Data Protection
This Data Protection Addendum ("DPA") forms part of, and is incorporated into, the agreement under which Paniani Products Pty Ltd trading as AtlasDT provides software, marketplace, consulting, sourcing, project, supplier-management, procurement, or related services to a customer ("Customer"). This DPA applies only to the extent AtlasDT processes Customer Personal Data on behalf of Customer.
1. Definitions
In this DPA:
- Applicable Data Protection Law means all laws, regulations and binding guidance applicable to the processing of personal data under the Agreement, including, where relevant, the Privacy Act 1988 (Cth), the Australian Privacy Principles, the EU GDPR, the UK GDPR and related implementing legislation.
- Customer Personal Data means personal data processed by AtlasDT on behalf of Customer in connection with the Services.
- Data Subject, Personal Data, Controller, Processor, Sub-processor, and Personal Data Breach have the meanings given by Applicable Data Protection Law, or the closest equivalent meaning where those terms are not expressly defined.
- Security Incident means any confirmed or reasonably suspected unauthorised access to, disclosure of, alteration of, loss of, or destruction of Customer Personal Data.
2. Roles of the parties
- As between the parties, Customer is the Controller (or equivalent deciding party) and AtlasDT is the Processor, except where AtlasDT independently determines the purposes and means of processing, in which case AtlasDT acts as an independent controller for that processing.
- Customer warrants that it has all rights, consents, notices and other lawful bases necessary to provide Customer Personal Data to AtlasDT and to instruct AtlasDT to process it under the Agreement.
3. Scope and processing instructions
- AtlasDT will process Customer Personal Data only:
  - to provide, secure, support and improve the Services;
  - to fulfil documented instructions from Customer;
  - as necessary to comply with applicable law; and
  - as otherwise expressly permitted under the Agreement and this DPA.
- If AtlasDT believes an instruction infringes Applicable Data Protection Law, AtlasDT may suspend the relevant processing and notify Customer.
- Customer appoints AtlasDT to engage Sub-processors in accordance with clause 7.
4. AtlasDT processor obligations
- AtlasDT will ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
- AtlasDT will implement and maintain reasonable and appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
- AtlasDT will not sell Customer Personal Data or share it for cross-context behavioural advertising except as expressly instructed by Customer and permitted by law.
- AtlasDT will maintain records and practices reasonably sufficient to demonstrate compliance with this DPA.
5. Security measures
AtlasDT will maintain security measures appropriate to the nature of the Services and the risk presented by the processing. Depending on the Services purchased and AtlasDT's technical environment from time to time, such measures may include:
- access controls based on least privilege;
- multi-factor authentication for administrative accounts where practicable;
- network and endpoint monitoring;
- logging and audit trails for key system events;
- encryption in transit and, where appropriate, at rest;
- segregation of customer environments and permissions;
- vulnerability management and patching processes;
- backup and recovery procedures;
- secure supplier and contractor onboarding; and
- incident response procedures.
6. Security incident notification
- AtlasDT will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and, where reasonably possible, within {{SECURITY_INCIDENT_NOTICE_HOURS|72}} hours of confirmation.
- The notification will include, to the extent known at the time:
  - the nature of the incident;
  - the categories of affected data and data subjects;
  - the likely consequences;
  - the containment and remediation steps taken or proposed; and
  - a contact point for follow-up.
- AtlasDT's notification of a Security Incident is not an admission of fault or liability.
7. Sub-processors
- Customer grants AtlasDT general written authorisation to appoint Sub-processors to support the Services, including infrastructure, analytics, hosting, communications, customer support, identity, payments, logistics, and professional advisers.
- AtlasDT will impose data protection obligations on each Sub-processor that are no less protective than the material obligations in this DPA, taking into account the nature of the services performed by that Sub-processor.
- AtlasDT remains responsible for the performance of its Sub-processors to the extent required by Applicable Data Protection Law.
8. International data transfers
- Customer acknowledges that AtlasDT, its affiliates, suppliers and Sub-processors may process Customer Personal Data in Australia and other countries where AtlasDT or its Sub-processors operate.
- Where Applicable Data Protection Law requires transfer safeguards, the parties agree to cooperate in implementing appropriate transfer mechanisms, including contractual safeguards and supplementary security measures where appropriate.
9. Assistance with data subject requests and compliance
- Taking into account the nature of the processing, AtlasDT will provide reasonable assistance to Customer to enable Customer to respond to requests from data subjects to access, correct, delete, restrict, port or object to the processing of their personal data, to the extent required by law.
- AtlasDT will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with regulators, breach notifications, and other compliance obligations, provided Customer reimburses AtlasDT's reasonable costs where the assistance goes beyond the Services ordinarily included in the Agreement.
10. Audits and information rights
- Upon reasonable written request no more than once in any 12-month period, AtlasDT will provide information reasonably necessary to demonstrate compliance with this DPA.
- Where that information is insufficient and Customer has a reasonable basis for concern, Customer may conduct an audit, or appoint an independent auditor bound by confidentiality, during normal business hours and with at least 30 days' prior written notice.
- Audits must not unreasonably interfere with AtlasDT's business, compromise the security of other customers, or require AtlasDT to disclose confidential information unrelated to Customer.
11. Deletion and return of data
- Upon termination or expiry of the Agreement, AtlasDT will, at Customer's election and subject to technical feasibility, either return or delete Customer Personal Data within a reasonable period, unless retention is required by law, for backup integrity, dispute resolution, fraud prevention, security logs, or enforcement of legal rights.
- Where data is retained for these limited purposes, AtlasDT will continue to protect it in accordance with this DPA.
12. Controller-to-controller processing
Certain processing carried out by AtlasDT may occur as an independent controller, including account administration, billing, security logging, fraud prevention, service analytics, legal compliance, and direct communications relating to the business relationship. Such processing is governed by AtlasDT's Privacy Policy, not this DPA.
13. Liability and order of precedence
- Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent prohibited by Applicable Data Protection Law.
- If there is a conflict between this DPA and the Agreement in relation to the processing of Customer Personal Data, this DPA prevails to the extent of the conflict.
14. Annex 1 — subject matter and duration of processing
| Item | Description |
|---|---|
| Subject matter | Provision of AtlasDT software, marketplace functionality, supplier onboarding, sourcing support, consulting, project delivery, procurement support, and related support services. |
| Duration | For the term of the Agreement and any permitted retention period thereafter. |
| Nature of processing | Collection, storage, organisation, review, retrieval, transmission, matching, hosting, support, analytics, and deletion of customer-related information. |
| Purpose | To provide the Services, manage customer accounts, facilitate supplier-buyer workflows, and perform support, security and compliance functions. |
| Categories of data subjects | Customer personnel, supplier personnel, buyer personnel, end users, contractors, authorised representatives, and other individuals whose information is submitted to the Services. |
| Categories of personal data | Names, business contact details, login credentials, account metadata, transaction records, support requests, communications, project data, supplier onboarding materials, shipping or billing contact details, and other data uploaded by or for Customer. |
| Sensitive data | Only where expressly agreed in writing and supported by appropriate controls. |
15. Annex 2 — minimum security commitments
- Role-based access management and password policies.
- Reasonable authentication controls for privileged access.
- Encryption for public-network transmission of personal data.
- Documented incident response and recovery procedures.
- Security awareness obligations for relevant personnel.
- Reasonable vendor due diligence for material Sub-processors.