Data Processing Agreement
Last Reviewed Date: April 2025
This Data Processing Agreement (“DPA”) applies where Felix Software Pty Ltd (“Company”) processes Personal Data received from, or on behalf of, Enterprise Customer. This DPA supersedes all previous versions, including without limitation all versions of the Company's "Data Processing Standards" that may have been provided with the Principal Agreement.
To the extent this DPA applies, it is incorporated into and forms part of the Company's Terms of Use with the Enterprise Customer (“Principal Agreement”). In the event of a conflict between the provisions of this DPA and the Principal Agreement, this DPA will prevail to the extent of the conflict or inconsistency.
The Enterprise Customer acknowledges that the Company may update this DPA from time to time on reasonable notice.
WHEREAS
- The Company makes its Services available to Enterprise Customers.
- The Enterprise Customer wishes to use the Services and, in the course of using the Services, the Personal Data of the Organisation, its employees or other individuals may be entered into or uploaded to the Services for the purpose of enabling the Company to provide the Services or perform its obligations under or in connection with the Principal Agreement or Enterprise Customer's instructions.
- The Company agrees to process Personal Data provided by or on behalf of the Enterprise Customer in accordance with the terms and conditions of the DPA and the Principal Agreement.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
- Unless otherwise defined herein, capitalized terms and expressions used in this DPA have the following meanings:
- "Controller" has the meaning given to that term (or an equivalent term) under the GDPR;
- "Data Protection Laws" means applicable laws and regulations in respect of the collection, use and handling of personal data in force at any time in any jurisdiction, which includes (without limitation) Australia's Privacy Act 1988 (Cth) and the GDPR;
- "Data Subject" means an identified or identifiable natural person, and includes any person defined as a data subject or a similar term under the GDPR;
- “GDPR” means:
  - when used in the context of United Kingdom residents, the UK General Data Protection Regulation as implemented by the Data Protection Act 2018 (UK); and
  - when used in the context of European Union residents, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 for the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC;
- "Enterprise Customer" means asset owners and general contractors who have engaged the Company to provide the Services under the Principal Agreement and to assist the Enterprise Customer in procurement and vendor management.
- "Personal Data" has the meaning given to that term (or an equivalent term) in the applicable Data Protection Laws;
- "Personal Data Breach" has the meaning given to that term (or an equivalent term) under the applicable Data Protection Laws;
- "Processing" has the meaning given to that term (or an equivalent term) under the applicable Data Protection Laws;
- “Services” means the platform for facilitating the vendor relationship management, electronic tendering / quoting and other related procurement activities and the associated services provided by the Company to the Enterprise Customer;
- "Standard Contractual Clauses" means:
  - in the context of European Union residents, the European Union's standard contractual clauses for data transfers from Controllers or Processors in the European Union to Controllers or Processors established outside the European Union, Commission implementing decision (EU) 2021/914 including as amended or replaced from time to time; or
  - in the context of United Kingdom residents, the United Kingdom standard contractual clauses for compliance with the restricted transfer rules in the GDPR, issued or amended in accordance with section 119A of the Data Protection Act 2018 (UK);
- "Subprocessor" means any person appointed by or on behalf of the Company to process Personal Data on behalf of the Enterprise Customer in connection with the Principal Agreement, including the subprocessors specified in the Trust Centre;
- “User Data” means any Personal Data provided to the Company by the Enterprise Customer or on behalf of the Enterprise Customer (including by a Vendor User) under or in connection with the Principal Agreement; and
- "Vendor User" means entities (including their authorised users) who supply (or who have supplied, or who propose to supply) goods or services or information to Enterprise Customer, and whom Enterprise Customer has invited to provide information relating to the Vendor User's products, services, information or compliance.
- If a capitalised term is used but not defined in this DPA, the meaning given to that term under the Principal Agreement will apply.
2. Processing of User Data
The parties acknowledge and agree that:
- the Company will act as a Processor of the User Data and the obligations set out in this DPA do not apply to the Company in its capacity as a Controller; and
- the Enterprise Customer as the Controller provides instructions to the Company about the processing of the User Data.
The Company will comply with all applicable Data Protection Laws in the Processing of User Data.
The Enterprise Customer instructs the Company to Process the User Data:
- to enable the Company to perform its obligations and exercise its rights under the Principal Agreement, applicable Order Forms, including (without limitation) the Company's obligations to provide the Services to the Enterprise Customer;
- in accordance with the Enterprise Customer's further lawful written instructions; or
- as required by applicable laws, in which case the Company will notify the Enterprise Customer of such requirement prior to Processing the User Data, unless such notification is prohibited by the applicable laws.
If the Company determines (acting reasonably) that the Enterprise Customer's instructions will or are likely to result in a breach of Data Protection Laws, the Company may promptly inform the Enterprise Customer of such risk. In such circumstances, the parties acknowledge and agree that any failure by the Company to comply with the Enterprise Customer's instructions will not constitute a breach of this DPA by the Company.
The Company will take reasonable steps to ensure that each of its employees, agents or contractors that are authorised to access the User Data:
- are subject to the more stringent of:
  - confidentiality obligations no less onerous than those set out in clause 10 of this DPA when handling User Data; or
  - statutory obligations of confidentiality; and
- may only access the User Data:
  - on a need-to-know basis; and
  - as necessary for the purposes of the Principal Agreement and to comply with the applicable laws in the context of that employee's, agent's or contractor's (as applicable) duties to the Company.
The Company will not:
- sell or commercialise the User Data without first anonymising it in such a manner that it cannot be identified and Personal Data can no longer be attributed to a specific Data Subject; or
- use, hold or disclose the User Data for any purpose or in any manner other than as set out in the Principal Agreement and this DPA.
The Enterprise Customer acknowledges and agrees that the Company is not responsible for:
- ensuring the Enterprise Customer's compliance with the applicable Data Protection Laws including in its capacity as the Controller towards User Data or other Personal Data; or
- procuring any consent, authorisation or any agreement from the Enterprise Customer's vendors to enable the Company to Process the User Data.
3. Enterprise Customer warranties
The Enterprise Customer warrants that:
- it has obtained all necessary consents and authorisations, or has otherwise established a legitimate legal basis to enable the Company to Process the User Data; and
- any instructions provided to the Company in respect of User Data will not cause the Company to breach the applicable Data Protection Laws.
4. Security
The Company will implement and maintain appropriate technical and organisational measures to protect the User Data from a Personal Data Breach, having regard to the state of the art, the costs of implementation and the nature of the User Data, the scope, context and purposes of Processing and, as appropriate, the Standard Contractual Clauses and the measures referred to in Article 32(1) of the GDPR (collectively, the "Security Measures").
The Company will regularly (at least once annually) review the effectiveness and appropriateness of its Security Measures.
The Company may update or modify the Security Measures from time to time, provided such updates do not materially adversely affect the security of the User Data.
5. Subprocessors
The Enterprise Customer authorises the Company to use and continue to use the Subprocessors already engaged as at the date of this DPA.
Without limiting clause 5.1, the Enterprise Customer authorises the Company to appoint (and permit each Subprocessor appointed in accordance with this clause 5.2 to appoint) Subprocessors provided that:
- the Company provides the Enterprise Customer reasonable prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor;
- each Subprocessor is subject to obligations no less onerous than those set out in this DPA in respect of Processing User Data, including an obligation to comply with the applicable Data Protection Laws; and
- the Company agrees that it is responsible for all acts and omissions of its Subprocessors.
The Enterprise Customer may object to the appointment of a Subprocessor by providing the Company written notice within 7 days of receiving notice of such appointment, and which will include the Enterprise Customer's reasonable grounds of objection. Upon the Company's receipt of the Enterprise Customer's objection, the parties will work together in good faith to resolve the Enterprise Customer’s concerns regarding the proposed Subprocessor.
6. Data Subject Rights
If the Company receives a request from a Data Subject to exercise their rights under the applicable Data Protection Laws, the Company will:
- promptly notify the Enterprise Customer of such request and provide the Enterprise Customer all information regarding the Data Subject's request; and
- provide the Enterprise Customer all reasonable assistance required by the Enterprise Customer to respond to such Data Subject requests.
The Enterprise Customer acknowledges and agrees that the Company is not responsible for responding to requests received from Data Subjects, other than to acknowledge receipt of the request.
7. Personal Data Breach
If the Company becomes aware of an actual or suspected Personal Data Breach affecting User Data, the Company will:
- promptly (and subject to the notice requirements under the applicable Data Protection Law) notify the Enterprise Customer of such Personal Data Breach; and
- provide the Enterprise Customer any assistance reasonably required by the Enterprise Customer to fulfill its obligations under Data Protection Laws applicable to the Personal Data Breach, including (without limitation) by providing the Enterprise Customer any information regarding the Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
The Company will make reasonable efforts to conduct data protection impact assessments, and prior consultations with Supervising Authorities (as defined under the GDPR) or other competent data privacy authorities, if requested by the Enterprise Customer or as otherwise required under the applicable Data Protection Laws.
9. Deletion of User Personal Data
Subject to clause 9.2, upon termination or expiry of the Principal Agreement, the Company will (according to data retention rules) return or delete all User Data in the Company's possession or control.
The Company may retain User Data to the extent required by the Company to:
- make the User Data available to the Enterprise Customer for download or extraction, after which the Company will promptly delete all User Data (including any copies); or
- comply with applicable laws and only for such period as required by applicable laws.
If the Company retains User Data in accordance with clause 9.2 above, the Company's obligations under this DPA in respect of Processing Personal Data will apply to such retained User Data and will survive termination or expiry of the Principal Agreement.
10. Confidentiality
The Company will keep all User Data confidential and will not disclose such User Data to any third party without the Enterprise Customer's prior written consent.
The Enterprise Customer acknowledges and agrees that the Company is not in breach of clause 10.1, if the Company discloses User Data:
- as permitted under this DPA (including pursuant to clauses 2.2 and 5); or
- as required by applicable law or any court order, and provided the Company notifies the Enterprise Customer of the required disclosure prior to making such disclosure, unless notification is prohibited by the applicable law or under the court order.
11. Audit rights
The Enterprise Customer may from time to time and at its own cost (not more than once annually) conduct an audit on the Company to verify the Company's compliance with this DPA or the applicable Data Protection Laws, by providing the Company at least 14 days' prior written notice.
If the Enterprise Customer requests any such audit, the Company will provide any assistance reasonably required by the Enterprise Customer to conduct the audit, including (without limitation) by providing the Enterprise Customer access to any records relevant to the Company's Processing of Enterprise Customer Data or the Company's premises within normal business hours.
12. Liability
In the event the Company is found liable under or in connection with this DPA, the Company's liability is subject to the limitations set out in the Principal Agreement.
The Enterprise Customer indemnifies the Company for any breach of the warranties under clause 3.