Smartpath Global Data Processing Addendum (DPA)

Effective date: January 1, 2025.

This Global Data Processing Addendum (“DPA”) forms part of the Smartpath Terms of Service. It governs Smartpath Pty Ltd’s processing of Personal Information/Personal Data on behalf of the Customer, in accordance with applicable privacy and data protection laws globally, including the Privacy Act 1988 (Cth), the EU GDPR, the UK GDPR, and relevant U.S. state privacy laws (CCPA/CPRA, etc.).

1. Roles and Scope

Customer acts as Controller (or organisation responsible under Privacy Laws) and Smartpath acts as Processor or Service Provider. Processing is limited to what is necessary to deliver the Services as described in the Terms of Service and Order Form.

2. Smartpath Obligations

Smartpath will:
• Process Personal Data only on Customer’s documented instructions.
• Ensure confidentiality of persons authorised to process the data.
• Implement appropriate technical and organisational measures for security.
• Assist Customer with data subject requests and impact assessments.
• Notify Customer without undue delay of any Personal Data Breach.
• Delete or return data upon termination, unless retention is required by law.
• Make available information necessary to demonstrate compliance.

3. Subprocessors

Smartpath may engage Subprocessors to provide the Services. A current list is available on Smartpath’s website. Smartpath will notify Customer in advance of new Subprocessors and will impose equivalent obligations on them. Smartpath remains responsible for their performance.

4. International Transfers

Smartpath may transfer Personal Data globally as required to provide the Services. Transfers will be protected by appropriate safeguards:
• For EU: EU Standard Contractual Clauses (Controller–Processor, 2021/914/EU) apply.
• For UK: International Data Transfer Addendum (IDTA) or UK Addendum to the EU SCCs applies.
• For US: Smartpath will implement appropriate contractual, technical, and organisational protections and will process Personal Data consistent with Customer instructions.

5. Security Measures

Smartpath maintains administrative, technical and physical safeguards to protect Personal Data, including encryption in transit and at rest, access controls, least privilege, vulnerability management, incident response, logging and monitoring, backups and disaster recovery, and employee security awareness training. Target RTO: 24 hours; RPO: 24 hours.

6. Audit

Smartpath will provide audit summaries (e.g., independent assessments or SOC/ISO reports) upon request. Customer may perform an on-site audit once per 12 months if required by law, subject to confidentiality and reasonable notice.

7. Data Subject Rights

Smartpath will assist Customer in responding to requests from individuals exercising rights under applicable Privacy Laws, including access, correction, deletion, portability, and objection rights.

8. Retention and Deletion

Smartpath will retain Personal Data only for the duration of the Services and will delete it within 60 days after termination, subject to legal retention obligations. Deletion confirmation will be available on request.

9. Liability and Governing Law

This DPA is governed by the same law as the applicable Smartpath Terms of Service unless otherwise required by applicable Privacy Laws.

Annex A – EU/EEA Addendum

Applies when Customer or data subjects are in the EEA. The EU GDPR applies, and the Standard Contractual Clauses (2021/914/EU) are incorporated by reference. Smartpath acts as the data importer; Customer is the data exporter. Module Two (Controller–Processor) applies.

Annex B – UK Addendum

Applies when Customer or data subjects are in the UK. The UK GDPR and Data Protection Act 2018 apply. The International Data Transfer Addendum (IDTA) or UK Addendum to the EU SCCs is incorporated by reference.

Annex C – U.S. Addendum

Applies when Customer or data subjects are in the United States. Smartpath acts as a “Service Provider” under applicable U.S. state privacy laws. Smartpath will not sell, share, or disclose Personal Information for purposes other than providing the Services, and will comply with CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut DPA, and similar state laws as applicable.

Annex D – Technical and Organisational Measures

Measures include encryption in transit and at rest; MFA for privileged access; least privilege; network segmentation; secure software development; logging and monitoring; vulnerability management; annual penetration testing; backups; business continuity; and vendor risk management.