This Data Processing Schedule (this “DPS”) is between Vision6 (as defined below), and the customer agreeing to the Vision6 Terms & Conditions (the “Agreement”) (such customer, the “Customer”). This DPS supplements and forms part of the Agreement. This DPS governs the terms under which Vision6 will Process Customer Personal Data on behalf of any Customer that is located in the European Economic Area (“EEA”) or the United Kingdom (“UK”). In the event of any conflict or discrepancy between the Agreement and this DPS, this DPS shall prevail. In the event of any conflict or discrepancy between this DPS and the Standard Contractual Clauses, as applicable, the Standard Contractual Clauses shall prevail.
The parties to this DPS hereby agree to be bound by this DPS, as applicable, with effect from the date Customer accepted the Agreement (the “Effective Date”). Vision6 may amend this DPS from time to time due to changes in Data Protection Laws or as otherwise determined by Vision6 in its commercially reasonable discretion. Any amendment will only become effective upon notification to Customer (by email or by posting on Vision6’s website) and, if Customer does not agree to any such amendment, it should stop using the Services and contact Vision6 to cancel Customer’s account.
Under the Agreement, Customer has engaged Vision6 to provide Services to Customer. As a result of its provision the Services to Customer, Vision6 will store and process certain Personal Data of Customer as described below:
1. Definitions. For purposes of this DPS, the following capitalised terms shall have the meanings indicated below. Whenever the words “include”, “includes” or “including” are used in this DPS, they shall be deemed to be followed by the words “without limitation”. If a term is capitalised in this DPS but not defined, it has the meaning given to it in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Vision6” means Vision6 Pty Ltd ABN 23 099 766 499.
“Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means Personal Data provided by Customer to Vision6 for Processing on behalf of Customer pursuant to the Terms and Conditions.
“Data Protection Laws” means, with respect to a party, all laws and regulations of the EEA and UK that apply to such party’s performance of obligations and exercise of rights under this DPS, including the Regulation (EU) 2016/679 of 27 April 2016 and General Data Protection Regulation (the “GDPR”).
“Data Subject” means the identified or identifiable person to whom Personal Data relates
“Personal Data” means any information relating to a Data Subject.
“Process”, “Processed” or “Processing” means any operation or set of operations that is or are performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body that Processes Customer Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and implemented by the European Commission decision 2021/914, dated 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means any Processor engaged by Vision6 or its Affiliates in connection with provision of the Services.
2. Processing of Personal Data
a) Roles of the Parties. The parties acknowledge and agree that with regard to Processing of Personal Data, Customer is either a Controller or a Processor and that Vision6 is a Processor.
b) Customer Obligations. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including that it shall have (i) obtained any necessary consents or provided any necessary notices, including notices to Data Subjects of the use of Vision6 as Processor (including where Customer is a Processor, by ensuring that the ultimate Controller does so), and (ii) a legitimate ground to disclose Customer Personal Data to Vision6 and enable the Processing of Customer Personal Data by Vision6 as set out in this DPS and as contemplated by the Agreement. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data. Customer acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from marketing or other disclosures of Personal Data, to the extent applicable under Data Protection Laws.
c) Vision6’s Processing of Personal Data. Vision6 shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes:
(i) Processing in accordance with the Agreement;
(ii) Processing initiated by individuals in their use of the Services (including any configuration of or use of any settings, features, or options in the Services by any individual acting on behalf of Customer); and
(iii) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with this DPS and the Agreement.
If Vision6 becomes aware that any instruction by Customer violates Data Protection Laws, Vision6 agrees to inform Customer of its inability to comply as soon as reasonably practicable at the email address provided by Customer to Vision6. Vision6 shall not be liable for any claim brought by Customer or a Data Subject arising from any action or omission by Vision6 to the extent that such action or omission resulted from Customer’s instructions or breach of this DPS.
d) Details of Processing. The subject matter of the Processing of Personal Data under this DPS is the provision of Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the categories of Data Subjects and the types of Personal Data Processed pursuant to this DPS are set forth in Annex I attached hereto.
3. Vision6 Personnel. Vision6 shall ensure that its personnel who are authorised to Process Customer Personal Data have received appropriate training on their responsibilities and are subject to confidentiality obligations.
4. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vision6 shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5. Personal Data Breach. Vision6 shall notify Customer without undue delay upon Vision6 becoming aware of a breach of Customer Personal Data, providing Customer with sufficient information to allow each Customer to meet any obligations to report or inform Data Subjects of the breach of Personal Data under the Data Protection Laws.
6. Data Subject Rights. Upon receipt by Vision6 of a written request from a Data Subject seeking to exercise their rights under Data Protection Laws related to Customer Personal Data, Customer authorises Vision6 to direct such Data Subject to Customer. Taking into account the nature of the Processing, Vision6 shall, at Customer’s expense, assist Customer by appropriate technical and organisational measures, for the fulfilment of Customer’s obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Laws (including, as applicable, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing). Vision6 shall carry out a request from Customer to amend or correct any of Customer Personal Data to the extent necessary to allow Customer to comply with its responsibilities under Data Protection Laws. Vision6 shall carry out a request from Customer to block, transfer or delete any of Customer Personal Data to the extent necessary to allow Customer to comply with its responsibilities as a Controller, in each case unless otherwise permitted or required by Data Protection Laws.
7. Cooperation. Taking into account the nature of the Processing under the Agreement and the information available to Vision6, Vision6 shall, insofar as commercially practicable and at Customer’s expense, assist Customer in carrying out its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
8. Return and Deletion of Customer Personal Data. Upon termination of the Processing of Customer Personal Data by Vision6 and at the written request of Customer, Vision6 shall either (i) delete all Customer Personal Data, or (ii) return all Customer Personal Data to Customer and delete existing copies, in each case unless otherwise permitted or required by Data Protection Laws.
9. Audits. Customer may request that Vision6 provide a certification or summary of an audit report that demonstrates compliance with its obligations under this DPS or Data Protection Laws. If such information is not reasonably sufficient to prove Vision6’s compliance with Data Protection Laws, Vision6 shall, subject to reasonable advance notice and during normal business hours, permit Customer or an independent third party authorised by Customer and that is not a competitor of Vision6, to carry out the audits and inspections of the processing of Customer Personal Data by Vision6. Vision6 may require the third to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. Vision6 shall not be responsible for any costs or expenses relating in connection with any audit or inspection contemplated by this Section 9. The auditing party shall bear its own costs in relation to such an audit. The obligations set forth in this Section 9 shall only apply to Vision6 to the extent required by Data Protection Laws.
10. International Data Transfers.
a) It is acknowledged and agreed by Customer that Vision6, in providing the Services under the Agreement, transfers Customer Personal Data to its servers in Australia and anywhere else in the world where Vision6, its Affiliates and its Sub-processors maintain data processing operations.
b) Standard Contractual Clauses.
(i) The parties acknowledge and agree that all transfers of Customer Personal Data will be under the Standard Contractual Clauses and the relevant UK Addendum to the clauses. If Customer acts as a Controller, then Module 2 of the Standard Contractual Clauses shall apply. If Customer acts as a Processor for Customer Personal Data, then Module 3 of the Standard Contractual Clauses shall apply. The following terms in this Section shall apply to the Standard Contractual Clauses:
Annexes I, II and III to this DPS shall be deemed automatically incorporated into Annexes I, II and III of the Standard Contractual Clauses;
Section 1, Clause 7 of the Standard Contractual Clauses is intentionally omitted;
For the purposes of Section 2, Clauses 8.9(c) and (d) of the Standard Contractual Clauses, audits will be performed in accordance with Section 9 of this DPS;
For the purposes of Section 2, Clause 9 of the Standard Contractual Clauses, Customer consents to Vision6 appointing Sub-processors in accordance with Section 12 of this DPS;
For the purposes of Section 2, Clause 17, the governing law shall be the laws of the Republic of Ireland; and
For purposes of Section 2, Clause 18, the courts shall be the courts of the Republic of Ireland.
(ii) With respect to transfers to which the UK Data Protection Laws apply, the Standard Contractual Clauses shall apply and shall be deemed amended as specified by the UK Addendum attached hereto as Annex IV.
(iii) For data transfers governed by Swiss data protection laws, general and specific references in the Standard Contractual Clauses to “GDPR” or “EU” or “Member State Law” shall have the same meaning as the equivalent reference in Swiss data protection laws.
11. Indemnification. Customer agrees that it will indemnify and hold harmless Vision6 and its Affiliates on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Vision6 arising directly or indirectly from a breach of this DPS or any Data Protection Laws.
12. Sub-Processing
a) Customer acknowledges and agrees that Vision6 may retain an Affiliate or third party subcontractor as Sub-processors. Vision6 has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in this DPS with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-processor.
b) Vision6 uses the following Sub-processors to process Customer Personal Data:
i. Google Analytics;
ii. Amazon;
iii. Eventbrite;
iv. Facebook;
v. FullStory;
vi. LeadsRx;
vii. Microsoft;
viii. Mixpanel;
ix. Sinch;
x. Slack;
xi. Stripe;
xii. Unlayer;
xiii. Userback;
xiv. Vitally;
xv. Xero; and
xvi. Zendesk.
13. Termination. Termination of this DPS shall be governed by the Agreement, mutatis mutandis.
14. Law and Jurisdiction. This DPS and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of Queensland and each party hereby submits to the jurisdiction of the federal or state courts located in Queensland.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The data exporter is Customer. Customer acts as a Controller or Processor.
Data importer(s): The data importer is Vision6, which acts as a Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer Personal Data transferred concerns Customer’s customers, contacts, prospective customers, and website visitors.
Categories of personal data transferred: As applicable, name, contact information (e.g., email address, phone number, physical address), geographical data, device identification data, information from connected accounts authorised by Customer, and other Customer Personal Data processed pursuant to the Agreement. Depending on how Customer uses the Services, the following information could be inferred from Customer’s usage: business network and experience, educational data, financial data, and interests.
Sensitive data transferred (if applicable): The parties do not anticipate special categories of data being processed. Depending on how Customer uses the Services, some sensitive data may be inferred from Customer’s Usage.
The frequency of the transfer: Personal Data will be transferred on a continuous basis.
Nature of the processing: Customer determines the types of data they submit to Vision6 to process on their behalf in the course of using the Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing: Personal Data shall be processed to provide the Services to Customer.
The period for which the personal data will be retained: Data Processing will be for the term of the Agreement and for a reasonable period of time after the termination of the Agreement.
For transfers to (sub-) processors: Vision6 may engage Sub-processors to provide parts of the Services in compliance with the parties’ agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical organisational measures applicable to the Services being provided by Vision6 to Customer can be found at https://www.vision6.com.au/compliance-hub/data-security/.
ANNEX III
LIST OF SUB-PROCESSORS
See Section 12(b) of the Data Processing Schedule, which are applicable to the Services being provided to Customer.
ANNEX IV
UK ADDENDUM
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
For purposes of this UK Addendum, capitalised terms used but not defined herein shall have the meaning set forth in either the DPS or the UK Data Protection Act 2018, as applicable.
This UK Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| Start date | Effective Date as defined in the attached DPS. |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Parties’ details | Full legal name: Customer Trading name (if different): N/A Main address (if a company registered address): As designated in Customer’s account Official registration number (if any) (company number or similar identifier): N/A |
Full legal name: See definition of Vision6 in DPS; Trading name (if different): N/A Main address: TRANSPORT HOUSE, LEVEL 6 230 BRUNSWICK STREET FORTITUDE VALLEY, QUEENSLAND, 4006 AUSTRALIA ABN: 23 099 766 499 |
| Key Contact | Full Name (optional): Customer Job Title: N/A Contact details including email: As designated in Customer’s account |
Full Name (optional): Job Title: Vice President, Asia Pacific Contact details including email: contact_us@vision6.com.au |
| Signature (if required for the purposes of Section 2) | Exporter is deemed to have signed this UK Addendum as of Effective Date as defined in the DPS. | Importer is deemed to have signed this UK Addendum as of the Effective Date as defined in the DPS. |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | ☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: Effective Date as defined in the DPS |
Table 3: Appendix Information
| Annex 1A: List of Parties: See Table 1 of this UK Addendum |
| Annex 1B: Description of Transfer: See Annex IB of the Standard Contractual Clauses |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Annex II of the Standard Contractual Clauses |
| Annex III: List of Sub processors (Modules 2 only): See Section 12(b) of the DPS |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☐ Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Last updated: 25 February 2025
