Oncord Data Processing Addendum
This Data Processing Addendum ("Addendum") forms part of the Oncord Terms of Use ("Agreement") between:
Oncord Pty Ltd ("Oncord" or "Data Processor"), a company incorporated in Australia; and
The Subscriber, as defined in the Agreement ("Subscriber" or "Data Controller").
This Addendum applies to the processing of Personal Data by Oncord on behalf of the Subscriber pursuant to the Agreement.
Oncord’s contact information is as follows:
Oncord Pty Ltd ACN 116 347 909
Scott McNaught, Director
c/o Dundas Lawyers, Level 13, Icon Place, 270 Adelaide Street, Brisbane, QLD 4000
Telephone: 1300 787 970 | Email: service@oncord.com
1. Definitions
1.1 In this Addendum, the following terms have the meanings set out below:
(a) "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Personal Data under this Addendum, including but not limited to the GDPR, UK GDPR, and Australian Privacy Principles.
(b) "Controller" means the natural or legal person which determines the purposes and means of processing Personal Data.
(c) "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
(d) "GDPR" means the EU General Data Protection Regulation 2016/679.
(e) "Personal Data" means any information relating to a Data Subject.
(f) "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
(g) "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
(h) "Sub-processor" means any Processor engaged by Oncord to process Personal Data on behalf of the Subscriber.
2. Processing of Personal Data
2.1 The parties acknowledge that:
- Subscriber is the Controller of Personal Data processed under this Addendum
- Oncord is the Processor acting on Subscriber's behalf
- The processing will be carried out in accordance with Subscriber's documented instructions and this Addendum
2.2 Oncord will process Personal Data only:
- For the purposes of providing the Services under the Agreement
- In accordance with Subscriber's documented instructions
- As required by applicable laws
2.3 If Oncord believes any instruction infringes Applicable Data Protection Law, it will promptly inform Subscriber.
3. Security and Confidentiality
3.1 Oncord will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems
- Regular testing and evaluation of security measures
- Access controls and authentication requirements
- Personnel security and training
3.2 Oncord will ensure that persons authorized to process Personal Data:
- Have committed to confidentiality obligations
- Have received appropriate data protection training
- Process Personal Data only as instructed by Subscriber
4. Sub-processing
4.1 Subscriber authorizes Oncord to engage Sub-processors provided that Oncord:
- Maintains an up-to-date list of Sub-processors on its website
- Gives Subscriber at least 30 days' prior notice of any changes to Sub-processors
- Imposes data protection obligations on Sub-processors that are no less onerous than those in this Addendum
- Remains liable for any breach of this Addendum caused by its Sub-processors
4.2 If Subscriber objects to a new Sub-processor within 14 days of notification, the parties will discuss the objection in good faith. If no resolution is reached, either party may terminate the Agreement on 30 days' written notice.
5. Data Subject Rights
5.1 Oncord will assist Subscriber in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law by:
- Providing appropriate technical and organizational measures
- Forwarding any requests received directly from Data Subjects
- Providing relevant information to help Subscriber respond to requests
5.2 Oncord will not respond directly to Data Subject requests without Subscriber's prior authorization.
6. Security Incidents
6.1 In the event of a Security Incident, Oncord will:
- Notify Subscriber without undue delay
- Provide reasonable information about the incident
- Take steps to mitigate any harmful effects
- Cooperate with Subscriber's reasonable investigations
- Assist Subscriber in meeting any notification obligations
7. International Transfers
7.1 Oncord will not transfer Personal Data outside the country in which the Subscriber is located unless:
- The transfer is to a country deemed to provide adequate protection
- Appropriate safeguards are in place (such as Standard Contractual Clauses)
- The transfer is necessary for the performance of the Agreement
7.2 Where Standard Contractual Clauses apply, they are deemed incorporated into this Addendum.
8. Audits
8.1 Oncord will:
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by Subscriber or its auditor
- Provide ISO 27001 certification reports upon request
8.2 Audits will be:
- Conducted during regular business hours
- Subject to reasonable notice (minimum 30 days)
- Conducted no more than once per year unless required by law
- At Subscriber's expense unless non-compliance is found
9. Return or Deletion of Data
9.1 Upon termination of the Agreement, Oncord will:
- Return or delete all Personal Data as instructed by Subscriber
- Retain copies only as required by applicable law
- Ensure any retained data remains protected under this Addendum
10. General Provisions
10.1 This Addendum will remain in effect until termination of the Agreement.
10.2 Changes required by Applicable Data Protection Law will be negotiated in good faith.
10.3 If any provision is invalid or unenforceable, the remaining provisions remain in effect.
10.4 This Addendum is governed by the same law and jurisdiction as the Agreement.
Annex A: Details of Processing
Categories of Data Subjects:
- Subscribers
- Employees
- Suppliers
- Other business contacts
Types of Personal Data:
- Contact information
- Account details
- Transaction data
- Usage data
- Other data provided by Subscriber
Processing Operations:
- Storage
- Organization
- Analysis
- Transmission
- Deletion
Duration: For the term of the Agreement plus any additional period required by law or as agreed between the parties.