DATA PROCESSING ADDENDUM (DPA)

Employield (ABN 93 966 972 320)
Last updated: 02/03/2026

This Data Processing Addendum (“DPA”) forms part of the Employield Terms of Service / Master Subscription Agreement (“Agreement”) between Employield and the subscribing Customer.

This DPA applies where Employield processes Personal Information on behalf of the Customer in connection with the Services.

If you accept this DPA on behalf of the Customer, you represent and warrant that you have authority to bind the Customer.

Table of Contents

Definitions

Roles and Responsibilities

Scope of Processing and Instructions

Subprocessors

Data Security and Access Controls

Security Incidents and Data Breach Notification

Customer Requests, Regulatory Enquiries, and Cooperation

Audits and Security Information

Data Location and Cross-Border Disclosure

Data Export, Return, and Deletion

Government and Law Enforcement Requests

Priority and Conflicts

Liability

Changes to this DPA

Governing Law

Annex 1 — Details of Processing

Annex 2 — Technical and Organisational Measures (TOMs)

Annex 3 — Subprocessors and Locations

Annex 4 — Subprocessor Notice & Objection Procedure

1. Definitions

In this DPA:

APPs means the Australian Privacy Principles in Schedule 1 to the Privacy Act.

Customer Data means all data and content submitted to, stored in, transmitted through, or processed by the Services at the direction of the Customer, including Personal Information.

Customer Personal Information means Personal Information comprised in Customer Data.

Eligible Data Breach has the meaning given in Part IIIC of the Privacy Act.

Personal Information has the meaning given in the Privacy Act 1988 (Cth).

Privacy Act means the Privacy Act 1988 (Cth).

Security Incident means an event that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information.

Services means the Employield platform and related services provided under the Agreement.

Subprocessor means a third party engaged by Employield to process Customer Personal Information on behalf of Employield in connection with the Services.

Process / Processing means handling Customer Personal Information in any way, including collecting, using, storing, disclosing, transferring, deleting, or accessing.

2. Roles and Responsibilities

2.1 Customer as controller. The Customer determines the purposes and means of processing Customer Personal Information and is responsible for ensuring lawful collection and provision of Customer Personal Information to Employield.

2.2 Employield as service provider / processor. Employield processes Customer Personal Information on behalf of the Customer to provide the Services and meet Employield’s obligations under the Agreement and this DPA.

2.3 Customer obligations. The Customer is responsible for:

providing appropriate workplace privacy notices to individuals (including employees and contractors);

obtaining consents where required by law;

ensuring its use of the Services complies with the Privacy Act, APPs, workplace laws, and any applicable obligations; and

ensuring data entered is relevant, accurate, and not excessive for its purposes.

3. Scope of Processing and Instructions

3.1 Purpose limitation. Employield will process Customer Personal Information only:

to provide, maintain, support, and secure the Services;

to fulfil obligations under the Agreement and this DPA;

to respond to technical issues and service requests; and

as otherwise required by applicable law.

3.2 Documented instructions. The Customer instructs Employield through:

configuration and administrative settings within the platform; and

written instructions provided to Employield support (where applicable).

3.3 Unlawful instructions. If Employield reasonably believes an instruction would cause Employield to breach applicable law, Employield may:

notify the Customer; and

suspend or refuse that instruction to the extent necessary to comply with law.

3.4 Processing details. Processing details are set out in Annex 1.

4. Subprocessors

4.1 General authorisation. The Customer provides general authorisation for Employield to appoint Subprocessors.

4.2 Flow-down obligations. Employield will ensure Subprocessors are bound by written terms requiring them to protect Customer Personal Information in a manner consistent with this DPA, to the extent applicable to their processing.

4.3 Responsibility. Employield remains responsible for the acts and omissions of its Subprocessors in connection with processing of Customer Personal Information.

4.4 Subprocessor list. Employield maintains an up-to-date list of Subprocessors in Annex 3 and/or at a publicly accessible URL:
[Insert URL: e.g., www.employield.com.au/legal/subprocessors]

4.5 Notice of changes. Employield will provide at least 14 days’ prior notice of adding or replacing a Subprocessor that will process Customer Personal Information by:

updating the Subprocessor list; and

emailing the Customer’s nominated account owner/admin email on file.

4.6 Objection right. The Customer may object to a new Subprocessor on reasonable data protection grounds in accordance with Annex 4.

5. Data Security and Access Controls

5.1 Security program. Employield will implement and maintain appropriate technical and organisational measures to protect Customer Personal Information against Security Incidents, taking into account risk, sensitivity, and industry practice.

5.2 Minimum TOMs. Employield will maintain, at a minimum, the controls described in Annex 2 (Technical and Organisational Measures).

5.3 Confidentiality. Employield will ensure personnel authorised to process Customer Personal Information are subject to confidentiality obligations.

5.4 Customer-side security. The Customer is responsible for:

maintaining secure access controls and user permissions;

safeguarding login credentials;

promptly removing access for former employees and unauthorised users; and

using available security features provided by the platform.

6. Security Incidents and Data Breach Notification

6.1 Notification. Employield will notify the Customer as soon as practicable after becoming aware of a Security Incident affecting Customer Personal Information.

6.2 Information provided. Employield’s notification will include, to the extent known and available:

nature of the Security Incident (including systems affected);

categories of Customer Personal Information involved;

approximate number of affected individuals/records (if reasonably determinable);

likely consequences and risks; and

measures taken or proposed to contain and remediate.

6.3 Ongoing updates. Employield will provide reasonable updates as material information becomes available.

6.4 Cooperation (NDB). Employield will reasonably cooperate to support the Customer’s compliance obligations under the Notifiable Data Breaches (NDB) scheme, including providing information needed for assessment of whether an Eligible Data Breach has occurred.

6.5 External communications. Unless required by law, the Customer controls external communications and notifications to individuals/regulators. If Employield is referenced by name, the Customer will provide Employield a reasonable opportunity to review for accuracy.

7. Customer Requests, Regulatory Enquiries, and Cooperation

7.1 Data subject requests. Employield will provide reasonable assistance to enable the Customer to respond to access/correction requests, where technically feasible and subject to legal limitations.

7.2 Requests received by Employield. If Employield receives a request directly from an individual relating to Customer Personal Information, Employield will (where lawful and practicable) refer it to the Customer and not respond substantively unless authorised or required by law.

7.3 Regulatory enquiries. Employield will reasonably assist the Customer with enquiries from the OAIC or other competent regulators relating to processing under this DPA, where applicable.

8. Audits and Security Information

8.1 Security information. Upon written request, Employield will make available reasonable information about its security controls relevant to Customer Personal Information.

8.2 Audit scope limits. Any audit right is limited to what is reasonable and proportionate and must not:

compromise security of other customers;

require disclosure of unrelated confidential information; or

require direct access to production systems or third-party datacentres.

8.3 Frequency. Unless required by law or following a Security Incident, audits will be limited to once per 12 months with reasonable notice.

8.4 Costs. The Customer bears its own audit costs unless otherwise agreed in writing.

9. Data Location and Cross-Border Disclosure

9.1 Primary hosting. Customer Data is hosted on DigitalOcean infrastructure located in Sydney, Australia.

9.2 Cross-border. Some Subprocessors (such as payment or analytics providers) may process limited data outside Australia. Where Customer Personal Information is disclosed overseas, Employield will take reasonable steps to ensure safeguards consistent with APP 8.

10. Data Export, Return, and Deletion

10.1 Export. During the subscription term, the Customer may export Customer Data using available platform functionality or by written request, subject to reasonable verification.

10.2 Return/deletion on termination. Upon termination or expiry of the Agreement, Employield will, on written request and subject to the Agreement:

export/return Customer Data; and/or

delete Customer Data within a reasonable timeframe.

10.3 Legal retention. Employield may retain Customer Data where required by law. In that case, Employield will isolate the retained data and protect it from further processing except as required.

11. Government and Law Enforcement Requests

11.1 If Employield receives a legally binding request for access to Customer Personal Information, Employield will (where lawful) notify the Customer and provide reasonable details.

11.2 Employield may challenge unlawful or overbroad requests where appropriate and lawful.

12. Priority and Conflicts

If there is a conflict between this DPA and the Agreement regarding processing of Customer Personal Information, this DPA prevails to the extent of the conflict.

13. Liability

Liability under this DPA is subject to the limitation of liability provisions in the Agreement, to the maximum extent permitted by law.

14. Changes to this DPA

Employield may update this DPA from time to time to reflect changes in law, the Services, or industry practice. Updates will be published on the website and/or notified by email. Continued use of the Services after an update takes effect constitutes acceptance, unless prohibited by law.

15. Governing Law

This DPA is governed by the laws of Victoria, Australia, and the parties submit to the exclusive jurisdiction of the courts of Victoria.

Contact

Employield (ABN 93 966 972 320)
Email: [email protected]

ANNEX 1 — DETAILS OF PROCESSING

A. Parties
Customer (Controller): The subscribing organisation as identified in the Customer’s account.
Employield (Processor / Service Provider): Employield (ABN 93 966 972 320).

B. Categories of individuals

Employees (current and former)

Contractors and labour hire personnel

Candidates/applicants (if Customer inputs candidate data)

Managers/admin users (platform users)

C. Categories of Customer Personal Information

Identity/contact data (name, email, phone)

Employment details (role, location, start date, reporting line, team)

Performance data (reviews, goals, feedback, PDP/PIP records)

Engagement data (survey responses, commentary)

Learning data (assigned learning, completion status)

Time/attendance data (leave, timesheets, attendance records)

System metadata (user IDs, audit logs, access logs)

Sensitive information
Customer should avoid inputting sensitive information unless strictly necessary and lawful. If processed, Customer is responsible for appropriate notices/consents and lawful handling.

D. Purpose
To provide, maintain, and secure the Services under the Agreement.

E. Nature of processing
Collection, storage, organisation, retrieval, reporting, deletion, access control enforcement, and support actions.

F. Duration
For the term of the Agreement and any additional retention required by law or the Agreement.

ANNEX 2 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMS) — MINIMUM CONTROLS

Employield maintains and will continue to maintain (at minimum) the following measures, appropriate to the Services:

1. Access Control

Role-based access control and least-privilege principles

Segregation of admin and standard user permissions

Controlled access to production systems

2. Authentication & Credential Security

Secure authentication mechanisms

Password policy controls (minimum length and complexity)

Support for additional authentication controls where available

3. Encryption

Encryption in transit using TLS/SSL

Encryption at rest where supported by the hosting/infrastructure configuration

4. Logging & Monitoring

System logging for administrative actions and access events

Monitoring for suspicious or anomalous behaviour where practicable

5. Secure Development & Change Control

Patch management and dependency updates

Controlled deployment processes

Separation of development/testing and production environments where practicable

6. Backup, Recovery, and Availability

Regular backups appropriate to platform needs

Recovery processes designed to restore availability in a timely manner after incidents

7. Personnel and Operational Security

Confidentiality obligations for personnel

Access restricted to authorised personnel

Security awareness practices

8. Data Minimisation and Separation

Logical separation of Customer environments/data within the platform

Controls to prevent unauthorised cross-customer access

Employield may update and improve these measures over time, provided it does not materially reduce the overall level of protection.

ANNEX 3 — SUBPROCESSORS AND LOCATIONS

Employield’s current Subprocessors include:

DigitalOcean — Cloud hosting / infrastructure
Location: Sydney, Australia
Purpose: Hosting and storage of platform data and infrastructure operations.

Stripe — Payment processing
Location: May involve processing outside Australia depending on Stripe operations
Purpose: Processing subscription payments and related billing events.

Google Analytics — Website analytics
Location: May involve processing outside Australia depending on Google operations
Purpose: Website usage analytics (not required for core platform operation).

Subprocessor list URL (public): [Insert URL]

ANNEX 4 — SUBPROCESSOR NOTICE & OBJECTION PROCEDURE

Employield will provide at least 14 days’ prior notice of adding or replacing a Subprocessor that will process Customer Personal Information by: updating the public Subprocessor list; and emailing the Customer’s nominated account owner/admin email.

The Customer may object by emailing [email protected] within the notice period, setting out reasonable data protection grounds.

Employield will work in good faith to address the objection, which may include: providing additional information about the Subprocessor’s safeguards; offering an alternative where commercially and technically feasible; or confirming that the Subprocessor will not process the Customer’s Personal Information (where feasible).

If the objection cannot be resolved and the Subprocessor is necessary to provide a material part of the Services, the Customer may terminate the affected part of the Services (or the Agreement) in accordance with the Agreement.