Data processing addendum
This Data Processing Addendum ("DPA") applies where Maivas processes personal information about your members, leads and other individuals on your behalf. It forms part of the Terms of Service between you ("Customer", "you") and Move Me Media Pty Ltd (ACN 699 626 385) ("Move Me Media", "we"). If there is a conflict on data-protection matters, this DPA prevails over the Terms.
This DPA is written to meet the requirements of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where you or your members are subject to other data-protection laws, contact us to agree any additional terms.
1. Roles
For the personal information inside your own connected systems (your members, leads and their records), you are the controller and we are your processor. We process that data only to provide the Service and only on your documented instructions, which include these Terms and your use of the Service. For your own account and business data, we act as controller under our Privacy Policy; that is outside this DPA.
2. Scope of processing
- Subject matter: providing the Maivas marketing service to you.
- Duration: for as long as you use the Service, plus the retention periods in the Privacy Policy.
- Nature and purpose: planning, producing and (after your approval) delivering marketing, and reading aggregated performance data from your connected systems.
- Types of data: primarily aggregated metrics and events. Where identifiable data is processed, it may include member and lead contact details and marketing engagement held in your connected systems.
- Categories of individuals: your members, leads, prospects and contacts.
3. Our obligations
We will:
- process personal information only on your instructions, and tell you if we believe an instruction breaches applicable privacy law;
- ensure people authorised to process the data are bound by confidentiality;
- apply appropriate technical and organisational security measures (see the Security and Data Handling page), including application-layer encryption of connection credentials, tenant isolation, access controls and audit logging;
- not sell the data, and not use it for our own purposes beyond providing and improving the Service as permitted by the Privacy Policy (de-identified, aggregated learning only); and
- not use the data to train general-purpose AI models.
4. Sub-processors
You authorise us to engage the sub-processors listed at Sub-processors to help provide the Service. We impose data-protection obligations on them consistent with this DPA and remain responsible for their performance. We will update that list before adding or replacing a sub-processor that handles personal information, and where the change is material we will notify account owners so you can object.
5. Assistance to you
Taking into account the nature of the processing, we will provide reasonable assistance to help you:
- respond to requests from individuals to access, correct or delete their data;
- meet your own security, breach-notification and (where applicable) impact-assessment obligations; and
- demonstrate compliance.
If we receive a request directly from one of your members about their data, we will not respond substantively ourselves; we will refer them to you and assist you as controller.
6. Data breaches
We will notify you without undue delay after becoming aware of a breach affecting your data, provide the information you reasonably need to meet your notification obligations, and cooperate to investigate and remediate.
7. International transfers
Some sub-processors are located overseas, including in the United States. Where personal information is processed overseas, we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, including through contractual data-processing terms. Locations are noted on the Sub-processors page.
8. Return and deletion
On termination, or on your request, we will make your data available for export and then delete or return it within the period stated in the Privacy Policy, except where the law requires us to keep certain records. Encrypted connection credentials are deleted promptly when a connection is removed.
9. Audit
On reasonable notice, and no more than once a year unless a regulator or a breach requires otherwise, we will make available the information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality.
10. Contact
Data-protection matters: info@movememedia.com.au.