Data Processing Agreement
Template terms for B2B and enterprise customers
Subject to review by qualified Australian legal counsel before execution. This sample is provided for vendor due-diligence review and is not a binding offer of contract terms.
Preamble
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer" or "Controller") and Young Milton Pty Ltd ABN 72 695 772 313 trading as Ask Arthur ("Ask Arthur" or "Processor") for the provision of the Ask Arthur scam-detection platform (the "Service").
This is a template. To execute, complete the variables in Schedule A and return a signed copy to brendan@askarthur.au. Ask Arthur will counter-sign and return within 5 business days. Where this template conflicts with a customer-specific DPA negotiated and counter-signed by both parties, the customer-specific DPA prevails.
1. Definitions
| Term | Meaning |
|---|---|
| Personal Information | Has the meaning given in section 6 of the Privacy Act 1988 (Cth), and includes "personal data" as defined in Article 4 of the EU General Data Protection Regulation ("GDPR") where the GDPR applies. |
| Customer Data | Any Personal Information processed by Ask Arthur on the Customer's behalf in connection with the Service. |
| Sub-Processor | Any third party engaged by Ask Arthur to process Customer Data, listed at askarthur.au/trust. |
| Eligible Data Breach | Has the meaning given in Part IIIC of the Privacy Act 1988 (Cth) and equivalent terms ("personal data breach") under Article 4(12) GDPR where applicable. |
2. Roles & Scope
The Customer is the Controller and Ask Arthur is the Processor in respect of Customer Data. Each party is independently responsible for compliance with applicable privacy laws, including (without limitation) the Privacy Act 1988 (Cth) and the Australian Privacy Principles, the GDPR where the Customer or Customer Data is in scope, and the UK Data Protection Act 2018.
2.1 Subject matter and duration
Ask Arthur processes Customer Data for the purpose of providing the Service for the duration of the underlying agreement, and for the additional retention periods set out in clause 9.
2.2 Categories of data subjects and Personal Information
The categories of data subjects and Personal Information are set out in Schedule A.
3. Processor Obligations
Ask Arthur will:
- process Customer Data only on the documented instructions of the Customer, including as set out in the underlying agreement and the Service's configuration options;
- maintain the technical and organisational measures described in Schedule B;
- ensure that personnel authorised to access Customer Data are bound by appropriate confidentiality obligations;
- notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of an Eligible Data Breach affecting Customer Data;
- provide reasonable assistance to the Customer in responding to data subject requests received under the Privacy Act 1988 (Cth) or GDPR Articles 12–22;
- at the Customer's choice, return or delete Customer Data on termination of the Service in accordance with clause 9;
- make available, on request, the information necessary to demonstrate compliance with this DPA, including the security overview and most recent third-party assessments under NDA.
4. Sub-Processors
The Customer authorises Ask Arthur to engage the Sub-Processors listed at askarthur.au/trust (the "Sub-Processor List") for the purposes described.
Ask Arthur will give the Customer at least 30 days' notice before engaging any new Sub-Processor with access to Customer Data. Notice will be given by updating the Sub-Processor List and, where the Customer has subscribed, sending an email to the Customer's designated privacy contact.
The Customer may object to a new Sub-Processor on reasonable grounds within the notice period. If the parties cannot agree a resolution, the Customer's sole remedy is to terminate the affected portion of the Service for convenience.
5. International Transfers
Customer Data is processed primarily in Australia (Sydney). Where transfer to a Sub-Processor outside Australia is necessary, Ask Arthur ensures equivalent protection through one or more of:
- contractual safeguards with the Sub-Processor that obligate it to comply with the Australian Privacy Principles;
- where applicable, the European Commission Standard Contractual Clauses or the UK International Data Transfer Addendum;
- independent certifications held by the Sub-Processor (e.g. SOC 2, ISO 27001).
The current location of each Sub-Processor is published in the Sub-Processor List.
6. Security
Ask Arthur implements and maintains the technical and organisational measures set out in Schedule B, which the parties acknowledge are appropriate to the nature, scope, context and purposes of the processing and the risk to Customer Data. Ask Arthur reviews these measures at least annually and updates them to reflect material changes in risk.
7. Data Subject Rights
Where a data subject contacts Ask Arthur directly, Ask Arthur will redirect the request to the Customer without responding to the substance of the request, unless legally required to do otherwise. The Customer may use the self-service endpoints published in the Service to fulfil access and erasure requests for individuals whose accounts the Customer administers.
8. Audit
Ask Arthur will provide, on reasonable written request and not more than once in any 12-month period (or more frequently if required by a regulator or following an Eligible Data Breach):
- the most recent Security Overview document and any third-party assessment reports it then holds;
- responses to a reasonable security questionnaire (e.g. SIG Lite, CAIQ) under NDA;
- where the foregoing is insufficient and the Customer is a regulated entity with an enforceable audit obligation, an on-site or remote audit at the Customer's expense, conducted on at least 30 days' written notice and during business hours.
9. Return & Deletion
On termination of the Service, the Customer may export Customer Data via the Service's data export endpoints for a period of 30 days. After 30 days, Ask Arthur will delete Customer Data from live systems. Backup copies are retained for up to 7 days under point-in-time recovery and are then automatically expired. Aggregated, de-identified data that no longer constitutes Personal Information may be retained indefinitely for the purpose of improving the Service.
10. Notification of Eligible Data Breach
Where Ask Arthur becomes aware of an Eligible Data Breach affecting Customer Data, Ask Arthur will notify the Customer without undue delay and in any event within 72 hours of becoming aware. The notification will include, to the extent then known:
- the nature of the breach, including the categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects;
- the contact point for further information.
The Customer remains responsible for any notification to the Office of the Australian Information Commissioner under Part IIIC of the Privacy Act 1988 (Cth), and to supervisory authorities and data subjects where the GDPR applies, except to the extent the Customer expressly delegates this responsibility in writing.
11. General
11.1 Order of precedence
In the event of conflict between this DPA and the underlying agreement, this DPA prevails to the extent of the conflict in respect of the processing of Customer Data.
11.2 Governing law
This DPA is governed by the laws of New South Wales, Australia. The parties submit to the non-exclusive jurisdiction of the courts of New South Wales.
11.3 Liability
Liability under this DPA is subject to the limitations and exclusions in the underlying agreement.
11.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remainder of the DPA continues in force.
Schedule A — Description of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Ask Arthur scam-detection Service. |
| Nature and purpose | Receiving, classifying, and returning verdicts on suspicious content submitted by Customer end users; supporting B2B integrations. |
| Categories of data subjects | Customer's authorised end users; Customer's administrators; individuals identified in content submitted to the Service. |
| Categories of Personal Information | Email address; account identifier; submitted content (which may incidentally contain identifiers, contact details, or financial data); IP address (hashed). |
| Special categories | None intended. Customer should not submit special category data; if incidentally submitted, it is processed for analysis and immediately discarded except for PII-scrubbed summaries of HIGH_RISK verdicts. |
| Frequency of processing | Continuous for the duration of the Service. |
| Retention | SAFE / SUSPICIOUS reports archived after 90 days. HIGH_RISK reports archived after 180 days. Bot queue records cleared at status transition; rows hard-deleted after 24 hours. |
Schedule B — Technical & Organisational Measures
Ask Arthur implements the following measures, summarised here and described in detail in the Security Overview document available at askarthur.au/trust/security-overview.
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 via Supabase-managed KMS |
| Encryption in transit | TLS 1.3; HSTS preload |
| Authentication | Supabase Auth with PKCE; MFA available; HttpOnly secure cookies |
| Authorisation | PostgreSQL Row Level Security on all multi-tenant tables |
| Network | No publicly addressable databases; all ingress via Vercel edge |
| Logging | Structured application logs, 30-day retention; cost telemetry; access audit via Supabase log explorer |
| Vulnerability management | Dependency scanning; managed runtime auto-patching; high-severity vulnerabilities patched within 7 days |
| Incident response | 24-hour triage; 72-hour customer notification of confirmed breach |
| Backup & recovery | Supabase point-in-time recovery (7-day window); RPO < 1 minute; RTO < 4 hours |
| Personnel | Confidentiality obligations; principle of least privilege; background-check requirement for engineering personnel handling production data |
This document is a template for vendor due diligence. It does not become binding until counter-signed by both parties.
Signature Page
By signing below, the parties agree to be bound by this Data Processing Agreement.