Data Processing Agreement (DPA)

Effective Date: February 25, 2026
Version: 1.1
Document ID: data-processing-agreement-v1.1

This Data Processing Agreement ("DPA") is an addendum to the Smartta AI Master Platform Agreement ("Agreement") between Smartplace Pty Ltd (ACN 639 781 678), trading as Smartta AI ("Smartta AI"), and the Customer.

1. Definitions

"Data Protection Laws" means:

(a) for Customers located in Australia: the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs");

(b) for Customers located in the European Economic Area or United Kingdom: the General Data Protection Regulation (EU 2016/679) ("GDPR") and the UK Data Protection Act 2018; and

(c) any other applicable data protection and privacy legislation in the jurisdiction in which the Customer operates.

"Personal Data" means information that identifies, or could reasonably identify, a natural person. Where the GDPR applies, this term has the meaning given to "personal data" in Article 4(1) of the GDPR. Where the Privacy Act applies, this term has the meaning given to "personal information" in section 6(1) of the Privacy Act.

"Data Breach" means any unauthorised access to, disclosure of, or loss of Personal Data. Where the Privacy Act applies, this includes an "eligible data breach" as defined in Part IIIC of the Privacy Act. Where the GDPR applies, this includes a "personal data breach" as defined in Article 4(12) of the GDPR.

Terms such as "Processing," "Controller," and "Processor" have the meanings ascribed to them in the GDPR. For Australian Customers, references to "Controller" mean the APP Entity that determines the purposes and means of processing, and references to "Processor" mean the APP Entity that processes Personal Data on behalf of the Controller.

2. Roles of the Parties

The parties acknowledge that for the provision of the Native Services, the Customer is the Data Controller and Smartta AI is the Data Processor. Smartta AI will process Personal Data only on behalf of and in accordance with the Customer's documented instructions.

3. Details of Processing

Subject Matter: The provision of the Services as described in the Agreement.

Duration: For the Subscription Term of the Agreement.

Nature and Purpose: To provide workforce management, time and attendance, compliance, and integration services, including data storage, transmission, and processing as initiated by the Customer.

Types of Personal Data: Names, email addresses, contact details, employment information, timesheet and attendance records, credential and qualification records, biometric data (where NoahFace facial recognition is enabled), and any other Personal Data the Customer elects to process via the Services.

Categories of Data Subjects: Employees, contractors, and End Customers of the Customer.

4. Data Location and Storage

Primary Location: All Customer Data is stored and processed in Australia, in the Amazon Web Services (AWS) ap-southeast-2 (Sydney) region.

Cross-Border Transfers: Smartta AI will not transfer Personal Data outside Australia without the Customer's prior written consent, except where required to provide the Services via sub-processors listed at the Sub-processor Page. Where Personal Data is transferred to a sub-processor outside Australia, Smartta AI will ensure appropriate safeguards are in place, including:

(a) for transfers subject to the Privacy Act: compliance with APP 8 (cross-border disclosure of personal information); and

(b) for transfers subject to the GDPR: Standard Contractual Clauses (SCCs) or an adequacy decision under Article 45 of the GDPR.

5. Obligations of Smartta AI

Smartta AI agrees to:

(a) Implement and maintain appropriate technical and organisational measures to protect Personal Data, including:

  • TLS 1.2+ encryption for all data in transit;
  • AES-256 encryption at rest (AWS managed);
  • Role-based access control and tenant-level data isolation;
  • Daily automated backups stored in AWS S3; and
  • Automated dependency scanning (GitHub Dependabot).

A summary of current security measures is maintained at the Security & Compliance Overview.

(b) Ensure that personnel authorised to process Personal Data are subject to confidentiality obligations.

(c) Provide reasonable assistance to the Customer in responding to Data Subject access, correction, and deletion requests. For Australian Customers, this includes requests under APPs 12 and 13.

(d) Notify the Customer without undue delay and in any event within 72 hours of becoming aware of a confirmed Data Breach. The notification will include, to the extent known: the nature and scope of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

(e) Where the Privacy Act applies and the breach is an eligible data breach, assist the Customer in complying with the notification obligations under Part IIIC of the Privacy Act (Notifiable Data Breaches scheme).

(f) Upon termination of the Agreement, provide the Customer with a 30-day period to export Customer Data. After the 30-day export period, Smartta AI will delete all Customer Data from production systems within 30 days, except where retention is required by law.

6. Sub-processors

Smartta AI is authorised to engage the sub-processors listed at the Sub-processor Page. Before engaging a new sub-processor, Smartta AI will update the sub-processor list and notify the Customer by email at least 14 days before the new sub-processor begins processing Personal Data.

If the Customer has a reasonable objection to a new sub-processor, the Customer must notify Smartta AI in writing within 14 days of receipt of notice. The parties will discuss the objection in good faith. If the objection cannot be resolved, the Customer may terminate the affected Service without penalty by giving 30 days' written notice.

Smartta AI will impose data protection obligations on each sub-processor that are no less protective than those in this DPA.

7. Smartta AI as a Data Controller

The parties acknowledge that for the specific processing activities of creating Aggregated Statistics (where not opted-out) and for AI/ML Model Training (where opted-in) as described in Annexure B (Data Usage Framework) of the Agreement, Smartta AI acts as an independent Data Controller. For such processing, Smartta AI is solely responsible for establishing a legal basis and complying with all obligations of a Data Controller under applicable Data Protection Laws.

8. Audit Rights

Upon reasonable written request (no more than once per 12-month period), and subject to reasonable confidentiality obligations, Smartta AI will make available to the Customer information necessary to demonstrate compliance with this DPA. This may be satisfied by:

(a) providing a copy of any relevant third-party audit report or certification (e.g. SOC 2 Type II, when available); or

(b) responding to a written questionnaire provided by the Customer.

If the Customer requires an on-site audit beyond the above, such audit will be at the Customer's expense, conducted during business hours, and subject to a mutually agreed scope and schedule.

9. Biometric Data (NoahFace)

Where the Customer enables NoahFace facial recognition as part of the Services, the following additional terms apply:

(a) Biometric data (facial recognition templates) is classified as sensitive information under the Privacy Act and as special category data under the GDPR.

(b) The Customer is responsible for obtaining all required consents from Data Subjects before enabling biometric data collection, including any consents required under applicable state or territory biometric information privacy legislation.

(c) Biometric data is processed by NoahFace Pty Ltd as a Resold Service. Data processing terms for NoahFace are governed by the Resold Service Addendum and NoahFace's Terms of Use.

(d) Upon termination, biometric data will be deleted in accordance with Section 5(f) of this DPA and the NoahFace data deletion obligations.

10. GDPR-Specific Provisions

The following provisions apply only where the GDPR governs the processing of Personal Data:

(a) Data Protection Impact Assessments. Smartta AI will provide reasonable assistance to the Customer in conducting data protection impact assessments (DPIAs) where required under Article 35 of the GDPR.

(b) Standard Contractual Clauses. Where Personal Data is transferred from the EEA or UK to Australia, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller to Processor) apply, supplemented by any additional safeguards required by applicable law.

(c) Data Protection Officer. Enquiries regarding GDPR compliance may be directed to privacy@smartplace.ai.

11. Australian Privacy Act Provisions

The following provisions apply only where the Privacy Act 1988 (Cth) governs the processing of Personal Data:

(a) Smartta AI will not do any act or engage in any practice that would breach an Australian Privacy Principle if done or engaged in by the Customer.

(b) Smartta AI will take reasonable steps to ensure that any overseas recipient of Personal Data (via sub-processors) does not breach the APPs in relation to that information, in accordance with APP 8.1.

(c) Smartta AI will assist the Customer in complying with its obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), including the assessment of whether a data breach is an "eligible data breach" that requires notification to the Office of the Australian Information Commissioner (OAIC).

Smartplace Pty Ltd (ACN 639 781 678), trading as Smartta AI
C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia
Document valid from February 25, 2026