Data Protection Addendum

1. Introduction

This Data Protection Addendum ("Addendum") is agreed upon between Portant PTY LTD., a NSW, Australia company ("Portant"), and the Customer, commencing on the date upon which the Customer duly registered to utilise the services provided by Portant. This Addendum governs the handling of Customer Personal Data by Portant in accordance with the agreement executed between Portant and the Customer concerning the provision of Portant's services (the "Terms and Conditions").

2. Terminology

Definitions include: "Associated Entity", "CCPA", "Customer Personal Data", "Privacy Legislation", "Data Individual", "EU Privacy Legislation", "Processing", "Personal Data", "Security Event", "Subprocessor", "External Subprocessor", and "EU–US Data Privacy Framework (DPF)". Capitalised terms not defined herein have the meanings in the Terms and Conditions.

3. General; Termination

This Appendix constitutes an integral part of the Terms and Conditions. Any liabilities under this Appendix are subject to the liability limitations in the Terms and Conditions. This Appendix will auto-terminate upon the termination or expiration of the Terms and Conditions.

4. Scope of this Addendum

This Addendum governs Portant's Processing of Customer Personal Data under the Terms and Conditions. Appendix A (EU Appendix) applies only to Processing governed by EU Privacy Legislation; Appendix B (California Appendix) applies only to Processing governed by the CCPA.

5. Role and Extent of Processing

Portant shall Process Customer Data exclusively in alignment with the Customer's directives. By entering the Terms and Conditions, the Customer instructs Portant to Process Customer Data for the provision of services and per any other written instructions acknowledged by Portant. Customer acknowledges that such instruction authorises Portant to Process Customer Data to fulfil its responsibilities under the Terms and Conditions, to abide by legal obligations, and to establish, exercise, or defend legal claims. Sources and Destinations (as directed by Customer through the services) are not Subprocessors of Portant; Customer solely bears responsibility for the Processing of Customer Personal Data by Sources and Destinations.

6. Subprocessing

Customer explicitly permits Portant to employ its Associated Entities as Subprocessors and to engage External Subprocessors. Portant shall formalise written agreements with each Subprocessor with data protection obligations substantially akin to this Appendix and remains accountable for compliance. Upon engaging a new External Subprocessor, Portant will notify Customer (e.g. via the Subprocessor Page and a message within Customer's Portant Workspace) at least ten (10) calendar days prior to the new Subprocessor Processing any Customer Personal Data, except where expedited engagement is necessary for safeguarding data or averting substantial disruption. If Customer objects in writing within five (5) calendar days due to justifiable data protection concerns, the parties will discuss; if unresolved, Customer may terminate the Terms and Conditions for convenience as its sole remedy.

7. Security

Portant shall establish and uphold technical and organisational safeguards to safeguard Customer Personal Data against Security Incidents, in line with Portant's security standards outlined in the Privacy and Security page. Upon confirmation of a Security Incident, Portant will inform the Customer promptly unless restricted by law. The Customer remains solely accountable for its use of the Services, including maintaining a suitable security level, securing account credentials, and conducting its own backups of Customer Data.

8. Data Subject Requests

Portant will, upon Customer's request (and at Customer's cost), provide necessary assistance to help Customer fulfil its obligations under Data Protection Laws concerning individuals' rights requests. Should Portant receive a request from a Data Subject regarding their Customer Personal Data, Portant will direct the Data Subject to submit their request to the Customer.

9. Return or Deletion of Data

Upon Customer's request following termination or expiration of the Terms and Conditions, Portant will delete all Customer Personal Data from Portant's systems within sixty (60) days. Portant may retain Customer Personal Data if mandated by law, with such data continuing to be governed by this Addendum.

Signed versions

If your organisation requires a signed version, you can review and sign them below (Powered by Portant):

• Global: Review and sign Portant General DPA or Download docx copy
• EU & UK: Review and Sign Portant SCCs + ICO addendum or Download docx copy

For full annexes (EU Annex, California Annex, UK Annex) and definitions, refer to the standard DPA document. This page summarises the key terms; the legally binding document is available for review and signature via the links above.