LEGAL DOCUMENT
Definitions
In this Data Processing Agreement (DPA), 'Controller' refers to the entity that determines the purposes and means of processing personal data, and 'Processor' refers to ecodia Pty Ltd, which processes data on behalf of the Controller. 'Personal Data', 'Processing', and 'Data Subject' have the meanings given in the Australian Privacy Act 1988 and, where applicable, the EU General Data Protection Regulation. This DPA forms part of the service agreement between ecodia and the Controller.
Scope and Purpose
This DPA applies to all personal data processed by ecodia on behalf of the Controller in connection with the provision of the ecodia platform. Processing activities include storage, retrieval, analysis, and display of user data as described in the service agreement. ecodia will only process personal data in accordance with the Controller's documented instructions and applicable law.
Data Processing
ecodia will process personal data solely for the purposes specified in this DPA and the service agreement. We will not process personal data for any other purpose without the prior written consent of the Controller. All processing will be carried out in accordance with applicable data protection legislation and the security measures described in this agreement.
Security Measures
ecodia implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. These measures include encryption of data in transit and at rest, role-based access controls, regular vulnerability assessments, and staff training on data protection. We regularly review and update our security measures to address evolving threats.
Sub-processors
ecodia may engage sub-processors to assist with data processing, subject to the Controller's prior written consent. We maintain an up-to-date list of sub-processors, which is available in our Subprocessors List document. ecodia will ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
Data Subject Rights
ecodia will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law. We will promptly notify the Controller of any data subject requests received directly and will not respond to such requests without the Controller's authorisation, unless required by law. Technical and organisational measures are in place to facilitate the fulfilment of these requests.
Data Breach
In the event of a personal data breach, ecodia will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include a description of the nature of the breach, the categories and approximate number of affected data subjects, and the measures taken or proposed to address the breach. ecodia will cooperate fully with the Controller in investigating and remediating any breach.
Term and Termination
This DPA remains in effect for the duration of the service agreement between ecodia and the Controller. Upon termination, ecodia will, at the Controller's election, return or securely delete all personal data within 90 days, unless retention is required by applicable law. Obligations relating to confidentiality and data protection survive termination of this agreement.