Australian privacy law does not use the “controller/processor” distinction found in some overseas regimes; under the Privacy Act, each entity is responsible for its own handling of personal information. For the purposes of this DPA and to make the parties' responsibilities clear:
WattleDB will handle Customer Personal Information only: (a) to provide, secure, support and maintain the Services; (b) in accordance with the Customer's documented instructions, including those given through the configuration and use of the Services; and (c) as required by Australian law (in which case WattleDB will, where lawful, inform the Customer). If WattleDB considers an instruction may breach the Privacy Act or other law, it will notify the Customer.
The Customer warrants that: (a) it has collected and handled Customer Personal Information in accordance with the APPs and any other applicable law; (b) it has provided all necessary notices and obtained any required consents for WattleDB to handle Customer Personal Information as contemplated by the Terms; and (c) its instructions to WattleDB are lawful. The Customer is responsible for the accuracy and legality of the Customer Data it submits and for configuring the Services appropriately (including access controls and data-masking features).
The Customer authorises WattleDB to engage Sub-processors to help provide the Services, such as Australian-based data-centre and hosting providers, our payment provider (for billing), and our email delivery provider (for transactional messages). WattleDB will: (a) impose data-protection and confidentiality obligations on each Sub-processor that are consistent with this DPA; and (b) remain responsible for each Sub-processor's performance of those obligations. WattleDB will make available an up-to-date list of Sub-processors on request and will give the Customer reasonable notice of any intended addition or replacement of a Sub-processor so the Customer may object on reasonable grounds.
Taking into account the state of the art, the costs of implementation, and the nature, scope and purposes of processing, WattleDB implements appropriate technical and organisational measures to protect Customer Personal Information, including:
WattleDB stores and processes Customer Personal Information on Australian-owned infrastructure located in Australia (primary hosting in Sydney and backup in Melbourne). WattleDB will not transfer Customer Personal Information outside Australia in the ordinary course of providing the Services. If any overseas handling ever becomes necessary, WattleDB will take reasonable steps in accordance with APP 8 and will notify the Customer beforehand where practicable.
WattleDB will notify the Customer without undue delay after becoming aware of a data breach affecting Customer Personal Information, and will provide information reasonably available to it to help the Customer assess the breach and meet its obligations under the Notifiable Data Breaches scheme. The parties will cooperate in good faith to investigate, contain and remediate the breach. Nothing in this section is an acknowledgement by WattleDB of fault or liability for a breach.
Taking into account the nature of the Services, WattleDB will provide reasonable assistance, including through the self-service features of the console, to help the Customer respond to requests from individuals to access, correct or delete their Personal Information, and to complaints and regulator enquiries. If WattleDB receives such a request directly relating to Customer Personal Information, it will, where lawful, refer the individual to the Customer rather than responding itself.
On expiry or termination of the Services, the Customer may export its Customer Data as described in the Terms. Following the export period, WattleDB will delete Customer Personal Information from active systems, with residual copies removed from backups in the ordinary backup-rotation cycle, except to the extent WattleDB is required by law to retain it (in which case it will continue to protect it under this DPA).
WattleDB will maintain records reasonably necessary to demonstrate its compliance with this DPA and will, on reasonable written request and subject to confidentiality, provide the Customer with information reasonably required to verify that compliance. Any on-site audit rights, if agreed, will be set out in a separate written agreement and conducted so as not to compromise the security or confidentiality of other customers' data.
This DPA is subject to the Terms of Service, including the limitations of liability in them. If there is any conflict between this DPA and the Terms in relation to the handling of Customer Personal Information, this DPA prevails to the extent of the conflict. This DPA is governed by the laws of New South Wales, Australia. For any question about this DPA, contact:
Privacy Officer — RR Sols Pty Ltd (trading as WattleDB)
ABN 56 672 722 486
Email: privacy@wattledb.com.au · Legal: legal@wattledb.com.au
Post: Bardia NSW 2565, Australia