Data Processing Addendum (DPA)

1. Definitions

• Applicable Law:
  Means the Privacy Act 1988 (Cth) (including APPs 1–13 and the NDB scheme), EU GDPR, CCPA, and any other jurisdictional privacy laws. If a conflict arises, the Privacy Act 1988 (Cth) and the APPs prevail.
• Controller ("you", "your"):
  The entity determining purposes and means of processing.
• Processor ("WingSpanAi", "we", "us"):
  The service provider processing Personal Data on Controller's behalf.
• Personal Data:
  Information relating to an identified or identifiable natural person.
• Processing:
  Any operation on Personal Data (collection, storage, use, disclosure, erasure, etc.).
• Subprocessor:
  Any third party engaged by Processor under equivalent obligations.
• Data Protection Officer (DPO):
  Name: Riley Keppler (CTO)
  Email: privacy-officer@wingspanai.com.au

2. Roles & Scope

1. Roles. Controller is the data controller; Processor is the data processor.
2. Scope. Applies whenever Processor handles Controller's Personal Data.
3. Joint Controllership. For joint-controller scenarios, parties will maintain a transparent arrangement delineating respective obligations and liabilities.

3. Processing Instructions

1. Documented Instructions. Processor processes Personal Data only on Controller's documented instructions, unless required by law.
2. Notification. Processor will inform Controller if an instruction violates Applicable Law.
3. Purpose Limitation. Processor will not process Personal Data for purposes other than those specified.

4. Confidentiality

1. Confidentiality Obligations. Processor ensures persons authorized to process Personal Data are under confidentiality obligations.
2. Training. Processor provides training on privacy and data protection.

5. Security

1. Technical & Organisational Measures. Processor implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
2. Encryption & Access Controls. Security measures include encryption in transit and at rest, access controls, and regular security assessments.

6. Subprocessors

1. Authorisation. Processor may engage subprocessors under equivalent obligations.
2. List & Notification. The current list of subprocessors is available at /dpa/subprocessors. Processor will notify Controller of changes, giving Controller the opportunity to object.

7. Data Subject Rights

1. Assistance. Processor assists Controller in responding to data subject requests.
2. Notification. Processor promptly notifies Controller of any request received.

8. Breach Notification

1. Notification. Processor notifies Controller without undue delay after becoming aware of a Personal Data Breach.
2. Cooperation. Processor cooperates with Controller to investigate, mitigate, and remediate.

9. Cross-Border Transfers

1. Authorisation. Processor will not transfer Personal Data outside Australia (or the relevant jurisdiction) unless permitted by Applicable Law or with Controller's instructions.
2. Safeguards. Processor will implement appropriate safeguards for cross-border transfers.

10. Audit & Compliance

1. Audit Rights. Controller may audit Processor's compliance with this DPA, subject to reasonable notice and confidentiality.
2. Reports. Processor will provide information and reports as reasonably requested.

11. Data Return & Deletion

1. Return/Deletion. Upon termination, Processor will return or delete Personal Data as instructed by Controller, unless retention is required by law.
2. Certification. Processor will certify deletion upon request.

12. Contact