
Data Processing Addendum (Australia)

Effective: 15-Jul-2024 | Version: 1.0

Parties: Uncapt Pty Ltd (ACN 641 190 552) of Level 4, 83 Mount Street, North Sydney, NSW 2060, Australia (Processor/Service Provider, "Uncapt", "Supplier") and the customer named in the applicable Order that references this DPA (Controller/APP entity, "Customer").

This DPA forms part of and is incorporated into the Online Master Services & Subscription Terms at https://uncapt.com/terms for Uncapt's provision of the Services to Customer. Capitalised terms not defined here have the meaning in the Agreement.

1. Introduction; Incorporation; Precedence

1.1 This DPA forms part of and is incorporated into the Online Master Services & Subscription Terms at https://uncapt.com/terms (or a separately executed master agreement, the "Agreement") for Uncapt's provision of the Services to Customer.

1.2 Capitalised terms not defined here have the meaning in the Agreement.

1.3 If there is any conflict between this DPA and the Agreement on privacy/security matters, this DPA prevails. Otherwise, the Agreement governs (including limitations of liability and dispute resolution).

2. Definitions

APPs means the Australian Privacy Principles under the Privacy Act.

Eligible Data Breach has the meaning in the Privacy Act 1988 (Cth).

Health Information has the meaning in the Privacy Act and applicable State health records laws.

Personal Information has the meaning in the Privacy Act 1988 (Cth).

Privacy Act means the Privacy Act 1988 (Cth), including the Notifiable Data Breaches (NDB) scheme.

Processing/Process means any operation performed on Personal Information, including collection, storage, use, disclosure, access, correction, erasure, and transfer.

Security Incident means unauthorised access to or unauthorised disclosure of Personal Information or loss of Personal Information in Uncapt's possession or control that may give rise to risk of harm; for EU/UK data, has the meaning of "personal data breach" under GDPR.

Subprocessor means a third party engaged by Uncapt to Process Personal Information on Uncapt's behalf in connection with the Services.

3. Scope; Roles; Instructions

3.1 Roles

For Personal Information that Customer provides or makes available to Uncapt in connection with the Services:

  • Customer acts as the APP entity (and, where applicable, "controller" under GDPR/UK GDPR).
  • Uncapt acts as a "processor/service provider" and will Process Personal Information only on Customer's documented instructions, unless required by law.

3.2 Customer Instructions

The Agreement, applicable Order/SOW, and Customer's use/configuration of the Services constitute Customer's documented instructions. Uncapt will promptly inform Customer if, in Uncapt's opinion, an instruction infringes Applicable Law.

3.3 Purpose Limitation

Uncapt will Process Personal Information only (a) to provide, secure, support, maintain and improve the Services (including de-identified analytics/Insight Data), (b) to meet legal obligations, and (c) as otherwise instructed by Customer in writing.

4. Customer Responsibilities

4.1 Lawful Provision

Customer is responsible for ensuring that its instructions are lawful and that it has provided all notices and obtained all consents/authorisations required under Applicable Law (including for Health Information and sensitive information).

4.2 Accuracy; Minimisation

Customer will ensure Personal Information it supplies is accurate and limited to what is necessary for the Services.

4.3 Configuration; Access

Customer manages user provisioning, access controls, and safe/regulated use in its environment.

5. Uncapt Obligations

5.1 Confidentiality

Uncapt will ensure its personnel with access to Personal Information are bound by confidentiality obligations and receive data protection training appropriate to their roles.

5.2 Security

Uncapt will implement and maintain appropriate technical and organisational measures to protect Personal Information against unauthorised access, use, modification or disclosure and against loss (Security Measures), aligned to recognised practices (ISO 27001‑aligned). A summary is at https://uncapt.com/legal/security and Annex C.

5.3 Privacy by Design

Uncapt will take reasonable steps to implement privacy-by-design principles in the operation of the Services, appropriate to the nature, scope and context of Processing.

5.4 Assistance

Taking into account the nature of Processing and information available to Uncapt, Uncapt will provide reasonable assistance to Customer to: (a) respond to individuals' requests to access or correct Personal Information (or, where applicable, data subject rights under GDPR/UK GDPR), (b) investigate and respond to Security Incidents and Eligible Data Breaches, and (c) conduct privacy impact assessments or consultations with regulators, where required by law.

5.5 Records

Uncapt will maintain records of Processing of Personal Information it handles on behalf of Customer, to the extent required by law.

6. Subprocessors

6.1 General Authorisation

Customer generally authorises Uncapt to engage Subprocessors to provide the Services.

6.2 List; Notification

A list or description of Subprocessors (and hosting locations) is available on request. Uncapt will provide prior notice of material changes. Customer may object on reasonable data-protection grounds within 10 Business Days of notice.

6.3 Addressing Objections

If Customer objects, the parties will discuss in good faith. Uncapt may (a) not use the proposed Subprocessor for Customer's data, (b) propose reasonable alternatives, or (c) allow Customer to suspend/terminate the affected Services (with a pro‑rated refund of any prepaid, unused fees).

6.4 Flow‑down; Liability

Uncapt will impose obligations on Subprocessors that are no less protective than this DPA and remains responsible for their performance.

7. International Transfers; Data Residency

7.1 Data Residency

Hosting regions and the Deployment model are as specified in the Order. Uncapt will not transfer Personal Information outside agreed regions without Customer's documented instructions.

7.2 APP 8 (Australia)

Where Personal Information is disclosed to an overseas recipient at Customer's instruction, Uncapt will take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information, or otherwise obtain Customer's consent where appropriate.

7.3 EU/UK Personal Data (if applicable)

For Processing subject to EU/UK GDPR, the EU/UK Transfer Addendum in Annex D applies, and the parties will implement appropriate transfer mechanisms (e.g., EU SCCs (2021/914) with the UK Addendum).

8. Security Incidents; Notifiable Data Breaches

8.1 Notification

Uncapt will notify Customer without undue delay after confirming a Security Incident affecting Personal Information Processed for Customer. For Australian Eligible Data Breaches, Uncapt will notify as soon as practicable and provide information to support Customer's assessment under the NDB scheme.

8.2 Cooperation

Uncapt will investigate the Security Incident, take appropriate remediation steps, and provide Customer with reasonable cooperation and information, including: (a) the nature of the incident, (b) the categories of Personal Information and individuals affected (to the extent known), (c) likely consequences, (d) measures taken or proposed, and (e) contact details. Uncapt will assist Customer with notifications to OAIC and affected individuals, if required by law.

8.3 Communications

Customer controls external communications/notifications unless otherwise required by law or regulator. Uncapt will not make public statements regarding the incident that identify Customer without Customer's prior written approval (unless legally required).

9. Individual Requests; Complaints

9.1 Requests

If Uncapt receives requests directly from individuals (or data subjects) relating to Personal Information it Processes on Customer's behalf, Uncapt will (a) promptly forward the request to Customer, and (b) not respond except as instructed by Customer or required by law.

9.2 Complaints/Regulators

Uncapt will promptly notify Customer of any inquiries or correspondence from regulators concerning Customer's Personal Information and cooperate as reasonably required.

10. Deletion and Return

10.1 During the Term

Customer may export Personal Information via available export functions during the term.

10.2 Termination

Upon termination/expiry of the Services, and subject to payment of amounts due, Uncapt will, upon Customer's written request within 30 days, return a commercially reasonable export of Personal Information in standard machine‑readable format (e.g., JSON/CSV). Thereafter, Uncapt will delete Personal Information in its active systems and place backups into a secure, restricted state, purging in accordance with standard retention cycles.

10.3 Certification

Upon Customer's written request, Uncapt will certify completion of deletion (to the extent technically feasible) or explain any legal/technical constraints that require retention (e.g., legal holds, system backups).

11. Audits; Information Requests

11.1 Method

No more than once in any 12‑month period (unless required by regulator/law or following a material Security Incident), Customer may audit Uncapt's compliance with this DPA via: (a) Uncapt's written responses to reasonable security/privacy questionnaires; (b) independent audit reports or certifications (e.g., ISO 27001‑aligned summaries); and (c) a remote review meeting with Uncapt's security personnel.

11.2 On‑site Audits

On‑site audits are permitted only where required by regulator/law or for cause following a material Security Incident, subject to: (i) reasonable prior notice (at least 30 days where possible); (ii) confidentiality; (iii) reasonable limits on frequency/duration/scope to avoid disruption; and (iv) execution of Uncapt's site access and confidentiality terms.

11.3 Costs

Each party bears its own costs. If an audit requires material time/assistance beyond ordinary course, Customer will reimburse Uncapt's reasonable, documented costs.

12. Liability; Indemnity

12.1

The parties agree that the exclusions and limitations of liability in the Agreement apply to this DPA. Nothing in this DPA expands Uncapt's liability beyond the Agreement.

12.2

For clarity, where the Agreement carves out breaches of privacy/security obligations from the general cap (e.g., a 2x cap), that carve‑out applies here as specified in the Agreement.

13. Term; Termination; Survival

13.1

This DPA takes effect on the Effective Date of the first Order that references it and continues for as long as Uncapt Processes Personal Information on behalf of Customer under the Agreement.

13.2

Sections that by their nature should survive (including confidentiality, deletion/return, liability, and audit rights initiated during the term) will survive termination.

14. Miscellaneous

14.1 Governing Law

This DPA is governed by the laws of New South Wales, Australia and subject to the jurisdiction provisions in the Agreement. For EU SCCs/UK Addendum in Annex D, the governing law and forum are as specified in that Annex for those transfer instruments only.

14.2 Order of Precedence

If this DPA conflicts with the EU SCCs/UK Addendum in Annex D, the SCCs/Addendum prevail for EU/UK personal data transfers.

Annexes

Annex A — Processing Details

A1. Subject matter and purpose of Processing: Provision, operation, support and improvement of the Uncapt Reasoning Platform and related Services for Customer, including hosting, storage, analysis, knowledge graph operations, decision‑support outputs, safety gating, audit logging, and related technical/operational support.

A2. Duration of Processing: For the term of the Agreement and any data return/deletion period, plus retention required by law or documented Customer instruction.

A3. Nature of Processing: Collection, storage, retrieval, analysis, transformation, structuring, inference/decision‑support, transmission, display, deletion, and backup.

A4. Types/Categories of Personal Information: Identification and contact data, account and access data, case/workflow data, knowledge graph instance data, support/ticketing metadata.

A5. Sensitive Information: Health Information or other sensitive information as defined by the Privacy Act, if Customer elects to include it in the Services.

A6. Categories of Data Subjects: Customer's personnel and end‑users, Customer's clients/patients/participants, other individuals whose Personal Information Customer inputs or makes available.

A7. Locations of Processing: Primary hosting/processing regions as stated in the Order (e.g., Australia). Support and certain subprocessors may operate from other jurisdictions.

Annex B — Approved Subprocessors

Current list or link: [Insert URL to subprocessor list] or attach a list here with: Entity name; Country; Purpose (hosting, analytics, email delivery, support tooling, etc.); Data categories; Safeguards; Contact.

Uncapt will update this Annex or posted list when adding/changing material Subprocessors.

Annex C — Technical and Organisational Measures (Security)

Uncapt maintains an information security program aligned to recognised practices (ISO 27001‑aligned). Key measures include:

  • C1. Governance and Risk: ISMS with defined policies, risk assessments, security awareness training, background checks.
  • C2. Access Control and Identity: RBAC, least privilege, MFA, centralised identity, periodic access reviews, secure key management.
  • C3. Physical and Environmental: Reputable cloud providers, logical separation, network segmentation, hardened bastion hosts.
  • C4. Data Protection: Encryption in transit and at rest, data minimisation, tenant isolation, secure disposal, backup and restoration testing.
  • C5. Application and Development Security: Secure SDLC, code review, dependency management, vulnerability scanning and remediation.
  • C6. Logging and Monitoring: Centralised logging, alerting, incident response runbooks, periodic tabletop exercises.
  • C7. Third‑Party/Vendor Management: Security due diligence for Subprocessors, contractual security and privacy obligations.
  • C8. Customer Responsibilities: Base infrastructure, network security, IAM/SSO, OS patching, backups, endpoint protections, physical security.

Annex D — EU/UK International Transfer Addendum (Optional)

This Annex applies only where Customer or its Affiliates are subject to EU GDPR and/or UK GDPR and Uncapt Processes personal data subject to those laws, including cross‑border transfers from the EEA/UK to a country not deemed adequate.

The parties agree that the European Commission's Standard Contractual Clauses (SCCs) for international transfers of personal data (Decision 2021/914) are incorporated by reference, with Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as applicable.

Annex E — Contact Points for Privacy & Security

Uncapt Privacy/Security Contact: privacy@uncapt.com (or info@uncapt.com)

Customer Contact: As specified in the applicable Order/SOW

Change Log

v1.0 (15-Jul-2024): Initial publication aligned to AU Privacy Act, NDB scheme, with optional EU/UK transfer addendum.

Last updated: 15-Jul-2024