Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the Terms of Service or other written or electronic agreement (the Agreement) between Cerberius Pty Ltd, an Australian company with ABN 57686421152 (Cerberius, Processor) and the customer entity that has subscribed to Cerberius’s services (Customer, Controller).
This DPA applies where and to the extent that Cerberius processes Personal Data on behalf of the Customer as a Processor in the course of providing the Services under the Agreement. This DPA shall be effective for the term of the Agreement.
1. Definitions
For the purposes of this DPA:
- Applicable Data Protection Law means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to:
  - the General Data Protection Regulation (EU) 2016/679 (GDPR);
  - the UK General Data Protection Regulation, as tailored by the Data Protection Act 2018 (UK GDPR);
  - the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
  - the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); and
  - any other applicable national, state, or international data protection laws or regulations relevant to the Customer or the Data Subjects whose data is being processed.
- Controller has the meaning given to it in Applicable Data Protection Law, or if not defined, means the entity that determines the purposes and means of the processing of Personal Data (in this DPA, typically the Customer).
- Data Subject has the meaning given to it in Applicable Data Protection Law, or if not defined, means an identified or identifiable natural person.
- EEA means the European Economic Area.
- Personal Data has the meaning given to it in Applicable Data Protection Law, or if not defined, means any information relating to a Data Subject that is processed by Cerberius on behalf of the Customer under the Agreement.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Processing (and Process, Processes, Processed) has the meaning given to it in Applicable Data Protection Law, or if not defined, means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- Processor has the meaning given to it in Applicable Data Protection Law, or if not defined, means the entity that Processes Personal Data on behalf of the Controller (in this DPA, typically Cerberius).
- Services means the services provided by Cerberius to the Customer under the Agreement.
- Standard Contractual Clauses or SCCs means, as applicable for the relevant transfer:
  - (i) for transfers subject to the GDPR: the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); and/or
  - (ii) for transfers subject to the UK GDPR: the International Data Transfer Agreement ("UK IDTA") or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum") issued by the UK Information Commissioner’s Office, as applicable.
- Sub-processor means any third party engaged by Cerberius to Process Personal Data on behalf of the Customer.
- Switzerland means the Swiss Confederation.
- UK means the United Kingdom.
Other capitalized terms not defined herein shall have the meaning set forth in the Agreement.
2. Roles and Scope of Processing
- 2.1. Roles of the Parties: The Customer is the Controller of Personal Data, and Cerberius is the Processor of Personal Data.
- 2.2. Customer’s Instructions: Cerberius shall only Process Personal Data on behalf of and in accordance with the Customer’s documented lawful instructions, including as set out in the Agreement, this DPA, and as necessary to provide the Services. The Customer's instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- 2.3. Details of Processing: The subject-matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 (Details of Processing) to this DPA.
- 2.4. Cerberius as Controller: Cerberius may process certain data as a Controller for its own legitimate business operations, such as billing, account management, service improvement (using aggregated/anonymized data), and legal compliance, as described in Cerberius’s Privacy Policy. This DPA does not apply to such processing.
3. Confidentiality
Cerberius shall ensure that its personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security Measures
Cerberius shall implement and maintain appropriate technical and organizational measures designed to protect the Personal Data against Personal Data Breaches and to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures are further described in Annex 2 (Security Measures) to this DPA.
5. Sub-processing
- 5.1. Authorized Sub-processors: Customer provides a general authorization to Cerberius to engage Sub-processors to Process Personal Data in connection with the provision of the Services. A list of current Sub-processors is available at [Link to Your Sub-processor List Page, e.g., cerberius.com/subprocessors] ("Sub-processor List"). Cerberius shall keep this list updated.
- 5.2. New Sub-processors: Cerberius shall provide Customer with at least [e.g., 15-30] days' prior written notice of any intended new Sub-processor (e.g., via email or by updating the Sub-processor List). Customer may object to the appointment of a new Sub-processor within [e.g., 10-15] days after being notified, provided such objection is based on reasonable data protection grounds. If Customer objects, Cerberius will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Cerberius is unable to make available such change within a reasonable period of time, either party may terminate the applicable portion of the Services which cannot be provided by Cerberius without the use of the objected-to new Sub-processor.
- 5.3. Sub-processor Obligations: Cerberius shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA. Cerberius shall remain liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors.
6. Data Subject Rights
Taking into account the nature of the Processing, Cerberius shall provide reasonable assistance to the Customer, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (such as rights of access, rectification, erasure, restriction, portability, and objection). Customer is primarily responsible for responding to Data Subject requests. If Cerberius receives a request directly from a Data Subject, Cerberius will, where appropriate, direct the Data Subject to make their request to the Customer.
7. Personal Data Breach Notification
Cerberius shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer. Such notification shall, at a minimum: (a) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the Personal Data Breach; and (d) describe the measures taken or proposed to be taken by Cerberius to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.
8. Data Protection Impact Assessments and Prior Consultation
Taking into account the nature of Processing and the information available to Cerberius, Cerberius shall provide reasonable assistance to the Customer in ensuring compliance with its obligations under Applicable Data Protection Law in relation to data protection impact assessments and prior consultation with supervisory authorities, where such assistance is necessary and relates to the Processing of Personal Data by Cerberius.
9. International Data Transfers
- 9.1. General: Cerberius is headquartered in Australia. Personal Data Processed by Cerberius may be transferred to, stored, and processed in Australia and other countries where Cerberius or its Sub-processors operate. Customer acknowledges that such transfers may occur as necessary for Cerberius to provide the Services.
- 9.2. Transfers from the EEA, UK, and Switzerland to Cerberius in Australia (or other non-adequate third countries):
  - To the extent that the Processing of Personal Data by Cerberius involves a transfer of Personal Data originating from the EEA, UK, or Switzerland to Cerberius in Australia (or another country not recognized by the relevant authorities as providing an adequate level of data protection), such transfers shall be governed by the applicable Standard Contractual Clauses, which shall be deemed incorporated into this DPA.
  - For the purposes of the EU SCCs:
    - Module Two (Controller to Processor) will apply where Customer is a Controller and Cerberius is a Processor.
    - Module Three (Processor to Processor) will apply where Customer is a Processor acting on behalf of a third-party Controller, and Cerberius is a Sub-processor to the Customer.
    - Clause 7 (Docking clause) will apply.
    - Clause 9(a) (Use of sub-processors): Option 2 (General written authorisation) will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 5.2 of this DPA.
    - Clause 11(a) (Redress): The optional language will not apply.
    - Clause 13(a) (Supervision): The competent supervisory authority shall be determined in accordance with GDPR.
    - Clause 17 (Governing law): Option 1 will apply. The Clauses shall be governed by the law of an EU Member State in which the data exporter is established (if applicable) or the law of Ireland if the data exporter is not established in the EU.
    - Clause 18(b) (Choice of forum and jurisdiction): Disputes shall be resolved before the courts of an EU Member State in which the data exporter is established (if applicable) or the courts of Ireland if the data exporter is not established in the EU.
    - Annex I and II of the EU SCCs shall be populated with the information in Annex 1 and Annex 2 of this DPA respectively.
    - Annex III of the EU SCCs (List of Sub-processors) shall be the Sub-processor List maintained by Cerberius.
  - For the purposes of the UK IDTA or UK Addendum: The relevant UK transfer mechanism will apply to transfers of Personal Data subject to the UK GDPR, with necessary details completed by reference to this DPA and its Annexes.
  - Transfer Impact Assessments: The parties acknowledge that they may need to conduct a transfer impact assessment ("TIA") or similar analysis to evaluate the level of protection afforded to Personal Data in the destination country and to implement supplementary measures if necessary to ensure an essentially equivalent level of protection as provided under Applicable Data Protection Law. Cerberius will reasonably cooperate with Customer in such assessments.
- 9.3. Transfers from Australia by Cerberius to Overseas Sub-processors: If Cerberius transfers Personal Data originating from Australia to a Sub-processor located overseas, Cerberius will take reasonable steps as required by APP 8.1 to ensure that the overseas recipient does not breach the APPs in relation to the information, or will ensure the transfer is otherwise compliant with APP 8.
- 9.4. Other Jurisdictions: For transfers from other jurisdictions, Cerberius will comply with applicable legal requirements for cross-border data transfers.
10. Deletion or Return of Personal Data
Upon termination of the Agreement or at the Customer’s written request, Cerberius shall, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies unless Applicable Data Protection Law or other applicable law requires storage of the Personal Data. Cerberius shall provide such deletion or return within a reasonable timeframe, typically not exceeding [e.g., 60-90] days, unless otherwise agreed.
11. Audit Rights
Cerberius shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (who is not a competitor of Cerberius and is bound by confidentiality obligations). Such audits shall be conducted during normal business hours, upon reasonable prior notice (e.g., at least 30 days), and subject to Cerberius’s reasonable security and confidentiality procedures. Audits shall be limited to once per year, unless a Personal Data Breach or specific legal requirement necessitates more frequent audits. Customer shall bear its own costs and any reasonable costs incurred by Cerberius in relation to such an audit. Cerberius may satisfy this obligation by providing relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001) where available.
12. General Terms
- 12.1. Precedence: In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail with regard to the subject matter of data protection. To the extent of any conflict between this DPA and any applicable SCCs, the SCCs shall prevail.
- 12.2. Modification: This DPA may only be modified by a written amendment signed by both parties, except that Cerberius may update the Sub-processor List and Annex 2 (Security Measures) as described herein, provided such updates do not materially degrade the security of the Services.
- 12.3. Governing Law and Jurisdiction: This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of New South Wales, Australia, without regard to its conflict of law principles. The parties irrevocably agree that the courts of New South Wales, Australia shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA, subject to any mandatory provisions of Applicable Data Protection Law or the SCCs which may require a different governing law or jurisdiction (e.g., as specified in Section 9.2 for SCCs).
Annex 1: Details of Processing
This Annex forms part of the DPA and describes the Processing of Personal Data.
A. List of Parties
Data exporter (Controller):
Customer, as defined in the Agreement.
Contact details: As provided by Customer during account registration or in the Agreement.
Activities relevant to the data transferred under these Clauses: Use of Cerberius Services as described in the Agreement.
Role: Controller.
Data importer (Processor):
Cerberius Pty Ltd.
Address: [Your Company Registered Address, Australia]
Contact person’s name, position and contact details: [Your DPO or Privacy Contact, e.g., privacy@cerberius.com]
Activities relevant to the data transferred under these Clauses: Provision of the Services to Customer as described in the Agreement.
Role: Processor.
B. Description of Transfer / Processing
Categories of data subjects whose personal data is transferred:
- End-users or customers of the Customer (e.g., individuals whose IP addresses are looked up, whose email addresses are validated, or whose data is included in prompts for classification).
- Employees, contractors, or other representatives of the Customer who use the Services or whose data is submitted by Customer to the Services.
Categories of personal data transferred:
- Data submitted by Customer to Cerberius APIs, which may include:
  - IP addresses.
  - Email addresses.
  - Text prompts or other content submitted for classification, which may incidentally contain names, contact details, or other personal identifiers if included by the Customer.
- Account registration and contact information of Customer’s representatives (e.g., name, email, phone number if provided).
- Technical information related to the use of Services (e.g., API request logs, IP addresses of Customer systems accessing the API, user-agent strings).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
- Cerberius does not intentionally collect or require sensitive data (e.g., as defined under GDPR Article 9, such as health data, racial or ethnic origin) for the provision of its core Services. If Customer submits such data (e.g., within a text prompt), Customer is responsible for ensuring it has a lawful basis and has implemented appropriate safeguards. Cerberius applies its standard security measures as described in Annex 2. Customer should not submit sensitive data unless strictly necessary for the agreed purpose and having considered the risks.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
- Continuous basis, as Customer uses the Services.
Nature of the processing:
- Collection, storage, retrieval, analysis, validation, classification, use, disclosure (to authorized Sub-processors or as instructed by Customer), and deletion of Personal Data as necessary to provide the Services, for technical support, billing, and to meet Cerberius's obligations under the Agreement and this DPA.
Purpose(s) of the data transfer and further processing:
- To provide the Cerberius Services as subscribed by the Customer, including IP lookups, email validation, and prompt classification.
- To provide technical support and maintenance for the Services.
- To manage billing and account administration.
- To comply with Customer's documented instructions.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
- Personal Data will be retained for the duration of the Agreement and as specified in Section 10 of this DPA and Cerberius's Privacy Policy (e.g., API usage logs up to 90 days, account data for the duration of the account activity).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
- The subject matter, nature, and duration of processing by Sub-processors will be consistent with the provision of the specific services they are engaged for (e.g., cloud hosting, payment processing) and will be for the duration necessary to provide those services to Cerberius in support of the Services to Customer, as detailed in the Sub-processor List.
C. Competent Supervisory Authority (for SCCs where applicable)
For the purpose of the EU SCCs (Clause 13), the competent supervisory authority will be the authority of the EU Member State in which the data exporter (Customer) is established. If the data exporter is not established in the EU, it will be the Irish Data Protection Commission (DPC), or another supervisory authority agreed by the parties and permitted under the SCCs. For the UK IDTA/Addendum, the competent supervisory authority is the UK Information Commissioner's Office (ICO).
Annex 2: Security Measures
Cerberius implements and maintains the following technical and organizational security measures to protect Personal Data:
- 1. Access Control:
  - Physical access controls to premises and facilities.
  - Logical access controls to systems and data, including role-based access, unique user IDs, strong password policies, and multi-factor authentication where appropriate.
  - Procedures for granting, modifying, and revoking access.
- 2. Encryption:
  - Encryption of Personal Data in transit (e.g., using TLS/SSL).
  - Encryption of Personal Data at rest where appropriate (e.g., for database backups, sensitive configuration data).
- 3. Data Minimization and Confidentiality:
  - Policies and procedures to limit the collection and processing of Personal Data to what is necessary for the provision of Services.
  - Confidentiality agreements or obligations for personnel with access to Personal Data.
- 4. System Security and Resilience:
  - Regular patching and vulnerability management for systems.
  - Network security measures (e.g., firewalls, intrusion detection/prevention systems where appropriate).
  - Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  - Regular backups and disaster recovery/business continuity plans.
- 5. Monitoring and Logging:
  - Logging of system access and activity relevant to security.
  - Monitoring for security events and anomalies.
- 6. Incident Management:
  - Procedures for detecting, responding to, and recovering from security incidents, including Personal Data Breaches, as outlined in Section 7 of this DPA.
- 7. Personnel Security:
  - Security awareness training for relevant personnel.
  - Background checks for personnel with access to sensitive systems or data, where permitted by law.
- 8. Sub-processor Management:
  - Due diligence process for selecting Sub-processors.
  - Contractual requirements for Sub-processors to implement appropriate security measures.
Cerberius may update or modify these Security Measures from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services purchased by the Customer.
Annex 3: List of Sub-processors
The current list of Sub-processors engaged by Cerberius is maintained at: Sub-processors
Last updated: 2024-05-11