#Project Brain — Data Processing Addendum
Effective date: 26 May 2026
Last updated: 26 May 2026
Version: 1.0
This Data Processing Addendum (DPA) forms part of the Project Brain Terms of Use (the Agreement) between Project Brain Pty Ltd (ABN: TBC), of Suite 302, 13/15 Wentworth Avenue, Sydney NSW 2000 (Project Brain, Processor, we), and the customer entity identified in the Order (Customer, Controller, you).
This DPA governs the processing of Personal Information by Project Brain on the Customer's behalf in connection with the Service.
If the Customer requires a signed copy, email legal@projectbrain.com.au. By accepting the Agreement and using the Service, the Customer is deemed to accept this DPA without signature, except where a signed copy is required by applicable law.
#1. Definitions
Capitalised terms used but not defined here have the meaning given in the Agreement. In this DPA:
- Applicable Data Protection Law means all laws relating to the protection of Personal Information that apply to the processing under this DPA, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the UK General Data Protection Regulation (UK GDPR), and any other applicable privacy or data protection law.
- Data Subject means an identified or identifiable natural person to whom Personal Information relates.
- EU SCCs means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 of 4 June 2021.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information.
- Personal Information has the meaning given in the Agreement and includes "personal data" under the GDPR/UK GDPR.
- Processing has the meaning given under Applicable Data Protection Law. "Process", "processed", and "processes" are construed accordingly.
- Restricted Transfer means a transfer of Personal Information from a jurisdiction whose laws restrict cross-border transfers (such as the EEA, UK, or Switzerland) to a jurisdiction that has not received an adequacy decision.
- Sub-processor has the meaning given in the Agreement.
- UK IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, version B1.0 in force from 21 March 2022.
#2. Scope and roles
#2.1 Scope
This DPA applies to all processing of Personal Information by Project Brain on behalf of the Customer in providing the Service.
#2.2 Roles
For Customer Data:
- the Customer is the Controller (or, where the Customer itself acts as a processor for a third-party controller, the Customer is the controller's authorised processor and Project Brain is a sub-processor); and
- Project Brain is the Processor.
For Personal Information about the Customer's account administrators, billing contacts, and other business contacts that Project Brain collects directly, Project Brain is an independent Controller (see the Privacy Policy).
#2.3 Customer responsibilities
The Customer warrants that:
(a) it has a lawful basis to provide Personal Information to Project Brain and to authorise the processing described in this DPA;
(b) it has provided all notices and obtained all consents required under Applicable Data Protection Law from Data Subjects; and
(c) its instructions to Project Brain comply with Applicable Data Protection Law.
#3. Processing of Personal Information
#3.1 Documented instructions
Project Brain will process Personal Information only:
(a) on the documented instructions of the Customer, as set out in the Agreement, this DPA, the Order, and the Customer's use of the Service through its administrators and Authorised Users; and
(b) as required by law (in which case Project Brain will, where lawful, notify the Customer before processing).
#3.2 Notification of unlawful instructions
Project Brain will notify the Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law. Project Brain is not obliged to act on instructions it reasonably considers unlawful.
#3.3 Processing details
The subject matter, duration, nature, purposes, categories of Data Subjects, and categories of Personal Information processed are set out in Annex 1.
#4. Confidentiality and personnel
Project Brain ensures that personnel authorised to process Personal Information:
(a) are bound by appropriate confidentiality obligations (whether contractual or statutory) that survive termination of their engagement;
(b) receive appropriate training on data protection and information security; and
(c) access Personal Information only on a need-to-know basis.
#5. Security
Project Brain implements and maintains appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including those described in Annex 2. Project Brain reviews and updates these measures regularly to reflect evolving risks and standards.
The Customer acknowledges that the security measures in Annex 2 provide an appropriate level of security having regard to the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks for Data Subjects.
#6. Sub-processors
#6.1 General authorisation
The Customer grants Project Brain general written authorisation to engage Sub-processors to process Personal Information, subject to this clause 6.
#6.2 Current Sub-processors
A current list of Sub-processors is set out in Annex 3 and is updated from time to time.
#6.3 Sub-processor obligations
Project Brain will:
(a) carry out due diligence on Sub-processors before engagement;
(b) impose on each Sub-processor written contractual obligations that are no less protective than this DPA in respect of Personal Information; and
(c) remain liable to the Customer for the acts and omissions of each Sub-processor as if they were its own.
#6.4 Notice of changes and right to object
Project Brain will give the Customer at least 30 days' notice (which may be via in-product notification, email to the Customer's primary contact, or update to the Sub-processor list page) of any intended change to the Sub-processor list that materially affects the processing of the Customer's Personal Information.
The Customer may object to a change on reasonable data-protection grounds within 15 days of notice. The parties will discuss the objection in good faith. If Project Brain cannot reasonably accommodate the objection, the Customer may terminate the affected Order on written notice and Project Brain will refund any prepaid, unused Fees attributable to the period after termination.
#7. Data Subject rights
#7.1 Assistance
Taking into account the nature of the processing and the information available to Project Brain, Project Brain will assist the Customer, by appropriate technical and organisational measures and insofar as is possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including access, correction, deletion, restriction, portability, and objection).
#7.2 Requests received by Project Brain
If Project Brain receives a request directly from a Data Subject in respect of Customer Data, Project Brain will:
(a) not respond to the request other than to acknowledge it and refer the Data Subject to the Customer; and
(b) where lawful, notify the Customer of the request without undue delay.
#7.3 Self-service tools
Project Brain provides self-service tools within the Service that allow the Customer to access, correct, export, and delete Customer Data. The Customer's use of these tools constitutes Project Brain's assistance under clause 7.1 in respect of those rights.
#7.4 Cost
Project Brain's assistance under this clause is included in the Fees, except where a request requires materially more effort than the self-service tools support, in which case Project Brain may charge a reasonable cost-based fee on prior notice.
#8. Personal Data Breach notification
#8.1 Notice to Customer
On becoming aware of a confirmed Personal Data Breach affecting the Customer's Personal Information, Project Brain will:
(a) notify the Customer without undue delay and in any event within 48 hours; and
(b) provide the Customer with information reasonably necessary to enable the Customer to meet its own notification obligations, including (to the extent then known): the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.
#8.2 Investigation and remediation
Project Brain will:
(a) investigate the Personal Data Breach;
(b) take reasonable steps to contain, mitigate, and remediate it; and
(c) cooperate with the Customer's reasonable requests for further information.
#8.3 No admission
A notification under this clause is not an admission of fault or liability.
#9. Data protection impact assessments and prior consultation
Project Brain will provide reasonable assistance to the Customer in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities required by Applicable Data Protection Law, taking into account the nature of the processing and the information available to Project Brain. This assistance is included in the Fees, except where it requires materially more than standard documentation, in which case Project Brain may charge a reasonable cost-based fee on prior notice.
#10. International transfers
#10.1 Default location
Customer Data is hosted in Australia (Sydney region, AWS ap-southeast-2). Project Brain will not transfer Customer Data outside Australia for primary processing or storage without notice.
#10.2 Transfers required to provide the Service
The Customer authorises transfers to and from countries where Project Brain or its Sub-processors operate to the extent reasonably necessary to provide the Service (for example, support, monitoring, and incident response from personnel located in Australia or other jurisdictions listed in Annex 3).
#10.3 EU/UK/Swiss transfers
Where the processing of Personal Information by Project Brain involves a Restricted Transfer from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties agree:
(a) the EU SCCs, Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) as applicable, are incorporated into this DPA by reference and apply to that transfer with:
- Clause 7 (docking clause): included;
- Clause 9(a) (sub-processor authorisation): Option 2 — general written authorisation, with the notice period in clause 6.4 of this DPA;
- Clause 11(a) (independent dispute resolution): optional language not included;
- Clause 17 (governing law): the law of the Republic of Ireland;
- Clause 18(b) (jurisdiction): the courts of the Republic of Ireland;
- Annex I.A (parties): the Customer (data exporter) and Project Brain (data importer);
- Annex I.B (description of transfer): Annex 1 of this DPA;
- Annex I.C (competent supervisory authority): as determined under Clause 13 of the EU SCCs;
- Annex II (technical and organisational measures): Annex 2 of this DPA;
- Annex III (sub-processors): Annex 3 of this DPA;
(b) for transfers from the UK, the UK IDTA is incorporated into this DPA by reference. Tables 1, 2, and 3 are completed with the corresponding details from this DPA and the EU SCCs above; Table 4 (importer's right to terminate the IDTA): neither party may end the IDTA when the Approved IDTA changes; and
(c) for transfers from Switzerland, the EU SCCs apply with the amendments specified by the Swiss Federal Data Protection and Information Commissioner: references to GDPR are interpreted as references to the Swiss Federal Act on Data Protection (FADP), and references to EU Member State supervisory authorities are interpreted as the FDPIC.
#10.4 Conflict
If there is any conflict between this DPA and the EU SCCs or UK IDTA in respect of a Restricted Transfer, the EU SCCs or UK IDTA (as applicable) prevail.
#10.5 Supplementary measures
The parties acknowledge that Project Brain implements the supplementary measures described in Annex 2 to address risks identified in transfer impact assessments, including encryption in transit and at rest, access controls, and contractual challenge of overbroad government access requests.
#11. Audits
#11.1 Information and certifications
Project Brain will, on the Customer's reasonable written request and no more than once per 12-month period (unless required by a regulator or following a confirmed Personal Data Breach affecting the Customer's Personal Information), make available:
(a) a summary of its current security practices;
(b) the most recent executive summary of any independent security assessment (such as a SOC 2 report, ISO 27001 certificate, or penetration test summary), subject to confidentiality;
(c) responses to a reasonable security questionnaire; and
(d) other information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
#11.2 On-site audits
The Customer's audit rights under Article 28(3)(h) of the GDPR/UK GDPR are satisfied by Project Brain's provision of information and certifications under clause 11.1. The Customer may request an on-site audit only where:
(a) required by a supervisory authority; or
(b) following a confirmed Personal Data Breach materially affecting the Customer's Personal Information, where the information available under clause 11.1 is reasonably insufficient.
Any on-site audit is conducted at the Customer's cost during business hours, on at least 30 days' notice, by an independent auditor reasonably acceptable to Project Brain, subject to confidentiality and reasonable security restrictions. The audit must not unreasonably interfere with Project Brain's business and must not access Personal Information of other customers.
Physical audits of AWS data centres are not permitted; the parties rely on AWS's third-party attestations.
#12. Deletion and return of Personal Information
#12.1 During the Subscription Term
The Customer may export Customer Data at any time using self-service tools, in formats per the Agreement (JSON, CSV, and where applicable PDF).
#12.2 On termination
Following termination or expiry of the Agreement, Project Brain will:
(a) allow the Customer 30 days to export Customer Data; and
(b) thereafter delete all Personal Information from production systems within a further 30 days, with deletion from rolling backups occurring in the ordinary course within 35 days of overwrite.
#12.3 Legal hold
Project Brain may retain Personal Information for so long as required by law. Any retained Personal Information remains subject to the confidentiality and security obligations of this DPA.
#12.4 Certification
Project Brain will, on written request, provide written certification of deletion within 30 days of completion.
#13. Liability and precedence
#13.1 Liability cap
Each party's liability under this DPA is subject to the limits of liability in the Agreement. Liability under the EU SCCs and UK IDTA in respect of Restricted Transfers is not capped where capping is prohibited; otherwise, the Agreement's caps apply.
#13.2 Order of precedence
If there is any conflict between this DPA and the Agreement, this DPA prevails in respect of the processing of Personal Information. The EU SCCs and UK IDTA prevail over this DPA in respect of Restricted Transfers.
#14. Term and termination
This DPA takes effect on the effective date and continues for the term of the Agreement. The obligations under clauses 4, 5, 8, 10, 12, and 13 survive termination as necessary to fulfil their purpose.
#15. General
#15.1 Notices
Notices under this DPA are given in accordance with the Agreement. Privacy-specific notices may also be sent to privacy@projectbrain.com.au.
#15.2 Governing law and jurisdiction
This DPA is governed by the laws of New South Wales, Australia, except that for Restricted Transfers the governing law and jurisdiction provisions of the EU SCCs or UK IDTA (as applicable) prevail.
#15.3 Severability
If any provision of this DPA is held unenforceable, the remaining provisions continue in full force.
#15.4 No third-party beneficiaries
Except for Data Subjects' rights under the EU SCCs and UK IDTA, this DPA does not confer rights on any third party.
#Annex 1 — Description of processing
Subject matter of processing: Provision of the Project Brain software-as-a-service platform, including hosting, indexing, search, collaboration, document management, AI-assisted processing (summarisation, classification, search, generation), integration with third-party services authorised by the Customer, and related support.
Duration of processing: The term of the Agreement, plus the post-termination retention period set out in clause 12.
Nature of processing: Collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure, and destruction.
Purposes of processing:
- providing the Service to the Customer and its Authorised Users;
- securing the Service and detecting and preventing fraud and abuse;
- maintaining the Service (backups, disaster recovery, troubleshooting, support);
- complying with legal obligations; and
- producing aggregated and de-identified analytics consistent with the Privacy Policy.
Categories of Data Subjects:
- the Customer's Authorised Users (employees, contractors, agents);
- the Customer's clients, suppliers, and other business contacts whose details are uploaded to the Service;
- where applicable to the Customer's use case, individuals whose data appears in project records (for example, site visitors, subcontractor personnel, building occupants).
Categories of Personal Information:
- identification and contact details (name, email, phone, business address, job title, employer);
- account and authentication data (credentials, session identifiers, role/permissions);
- profile and preference data;
- communications (messages, comments, support requests);
- usage and log data (IP address, device identifiers, timestamps, feature usage);
- content uploaded by the Customer that may contain Personal Information (project documents, photos, drawings, records); and
- billing and payment data (limited to the categories described in the Privacy Policy).
Special categories / sensitive information: Not solicited. The Customer must not upload sensitive information without an appropriate lawful basis and consent. Where the Customer's lawful use case requires sensitive information, the parties will agree additional safeguards in writing.
Frequency of processing: Continuous for the duration of the Agreement.
Retention: As set out in clause 12 and the Privacy Policy.
#Annex 2 — Technical and organisational measures
Project Brain implements the following measures, reviewed at least annually:
#Governance
- Documented information security policies aligned with ISO 27001 / SOC 2 control families.
- Privacy and security responsibilities assigned to an accountable officer.
- Annual risk assessments and treatment plans.
- Vendor risk management for Sub-processors.
#Access control
- Role-based access control with least-privilege defaults.
- Multi-factor authentication (MFA) for all personnel with production access.
- Single sign-on (SSO) available to the Customer.
- Quarterly access reviews; immediate revocation on role change or departure.
- Audit logging of administrative access to Customer Data.
#Encryption
- TLS 1.2 or higher for data in transit on public networks.
- AES-256 (or equivalent) for data at rest, including primary storage, backups, and indexes.
- Key management via cloud provider key management service with rotation policies.
#Network and infrastructure security
- Hosted on Amazon Web Services (Sydney, ap-southeast-2) with multi-AZ redundancy.
- Network segmentation between environments and tenants.
- Web application firewall and DDoS protection.
- Hardened operating system images; automated patching of high-severity vulnerabilities within defined SLAs.
- Continuous vulnerability scanning; quarterly third-party penetration testing.
#Application security
- Secure software development lifecycle (SSDLC) including peer code review, static analysis, and dependency scanning.
- Tenant isolation enforced at the application and data layers.
- Input validation, output encoding, and protection against the OWASP Top 10.
- Secrets management with no secrets in source code.
#Monitoring and incident response
- Centralised logging with integrity protections.
- 24/7 monitoring and alerting for security and availability.
- Documented incident response plan, tested annually.
- Personal Data Breach notification per clause 8.
#Business continuity
- Daily encrypted backups retained on a rolling 35-day schedule.
- Documented disaster recovery plan with defined recovery objectives.
- Annual disaster recovery testing.
#Personnel
- Background checks for personnel with production access, where lawful.
- Confidentiality obligations as a condition of employment or engagement.
- Annual security and privacy awareness training; role-based training for engineering and support personnel.
- Joiner/mover/leaver process to manage access changes.
#Physical security
- Physical security of data centres is provided by AWS under its compliance program (including ISO 27001, SOC 1/2/3, PCI DSS, IRAP/PROTECTED).
- Project Brain corporate offices restrict physical access through electronic access control.
#AI-specific measures
- AI processing performed within Project Brain's AWS environment or under contracts that prohibit Sub-processors from using Customer Data to train their own foundation models.
- Customer Data is not used to train foundation models made available to other customers or the public.
- Tenant-scoped model training is isolated to the Customer's tenant.
- Account administrators may disable AI features per the Privacy Policy.
#Supplementary measures for Restricted Transfers
- Strong end-to-end encryption with provider-managed keys.
- Pseudonymisation where compatible with the processing purpose.
- Documented government access request procedure: assess each request for lawfulness, challenge overbroad or unlawful requests, minimise disclosure, and notify the Customer where lawful.
#Annex 3 — Sub-processors
The list below identifies Sub-processors that may process Personal Information on Project Brain's behalf. The most current list is maintained at [Project Brain — Sub-processor List] (provided on request to privacy@projectbrain.com.au) and updated when material changes occur.
| Sub-processor | Service provided | Location of processing |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting, indexed data storage, AI model inference infrastructure | Australia (Sydney, ap-southeast-2) |
| Stripe Payments Australia Pty Ltd | Payment processing | Australia (with controller in the US) |
| Email delivery provider (TBC) | Transactional and notification email | TBC |
| Customer support platform (TBC) | Helpdesk and ticketing | TBC |
| Error and performance monitoring (TBC) | Application monitoring and crash reporting | TBC |
| Product analytics (TBC) | Aggregated usage analytics | TBC |
Other Sub-processors are engaged where the Customer authorises an integration with a third-party service (for example, Gmail, Microsoft 365 / Outlook / OneDrive / Teams, Dropbox, Xero, Procore). Those services act as independent controllers or processors of the Customer's choosing and are not Project Brain Sub-processors for the purposes of this Annex.
#Contact
Project Brain Pty Ltd — Privacy Officer
Suite 302, 13/15 Wentworth Avenue
Sydney NSW 2000
Australia
privacy@projectbrain.com.au
legal@projectbrain.com.au
security@projectbrain.com.au