Data Processing Agreement

Introduction and Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between Daring Flow ("Processor") and the customer entity identified in the associated account ("Controller"), and supplements the Terms of Service and Privacy Policy for the Ogadu service.

This DPA applies where the Controller uses Ogadu to process personal data of individuals (such as the Controller's own customers, employees, students, or other data subjects) and where such processing is subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or other applicable data protection legislation that requires a data processing agreement.

Definitions

In this DPA:

• "Controller" means the Ogadu customer who determines the purposes and means of processing personal data
• "Processor" means Daring Flow, operating the Ogadu service
• "Personal Data" has the meaning given in GDPR Article 4(1)
• "Processing" has the meaning given in GDPR Article 4(2)
• "Sub-processor" means a third party engaged by the Processor to process Personal Data on the Controller's behalf
• "Data Subject" means the individual to whom Personal Data relates
• "Services" means the Ogadu service as described in the Terms of Service
• "GDPR" means Regulation (EU) 2016/679
• "UK GDPR" means the retained EU law version of GDPR as applicable in the United Kingdom

Roles and Scope

3.1 The parties acknowledge that in relation to the processing of personal data of the Controller's end users and third parties within the Service:

• The Controller is the data controller
• Daring Flow is the data processor

3.2 In relation to Daring Flow's own users' account data and billing data (collected by Daring Flow for its own operational purposes), Daring Flow acts as a data controller in its own right, as described in the Privacy Policy.

3.3 This DPA applies to Personal Data that the Controller uploads, inputs, or generates within the Ogadu Service in connection with the Controller's own business operations.

Controller's Obligations

The Controller represents and warrants that:

• 4.1
  It has a lawful basis for processing the Personal Data it inputs into the Service, and for engaging Daring Flow as a processor
• 4.2
  It will provide appropriate privacy notices to its data subjects informing them that their data may be processed via Ogadu and Daring Flow
• 4.3
  It will comply with all applicable data protection laws in its use of the Service
• 4.4
  It will not input special categories of personal data (as defined in GDPR Article 9) into the Service without implementing appropriate safeguards and ensuring a lawful basis under Article 9 exists
• 4.5
  It will promptly inform Daring Flow of any Data Subject request received in relation to data processed through the Service

Processor's Obligations

Daring Flow agrees to:

• 5.1
  Process only on documented instructions: Process Personal Data only in accordance with the Controller's instructions, which are established by the Controller's use of the Service's features. These Terms and this DPA constitute the Controller's documented instructions. We will inform the Controller if we believe an instruction infringes applicable data protection law
• 5.2
  Confidentiality: Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations
• 5.3
  Security: Implement technical and organisational measures to protect Personal Data as described in Section 9 of this DPA and in the Privacy Policy
• 5.4
  Sub-processors: Only engage sub-processors as listed in Section 7, or with prior written notice to the Controller
• 5.5
  Data Subject rights: Assist the Controller in responding to Data Subject requests, to the extent technically feasible within the Service
• 5.6
  Data breach notification: Notify the Controller without undue delay (and within 72 hours where possible) upon becoming aware of a Personal Data breach affecting data processed under this DPA
• 5.7
  Data Protection Impact Assessments (DPIAs): Provide reasonable assistance to the Controller where a DPIA is required under GDPR Article 35
• 5.8
  Deletion on termination: Upon termination of the Services or at the Controller's written request, delete or return Personal Data and delete existing copies, unless retention is required by applicable law. Account and data deletion procedures are as described in the Privacy Policy
• 5.9
  Audit and compliance: Make available information reasonably necessary to demonstrate compliance with this DPA. We will accommodate reasonable audit requests subject to reasonable notice and at the Controller's cost

International Data Transfers

6.1 Personal Data processed under this DPA is stored primarily in the EU (AWS Frankfurt region).

6.2 Where Personal Data is transferred outside the EU/EEA (for example, through globally distributed infrastructure of AWS or Stripe), such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) and applicable transfer mechanisms maintained by those providers.

6.3 To the extent that Daring Flow transfers Personal Data from the EU/EEA to Australia, such transfer is subject to the EU Standard Contractual Clauses, which are hereby incorporated by reference into this DPA. The parties agree to execute any required SCC documentation upon request.

Sub-processors

The Controller grants general authorisation to Daring Flow to engage the following sub-processors:

• 7.1
  Daring Flow will notify the Controller of any intended changes to sub-processors by updating this DPA and providing 14 days' notice by email or in-Service notification
• 7.2
  The Controller may object to a new sub-processor on reasonable data protection grounds within 14 days of notice. If the parties cannot resolve the objection, the Controller may terminate the Service and receive a refund of unused purchased credits
• 7.3
  Daring Flow maintains data processing agreements with each sub-processor that impose obligations no less protective than those in this DPA

Data Subject Rights Assistance

8.1 Upon request and within 30 days, Daring Flow will provide reasonable assistance to help the Controller respond to Data Subject requests, including:

• Confirmation of what Personal Data is held relating to a specified Data Subject
• Export of Personal Data in a readable format where technically feasible
• Deletion of Personal Data beyond what the Controller can perform directly via the Service interface

8.2 The Controller acknowledges that many Data Subject rights (access, deletion, export) can be exercised directly by the user or by the Controller using the Service's built-in administrative features.

Security Measures

Daring Flow implements and maintains the following technical and organisational security measures:

Duration and Termination

10.1 This DPA is effective from the date the Controller first uses the Service and continues until the earlier of:

• Termination of the Controller's account
• Written termination by either party with 30 days' notice

10.2 Upon termination, Daring Flow will delete Personal Data in accordance with Section 5.8, subject to any legal retention obligations.

Governing Law

This DPA is governed by the laws of New South Wales, Australia, unless mandatory provisions of EU or UK data protection law require otherwise. The parties submit to the jurisdiction of the courts of New South Wales.

Order of Precedence

In the event of conflict between this DPA and the Terms of Service or Privacy Policy, this DPA shall prevail in respect of the processing of Personal Data subject to GDPR or UK GDPR.

Contact

For all DPA-related enquiries, to request a signed copy, or to exercise rights under this DPA: