Data Processing Agreement

Effective Date: January 15, 2025

Company: GEVADE PTY LTD (ABN: 87 638 447 097)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between GEVADE PTY LTD ("Processor") and the customer ("Controller") for the provision of GEVADE CRM services.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data
• Controller: The entity that determines the purposes and means of processing
• Processor: GEVADE PTY LTD, processing data on behalf of the Controller

3. Scope and Purpose

This DPA applies to the processing of personal data by GEVADE PTY LTD in connection with the provision of CRM services, including:

• Contact management and customer data
• Communication records and interactions
• Sales pipeline and opportunity data
• Analytics and reporting data

4. Data Processing Principles

GEVADE PTY LTD will process personal data:

• Only on documented instructions from the Controller
• For the specific purposes outlined in this agreement
• In accordance with applicable data protection laws
• With appropriate technical and organizational measures

5. Security Measures

We implement appropriate security measures including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments and updates
• Staff training on data protection
• Incident response procedures

6. Data Transfers

Personal data is primarily stored and processed in Australia. Any international transfers will be conducted with appropriate safeguards in accordance with applicable laws.

7. Data Subject Rights

We will assist the Controller in responding to data subject requests, including:

• Access to personal data
• Rectification of inaccurate data
• Erasure of personal data
• Data portability
• Objection to processing

8. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Controller without undue delay
• Provide all relevant information about the breach
• Assist with any required notifications to authorities
• Implement measures to address the breach

9. Data Retention and Deletion

Personal data will be:

• Retained only as long as necessary for the agreed purposes
• Deleted or returned upon termination of services
• Securely destroyed in accordance with our data retention policy

10. Audits and Compliance

The Controller may conduct audits to verify compliance with this DPA, subject to reasonable notice and confidentiality obligations.

11. Liability and Indemnification

Each party will be liable for damages caused by its breach of applicable data protection laws, subject to the limitations set out in the main Terms of Service.

12. Contact Information

For questions about this DPA or data processing practices:

GEVADE PTY LTD
Data Protection Officer: privacy@gevade.com
ABN: 87 638 447 097
South Australia, Australia