Oncord Data Processing Addendum

This Data Processing Addendum (Addendum) forms part of the Oncord Terms of Use (Agreement) between:

Oncord Pty Ltd ACN 116 347 909 incorporated under the laws of Australia (Oncord, Company, Data Processor, Our, Us and other similar terms);

The Subscriber (Subscriber or Data Controller), as defined in the Agreement.

This Addendum applies to the processing of Personal Data by Oncord as the Data Processor on behalf of the Subscriber and Data Controller.

Oncord’s contact information is as follows:

Oncord Pty Ltd ACN 116 347 909
Scott McNaught, Director
c/o Dundas Lawyers, Level 13, Icon Place, 270 Adelaide Street, Brisbane, QLD 4000
Telephone: 1300 787 970 | Email: service@oncord.com

1. Definitions and interpretation

Capitalised terms and expressions used in this Addendum mean:

  1. Addendum means this Data Processing Addendum and all Schedules.
  2. Company Personal Data means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement.
  3. Contracted Processor means a Sub-processor.
  4. Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
  5. Data Transfer means:
    1. a transfer of Company Personal Data from the Company to a Contracted Processor; or
    2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two (2) establishments of a Contracted Processor,
    in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
  6. EEA means the European Economic Area.
  7. EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
  8. GDPR means EU General Data Protection Regulation 2016/679.
  9. Services means the Subscriber's use of the Platform provided by Oncord pursuant to the Terms of Service.
  10. Sub-processor means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

The terms, Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority have the same meaning as in the GDPR, and their cognate terms will be construed accordingly.

2. Processing of Personal Data

2.1 The parties acknowledge that:

  • Subscriber is the Controller of Personal Data processed under this Addendum
  • Oncord is the Processor acting on Subscriber's behalf
  • The processing will be carried out in accordance with Subscriber's documented instructions and this Addendum

2.2 Oncord will process Personal Data only:

  • For the purposes of providing the Services under the Agreement
  • In accordance with Subscriber's documented instructions
  • As required by applicable laws

2.3 If Oncord believes any instruction infringes Applicable Data Protection Law, it will promptly inform Subscriber.

3. Security and Confidentiality

3.1 Oncord will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest;
  • Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems;
  • Regular testing and evaluation of security measures;
  • Access controls and authentication requirements;
  • Personnel security and training

3.2 Oncord will ensure that persons authorized to process Personal Data:

  • Have committed to confidentiality obligations;
  • Have received appropriate data protection training;
  • Process Personal Data only as instructed by Subscriber

4. Sub-processing

4.1 Subscriber authorizes Oncord to engage Sub-processors provided that Oncord:

  • Maintains an up-to-date list of Sub-processors on its website
  • Gives Subscriber at least 30 days' prior notice of any changes to Sub-processors
  • Imposes data protection obligations on Sub-processors that are no less onerous than those in this Addendum
  • Remains liable for any breach of this Addendum caused by its Sub-processors

4.2 If Subscriber objects to a new Sub-processor within 14 days of notification, the parties will discuss the objection in good faith. If no resolution is reached, either party may terminate the Agreement on 30 days' written notice.

5. Data Subject Rights

5.1 Oncord will assist Subscriber in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law by:

  • Providing appropriate technical and organizational measures
  • Forwarding any requests received directly from Data Subjects
  • Providing relevant information to help Subscriber respond to requests

5.2 Oncord will not respond directly to Data Subject requests without Subscriber's prior authorization.

6. Security Incidents

In the event of a Security Incident, Oncord will:

  • Notify Subscriber without undue delay;
  • Provide reasonable information about the incident;
  • Take steps to mitigate any harmful effects;
  • Cooperate with Subscriber's reasonable investigations;
  • Assist Subscriber in meeting any notification obligations.

7. International Transfers

7.1 Oncord will not transfer Personal Data outside the country in which the Subscriber is located unless:

  • The transfer is to a country deemed to provide adequate protection
  • Appropriate safeguards are in place (such as Standard Contractual Clauses)
  • The transfer is necessary for the performance of the Agreement

7.2 Where Standard Contractual Clauses apply, they are deemed incorporated into this Addendum.

8. Audits

8.1 Oncord will:

  • Make available information necessary to demonstrate compliance;
  • Allow for and contribute to audits conducted by Subscriber or its auditor;
  • Provide ISO 27001 certification reports upon request

8.2 Audits will be:

  • Conducted during regular business hours;
  • Subject to reasonable notice (minimum 30 days);
  • Conducted no more than once per year unless required by law;
  • At Subscriber's expense unless non-compliance is found

9. Return or Deletion of Data

9.1 Upon termination of the Agreement, Oncord will:

  • Return or delete all Personal Data as instructed by Subscriber
  • Retain copies only as required by applicable law
  • Ensure any retained data remains protected under this Addendum

10. General Provisions

10.1 This Addendum will remain in effect until termination of the Agreement.

10.2 Changes required by Applicable Data Protection Law will be negotiated in good faith.

10.3 If any provision is invalid or unenforceable, the remaining provisions remain in effect.

10.4 This Addendum is governed by the same law and jurisdiction as the Agreement.

Annexure A: Details of Processing

Categories of Data Subjects:

  • Subscribers
  • Employees
  • Suppliers
  • Other business contacts

Types of Personal Data:

  • Contact information
  • Account details
  • Transaction data
  • Usage data
  • Other data provided by Subscriber

Processing Operations:

  • Storage
  • Organization
  • Analysis
  • Transmission
  • Deletion

Duration: For the term of the Agreement plus any additional period required by law or as agreed between the parties.

Annexure B: Security Measures

  1. The data processor will establish a procedure for allowing access to personal data and restricting such access. The data processor will ensure that access to personal data is strictly limited to those individuals who "need to know" or need to access the personal data and as strictly necessary for the purpose of providing the service and will keep a record of the persons authorized to access the personal data subject of the agreement.
  2. The data processor will take all steps reasonably necessary to ensure the reliability of the individuals who may have access to personal data and will ensure that each such individual:
    (i) is informed of the confidential nature of the personal data;
    (ii) has received appropriate training on their responsibilities; and
    (iii) is subject to written confidentiality undertakings and written security protocols.
  3. The data processor will implement physical measures to ensure that access to the personal data is granted only to authorized users.
  4. The data processor will maintain and implement sufficient and appropriate (based on the type of personal data and its sensitivity) environmental, physical, and logical security measures with respect to the personal data and to the data processor’s system infrastructure, data processing system, communication means, terminals, system architecture, hardware, and software, in order to prevent penetration and unauthorized access to data controller’s personal data or to data controller’s systems or communication lines between data processor and data controller.
  5. The data processor will list all components (infrastructure and software) used to process the personal data subject to this agreement, including computer systems, communication equipment, and software. The data processor will use such a list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
  6. The data processor will act in accordance with an appropriate written information security policy and working procedures that comply with the security requirements under this annex and data protection legislation, including with respect to backup and recovery procedures. The data processor will review its security policies and operating procedures periodically.
  7. The data processor will implement an automatic control mechanism for verifying access to systems containing personal data, which will include, among others, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access, and if access was granted or denied. The data processor will periodically monitor the information from the control mechanism, and list issues and irregularities and the measures taken to handle them.
  8. The data processor will perform security risk assessments of critical systems containing personal data, at least once every 12 months.
  9. The data processor will not disclose personal data through a public communications network or via the internet, without using industry-standard encryption methods.