Legal

Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between Arjun Khurana t/a Get Crux (ABN 91 332 307 539) (“Processor”) and the entity or individual using the Service (“Controller”). This DPA supplements the Crux Terms of Service and Privacy Policy.

1.Definitions

“Personal Data” means any information relating to an identified or identifiable natural person included in Content uploaded to or processed by the Service.

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

“Controller” means the Account Holder who determines the purposes and means of processing Personal Data.

“Processor” means Arjun Khurana t/a Get Crux, which processes Personal Data on behalf of the Controller.

“Sub-processor” means a third party engaged by the Processor to assist in Processing.

2.Scope and Purpose

This DPA applies to the Processing of Personal Data by Get Crux in the course of providing the Service. The subject matter, nature, and purpose of Processing are the generation of marketing briefs from source material provided by the Controller. The types of Personal Data processed may include names, contact details, and any other personal information contained in uploaded Content.

3.Acceptance

This DPA is accepted by: (a) clicking “I agree” or similar during account registration; (b) continuing to use the Service after this DPA takes effect; or (c) executing a separate written agreement that incorporates this DPA by reference.

If you are entering into this DPA on behalf of an organisation, you represent that you have authority to bind that organisation.

4.Controller Obligations

The Controller agrees to: (a) ensure it has a lawful basis for providing Personal Data to Get Crux for Processing; (b) provide any required notices to and obtain any required consents from data subjects; (c) comply with applicable privacy laws in relation to Personal Data it provides; (d) not instruct Get Crux to process Personal Data in a way that would violate applicable law.

5.Processor Obligations

Get Crux agrees to: (a) process Personal Data only on documented instructions from the Controller, including as set out in the Terms of Service and this DPA; (b) ensure that persons authorised to process Personal Data are bound by confidentiality obligations; (c) implement and maintain appropriate technical and organisational security measures; (d) assist the Controller in fulfilling its obligations to respond to data subject requests; (e) make available all information necessary to demonstrate compliance with this DPA upon reasonable request.

6.Sub-processors

The Controller grants Get Crux general authorisation to engage sub-processors to assist in providing the Service. A current list of sub-processors is maintained in our Privacy Policy (Section 11). Get Crux will notify the Controller of any intended changes to sub-processors with reasonable advance notice. The Controller may object to a new sub-processor within 14 days of notice; if the parties cannot resolve the objection, the Controller may terminate the Service on written notice.

Get Crux imposes data protection obligations on all sub-processors at least equivalent to those in this DPA.

7.Security Measures

Get Crux implements technical and organisational measures to protect Personal Data, including: encryption of data in transit using TLS 1.2 or higher; encryption of data at rest; access controls limiting data access to authorised personnel; regular security assessments and monitoring; incident response procedures.

8.Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of data subjects, Get Crux will notify the Controller without undue delay and within 72 hours of becoming aware of the breach. Notification will include: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences; and the measures taken or proposed to address the breach.

9.Data Transfers

Some Personal Data may be transferred to, or accessed from, countries outside Australia in connection with sub-processing activities. Get Crux takes reasonable steps to ensure that any overseas recipients handle Personal Data in accordance with the Australian Privacy Principles. By accepting this DPA, the Controller consents to such transfers.

10.Deletion and Return of Data

Upon termination of the Service or written request by the Controller, Get Crux will delete or return Personal Data (at the Controller's election) within 90 days, except to the extent retention is required by applicable law. Get Crux will certify in writing that deletion has occurred upon request.

11.Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set out in the Get Crux Terms of Service. Where both parties are responsible for a data breach or privacy violation, liability will be apportioned according to the degree of responsibility of each party. Nothing in this DPA limits any rights or remedies available under applicable privacy law that cannot be excluded by agreement.