Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the agreement between Customer (“Controller”) and Ecodia Pty Ltd (“Processor”) for the provision of the Services. It applies to the extent Processor processes Personal Data subject to the GDPR and/or UK GDPR on behalf of Controller.

Capitalised terms not defined here have the meaning given in the main agreement. In case of conflict, this DPA prevails over the agreement to the extent of the conflict regarding data protection.

Definitions

  • Data Protection Laws: EU GDPR, UK GDPR, and any national implementing laws.
  • Personal Data, Processing, Data Subject, etc. have the meanings in the GDPR.
  • Customer Data: Personal Data provided to Processor by or on behalf of Controller via the Services.
  • Subprocessor: another processor engaged by Processor to process Customer Data.
  • Restricted Transfer: a transfer of Personal Data to a country outside the EEA/UK without an adequacy decision.

Scope & Roles

Controller appoints Processor to process Customer Data as described in Annex I solely for the purpose of providing and improving the Services, performing the agreement, and as otherwise documented by Controller’s written instructions.

  • Controller is responsible for the accuracy, quality, and lawfulness of Customer Data and the means by which Controller acquired it.
  • Processor shall inform Controller if it cannot follow an instruction due to legal or technical reasons.

Processing on Controller’s Instructions

  • Processor shall process Customer Data only on documented instructions from Controller, including with respect to transfers.
  • Processor will promptly notify Controller if, in Processor’s opinion, an instruction infringes Data Protection Laws.
  • Where Processor is required by law to process Customer Data, it shall inform Controller before processing unless prohibited.

Confidentiality

  • Processor shall ensure persons authorised to process Customer Data are bound by confidentiality obligations.
  • Processor shall ensure such persons receive appropriate privacy and security training.

Subprocessors

Controller authorises Processor to engage Subprocessors listed in Annex III and at /legal/subprocessors, subject to a written contract imposing data protection obligations no less protective than those in this DPA.

  • Processor will provide advance notice of new Subprocessors and allow reasonable objection for legitimate reasons.
  • Processor remains responsible for Subprocessor performance.

International Transfers

For Restricted Transfers, the parties agree the applicable Standard Contractual Clauses (“SCCs”) are incorporated by reference as follows:

  • EEA: EU Commission Decision (EU) 2021/914 (Controller-to-Processor, Module Two).
  • UK: UK International Data Transfer Addendum to the EU SCCs (as issued by the ICO).

The details of the transfer and the Technical and Organisational Measures are set out in Annex I and Annex II. Where there is a conflict between this DPA and the SCCs, the SCCs prevail for Restricted Transfers.

Security (Technical & Organisational Measures)

Processor shall implement and maintain appropriate technical and organisational measures (“TOMs”) to protect Customer Data as described in Annex II, taking into account the state of the art, costs, nature, scope, context and purposes of processing, and the risks to Data Subjects.

  • Access control: role-based access, MFA for staff, least privilege, revocation on separation.
  • Encryption: in transit (TLS) and at rest for primary data stores where feasible.
  • Resilience: backups, tested restore, fault isolation, and monitoring/alerting.
  • Development: secure SDLC, code review, dependency scanning, secrets management.
  • Physical & cloud security: reputable cloud providers with audited facilities.
  • Awareness: regular security and privacy training for personnel.

Data Subject Requests

  • Processor shall, to the extent possible, assist Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection).
  • Processor shall promptly forward any request it receives directly to Controller without responding, unless authorised.

Audit, Certifications & Records

  • Processor shall make available information necessary to demonstrate compliance with this DPA.
  • Upon reasonable prior notice, Controller may conduct audits (including inspections) no more than annually, or following a Security Incident, during business hours, and subject to confidentiality and safe access requirements.
  • Processor may satisfy audit obligations by providing independent third-party reports (e.g., SOC 2, ISO 27001) where available.

Security Incidents & Breach Notification

  • Processor shall notify Controller without undue delay after becoming aware of a Security Incident affecting Customer Data.
  • Notification shall include information known at the time, including the nature of the incident, likely consequences, and measures taken or proposed to address it.
  • Processor will cooperate with Controller to investigate, mitigate, and fulfil any notification obligations.

Deletion & Return of Data

  • At termination or upon Controller’s written request, Processor shall delete or return all Customer Data and delete existing copies, unless law requires storage.
  • Backups shall be overwritten in accordance with standard retention cycles.

Assistance & Cooperation

  • Processor shall assist Controller with data protection impact assessments and prior consultations with supervisory authorities where required, taking into account the nature of processing and information available.
  • Processor shall maintain records of processing activities as required by law.

Liability & Indemnities

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the main agreement, except to the extent prohibited by Data Protection Laws or the SCCs.

Term, Termination & Survival

This DPA commences on the effective date of the agreement and terminates automatically upon deletion of all Customer Data by Processor, subject to survival of provisions which by their nature continue (e.g., confidentiality).

Annex I: Description of Processing

A. List of Parties

  • Controller: The Customer identified in the agreement (contact details as provided in account/admin portal).
  • Processor: Ecodia Pty Ltd, legal@ecodia.au.

B. Description of Processing

  • Subject Matter: Provision of the Ecodia platform and related services.
  • Duration: For the term of the agreement plus standard backup retention.
  • Nature & Purpose: Hosting, storage, analytics, communications, and functionality necessary to provide the Services.
  • Types of Personal Data: Account identifiers, contact details, profile data, submission media, activity logs, team/quest participation, and technical metadata. Special category data is not intentionally collected.
  • Categories of Data Subjects: Customer’s users (e.g., youth, staff, partners), prospective users invited by Customer, and individuals appearing in submitted content where permitted.
  • Authorised Processing Instructions: As described in the agreement, this DPA, and documented written instructions from Controller.

Annex II: Technical & Organisational Measures

The Processor maintains layered Technical and Organisational Measures appropriate to risk, including but not limited to:

  • Organisation of Information Security: security policy, roles and responsibilities, personnel vetting and training.
  • Asset Management: inventory, data classification, secure disposal.
  • Access Control: authentication, MFA for privileged access, least privilege, session management.
  • Cryptography: TLS in transit; encryption at rest for primary data stores where feasible; key management.
  • Physical Security: reputable cloud providers with audited facilities and environmental controls.
  • Operations Security: change management, logging/monitoring, malware protection, vulnerability management.
  • Communications Security: network segmentation, firewalling, secure endpoints.
  • Development & CI/CD: code review, dependency scanning, SAST/DAST where appropriate, secrets management.
  • Supplier Relationships: due diligence and DPAs with subprocessors; continuous review.
  • Incident Management: formal incident response with detection, containment, eradication, recovery, and lessons learned.
  • Business Continuity: backups, tested restores, disaster recovery plans, RPO/RTO objectives.
  • Testing: periodic security assessments and penetration testing (internal/external).

Annex III: Subprocessors

The current list of authorised Subprocessors is maintained at /legal/subprocessors. Controller may subscribe to change notifications as described on that page.

Contact & Notices

Notices under this DPA should be sent to connect@ecodia.au. For security incidents, contact

This DPA is not legal advice. Controllers should consult their counsel for specific compliance needs.

Small Print

This DPA is intended for Controllers subject to the GDPR/UK GDPR. It incorporates SCC arrangements for Restricted Transfers, with details in the Annexes. Nothing here is legal advice.