These documents are drafts pending legal review and are not legal advice. Bracketed [values] are placeholders to be completed before launch.

Data Processing Addendum

Last updated: [DATE]

This Data Processing Addendum ("DPA") forms part of the Terms of Service between JES WEB PTY LTD ("Processor", "we") and the customer organisation ("Controller", "you") for CardIndexer (the "Service"). It applies where we process personal data on your behalf.

1. Roles

For personal data you submit to the Service, you are the Controller and we are the Processor. Each party will comply with applicable data protection laws, including the Australian Privacy Act 1988 (Cth) and, where applicable, the EU/UK GDPR.

2. Scope and purpose of processing

  • Subject matter: provision of the Service.
  • Nature and purpose: hosting, storing, and processing card metadata and usage records to help you track where cards are used.
  • Data subjects: your authorised users and personnel.
  • Categories of data: names, email addresses, authentication identifiers, card metadata (label, brand, last four, expiry), and usage records. We do not process full card numbers, CVV, or PINs.

3. Our obligations

We will: (a) process personal data only on your documented instructions, including as set out in the Terms and this DPA; (b) ensure persons authorised to process data are bound by confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist you, taking into account the nature of processing, with data subject requests and with your security, breach, and impact-assessment obligations; and (e) make available information necessary to demonstrate compliance.

4. Sub-processors

You authorise us to engage the sub-processors listed at Sub-processors. We will impose data protection obligations on sub-processors substantially similar to those in this DPA, and remain responsible for their performance. We will give notice of intended changes so you may object on reasonable grounds.

5. International transfers

Where personal data is transferred outside its country of origin, we will ensure an appropriate transfer mechanism is in place (for example Standard Contractual Clauses) where required by law.

6. Security and breach notification

We maintain the security measures described in our Privacy Policy. We will notify you without undue delay after becoming aware of a personal data breach affecting your data and provide information reasonably available to us.

7. Return and deletion

On termination, we will delete or return personal data as described in the Terms, subject to retention required by law.

8. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable request and subject to confidentiality, respond to reasonable audit enquiries.

9. Contact

Data protection enquiries: [privacy@cardindexer.com]. JES WEB PTY LTD, [registered address].