Note: This Data Processing Addendum applies to Validibot Cloud customers. Self-hosted licensees may request a DPA by contacting licensing@mcquilleninteractive.com. See also our sub-processor list.

Data Processing Addendum

Version 1.0 — Effective 23 March 2026

This Data Processing Addendum ("DPA") forms part of the Commercial License Agreement (the "Agreement") between McQuillen Interactive Pty. Ltd. (ABN 49 600 623 069) ("Licensor", "we", "us") and the entity that accepted the Agreement ("Licensee", "Customer", "you").

Capitalised terms not defined in this DPA have the meanings given in the Agreement.


1. DEFINITIONS

1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (to the extent applicable): (a) the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles ("APPs"); (b) the EU General Data Protection Regulation 2016/679 ("GDPR"); (c) the UK General Data Protection Regulation as retained by the European Union (Withdrawal) Act 2018 ("UK GDPR"); (d) the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) any other data protection or privacy law applicable to the processing of Personal Data under this DPA.

1.2 "Controller" means the entity that determines the purposes and means of Processing Personal Data. Where Applicable Data Protection Law uses a different term (e.g., "APP entity" under the Privacy Act, "business" under the CCPA), the equivalent concept applies.

1.3 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates (or "consumer" under CCPA).

1.4 "Personal Data" means any information relating to a Data Subject that is processed by Licensor on behalf of Licensee in connection with the Service (or "personal information" under the Privacy Act or CCPA, as applicable).

1.5 "Processing" (and "Process") means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.6 "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.

1.7 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced.

1.8 "Sub-Processor" means any third party engaged by Licensor to Process Personal Data on behalf of Licensee.


2. SCOPE AND ROLES

2.1 Applicability. This DPA applies only where Licensor Processes Personal Data on behalf of Licensee in the course of providing the Service under the Agreement. It does not apply to Personal Data that Licensor processes as a Controller in its own right (e.g., Licensee's account contact details, billing information, and website analytics), which is governed by Licensor's Privacy Policy at https://validibot.com/privacy.

2.2 Roles. For the purposes of this DPA:

(a) Licensee is the Controller (or "business" under CCPA) and Licensor is the Processor (or "service provider" under CCPA) with respect to Personal Data processed through the Service.

(b) Licensor will Process Personal Data only on behalf of, and in accordance with, the documented instructions of Licensee. The Agreement (including this DPA) constitutes Licensee's initial instructions. Licensee may provide additional written instructions consistent with the Agreement.

2.3 Details of Processing. The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1 to this DPA.


3. LICENSOR OBLIGATIONS

3.1 Documented Instructions. Licensor will Process Personal Data only in accordance with Licensee's documented instructions, unless required to do so by law to which Licensor is subject, in which case Licensor will inform Licensee of that legal requirement before Processing (unless the law prohibits such notification).

3.2 Confidentiality. Licensor will ensure that all personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).

3.3 Security Measures. Licensor will implement and maintain appropriate technical and organisational measures to protect Personal Data, as described in Annex 2 to this DPA. Licensor may update these measures from time to time provided that the overall level of protection is not materially reduced.

3.4 Security Incident Notification. Licensor will notify Licensee without undue delay (and in any event within forty-eight (48) hours) after becoming aware of a Security Incident. The notification will include, to the extent reasonably available:

(a) A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;

(b) The likely consequences of the Security Incident;

(c) The measures taken or proposed to address the Security Incident and to mitigate its effects; and

(d) The name and contact details of a point of contact for further information.

Licensor will cooperate with Licensee's reasonable requests in connection with Licensee's notification obligations under Applicable Data Protection Law.

3.5 Data Subject Requests. Licensor will promptly notify Licensee if it receives a request from a Data Subject to exercise rights under Applicable Data Protection Law (an access, rectification, erasure, portability, restriction, or objection request, or an opt-out or deletion request under CCPA). Licensor will not respond to such requests directly except on Licensee's documented instructions, unless required by law.

Licensor will provide Licensee with reasonable technical and organisational assistance to fulfil Licensee's obligation to respond to Data Subject requests.

3.6 Data Protection Impact Assessments. Licensor will provide Licensee with reasonable assistance in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent that the relevant information is available to Licensor.

3.7 Deletion and Return. On termination or expiration of the Agreement, Licensor will, at Licensee's election:

(a) Return all Personal Data to Licensee in a commonly used, machine-readable format; or

(b) Delete all Personal Data and certify such deletion in writing.

Licensor will complete deletion or return within thirty (30) days of receiving Licensee's written instruction, unless Applicable Data Protection Law requires continued storage of the Personal Data. Any Personal Data retained under a legal obligation will continue to be protected under this DPA and will not be processed for any other purpose.


4. SUB-PROCESSORS

4.1 General Authorisation. Licensee provides a general authorisation for Licensor to engage Sub-Processors to Process Personal Data. The current list of Sub-Processors is available at https://validibot.com/legal/sub-processors.

4.2 Notification of Changes. Licensor will notify Licensee at least thirty (30) days before engaging a new Sub-Processor or replacing an existing one, by updating the Sub-Processor list and notifying Licensee at the email address associated with Licensee's account.

4.3 Objection Right. Licensee may object to a new Sub-Processor by notifying Licensor in writing within the thirty-day notice period. If Licensee objects on reasonable data protection grounds, the parties will discuss the concern in good faith. If the parties cannot resolve the objection within thirty (30) days, Licensee may terminate the affected Service by providing written notice, and Licensor will refund any prepaid fees for the unused portion of the terminated Service.

4.4 Sub-Processor Obligations. Licensor will enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA. Licensor remains liable to Licensee for the acts and omissions of its Sub-Processors.


5. INTERNATIONAL DATA TRANSFERS

5.1 Processing Locations. Personal Data is primarily processed in Australia (Google Cloud Platform, Sydney region). Certain Sub-Processors process data in other jurisdictions as disclosed in the Sub-Processor list.

5.2 GDPR Transfers. To the extent that the Processing of Personal Data involves a transfer from the EEA to a country that does not benefit from an adequacy decision under GDPR Article 45, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference. For such transfers:

(a) The data exporter is Licensee and the data importer is Licensor;

(b) The details required by the SCCs are set out in Annex 1 and Annex 2 of this DPA;

(c) The governing law of the SCCs (Clause 17) is the law of the EU Member State in which the data exporter is established (or, if the data exporter is not established in an EU Member State, the law of Ireland);

(d) Disputes under the SCCs (Clause 18) will be resolved before the courts of the same jurisdiction as the governing law; and

(e) Annex 1 to this DPA serves as Annex I to the SCCs, and Annex 2 serves as Annex II.

5.3 UK Transfers. To the extent that the Processing involves a transfer from the United Kingdom that is not covered by an adequacy regulation under UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated into this DPA. The information required by Tables 1–4 of the UK Addendum is as set out in Annex 1 and Annex 2.

5.4 Australian Privacy Act. Where the Privacy Act applies, Licensor will take reasonable steps to ensure that overseas recipients of Personal Data do not breach the APPs in relation to that data, consistent with APP 8. Licensor's Sub-Processor agreements impose obligations equivalent to those under this DPA on overseas Sub-Processors.

5.5 CCPA. To the extent the CCPA applies, Licensor certifies that it:

(a) Will not sell or share (as defined by CCPA) Personal Data received from Licensee;

(b) Will not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, including any commercial purpose other than providing the Service;

(c) Will not retain, use, or disclose Personal Data outside of the direct business relationship between Licensor and Licensee; and

(d) Will comply with the CCPA and provide the same level of privacy protection as required by the CCPA.

Licensor will notify Licensee if it determines that it can no longer meet its CCPA obligations, and Licensee may take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Data.


6. AUDIT RIGHTS

6.1 Information and Audit. Licensor will make available to Licensee all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Licensee or a qualified third-party auditor appointed by Licensee.

6.2 Audit Process. Audits under Section 6.1 will be conducted:

(a) With at least thirty (30) days' prior written notice;

(b) During normal business hours;

(c) In a manner that does not unreasonably disrupt Licensor's operations; and

(d) Subject to reasonable confidentiality obligations.

6.3 Third-Party Reports. To the extent Licensor maintains relevant third-party certifications or audit reports (e.g., SOC 2 Type II, ISO 27001), Licensor may satisfy an audit request by providing a copy of such reports, provided they are no more than twelve (12) months old and cover the scope of the audit request. This does not limit Licensee's right to request an audit where there is a reasonable basis to believe that Licensor is not complying with this DPA.


7. LIABILITY

7.1 The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, Licensor's total aggregate liability under this DPA is included within (and not in addition to) the liability caps in the Agreement.


8. TERM AND SURVIVAL

8.1 This DPA will remain in effect for as long as Licensor Processes Personal Data on behalf of Licensee. Sections 3.7 (Deletion and Return), 6 (Audit Rights), and 7 (Liability) will survive termination of this DPA.


9. CONFLICT

9.1 In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the Processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.


ANNEX 1 — DETAILS OF PROCESSING

A. List of Parties

|         | Controller (Data Exporter) | Processor (Data Importer) |
|---------|----------------------------|---------------------------|
| Name    | Licensee, as identified in the Agreement | McQuillen Interactive Pty. Ltd. |
| Address | As specified in Licensee's account | Victoria, Australia |
| Contact | Licensee's account administrator | licensing@mcquilleninteractive.com |
| Role    | Controller / Business | Processor / Service Provider |

B. Description of Processing

| Element | Description |
|---------|-------------|
| Subject matter | Provision of the Validibot cloud service |
| Duration | The term of the Agreement plus the data deletion period in Section 3.7 |
| Nature and purpose | Processing Customer Data to provide the Service, including storage, retrieval, computation, and display of validation data submitted by Licensee's users |
| Types of Personal Data | Email addresses, names, IP addresses, user agent strings, usage logs, and any personal data contained within validation data submitted by Licensee's users |
| Categories of Data Subjects | Licensee's employees, contractors, and end users who access the Service |
| Sensitive data | None. The Service is not designed to process special categories of data or sensitive personal information |

C. Competent Supervisory Authority

The competent supervisory authority is determined in accordance with GDPR Article 55 (or the equivalent under the applicable data protection law). Where Licensee is established in Australia, the relevant authority is the Office of the Australian Information Commissioner (OAIC).


ANNEX 2 — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Licensor maintains the following security measures. These may be updated from time to time; changes will not materially reduce the overall level of protection.

Infrastructure and Hosting

  • All production services run on Google Cloud Platform (Sydney region, australia-southeast1) with data encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
  • Application is deployed in isolated containers with role-based access controls.
  • Network security is enforced through VPC firewalls and Cloud Armor rules.

Access Control

  • Administrative access requires multi-factor authentication (MFA).
  • Access to production systems is limited to authorised personnel on a need-to-know basis.
  • Customer data is logically isolated between tenants.

Data Protection

  • Database backups are encrypted and stored in the same region as the primary data.
  • Payment card data is processed exclusively by Stripe (PCI-DSS Level 1 certified) and is never stored on Licensor's systems.
  • Passwords are hashed using industry-standard algorithms (bcrypt/Argon2).

Monitoring and Incident Response

  • Application and infrastructure logs are collected and monitored for anomalous activity.
  • An incident response procedure is in place for identifying, investigating, and remediating Security Incidents.

Organisational Measures

  • Confidentiality obligations are in place for all personnel with access to Personal Data.
  • Sub-Processors are subject to written agreements imposing equivalent security obligations.

This DPA is not legal advice. It should be reviewed by a qualified legal professional before being relied upon. Regulatory requirements change; verify current requirements with authoritative sources.

McQuillen Interactive Pty. Ltd. (ABN 49 600 623 069). Governing law: Victoria, Australia.
