SaaS Terms of Use

Please read this SaaS Terms of Use (Terms of Use) carefully. It governs Your commercial relationship with Us and sets out legally binding provisions which regulate Your use of Our website platform and the services that We make available through Our platform.

To assist You, We have prepared summaries of Our Terms of Use. Our summaries are in the right hand column below. The summaries are not a substitute for reading the operative provisions of Our Terms of Use (i.e. those in the left hand column below). The operative provisions of Our Terms of Use are legally binding. Our summaries are not legally binding, and do not limit the scope or operation of the operative provisions.

Operative Provisions Summary

1. Acceptance and modification of these Terms of Use

1.1. You may only access, browse and use our website Platform and the Services that We make available through Our Platform if You accept and agree to these Terms of Use. By accessing, browsing and/or using Our Platform, and by submitting an Application Form to Us, You will be deemed to have confirmed that You have read and understand, and wholly and unconditionally agree to be legally bound by, and accept, these Terms of Use including the provisions of the documents incorporated into these Terms of Use (namely, Our Privacy Policy and if You are a Subscriber – the Application Form and Our Data Processing Addendum).
1.2. We may modify and/or replace these Terms of Use from time to time without notice (except where You are a Subscriber of Our Platform – in which case We will notify You of the update using the email address that You enter into Your Platform Account).
1.3. We will always upload the latest version of these Terms of Use to this webpage.
1.4. If You do not wish to accept these Terms of Use, You must not and cannot use the Platform, the Services, or any part of them.

You may only use the Platform if you agree to Our Terms of Use.

2. Definitions and Interpretation
2.1. Definitions

In these Terms of Use:
Australian Consumer Law means schedule 2 to the Competition and Consumer Act 2010 (Cth).
Application Form means an application form executed by You and Us for Your subscription to the Platform.
Business Day means Monday – Friday excluding public holidays in New South Wales.
Business Hours means 9:00am – 5:00pm AEST on Business Days.
Data Processing Addendum means the document accessible at: https://www.hexicomsoftware.com/saas-terms-of-use/#adden
GST has the meaning given by the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
Insolvency Event means the occurrence of any of the following events in relation to a party (in each case, the relevant party):
(a) the relevant party ceases to (or is unable to) pay its creditors (or any class of them) in the ordinary course of business, or announces its intention to do so;
(b) a receiver, receiver and manager, administrator, liquidator or similar officer is appointed to the relevant party or any of its assets;
(c) the relevant party enters into, or resolves to, enter into, a scheme or arrangement, compromise or composition with any class of creditors;
(d) a resolution is passed or an application to a court is taken for the winding up, dissolution, official management or administration of the relevant party;
(e) any liquidator, receiver or manager enters into possession of any of the assets of the relevant party;
(f) a mortgagee, chargee or other holder of security, by itself or by or through an agent, enters into possession of all or any part of the assets of the relevant party;
(g) the relevant party applies for, consents to, or acquiesces in the appointment of a trustee or receiver in respect of the party or any of its property;
(h) except to reconstruct or amalgamate while solvent on terms approved by the other party to the SaaS Agreement, the relevant party enters into or resolves to enter into a scheme of arrangement, compromise or re-construction with its creditors (or any class of them) or with its members (or any class of them) or proposes a reorganisation, re-arrangement, moratorium or other administration of the party’s affairs; or
(i) anything having a substantially similar effect to any of the events specified above happens under the law of any applicable jurisdiction.
Intellectual Property Rights means all copyright, trademark rights, patent rights, and design rights, whether registered or unregistered, and all other rights to intellectual property as defined under article 2 of the convention establishing the World Intellectual Property Organization, and all rights to enforce any of the foregoing rights.
Moral Rights has the meaning given in the Copyright Act 1968 (Cth).
Non-Excludable Guarantee means a non-excludable guarantee implied by the Australian Consumer Law.
Personal Information has the meaning given in the Privacy Act 1988 (Cth).
Personal Property Securities Register means the Personal Property Securities Register established under the Personal Property Securities Act 2009 (Cth).
Platform means Our cloud based software platform owned and/or provided by Us specified in the Application Form and also includes the Services and any content, images, text and other information appearing on any page or screen of the website Platform and any source code and object code in the Platform. However, the Platform does not include Subscriber Data.
Platform Account means an account on the Platform that is set up when a Subscriber registers on the Platform or subscribes to the Services by agreeing to the terms of the SaaS Agreement in the Application Form.
Platform Services Description means the functionality of the Platform specified or referred to in or from the Application Form.
Privacy Policy means Our Privacy Policy located at: https://www.hexicomsoftware.com/privacy-policy/
Quotation means a document entitled “Quotation” executed by Us and issued to You.
Request for Quotation means a request made by You to Us for a Quotation.
SaaS Agreement has the meaning given in clause 18.7.
Services means the functionality and services specified or referred to in or from the Application Form.
Subscriber means a person, corporation or entity who subscribes to the Platform.
Subscriber Data has the meaning given in clause 7.1.
Terms of Use means the terms and conditions set out on this webpage as amended by Us from time to time.
We, Our and Us means Hexicom Software Pty Ltd (ABN 99 129 473 472) of PO Box 299 Berowra Heights, NSW 2082 Australia.
You means you, the person who accesses the Platform for any reason, whether or not you are a Subscriber of the Platform.

1.1. Interpretation

In these Terms of Use:
(a) Headings and underlinings are for convenience only and do not affect the construction of these Terms of Use.
(b) A provision of these Terms of Use will not be interpreted against a party because the party prepared or was responsible for the preparation of the provision, or because the party’s legal representative prepared the provision.
(c) Currency means the currency specified in the Application Form.
(d) A reference to a statute or regulation includes amendments thereto.
(e) A reference to a clause, subclause or paragraph is a reference to a clause, subclause or paragraph of these Terms of Use.
(f) A reference to a subclause or paragraph is a reference to the subclause or paragraph in the clause in which the reference is made.
(g) A reference to time is to time in NSW Australia.
(h) A reference to a person includes a reference to an individual, a partnership, a company, a joint venture, government body, government department, and any other legal entity.
(i) The words “includes”, “including” and similar expressions are not words of limitation.

Capitalised terms in these Terms of Use are defined in this clause.

2. Access and use of the Platform by unregistered users

2.1. Only Subscribers may access and use the Services. Please contact Us if You wish to become a Subscriber.

You can’t use most of the functionality provided by the Platform until You become a Subscriber.

3. Applications for subscription to the Platform

3.1. We reserve the right to accept or reject any person’s subscription to the Platform in Our absolute discretion.
3.2. If You submit an application to subscribe to the Platform, You:
(a) will be deemed to have irrevocably warranted that in the Application Form You provided truthful and accurate information only;
(b) will be deemed to have irrevocably warranted that You applied to become a Subscriber of the Platform on behalf of and with the authority and consent of any business entity that You entered into the Application Form;
(c) will be deemed to have irrevocably agreed to be jointly and severally liable for any breach of these Terms of Use by that business entity.
3.3. You must ensure that a valid email address for You is specified in the Application Form.
3.4. If any of Your contact details or other information which You provide in the Application Form change, You must promptly update those details in Your Platform Account with Your up-to-date details and information.
3.5. You must not provide Your Platform Account name or the password for Your Platform Account to any person. You agree and acknowledge that You shall be solely responsible for the confidentiality of Your username and password and any use of Your Platform Account (including unauthorised use).
3.6. You must immediately notify Us if You become aware of any unauthorised use of Your Platform Account.
3.7. You agree and acknowledge that if You become a Subscriber, You will have a non-exclusive, non-assignable, non-sublicensable, revocable right to access the Services for the Permitted Purpose expressly specified in the Application Form. You must not access the Services for any other purpose.

Your registration on Our Platform is subject to Our approval. You and your company are both responsible for your or their breach of Our Terms of Use and for the security of your login credentials.

4. Renewal

4.1. If You become a Subscriber, Your subscription to the Services commences on the Commencement Date specified in the Application Form.
4.2. If You become a Subscriber, Your subscription to the Services is for the Initial Term and will continue for subsequent consecutive terms of twelve (12) months (each a Renewal Term), until and unless this Agreement is terminated earlier:
(a) by either party providing at least thirty (30) days written notice prior to the expiry of the Initial Term or the then current Renewal Term, in which case where such notice is provided Your subscription to the Platform will terminate at the expiry of the Initial Term or the then current Renewal Term, as applicable; or
(b) otherwise in accordance with clause 16.

The SaaS Agreement will continue for 12 month periods after the Initial Term.

5. Service Charges

5.1. Each Subscriber must pay the fees and charges set out in the SaaS Agreement, or as otherwise agreed between Us and the Subscriber in writing, in consideration for the Subscriber’s subscription to the Services (“Service Charges”) monthly in advance, plus any GST that is applicable in respect of the supply of the Services to the Subscriber.
5.2. Any applicable GST and credit card surcharges must be payable at the same time as the Service Charges.
5.3. If You are a Subscriber, You must pay the Service Charges to Us each month, in advance, on or before the 28th day of the month.
5.4. You must pay all costs associated with accessing the Platform through the internet.
5.5. The Service Charges must be paid in accordance with the payment terms specified in the Application Form and must be set up as an automatic recurring monthly payment.
5.6. Without limiting Our rights and any other provision of these Terms of Use, if a Subscriber fails to pay the Service Charges in accordance with the requirements of the SaaS Agreement seven (7) days after it is due and payable, We may impose an administrative fee of $100.00 and that amount will be added to and be made due and payable in the monthly invoice issued by Us for the following month. We may also suspend and/or terminate the Subscriber’s access to the Services and its Subscriber Data hosted in the Services at any time and without notice, except where doing so would be contrary to applicable law.
5.7. A Subscriber may request additional Platform Accounts, Bandwidth Allocations and Data Storage Allocations by sending Us a written notice with their request. Any such additions will be considered and determined by Us in Our absolute discretion and any associated fees will be payable within 7 days of invoice.

Subscribers must pay any Set up fees and monthly Service Charges in advance by the 28th day of every month.
If You don’t pay Us, We may impose an administrative fee and/or suspend and/or terminate Your access to the Platform.

6. Custom Software Development

6.1. You may issue a Request for Quotation to Us at any time and from time to time with respect to any custom software development that You may require for the purposes of enhancing or modifying the Platform.
6.2. Requests for Quotation are invitations to treat.
6.3. We may issue a Quotation to You without first having received a Request for Quotation.
6.4. If You wish to accept a Quotation, You must follow the instructions on the Quotation that specify how the Quotation can be accepted. Quotations cannot be accepted in any other way.
6.5. Each accepted Quotation will constitute a separate agreement between You and Us.
6.6. We have no obligation to issue a Quotation or respond to a Request for Quotation.

You may request custom software development from us. We will consider your requests on a case by case basis.

7. Responsibility for and ownership of Subscriber Data

7.1. If You are a Subscriber, We agree that as between You and Us, You own all data that You upload into the Services (“Subscriber Data”).
7.2. You agree and acknowledge that:
(a) the Services and/or Your Subscriber Data may be hosted by Us or Our suppliers on hardware or infrastructure located in or outside Australia;
(b) We may change Our suppliers, including our hosting suppliers, who host the Services and/or Your Subscriber Data on our behalf at any time in Our absolute discretion (except where applicable law requires Us to obtain Your consent in relation to any such change);
(c) We may not own or operate the infrastructure upon which the Services and/or the Subscriber Data is hosted.
7.3. If You are a Subscriber, You warrant, agree and represent that:
(a) You will only upload, input and transfer Subscriber Data into and/or via the Services or disclose Subscriber Data to Us, which You are fully entitled and authorised to upload, input, transfer and disclose; and
(b) Your Subscriber Data and Our collection, use, storage and/or disclosure thereof in the course of providing the Services, will not breach any applicable law or right of any person.
7.4. If You are a Subscriber, You license us on an irrevocable, non-exclusive, royalty-free, worldwide basis to use and publish your Subscriber Data on the Platform as required by Us to provide the Services.
7.5. Each Subscriber is solely responsible for the accuracy, legality and quality of all its Subscriber Data and for obtaining any permissions, licenses, rights and authorisations necessary for Us to use, host, transmit, store and disclose the Subscriber Data in connection with the provision of the Services.
7.6. We back up Subscriber Data on a daily basis, and hold backups for several days after which time they are automatically destroyed.
7.7. If You are a Subscriber, You acknowledge that Your access to Your Subscriber Data that is hosted by the Services is subject to Your compliance with these Terms of Use, including payment of any applicable Service Charges.
7.8. You indemnify Us in respect of any loss and damage We or any of Our suppliers incur in respect of any claim that any of Your Subscriber Data is lost, unavailable or corrupted or the transmission, storage, disclosure, or access to any of Your Subscriber Data infringes the Intellectual Property Rights or other rights of any person or breaches any law, regulation, code or standard.

As between You and Us, You own the data that You upload into the Platform. You have to obtain consent, where relevant, before uploading it.

8. Availability of Services

8.1. Subject to clauses 8.2, 8.3 and 8.4, while You are a Subscriber of the Platform, We agree to use Our best endeavours to procure hosting of the Services and the Subscriber Data and to ensure that the Services are available.
8.2. The availability of the Services to You will be subject, in addition to any other provisions set out in these Terms of Use, to any bandwidth limitations, database size limitations, throughput limitations and other technical and non-technical limitations or restrictions set out in the Platform Services Description, and any planned and unplanned maintenance of the Platform and/or Our hosting providers.
8.3. You agree and acknowledge that the accessibility and use of the Platform, the Services and the Subscriber Data hosted by the Platform is highly dependent on the proper function of the Internet and any other computer and telecommunications networks and infrastructure upon which the Platform and/or Services and/or Subscriber Data operate, interface with or connect to, and that We are not responsible for any non-performance of the Platform associated with any of those matters.
8.4. Except in respect of any Non-Excludable Guarantee, We do not guarantee that the Platform, Services or Subscriber Data or access thereto will be uninterrupted or error-free and You release and indemnify Us in respect of any loss and damage that We may incur and/or claims and/or complaints You or your customers may have against Us in respect of any interruption, error or unavailability of the Platform, Services or any Subscriber Data.
8.5. We may update and enhance the Platform at any time without notice.

Our Platform might go offline from time to time.

9. Usage Restrictions

9.1. You may not make any use of the Platform except as permitted by these Terms of Use.
9.2. You may not do or authorise the commission of any act that would or might invalidate or be inconsistent with Our Intellectual Property Rights in the Platform.
9.3. Without limiting the foregoing provisions, You must not, under any circumstances, sell or resell access to the Platform or scrape, republish, mirror or otherwise rent, lend, lease, sell, redistribute, sublicense, copy or duplicate the Platform or any content You obtain via the Platform (other than Your Subscriber Data). In addition, You must not, nor may You permit any person to:
(a) copy, alter, modify, adapt, reproduce, republish, frame, translate, reverse assemble, reverse engineer, reverse compile, transfer, sell, licence, create derivative works from or enhance the Platform and/or any content in the Platform (except any of Your Subscriber Data) (except as expressly permitted by the Copyright Act 1968 (Cth));
(b) do any act that would or might invalidate or be inconsistent with Our Intellectual Property Rights or those of Our licensors;
(c) use the Platform in any way that infringes Our rights or the rights of any third party;
(d) use the Platform to create any product or service that competes with the Platform; or
(e) take any steps to circumvent any technological protection measure or security measures in the Platform.
9.4. You must not use the Platform or any part of the Platform in any way which is in breach of any statute, regulation, law or legal right of any person.
9.5. You must not use the Platform or any part of the Platform in breach of these Terms of Use.

We own the Platform and all IP in the Platform. You cannot infringe our IP rights.

10. Acceptable Use Policy

10.1. You agree that:
(a) using the Platform to violate all or any legal rights of any person or company or other entity in any jurisdiction is strictly prohibited by these Terms of Use;
(b) using the Platform in relation to crimes such as theft and fraud is strictly prohibited by these Terms of Use;
(c) using the Platform in breach of laws relating to the protection of copyright, trade secrets, patents or other intellectual property and laws relating to spam or privacy and whether such violation is by way of the installation or distribution of “pirated” software or otherwise, is strictly prohibited by these Terms of Use;
(d) introduction of malicious programs into Our network or servers (e.g., viruses, worms, Trojan horses, e-mail bombs) is strictly prohibited by these Terms of Use;
(e) revealing Your account password to others or allowing use of Your Platform Account by others is strictly prohibited by these Terms of Use;
(f) using another person’s name, username or password or otherwise attempting to gain access to the Platform Account of any other person is strictly prohibited by these Terms of Use;
(g) using the Platform to make fraudulent offers of goods or services is strictly prohibited by these Terms of Use;
(h) using the Platform to carry out security breaches or disruptions of network communication is strictly prohibited by these Terms of Use. Security breaches include, but are not limited to, accessing data of which You are not an intended recipient or logging into a server or account that You are not expressly authorized to access or corrupting any data. For the purposes of this paragraph, “security breaches” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes;
(i) using the Platform to execute any form of network monitoring which will intercept data not intended for You is strictly prohibited by these Terms of Use;
(j) using the Platform to circumvent user authentication or security of any of Our hosts, networks or accounts or those of Our customers or suppliers is strictly prohibited by these Terms of Use;
(k) using the Platform to interfere with or deny service to anyone is strictly prohibited by these Terms of Use;
(l) using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, any person’s use of the Platform is strictly prohibited by these Terms of Use;
(m) sending unsolicited email messages through or to users of the Platform in breach of the Spam Act 2003 (Cth) is strictly prohibited by these Terms of Use;
(n) using the Platform to send any form of harassment via email, or any other form of messaging, whether through language, frequency, or size of messages is strictly prohibited by these Terms of Use; and
(o) use of the Platform in breach of any person’s privacy (such as by way of identity theft or “phishing”) is strictly prohibited by these Terms of Use.

You cannot use the Platform for any illegal purpose or to violate any person’s legal rights.

11. Intellectual Property Rights

11.1. You agree and acknowledge that these Terms of Use do not transfer or assign any Intellectual Property Rights to You.
11.2. As between You and Us, except in respect of Your Subscriber Data, We own all Intellectual Property Rights in the Platform and in the Software underlying it.
11.3. You have no rights in the Platform or in any part of it or in any modification or enhancement thereof, other than the rights temporarily granted to You pursuant to these Terms of Use.
11.4. You agree that any Intellectual Property Rights in any comments that You may provide to Us in connection with the Platform or requests for new Platform features (each, an “Improvement Suggestion”) becomes Our sole and exclusive property immediately upon You uploading or posting that Improvement Suggestion to the Platform or otherwise providing the Improvement Suggestion to Us, and You hereby assign all Intellectual Property Rights in all and any such Improvement Suggestions to Us effective as soon as You provide each Improvement Suggestion to Us or upload or post an Improvement Suggestion to the Platform, pursuant to section 197 of the Copyright Act 1968 (Cth) and in equity. You consent to the infringement by Us and any third party We authorise, of all Moral Rights that You may have in any Improvement Suggestions.
11.5. You must not take any step to invalidate or prejudice Our (or Our licensors’) Intellectual Property Rights in the Platform or otherwise. Without limiting the foregoing provisions, You must not register any security interest or purchase money security interest on the Personal Property Securities Register, or otherwise encumber or charge Your rights in respect of Your Subscriber Data or with respect to the rights granted to You by these Terms of Use to use the Platform.

We own the Platform and all IP in the Platform. We also own all improvement suggestions that You make regarding the Platform.

12. Responsibility for other Subscribers

12.1. We do not accept responsibility for the conduct of any Subscribers of Our Platform.
12.2. If You believe that another Subscriber of Our Platform has breached these Terms of Use please contact Us.
12.3. We are not a party to any transaction for the supply of goods or services advertised by any Subscriber of the Platform. Before entering into any transaction with any other Subscriber of the Platform, You should carefully consider the applicable terms and conditions applicable to the transaction, obtain all appropriate advice and take all appropriate precautions.
12.4. Any dispute You have with another user of Our Platform is between You and the other user. You release Us from any claims that You may otherwise have against Us in relation to any conduct of any user of Our Platform and in respect of any content uploaded by or on behalf of any user into the Platform.
12.5. If We become aware of content that breaches our Acceptable Use Policy (i.e. clause 10) We will remove the content and send an email to the person who uploaded or entered it explaining why it was removed. If You become aware of any content that You think breaches the Acceptable Use Policy set out in clause 10 above, please contact Us.

We cannot be held responsible for the conduct of Our Subscribers.

13. Responsibility for third party claims

13.1. You agree and acknowledge that You are solely responsible for and You indemnify Us in respect of any loss and damage We may incur in connection with any claims and/or complaints made by any third party where the claim is caused directly or indirectly by:
(a) Your misuse of the Platform; and/or
(b) Your goods and/or services and/or Your advertising and/or sales and/or marketing practices.

We are not responsible for any claims made by third parties.

14. Hyperlinks

14.1. We do not represent, recommend or endorse any websites to which We have linked from the Platform via hyperlink or otherwise.

We are not responsible for third party sites.

15. Liability

15.1. Except in respect of any Non-Excludable Guarantees, We do not represent that the information on the Platform is accurate, correct, up-to-date or error free.
15.2. The information on the Platform is not professional advice. You agree that You will seek all appropriate financial, legal and other advice as applicable before relying on any information You obtain from the Platform.
15.3. To the extent possible by law, We are not liable to You for any direct loss of profits or for any indirect, special or consequential loss or damage incurred by you, including liability for loss of profits, loss of business opportunity, loss of savings, or loss of data.
15.4. Except in respect of any Non-Excludable Guarantees, to the maximum extent permitted by law (and if permitted by law), We will not have any liability to You for any loss or damage howsoever incurred in relation to Your use of or inability to use the Platform, or with respect to any of the circumstances addressed in clause 13.1.
15.5. Any goods and services supplied by Us through the Platform (which for the avoidance of doubt, includes the Services supplied by Us, but does not include goods or services supplied by any user of the Platform to any person) may come with implied non-excludable guarantees which are regulated by the Australian Consumer Law. The extent of the implied guarantees depends on whether You are a ‘consumer’ of goods or services within the meaning of that term pursuant to the Australian Consumer Law as amended.
15.6. If the goods or services supplied by Us to You through the Platform (which for the avoidance of doubt, includes the Services supplied by Us, but does not include goods or services supplied by any user of the Platform to any person) are supplied to You in Your capacity as a ‘consumer’ of goods or services within the meaning of that term in the Australian Consumer Law as amended You will have the benefit of certain non-excludable guarantees in respect of those goods or services and nothing in these terms and conditions excludes or restricts or modifies any guarantee which pursuant to the Competition and Consumer Act 2010 (Cth) is so conferred. However, if the goods or services are subject to a non-excludable guarantee implied by the Australian Consumer Law and the goods or services are not ordinarily acquired for personal, domestic or household use or consumption, then pursuant to s 64A of the Australian Consumer Law, We limit Our liability for breach of any such non-excludable guarantee implied by the Australian Consumer Law (other than a guarantee implied by sections 51, 52 or 53 of the Australian Consumer Law) or expressly given by Us to You, in respect of each of the goods and services, where it is fair and reasonable to do so, at Our option, to one or more of the following:
(a) if the breach relates to goods:
(i) the replacement of the goods or the supply of equivalent goods;
(ii) the repair of such goods;
(iii) the payment of the cost of replacing the goods or of acquiring equivalent goods; or
(iv) the payment of the cost of having the goods repaired; and
(b) if the breach relates to services:
(i) the supplying of the services again; or
(ii) the payment of the cost of having the services supplied again.
15.7. Any warranty against defects provided by Us to You in Your capacity as a ‘consumer’ under the Australian Consumer Law is in addition to Your other rights and remedies under a law in relation to the goods or services to which the warranty relates.
15.8. Except in respect of any Non-Excludable Guarantees, all conditions, warranties and guarantees implied in these Terms of Use are excluded, to the extent possible by law.
15.9. To the extent that Our liability is not otherwise excluded by these Terms of Use, subject to any Non-Excludable Guarantees, Our liability to You is limited, in the aggregate for all and any claims losses, liability, legal costs and any other liability whatsoever or however arising, to the amount of the Service Charges specified in the first Service Charges invoice that we issue to You.

Our liability is limited in a number of ways.

16. Termination

16.1. If You are not a Subscriber, We may terminate these Terms of Use and Your access to the Platform or any part of it at any time without notice.
16.2. If You are a Subscriber, We may terminate these Terms of Use and Your access to the Platform by notice to You:
(a) if You breach any term of these Terms of Use;
(b) if You object to any intended changes concerning the addition or replacement of Our subprocessors; or
(c) at any other time on thirty (30) days notice.
16.3. Termination of these Terms of Use and access to the Platform does not affect any accrued rights of either party.
16.4. Except in respect of termination pursuant to clause 16.2(a), if You are a Subscriber and We terminate these Terms of Use and/or Your access to the Services, We will refund to You any part of any Service Charges paid by You for access to the Services that You have paid to Us in advance in respect of a period of time that has not expired as at the date of termination.

We can terminate your access to the Platform under certain conditions.

17. Notices

17.1. Any notice issued to You from Us or from Us to You shall be in writing and sent by hand delivery, post or email. Where sent from Us to You, We shall use Your contact details for your Platform Account set out in the Application Form.
17.2. You may contact Us or send a notice to Us using Our contact email address support@hexicomsoftware.com.
17.3. Any notice issued by hand shall be deemed delivered upon delivery.
17.4. Any notice issued by post shall be deemed delivered six (6) Business Days after posting if posted domestically, or fifteen (15) Business Days after posting if posted internationally.
17.5. Any notice issued via email shall be deemed to be delivered upon receipt by the sender of an electronic read receipt or delivery receipt, or upon receipt of confirmation from the recipient that the recipient received the email.
17.6. We may send You email or other electronic messages concerning Your Platform Account and the Platform from time to time.

Notices between you and us are deemed to be delivered at different times, depending on how and when they are sent.

18. General

18.1. Other rights: All rights not expressly granted to Us in these Terms of Use are expressly reserved by Us.

We reserve our rights.

18.2. Amendment: These Terms of Use may be amended by Us at any time. If You are a Subscriber, We will notify You of the amendments by providing notice in writing, or via a notice on the Platform (Amendment Notice). If You do not agree with the Amendment Notice, You must notify Us by written notice of that fact within seven (7) days of the date of the Amendment Notice (Objection Notice). If You and Us are unable to resolve the objection within seven (7) days from the date of the Objection Notice (Dispute Resolution Period), either party may terminate the SaaS Agreement for its convenience by written notice within seven (7) days of the expiry of the Dispute Resolution Period. We may withdraw an Amendment Notice prior to the expiry of the Dispute Resolution Period – if We do so You may not terminate the Agreement pursuant to this clause.

We can change these Terms of Use at any time. If You are unhappy about the changes, You can terminate your subscription.

18.3. Assignment: You may not assign, transfer, license or novate Your rights or obligations under these Terms of Use without Our prior written consent. We may assign, transfer, licence or novate Our rights or obligations under these Terms of Use at any time, subject to Our Privacy Policy.

You cannot transfer your rights under these Terms of Use unless we approve the transfer. We can transfer our rights and obligations at any time.

18.4. Severability: If any part of these Terms of Use is deemed invalid by a court of competent jurisdiction, the remainder of these Terms of Use shall remain enforceable.

If part of these Terms of Use is not legally binding, the rest still is.

18.5. Relationship: You and Us are independent contracting entities and these Terms of Use do not create any relationship of partnership, joint venture, fiduciary, or employer and employee or otherwise.

We are not partners, employer and employee, or in any other special commercial relationship.

18.6. Australian Consumer Law: The exclusions and limitations of liability set out in these Terms of Use shall apply to the fullest extent permissible at law, but We do not exclude or limit liability which may not be excluded or limited by law. Without limiting the foregoing provisions, We do not exclude liability under the Australian Consumer Law which is prohibited from being excluded.

Our liability is only limited to the extent permitted by law.

18.7. Entire Agreement: These Terms of Use, the Application Form, the Privacy Policy and the Data Processing Addendum constitute the entire agreement between You and Us (collectively, the SaaS Agreement) and to the extent possible by law, supersede all prior understandings, representations, arrangements and agreements between You and Us regarding its subject matter.

These Terms of Use, the Application Form, Privacy Policy and Data Processing Addendum set out our entire agreement.

18.8. Jurisdiction: The SaaS Agreement will be interpreted in accordance with the laws in force in New South Wales. You and Us irrevocably submit to the non-exclusive jurisdiction of the courts situated in New South Wales.

These Terms of Use will be subject to the law of New South Wales.

— UPDATED 6 DECEMBER 2018 —

Data Processing Addendum

PARTIES

Hexicom Software Pty Ltd ABN 99 129 473 472 of PO Box 299 Berowra Heights NSW 2082 Australia (“Hexicom”)

The subscriber of Hexicom’s Platform specified in the Application Form in the SaaS Agreement into which this Data Processing Addendum (“Addendum”) is incorporated.

RECITALS

A. Hexicom agrees, or has agreed, to provide, and the Subscriber agrees, or has agreed to engage Hexicom, to provide the Subscriber with access to Hexicom’s online platform (collectively, the “Platform”) under a SaaS Agreement (the “Agreement”).
B. This Addendum addresses a number of compliance matters for the purposes of Data Protection Laws.
C. In addition, this Addendum outlines how Hexicom and the Subscriber will approach actual, potential or suspected data breaches that may occur from time to time with respect to personal information and/or personal data under the Agreement ‘held’ by both Hexicom and the Subscriber (“Jointly Held Personal Information”) pursuant to the Agreement for the purposes of The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“NDB Law”) and/or the General Data Protection Regulation (GDPR) (EU) 2016/679 (the “GDPR”).

THE PARTIES AGREE AS FOLLOWS:

1. Definitions and Interpretation

1.1. Definitions

In this Addendum:
(a) any words starting with a capital letter shall have the meanings given to them in the Agreement unless otherwise defined in this Addendum;
(b) Hexicom and the Subscriber will each be referred to as a “party” and together the “parties”;
(c) “end user” means any person who accessed the Platform using the Subscriber’s subscription to the Platform;
(d) “Subscriber Personal Data” means personal data and/or personal information entered by the Subscriber into the Platform;
(e) the words “controller”, “consent”, “processor”, “data subject”, “personal data”, “processing”, “processed”, “special categories of personal data”, “Data Protection Officer” and “process” shall have the meanings given to them in the GDPR;
(f) the word “held” (and other forms of that word) has the meaning that ‘held’ is given in the Privacy Act 1988 (Cth) (the “Privacy Act”);
(g) “personal information” has the meaning given in the Privacy Act.

1.2. Interpretation

(a) The rules of interpretation set out in the Agreement will apply to this Addendum, except where inconsistent with Data Protection Laws, in which case the interpretation provisions of the relevant Data Protection Laws will prevail.
(b) The recitals to this Addendum form part of its operative binding terms.

1.3. References to GDPR

In this Addendum, any provision which refers to an obligation of a party to comply with the GDPR, or the right of a party under the GDPR, only applies to the extent that the GDPR applies to the processing pursuant to Article 3 of the GDPR. The parties have agreed that if Hexicom processes personal data of the Subscriber or any end user on behalf of the Subscriber and such processing is regulated by the GDPR (where the processing is within the territorial scope of the GDPR as set out in Article 3 thereof) (“GDPR Data”), this Addendum will govern Hexicom’s and the Subscriber’s commercial relationship for the purposes of the GDPR.

2. Term of this Addendum

2.1. This Addendum will apply for the Term of the Agreement and will automatically and immediately terminate upon termination or expiry of the Agreement for any reason.

3. Compliance with Data Protection Laws

3.1. Each party hereby agrees that it will comply with its obligations under all Data Protection Laws, including by collecting, holding, disclosing and otherwise processing personal data only in accordance with those laws and by maintaining all records and information required by any such laws.
3.2. The Subscriber must not provide instructions to Hexicom with respect to Subscriber Personal Data which contravene any Data Protection Laws. Hexicom will not have any obligation to process any such instructions or to process any personal data on behalf of the Subscriber if doing so would contravene any Data Protection Laws.
3.3. The Subscriber must provide Hexicom with any information and otherwise cooperate with Hexicom, to the extent reasonably required by Hexicom to comply with its obligations under Data Protection Laws.
3.4. Each party must take reasonable steps to ensure that its employees, agents and contractors comply with Data Protection Laws.

4. The GDPR

4.1. With respect to the processing of Subscriber Personal Data by Hexicom (as a processor) on behalf of the Subscriber (as controller) within the scope of the GDPR, Hexicom shall, at a minimum retain a record of all categories of processing activities carried out on behalf of the Subscriber by Hexicom, containing:

(a) the name and contact details of Hexicom and of the Subscriber and, where applicable, Hexicom’s or the Subscriber’s representative, and the data protection officer;
(b) the categories of processing carried out on behalf of the Subscriber;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.

4.2. In addition, with respect to GDPR Data, Hexicom agrees that:

(a) it will process the personal data only on documented instructions from the Subscriber, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which Hexicom is subject; in such a case, Hexicom shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) it will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) it will take all measures required pursuant to Article 32 of the GDPR;
(d) it will respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the processing, it will assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) it will assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to Hexicom;
(g) at the choice of the Subscriber, it will delete or return all the personal data to the Subscriber after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
(h) it will make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber.

5. Processing duration and de-identification

5.1. Hexicom may only process Subscriber Personal Data during the Term of the Agreement, and following the Agreement only for the purposes of deleting or returning Subscriber Personal Data to the Subscriber or complying with applicable law.
5.2. Following termination of the Agreement and subject to this clause 5, at the choice of the Subscriber, Hexicom must delete or return to the Subscriber all Subscriber Personal Data in Hexicom’s possession or control. Where the Subscriber requires that personal data to be returned, it must be returned to the Subscriber after the end of the provision of services relating to Hexicom’s processing thereof (“Processing Conclusion Date”), and Hexicom must thereafter delete all then remaining existing copies of that personal data in Hexicom’s possession or control as soon as reasonably practicable, but in any event not more than thirty (30) days after the Processing Conclusion Date, unless applicable law requires Hexicom to retain the personal data. For the purposes of complying with those applicable laws, Hexicom must notify the Subscriber of that requirement and only use such retained data for such purposes.
5.3. Notwithstanding clause 5.2, where the Subscriber Personal Data is not GDPR Data and is personal information for the purposes of the Privacy Act, within the thirty (30) day period following the Processing Conclusion Date instead of destroying the personal information Hexicom may take all reasonable steps in the circumstances to de-identify the applicable Subscriber Personal Data where it no longer needs it for any purpose for which it may be used in accordance with this Addendum or its Privacy Policy and the information is not contained in a Commonwealth record and Hexicom is not required by Australian law (or a court or tribunal order) to retain it.

6. Responsibility for consents, authorisations and approvals

6.1. The Subscriber warrants and represents that it consents to, approves and authorises, and that it has or will obtain (and will in any event, maintain for the Term of the Agreement) any other necessary consents, approvals and authorisations (including any consents and authorisations of end users, and those of third party controllers where the Subscriber is a processor), with respect to any Subscriber Personal Data, to the extent that such consents, approvals and authorisations are necessary for Hexicom to process that personal data for the purposes of the Agreement pursuant to Data Protection Laws.
6.2. Without limiting the foregoing provisions, the Subscriber hereby warrants and represents to Hexicom that all end users have authorised the Subscriber to appoint Hexicom as a processor (or sub-processor) where such authorisation is required by Data Protection Laws in order for Hexicom to lawfully process Subscriber Personal Data.

7. Subscriber processing instructions

7.1. Hexicom acknowledges that it will not process any GDPR Data in its capacity as a processor, except pursuant to the Subscriber’s instructions (including with respect to data transfers) unless applicable law to which Hexicom is subject requires other processing of that personal data by Hexicom, in which case Hexicom will inform the Subscriber of that legal requirement (unless that law prohibits Hexicom from doing so on important grounds of public interest).
7.2. Hexicom may assume that the Subscriber’s final and complete documented instructions to Hexicom to act as a processor on the Subscriber’s behalf with respect to the processing of Subscriber Personal Data are constituted by the following (“Subscriber Instructions”):

(a) the Agreement (including this Addendum incorporated into the Agreement);
(b) the act of the Subscriber uploading and/or entering of any personal data into the Platform;
(c) the act of any end users uploading and/or entering any personal data into the Platform;
(d) any settings selected, and/or configurations made, by the Subscriber or any end users in the Platform;
(e) any reasonable written instructions provided by the Subscriber to Hexicom; and
(f) the Subscriber and relevant end users using the functionality of the Platform to issue instructions to process personal data, such as, to delete personal data, export personal data or transfer personal data to a subprocessor.

7.3. Hexicom is not required to comply with the instructions of the Subscriber with respect to the processing of personal data, where complying with the instructions would contravene any applicable law.

8. Whose personal data will Hexicom process?

8.1. The Platform is designed only to be used to process personal data of end users.
8.2. However, the Platform will automatically process any personal data uploaded or entered into it. Hexicom may elect not to analyse all or any personal data uploaded or entered into the Platform. It is the Subscriber’s responsibility to ensure that only personal data of individuals that the Platform is designed to process is uploaded or entered into the Platform.

9. Types of Personal Data that will be processed

9.1. The types of personal data that will be processed by Hexicom in connection with the Agreement are Subscriber Personal Data, namely:

(a) names
(b) telephone numbers
(c) mobile numbers
(d) email addresses
(e) credit card details
(f) tax file numbers
(g) bank account details
(h) postal addresses
(i) residential addresses
(j) business addresses.

9.2. The Platform will also process any other personal information that end users voluntarily enter or upload into the Platform.
9.3. Hexicom will process the types of personal data referred to in this clause on behalf of the Subscriber in Hexicom’s capacity as a processor in order to provide the Subscriber and its end users with the functionality of the Platform.
9.4. The operations and sets of operations that will be performed by Hexicom on personal data or on sets of personal data (whether or not by automated means) will include collecting, recording, organising, structuring, storage, adaptation or alteration, modification, copying, duplication, replication, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, but only as required for the purposes of the Agreement.

10. Processing of Special Categories of Personal Data

10.1. Hexicom and the Subscriber each agree that the Platform is not to be used for processing of special categories of personal data without the prior written consent of both Hexicom and the Subscriber. The Subscriber must not, and must procure that all end users will not, enter or upload any personal data that falls within the scope of special categories of personal data into the Platform. Special categories of personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation as provided in paragraph 1 of Article 9 of the GDPR.
10.2. Notwithstanding subclause 1, Hexicom may process any Personal Data when necessary for the establishment, exercise or defence of legal claims or in any of the other circumstances referred to in paragraphs 2 and 3 of Article 9 of the GDPR.

11. Security

11.1. The technical and organisational measures that Hexicom has implemented, and will continue to implement for the Term to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage are as follows:

• Hexicom performs security testing (including penetration testing of the Platform), and maintains other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication and firewalls;
• Hexicom requires all of its employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements;
• Hexicom has a Data Breach Response Plan in place;
• Hexicom has data backup, archiving and disaster recovery processes in place;
• Hexicom has processes in place to ensure integrity and resilience of systems, servers and personal data.

11.2. The Subscriber warrants and represents that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of personal data by Hexicom as referred to in this Addendum, and the risks to individuals), the security measures referred to in subclause 1 provide a level of security appropriate to the risk in respect of the personal data to be processed by Hexicom on behalf of the Subscriber pursuant to the Agreement.

12. Confidentiality

12.1. Hexicom must ensure that its personnel, appointed by Hexicom to process personal data entered into and/or uploaded into the Platform by the Subscriber and/or any end user and/or captured by Hexicom from them or their use of the Platform or interaction with Hexicom, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

13. Sub-processing

13.1. Hexicom will only engage new third parties to process GDPR Data for Hexicom to process as a processor on behalf of the Subscriber (“subprocessors”) if the Subscriber has authorised Hexicom to do so pursuant to a specific or general written authorisation from the Subscriber.
13.2. As at the date of this Addendum, Hexicom is authorised to continue to engage the subprocessors already engaged by Hexicom to process GDPR Data. In addition, it is specifically authorised to engage any hosting providers deemed appropriate by Hexicom to host Subscriber Personal Data.
13.3. In the case of a general written authorisation, Hexicom shall inform the Subscriber of any intended changes concerning the addition or replacement of Hexicom’s subprocessors, thereby giving the Subscriber the opportunity to object to such changes. If the Subscriber objects to such changes, the parties must meet (physically or by telephone or online) within seven (7) days of the objection to discuss the changes. If the parties are unable to resolve any dispute about the changes, Hexicom may terminate the Agreement.

14. Cooperation between Hexicom and the Subscriber

14.1. Any request made by any end user or by any data subject pursuant to any Data Protection Law whose data is held by Hexicom on behalf of the Subscriber, where such request is made directly to Hexicom, is to be referred to the Subscriber and the Subscriber must action any such request.
14.2. If Hexicom is obliged to provide cooperation to the Subscriber pursuant to the GDPR or any other Data Protection Laws, all such cooperation will be at the cost of the Subscriber payable at Hexicom’s standard rates then in effect, except where charging a fee for such cooperation is prohibited by Data Protection Laws.

15. Data breaches

15.1. Each party must comply with its obligations set out in the Annexure to this Addendum in relation to any data breach of Jointly Held Personal Information held or otherwise processed for the purposes of the Agreement, where the party is required to do so pursuant to Data Protection Laws.
15.2. All time spent by Hexicom complying with subclause 1 will be at the cost of the Subscriber payable at Hexicom’s standard rates then in effect, except where the cause of any applicable breach of Jointly Held Personal Information was caused by Hexicom’s breach of Data Protection Laws or its obligations under the Agreement.

16. Indemnity

16.1. Each party (the first party) must indemnify the other party from and against any loss or damage incurred by the other party as a result of the first party’s breach of this Addendum.

17. Relationship of the parties

17.1. Each party hereby agrees for the purposes of this Addendum and the GDPR that, as between them, Hexicom is the processor and the Subscriber is the controller, in connection with any processing of GDPR Data carried out by Hexicom on behalf of the Subscriber, as contemplated by this Addendum.
17.2. However, the parties also hereby agree that Hexicom has a legitimate interest in using any data entered into and/or uploaded into the Platform by end users, and/or otherwise collected by Hexicom for Hexicom’s own legitimate purposes (including for billing and product development, and for the purpose of enforcing Hexicom’s rights) – and to the extent that Hexicom uses such data for those purposes, Hexicom will be the controller for the purposes of the GDPR and any other Data Protection Laws.
17.3. Where Hexicom is not a processor in connection with Subscriber Personal Data, it will process that personal data in accordance with its Privacy Policy and all Data Protection Laws.

18. General

18.1. Amendment: Hexicom may amend this Addendum by written notice to the Subscriber (“Amendment Notice”) if and to the extent the amendment is necessary to comply with Data Protection Laws or any amendments made to them, or the requirements of any applicable supervisory, government or regulatory authority, or to implement any standard clauses or comply with any certification or code of conduct approved by the European Commission or issued pursuant to the GDPR.
18.2. Assignment: Neither party may assign, transfer, license or novate its rights or obligations under this Addendum without the prior written consent of the other party (not to be unreasonably withheld).
18.3. Severability: If any provision of this Addendum is deemed invalid by a court of competent jurisdiction, the remainder of this Addendum shall remain enforceable. If a provision of this Addendum conflicts with any Data Protection Law affecting the parties’ commercial relationship, that provision will be severed and the remainder of this Addendum will remain enforceable.
18.4. Relationship: The parties are independent contractors and this Addendum does not create any relationship of partnership, joint venture, or employer and employee or otherwise.
18.5. Counterparts: This Addendum may be executed in counterparts provided that no binding agreement shall be reached until the executed counterparts are exchanged.
18.6. Entire Agreement: This Addendum including the attached Annexure and any terms implied herein by any applicable Data Protection Laws constitute the entire agreement between the parties and to the extent possible by law, supersedes all prior understandings, representations, arrangements and agreements between the parties, regarding its subject matter.
18.7. Jurisdiction and Governing law: This Addendum will be governed by and construed in accordance with the law of New South Wales. To the extent this Addendum is inconsistent with any other provision of the Agreement, this Addendum shall prevail.

Annexure – Agreed Data Breach Procedures

1. Actions to be taken for the purposes of the Privacy Act

1.1. If there is a suspected, potential or actual eligible data breach of Subscriber Personal Data (“Breach”), the party that detects the Breach (the “Detecting Party”) must immediately notify the other party of the Breach by email with full particulars of the Breach to the other party using the contact details set out in the Application Form.
1.2. Upon the Detecting Party detecting the Breach, it must also carry out the following actions:

(a) Step 1: Contain and assess the data breach. The Detecting Party must conduct a preliminary assessment and/or investigation to determine whether or not there has been a data breach or whether one is likely to occur, and then contain the Breach by removing the cause of the Breach to prevent further unauthorised access or disclosure or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach occurred, the Detecting Party must immediately lock down any potential avenues for further similar data breaches whether or not it is ultimately proven that a suspected data breach actually occurred. In some cases, it may be impossible to determine whether there has been a data breach, particularly where relevant records confirming the breach have been destroyed or are otherwise unavailable. Even so, the Detecting Party must immediately lock down any potential avenues for further data breaches. Similarly, the Detecting Party must do everything possible to prevent the data breach from occurring. The Detecting Party is to engage all relevant IT, security and managerial personnel to remove the cause of any suspected or potential data breaches. Where an actual data breach has occurred, the Detecting Party must similarly engage all relevant IT, security and managerial personnel to remove the cause of the breach. Once the cause of the Breach has been removed, the Detecting Party must determine if a data breach has occurred that requires notification under the NDB Law. The NDB Law requires that only eligible data breaches must be notified. If the Detecting Party becomes aware of reasonable grounds that indicate that there has been an eligible data breach, the Breach is required to be notified to the relevant individuals at risk of serious harm and the Australian Information Commissioner.

(b) Step 2: Notify insurers. Each party must promptly notify its insurers from which it has obtained any Cyber Liability Insurance policy of the Breach.

(c) Step 3: Determine if an eligible data breach has occurred. For the purposes of the NDB Law and this Addendum, an eligible data breach occurs if the following 3 criteria are satisfied:
(i) there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
(ii) the Breach is likely to result in serious harm to one or more individuals; and
(iii) the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.
The Detecting Party must consider the above criteria when determining whether an eligible data breach has occurred. For the purposes of the NDB scheme, serious harm is deemed to have occurred or be likely to occur if a reasonable person would consider that it has so occurred or is likely to occur. Serious harm is not defined in the Privacy Act, but in the context of a Breach it may include among other things serious psychological, physical, emotional, financial or reputational harm. Some of the matters that may inform a decision that serious harm has occurred include the sensitivity of the Jointly Held Personal Information that was the subject of the Breach, the type of Jointly Held Personal Information lost, accessed or disclosed, and whether the Jointly Held Personal Information was encrypted.

If the Detecting Party suspects that a Breach may have occurred, it must take all reasonable steps to ensure that an assessment is completed expeditiously and in any event within thirty (30) days after it becomes aware of the reasonable grounds to suspect that there may have been an eligible data breach for the purpose of the NDB Law. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred with full particulars of the eligible data breach.

(d) Step 4: Remedial action. Under the NDB Law, where there is an eligible breach of Jointly Held Personal Information, a party must use its best endeavours to take positive steps to address the eligible breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. In circumstances where personal information is lost but the remedial action removes the likelihood of it causing serious harm, the NDB Law provides that the eligible data breach will be taken to have not occurred. The parties agree that if a Breach occurs involving Jointly Held Personal Information, the Subscriber and Hexicom must each use their respective best endeavours to take positive steps to address the Breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm. If Hexicom forms the opinion in its absolute discretion that the Subscriber has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, Hexicom may notify the Subscriber that Hexicom requires the Subscriber to notify the Breach pursuant to paragraph (e) below (“Notification Demand”). If Hexicom issues a Notification Demand, the Subscriber must notify all relevant individuals and the Office of the Information Commissioner pursuant to paragraph (e) below within twenty-four (24) hours of the Notification Demand (time being of the essence) notwithstanding that paragraph may require the notifications to be issued within a different period of time.
(e) If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of the NDB Law (that has not been remedied in accordance with paragraph (d)), the Subscriber must as soon as possible:
(i) notify the Australian Information Commissioner of the eligible data breach; and
(ii) notify relevant individuals to whom the Jointly Held Personal Information relates of the eligible data breach,
in accordance with the NDB Law.

2. Action to be taken by the Subscriber for the purposes of the GDPR

2.1. This clause 2 only applies to GDPR Data held or otherwise processed by Hexicom as a processor on behalf of the Subscriber.
2.2. In the case of a personal data breach, Hexicom must notify the Subscriber, without undue delay, of a data breach that it becomes aware of. The Subscriber shall without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
2.3. Where the notification to the supervisory authority is not made within seventy-two (72) hours, it shall be accompanied by reasons for the delay.
2.4. The notification referred to in subclauses 2 and 3 shall at least:

(a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach; and
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

2.5. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
2.6. The Subscriber shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR.
2.7. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Subscriber shall communicate the personal data breach to the data subject without undue delay as required under Article 34 of the GDPR.
2.8. The communication to the data subject referred to in subclause 7 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
2.9. The communication to the data subject referred to in subclause 7 shall not be required if any of the following conditions are met:

(a) the Subscriber has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the Subscriber has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subclause 7 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

2.10. If the Subscriber has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in subclause 9 are met.