DATA PROCESSING ADDENDUM
This Data Processing Addendum ("Addendum") is made and entered into as of the Effective Date of the Agreement (as defined below) by and between:
Low Carbon Materials Hub Pty Ltd, a company incorporated under the laws of Australia, with its principal place of business at 12 Bruford Road, Port Melbourne, VIC 3207, Australia ("Processor"); and
Our Customer, acting as the data controller (referred to as "Controller").
(Each a "Party" and collectively the "Parties")
This Addendum supplements the agreement between the Controller and the Processor for the provision of the Processor's product, Nulla (the "Service"), and any other agreements between the Parties (the "Agreement").
WHEREAS:
- A. The Controller uses the Processor's Service, which involves the processing of certain data provided by the Controller, including Material Takeoff Quantities Documents (e.g., BOQ, BQ, BIM off-take) and related information (the "Controller Data").
- B. The Parties acknowledge that for the purposes of the Australian Privacy Act 1988 (Cth) and the New Zealand Privacy Act 2020, and any other applicable privacy legislation in Australia or New Zealand, the Controller is the data controller (referred to as an "APP entity" under Australian law and an "agency" under New Zealand law) and the Processor is the data processor with respect to any Personal Information contained within the Controller Data.
- C. This Addendum sets out the data protection obligations of the Parties with respect to the processing of Personal Information by the Processor on behalf of the Controller.
IT IS AGREED as follows:
1. Definitions
1.1. Unless otherwise defined herein, capitalized terms used in this Addendum shall have the meanings set forth in the Agreement, the Australian Privacy Act 1988 (Cth), and the New Zealand Privacy Act 2020, as applicable.
1.2. "Applicable Privacy Laws" means the Australian Privacy Act 1988 (Cth), the New Zealand Privacy Act 2020, and any other laws or regulations in Australia or New Zealand applicable to the processing of Personal Information under the Agreement.
1.3. "Personal Information" has the meaning given in the Applicable Privacy Laws, and generally refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
1.4. "Service" means the product provided by the Processor, Nulla, for compiling embodied carbon calculations for construction projects.
2. Scope and Purpose of Processing
2.1. The Processor shall process Controller Data, including any Personal Information contained therein, solely for the purpose of providing the Service to the Controller, which includes:
- Ingesting and processing Material Takeoff Quantities Documents (e.g., BOQ, BQ, BIM off-take).
- Mapping line items to materials and their associated carbon coefficients from generic databases and the Processor's EPD database.
- Compiling and generating embodied carbon calculations for submitted construction projects.
- Providing analytical insights and functionalities related to material mapping and embodied carbon calculations within the Service.
- Storing materials and carbon mapping output data for the Controller's ongoing access, reporting and further enhancement of the calculations.
2.2. The duration of processing shall be for the term of the Controller's subscription to the Service, and as long as necessary to fulfill the purposes outlined in Section 2.1, or as required by Applicable Privacy Laws.
2.3. The categories of data subjects whose Personal Information may be processed include individuals whose data is contained within the Controller Data (e.g., project managers, architects, employees of the Controller or its clients, if such data is present in the takeoff documents).
2.4. The categories of Personal Information processed may include, but are not limited to, names, contact information, professional roles, and any other Personal Information embedded within the Material Takeoff Quantities Documents.
3. Processor's Obligations
3.1. Lawful Processing: The Processor shall process Personal Information only on documented instructions from the Controller and in accordance with this Addendum, unless required to do so by Applicable Privacy Laws to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.
3.2. Confidentiality: The Processor shall ensure that persons authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality.
3.3. Security: The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Information, ensuring compliance with Australian Privacy Principle 11 (APP 11) and New Zealand Information Privacy Principle 5 (IPP 5). These measures include but are not limited to:
- Encrypting all data transmissions via HTTPS (TLS 1.2).
- Protecting data at rest through encryption, strict data retention policies, and secure storage from established providers.
- Adhering to SOC 2 requirements for access controls and audit log maintenance.
- Establishing a process to regularly test and evaluate the effectiveness of security measures.
3.4. Assistance to Controller: The Processor shall, taking into account the nature of the processing, provide reasonable assistance to the Controller to enable the Controller to comply with its obligations under Applicable Privacy Laws, including:
- Responding to requests for access to and correction of Personal Information from data subjects (consistent with APP 12, APP 13, IPP 6, and IPP 7).
- Fulfilling the Controller's obligations regarding Privacy Impact Assessments (if applicable).
3.5. Notifiable Data Breach Notification: The Processor shall notify the Controller without undue delay (and in any event, within 48 hours of becoming aware) upon becoming aware of a privacy breach (as defined under Applicable Privacy Laws) affecting Controller Data that is likely to be an eligible data breach under the Australian Notifiable Data Breaches (NDB) scheme or a notifiable privacy breach under the New Zealand Privacy Act 2020. The Processor shall provide the Controller with sufficient information to enable the Controller to meet its notification obligations under Applicable Privacy Laws.
3.6. Deletion or Return of Data: Upon the Controller's written request, the Processor shall, at the Controller's choice, delete or return all Personal Information to the Controller and delete existing copies unless Applicable Privacy Laws require storage of the Personal Information.
3.7. Demonstration of Compliance: The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum and, upon reasonable notice, allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, to the extent such audits are necessary to verify compliance with Applicable Privacy Laws.
4. Controller's Obligations
4.1. The Controller warrants that it has all necessary rights, consents, and permissions (including any required notifications under APP 5 and IPP 3) to provide the Controller Data, including any Personal Information, to the Processor for processing in accordance with this Addendum and the Agreement.
4.2. The Controller shall ensure that its instructions for the processing of Personal Information comply with Applicable Privacy Laws.
4.3. The Controller shall be responsible for the accuracy, quality, and legality of the Personal Information provided to the Processor.
5. Sub-processing
5.1. The Controller generally authorizes the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Controller the opportunity to object to such changes on reasonable grounds related to data protection within 14 days of notification. If the Controller objects, the Parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Controller may terminate the Agreement subject to its terms.
5.2. Where the Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the Processor shall impose equivalent data protection obligations as set out in this Addendum on that sub-processor by way of a written contract. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
6. Cross-Border Disclosure of Personal Information
6.1. The Processor acknowledges that any transfer of Personal Information outside of Australia or New Zealand (as applicable) constitutes a cross-border disclosure. The Processor shall ensure that any such cross-border disclosure is made in compliance with Australian Privacy Principle 8 (APP 8) and New Zealand Information Privacy Principle 12 (IPP 12). This may include:
- Taking reasonable steps to ensure that the overseas recipient does not breach the APPs or IPPs in relation to the information; or
- Ensuring that the overseas recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the APPs or IPPs; or
- Obtaining the Controller's express consent to the cross-border disclosure after the Controller has been informed that such consent removes the Processor's obligations under APP 8 or IPP 12.
6.2. The Processor primarily stores and processes data within Australia and New Zealand. If data is transferred to other regions, such transfers will be to countries with privacy laws deemed adequate by the relevant authorities, or will rely on appropriate contractual safeguards.
7. Liability
7.1. Each Party's liability under this Addendum shall be subject to the limitations of liability set forth in the Agreement.
8. Term and Termination
8.1. This Addendum shall remain in force for as long as the Processor processes Personal Information on behalf of the Controller under the Agreement.
8.2. Termination of the Agreement shall automatically terminate this Addendum. Sections 3.6, 3.7, and 6.1 of this Addendum shall survive termination.
9. General Provisions
9.1. Governing Law and Jurisdiction. This Addendum shall be governed by and construed in accordance with the laws of Australia. Any disputes arising out of or in connection with this Addendum shall be subject to the exclusive jurisdiction of the courts of Victoria, Australia.
9.2. Entire Agreement. This Addendum, together with the Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements and understandings, whether written or oral.
9.3. Order of Precedence. In the event of any conflict or inconsistency between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail with respect to the subject matter of data processing.