governing law is mandated by Applicable Data Protection Law or the SCCs.

16.2 Order of precedence

In the event of any conflict between:

  • this DPA and the Agreement — this DPA will prevail in relation to the processing of Personal Data;
  • this DPA and the SCCs — the SCCs will prevail; and
  • the SCCs and the Agreement — the SCCs will prevail.

16.3 Amendments

This DPA may not be amended except in writing signed by both parties (or, if Neudash publishes an updated standard-form DPA, by the Customer's continued use of the Services after receiving notice of the update and having the opportunity to terminate under the Agreement).

16.4 Severability

If any provision of this DPA is found to be invalid, illegal or unenforceable, the remaining provisions will continue in full force and effect. The invalid, illegal or unenforceable provision will be modified to the minimum extent necessary to make it valid, legal and enforceable while preserving as closely as possible its original commercial intent.

16.5 Entire agreement

This DPA, together with the Agreement, the Privacy Policy and the SCCs (to the extent applicable), constitutes the entire agreement between the parties in relation to the processing of Personal Data by Neudash on behalf of the Customer, and supersedes all prior agreements, understandings and representations relating to such processing.


Schedule 1 — Description of Transfer

Part A: List of Parties

Data Exporter (Controller):

  • Name: The Customer identified in the Agreement
  • Address: As specified in the Customer's account
  • Contact person: The account owner identified in the Customer's account
  • Activities relevant to the transfer: Use of the Services, including uploading Customer Content containing Personal Data for processing through AI features
  • Role: Controller

Data Importer (Processor):

  • Name: Neudash Pty Ltd
  • Address: 12/62 Ocean Street, Woollahra, New South Wales 2025, Australia
  • Contact person: Privacy Team — privacy@neudash.com
  • Activities relevant to the transfer: Provision of the Services, including processing Customer Content through AI features to generate Outputs
  • Role: Processor

Part B: Description of Transfer

  • Categories of Data Subjects: As described in the "Details of Processing" section of this DPA.
  • Categories of Personal Data: As described in the "Details of Processing" section of this DPA.
  • Sensitive data (if any): The Customer may include special categories of personal data in Customer Content. Certain Services are designed for use in regulated industries and are therefore likely to involve the routine processing of special categories of data (see the "Details of Processing" section of this DPA for details).
  • Frequency of transfer: Continuous, for the duration of the Agreement.
  • Nature of processing: As described in the "Details of Processing" section of this DPA.
  • Purpose of transfer: Provision of the Services under the Agreement.
  • Retention period: As described in the "Deletion and Return of Personal Data" section of this DPA and the retention section of the Privacy Policy.

Part C: Competent Supervisory Authority

The competent supervisory authority is the supervisory authority of the EU member state in which the Customer is established or, if the Customer is established in the UK, the Information Commissioner's Office (ICO).

Schedule 2 — Technical and Organisational Measures

The following technical and organisational measures are implemented by Neudash. This Schedule supplements (and does not replace) the Security Overview.

1. Encryption

  • Data encrypted in transit using TLS 1.2 or higher.
  • Data encrypted at rest using AES-256 or equivalent encryption standards.

2. Access Controls

  • Role-based access controls limiting access to Personal Data to authorised personnel.
  • Multi-factor authentication for all personnel with access to production systems.
  • Audit logging of all access to Personal Data.
  • Principle of least privilege applied to all access permissions.

3. Personnel Security

  • Confidentiality obligations imposed on all personnel.
  • Regular data protection and information security training.

4. Physical Security

  • Data hosted in SOC 2 Type II certified (or equivalent) data centres.
  • Physical access controls, surveillance and environmental controls at data centre facilities.

5. Network Security

  • Firewalls, intrusion detection and prevention systems.
  • Network segmentation and isolation of production environments.
  • DDoS protection measures.
  • Least privilege service accounts.

6. Application Security

  • Secure software development lifecycle (SDLC) practices.
  • Regular penetration testing and vulnerability assessments.
  • Automated security scanning of code and dependencies.

7. Incident Response

  • Documented incident response plan with defined roles and escalation procedures.
  • Regular testing of incident response procedures.
  • Post-incident review and remediation processes.

8. Business Continuity and Disaster Recovery

  • Regular backups of Personal Data.
  • Documented disaster recovery plan with defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
  • Regular testing of backup and recovery procedures.

9. Subprocessor Management

  • Due diligence assessment of Subprocessor security practices before engagement.
  • Written data processing agreements with all Subprocessors imposing obligations no less protective than this DPA.
  • Contractual restrictions on third-party AI providers prohibiting use of Personal Data for model training.
  • Ongoing monitoring of Subprocessor compliance.

10. Data Minimisation and Pseudonymisation

  • Processing limited to what is necessary for the provision of the Services.
  • Pseudonymisation and anonymisation techniques applied where practicable.
  • De-identification of data used for analytics and service improvement.