Data Processing Annex
Effective date:
This Data Processing Annex (DPA) forms part of the Terms, and it applies to the processing of your personal information by Chirp Labs Pty Ltd (ACN 675 585 387) (Chirp) in the provision of its Services.
1. Compliance Responsibilities
1.1 Each party must comply with the applicable Privacy Law, in respect of any Personal Information that:
- (a) one party discloses to the other party; or
- (b) comes into the possession or control of a party by any means, including through use of the Services.
1.2 Without limiting clause 1.1 of this DPA, the Client must ensure that its own privacy policy and any other statements in relation to how it handles the Personal Information of Data Subjects accurately reflect its collection, use, storage and disclosure of that information.
1.3 Without limiting clause 1.1 of this DPA, the Client must only collect, use, store and disclose the Personal Information of Data Subjects that it receives from Chirp, or otherwise has access to in connection with the Services, for the purposes of: (a) customer relationship management, sales pipeline management, and account management; (b) business-to-business marketing and communications; (c) customer service and support; (d) analytics, reporting, and business intelligence; and (e) complying with any related obligations arising under Privacy Law.
1.4 Without limiting clause 1.1 of this DPA, the Client must obtain and maintain all necessary Consents, and provide all necessary notices, relevant to:
- (a) its (and each Authorised User's) use of the Services, including those in relation to collection, use, disclosure, processing, storage, amendment and deletion of Personal Information of any individual whose Personal Information may be provided to Chirp directly or indirectly;
- (b) Chirp's disclosure, at the Client's direction, of Personal Information;
- (c) Chirp's (and Chirp's third-party suppliers') collection, use, disclosure, processing, storage, amendment and deletion of Personal Information in connection with the Services; and
- (d) the use of Automated Decision-Making in connection with the Services, including obtaining any specific consent required by Privacy Laws for decisions based solely on automated processing that produce legal or similarly significant effects (if any).
1.5 Subject to any legal requirements, if a party receives a request from a Data Subject for access to or correction of their Personal Information, or a request to exercise rights related to Automated Decision-Making (including rights to obtain human intervention, express their point of view, or contest a decision), where such information is in the possession or control of the other party, it must notify the other party and such other party must promptly undertake the correction or provide such access as required by Privacy Law.
1.6 To the extent permitted by applicable law, the parties agree that Chirp makes no warranties as to the suitability of the Services with regard to the Client's privacy obligations at Privacy Law or contract, and it is the Client's sole responsibility to determine whether the Services are appropriate for the Client.
1.7 At the request of the Client, Chirp shall provide evidence of its compliance with this clause 1 of this DPA. Where possible, Chirp shall provide such evidence to the Client using its own information or information sourced from its third-party auditors or certification providers that assess Chirp's policies and technical and organisational measures using an appropriate and accepted control standard or framework and assessment procedure (which includes, without limitation, ISO 27001 standards) and provide a report or summary thereof to the Client. To the extent that such information does not fully address the relevant issue, the Client may itself or via its appointed representative conduct an audit of Chirp, subject to:
- (a) restrictions on the disclosure of third-party information;
- (b) the Client providing at least 20 days' prior written notice; and
- (c) minimising disruption to Chirp's business.
1.8 The Client acknowledges that the Services incorporate artificial intelligence and machine learning features, and agrees to the following terms regarding such AI-powered features:
- (a) the Services include AI-powered features such as lead scoring, predictive analytics, customer segmentation, and automated insights generation;
- (b) Chirp may use Client Data in aggregated and de-identified form to improve and train AI models for the Services, and clause 2.6 permits Chirp to use data of Authorised Users to enhance its proprietary database, which includes AI model development;
- (c) the Client remains responsible for decisions made using AI-generated outputs and must comply with applicable Privacy Laws regarding Automated Decision-Making, including providing Data Subjects with information about automated processing where required; and
- (d) Chirp makes no warranties regarding the accuracy or reliability of AI-generated scores, predictions, or recommendations.
2. Processor Responsibilities
2.1 To the extent that Chirp processes Personal Information on behalf of the Client, Chirp shall comply with the requirements of this clause 2 of this DPA.
2.2 The scope of the Personal Information processing carried out by Chirp under the Services is restricted to such processing as is required for Chirp in connection with the Services, to provide support to the Services, for analytical purposes (using aggregated data), in accordance with clause 1.8 above, and as set out in the Privacy Policy. The types of Personal Information that may be processed are as described in the Appendix to this DPA.
2.3 Chirp confirms that, when acting as processor for the Client in relation to Personal Information, Chirp shall:
- (a) only process Personal Information on the documented instructions of the Client (which shall include the provision of Services) unless required to process that Personal Information for other purposes by applicable law. Where such a requirement is placed on Chirp it shall provide prior notice to the Client unless the relevant law prohibits the giving of notice on important grounds of public interest;
- (b) not sell or share (as "sell or share" is defined by the California Consumer Protection Act with respect to Personal Information) the Personal Information except as instructed by the Client;
- (c) not retain, use, or disclose the Personal Information for any purpose other than supplying the Services;
- (d) not retain, use, or disclose the Personal Information outside of the direct business relationship between the parties;
- (e) not combine the Personal Information with Personal Information received from sources other than the Client where and to the extent prohibited by Privacy Law;
- (f) inform the Client if, in its opinion, the Client's instructions would be in breach of Privacy Law;
- (g) provide reasonable assistance to the Client to respond to requests from individuals exercising their rights under Privacy Law, including rights related to Automated Decision-Making (such as the right to human intervention, the right to an explanation of automated decisions, and the right to contest automated decisions), taking into account the nature of the processing and the information available to Chirp;
- (h) provide reasonable assistance to the Client, at the Client's expense, to take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Information, taking into account the nature of the processing and the information available to Chirp; and
- (i) provide reasonable assistance to the Client to conduct and document a privacy impact assessment (and any related consultations) where required under Privacy Law and taking into account the nature of the processing and the information available to Chirp. If this requires Chirp to take additional steps beyond those directly imposed on Chirp by Privacy Law, the Client shall pay Chirp for the reasonable costs of taking those additional steps.
2.4 On termination of the Services, and at the option of the Client, Chirp shall promptly return or delete the Client's Personal Information. Chirp may retain a copy of the Client's Personal Information where required by law but must delete it when that legal obligation ceases to apply.
2.5 Chirp shall not make a Restricted International Transfer of Personal Information unless in accordance with Privacy Laws.
2.6 The Client acknowledges and agrees that:
- (a) Chirp may process and store Client Data in Australia and the United States, and may transfer Client Data between these jurisdictions as necessary for the provision of the Services;
- (b) such transfers are authorised by the Client for the purpose of receiving the Services;
- (c) Chirp will implement appropriate safeguards for such transfers as required by Privacy Laws, which may include standard contractual clauses, adequacy determinations, or other lawful transfer mechanisms; and
- (d) Chirp's sub-processors listed in the Appendix may process Client Data in the jurisdictions specified, and Chirp will ensure such sub-processors provide adequate protection for Personal Information.
2.7 Upon reasonable request, Chirp shall provide the Client with information about the safeguards in place for international transfers of Personal Information.
3. Data Security
3.1 Chirp shall implement commercially reasonable technical and organisational measures designed to protect Client Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. Such measures may include, without limitation:
- (a) ensuring any of its employees or agents or other persons to whom it provides access to Client Data are obliged to keep it confidential;
- (b) the use of pseudonymisation and encryption of Client Data, where appropriate;
- (c) measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Chirp's systems and services;
- (d) measures designed to restore the availability and access to Client Data in a timely manner in the event of a physical or technical incident;
- (e) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Client Data; and
- (f) assisting the Client to comply with its own data security obligations under Privacy Law. If this requires Chirp to take additional steps beyond those directly imposed on Chirp by Privacy Law, the Client shall pay Chirp for the reasonable costs of taking those additional steps.
3.2 Chirp shall notify the Client without undue delay (in any event within 72 hours) should it become aware of a security breach leading to the accidental or unauthorised loss, alteration or disclosure of Client Data (Security Breach). Chirp shall use commercially reasonable efforts to promptly:
- (a) provide reasonable information needed by the Client for the Client to comply with Privacy Law, including a description of the nature of the Security Breach, the volume and type of Client Data affected, the categories and approximate number of individuals concerned and the likely consequences of the Security Breach; and
- (b) take reasonable measures designed to address the Security Breach, mitigate its effects and prevent further breaches, and provide details of those measures to the Client.
4. Use of Subcontractors
The Appendix to this DPA lists all sub-processors used as at the date the Account is entered into. Chirp may give the Client prior notice of any intended addition to or replacement of those subcontractors, or Chirp may update any list of subcontractors on its website. Chirp shall use reasonable efforts to ensure that it has a written contract with any subcontractors that it engages to process Personal Information in connection with the Services that complies with Privacy Law and is not materially less protective of Personal Information than the Licence Agreement.
5. Notification to Regulator and Affected Individuals
If a security breach occurs and the Client wishes to notify the relevant regulator and/or affected individuals, any correspondence or notification to be sent by the Client to the relevant regulator (and affected individuals, if applicable) that names Chirp or refers to the Services must, to the extent permitted by Privacy Law, be in a form approved by Chirp in advance with Chirp given a reasonable period to reply.
6. Definitions
In this DPA:
Agreement means this Data Processing Annex, the Terms and also includes the relevant Account (if any).
Authorised Users means the employees and staff members of the Client whom the Client has authorised to use the Service.
Automated Decision-Making means processing that involves using Personal Information to make decisions about Data Subjects solely by automated means without human intervention.
Client Data means Personal Information provided by the Client or an Authorised User to Chirp, and for which the Client remains responsible under Privacy Law.
Consent means any consents or approvals required by law to be collected from any Data Subjects.
Data Subject means any natural person in respect of whom either party processes Personal Information.
Personal Information has the same meaning as in the Privacy Laws.
Privacy Laws means the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as well as any other applicable U.S. state or federal privacy or data protection laws.
Privacy Policy means our Privacy Policy available at https://www.trychirp.com/privacy-policy.
Restricted International Transfer means a transfer of Personal Information by Chirp to a country which does not provide an adequate level of protection for Personal Information as required by Privacy Laws.
Services means the use of our online service, including any support services, as described in the Terms.
Terms means the Chirp terms of use, as updated from time to time.
Appendix – Personal Information Processing
Data Subject: Authorised Users of the Client, and business contacts of the Client.
Personal Information processed:
- Full name
- Company
- Title
- Address
- Email address
- Telephone number or contact details
- Payment details
- Social media handles
- Communications of Authorised Users of the Client with their business prospects
Purpose: Provision of the Services.
Sub-processors: