POPIA Policy

Our Data Security Policy

Omnisient is ISO27001 certified. This enables us to deliver a secure data Platform and Software designed with the required features to adapt to Data Protection Legislation and to allow our clients to manage their data uploads and collaboration in compliance with the regulatory environment.

1. Definitions

  • “Client” means any user of the Platform, acting in a professional capacity, a legal entity under private/public law, or a physical person acting in a professional capacity, excluding persons acting in a consumer capacity. A legal entity will be represented by a physical person, duly authorized for that purpose.
  • “CCPA” means the California Consumer Privacy Act and its Regulations, as amended from time to time, and includes the California Privacy Rights Act (CPRA).
  • “Confidential Information” means any information or data of any nature, tangible or intangible, oral or in writing and in any format or medium, which by its nature or content is or ought reasonably to be identifiable as confidential and/or proprietary to the Disclosing Party and/or its Affiliates and/or which is provided or disclosed in confidence, and which the Disclosing Party or any person acting on behalf of the Disclosing Party may disclose or provide to the Receiving Party or which may come to the knowledge of the Receiving Party by whatsoever means. Without limitation, the Confidential Information of the Disclosing Party will include the following even if it is not marked as being ‘confidential’, ‘restricted’ or ‘proprietary’ (or any similar designation):

    • information relating to the Disclosing Party’s business activities, business relationships, products, services, processes, data, and Staff;
    • information contained in or constituting or relating to the Disclosing Party’s systems, machinery, hardware or software, networks, telecommunications services and facilities, including Third Party Products, and associated Material, and information or incidents concerning faults or defects therein;
    • the Disclosing Party’s commercial, financial and market information (including valuations and forecasts), methodologies, formulae and trade secrets;
    • the Disclosing Party’s technical and scientific information, demonstrations, plans, designs, drawings, processes, process maps, functional and technical requirements and specifications and the data relating thereto;
    • Intellectual Property that is proprietary to the Disclosing Party or that is proprietary to a third party, including but not limited to Third Party Products and data relating to the customers of the Disclosing Party; and
    • business process outsourcing knowledge of the Disclosing Party and information relating to the Disclosing Party’s current and existing strategic objectives, strategy documents and plans for both its existing and future information technology, processing, business processing and business process outsourcing;
    • Confidential Information excludes information or data which:

      • is lawfully in the public domain at the time of disclosure thereof to the Receiving Party; or
      • subsequently becomes lawfully part of the public domain by publication or otherwise; or
      • is or becomes available to the Receiving Party from a source other than the Disclosing Party which is lawfully entitled without any restriction on disclosure to disclose such Confidential Information to the Receiving Party; or
      • is disclosed pursuant to a requirement or request by operation of law, regulation or court order but then only to the extent so disclosed and then only in the specific instance and under the specific circumstances in which it is obliged to be disclosed;
      • provided that:

        • the onus will at all times rest on the Receiving Party to establish that such information falls within such exclusions; and
        • the information disclosed will not be deemed to be within the foregoing exclusions merely because such information is embraced by more general information in the public domain or in a Party’s possession; and
        • any combination of features will not be deemed to be within the foregoing exclusions merely because individual features are in the public domain or in a Party’s possession, but only if the combination itself is in the public domain or in a Party’s possession;
      • The determination of whether the information is Confidential Information will not be affected by whether or not such information is subject to or protected by common law or statute related to copyright, patent, trademarks or otherwise; or whether it can be obtained by examination, testing, visual inspection or analysis, including without limitation, scientific, business or financial data, know-how, formulae, processes, designs, sketches, photographs, plans, drawings, specifications, sample reports, models, customer lists, price lists, studies, findings, computer software, inventions or ideas; or analyses, concepts, compilations, studies and other material prepared by or in possession or control of a Receiving Party, which contain or otherwise reflect or are generated from any such information as is specified in this definition.
    • “Data Protection Legislation” means any data protection, privacy or data breach notification legislation that is in force and may be applicable to the Parties from time to time, including, without limitation: POPIA; the GDPR; the UK GDPR and UK Data Protection Act 2018; the CCPA and any other applicable U.S. federal or state privacy laws; the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles; the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – “LGPD”, Law No. 13.709/2018); and any other similar laws in any jurisdiction in which either Party is established, processes Personal Information, or to which the Personal Information relates.
    • “Documentation” means any documentation, user manuals, any enhancements, modifications or upgrades thereto, which stipulates the usage guidelines, functional specifications and/or limitations of the Software and Services prepared, supplied and/or delivered by Omnisient to the Client pursuant to this Standard Terms and Conditions;
    • “GDPR” means the European Union General Data Protection Regulation 2016/679, and for the purpose of this Standard Terms and Conditions includes the UK retained version of the GDPR (“UK GDPR”) and any successor legislation;
    • “Improvements” means any adaptation, change, development, enhancement or modification to any aspect of the Software and/or its related Intellectual Property;
    • “Intellectual Property” means any intangible creation that is the product of human intellect and includes intellectual property rights derived therefrom, such as (without limitation) all rights in and to any know-how, methodologies, patents, copyright, moral rights, designs, trademarks, trade names and domain names, service marks, rights in get-up, rights in goodwill or to sue for passing off, source codes, inventions, computer software, data, database rights, rights in confidential information, trade secrets and rights of a similar character whether registered or capable of registration and all applications and rights to apply for the protection of any of the same anywhere in the world or other industrial or intellectual property rights, whether registered or not and whether or not capable of being registered and any application for any of the aforementioned;
    • “Licence” means the right to use the Software and the associated Intellectual Property in terms of the Standard Terms and Conditions and may be any one of the following: (i) Freemium, which is an open license that ensures free access to data, and reuse of data without financial or other restrictions other than copyright; (ii) a standard Platform and Software license for use of the Software; (iii) Customised license requiring specific terms prepared by our legal department with agreed variables concerning the conditions under which the Software may be used.
    • “Omnisient” means Omnisient (RF) (PTY) Ltd, registration number: 2014/187691/07, a company duly incorporated in accordance with the company laws of South Africa, and having its principal place of business situated at Great Westerford, Unit SG110, 240 Main Road, Rondebosch, Cape Town 7700, and which, for certain activities, may act through its Affiliates, including Omnisient entities incorporated in the United States (including the State of Delaware), the United Kingdom, the European Union, Australia and Brazil, as notified to the Client from time to time, email: [email protected];
    • “Platform” means the Omnisient data collaboration platform consisting of the Omnisient Anonymization Tools for the onboarding of de-identified customer data and the Omnisient Web App for the management of data collaborations with other parties;
    • “POPIA” means the South African Protection of Personal Information Act 4 of 2013, as may be amended from time to time;
    • “Services” means the services accessible via the Licence of Omnisient or specific work requested by a Client and agreed from time to time;
    • “Software” means the Platform, which makes available the Services to the Client, from the Effective Date, as well as any Improvements thereto, all of which will be set out in this Standard Terms and Conditions and the Documentation from time to time;
    • “Standard Terms and Conditions” means Omnisient’s standard terms and conditions, as in force between Omnisient and the Client from time to time, which incorporate this Data Security Policy. 

2. Data Protection

  • The Parties acknowledge that, depending on the configuration and use of the Platform and the jurisdictions involved, Data Protection Legislation may apply to data submitted by the Client to the Platform, including where such data constitutes Personal Information or other information that is protected under applicable laws. Where the Client uploads only properly de-identified or anonymised data, such data may fall outside the scope of certain Data Protection Legislation; however, the Client remains solely responsible for ensuring that any de-identification or anonymisation complies with applicable standards and is effective in the relevant jurisdictions. See Schedule A.
  • The Client undertakes, within the scope of the Licence, to install and run the Software in its own environment on all Personal Information, so as to de-identify and anonymise the Personal Information prior to uploading any data and information through the Omnisient Anonymisation App to the Platform, so that such data no longer qualifies as Personal Information. The Client represents and warrants that such de-identification and anonymisation will be carried out in a manner that is consistent with, and sufficient to meet, the requirements of all applicable Data Protection Legislation (including, where relevant, GDPR, UK GDPR, POPIA, LGPD, the Australian Privacy Act and U.S. state privacy laws).
  • The terms below will have the meanings as defined in Data Protection Legislation applicable to the Client, and cognate expressions will have corresponding meanings:
    • “Data Subject” means the person to whom Personal Information relates, and includes both natural or, where permitted by applicable law, juristic persons;
    • “Operator” means a person who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party; and, where applicable under GDPR, UK GDPR, LGPD, the Australian Privacy Act or U.S. state privacy laws, has an equivalent meaning to “processor”, “service provider”, “contractor” or similar regulated processing role;
    • “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
      • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and the birth of the person;
      • information relating to the education or the medical, financial, criminal or employment history of the person;
      • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
      • the biometric information of the person;
      • the personal opinions, views or preferences of the person;
      • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
      • the views or opinions of another individual about the person; and
      • the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;
      • and includes any “personal data”, “personally identifiable information”, “protected health information” or similar defined term under applicable Data Protection Legislation;
    • “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
      • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
      • dissemination by means of transmission, distribution or making available in any other form; or
      • merging, linking, as well as restriction, degradation, erasure or destruction of information,
      • and “Process”, “Processes” and “Processed” will have the corresponding meanings;
    • “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information, and, where applicable under other Data Protection Legislation, has an equivalent meaning to “controller”, “business” or similar regulated role.
    • The Parties agree that any breach of these provisions will be considered a material breach of the Standard Terms and Conditions.
    • For purposes of Data Protection Legislation, Omnisient will, where and to the extent that it receives or otherwise Processes Personal Information on behalf of the Client, be an Operator mandated by the Client to Process Personal Information in terms of this Standard Terms and Conditions for purposes of rendering the Services to the extent that Personal Information is received by Omnisient as a result of the fail-safe mechanism in Omnisient’s Software identifying Personal Information in the Client’s data, and will comply with all requirements relating to Operators as prescribed by the Data Protection Legislation applicable to the Client. For the avoidance of doubt, Omnisient will not independently determine the purposes and essential means of Processing such Personal Information.
    • Omnisient agrees that the Client will own the Personal Information at all times and agrees to Process Personal Information received from the Client as a result of this Standard Terms and Conditions in a manner that is adequate, relevant and not excessive for purposes of providing the Services as stated in this Standard Terms and Conditions and only as authorised and specified in terms of this Standard Terms and Conditions unless the Client provides written consent to Omnisient to Process the Personal Information for any other purpose. Omnisient will not “sell”, “share” or otherwise Process Personal Information for its own purposes in a way that would make Omnisient a “business” or “controller” in its own right under applicable Data Protection Legislation, except where expressly agreed in writing with the Client and permitted by law.
    • Omnisient will not share Personal Information received in terms of this Standard Terms and Conditions with third parties without the Client’s written consent, after which Omnisient will enter into a written agreement with the further Operator/service provider that includes similar provisions as set out herein and ensures that such third party provides at least the same level of data protection as is required under this Data Security Policy and applicable Data Protection Legislation. Omnisient will remain responsible for the performance of such further Operators/service providers in relation to their Processing of Personal Information on behalf of the Client.
    • Omnisient will notify the Client without undue delay after becoming aware and where there are reasonable grounds to believe, within the discretion of Omnisient, that the Personal Information belonging to the Client has been accessed or acquired by any unauthorised person. Such notification will contain, to the extent known and permitted by law, the nature of the breach, the categories and approximate number of affected Data Subjects and Personal Information records concerned, the likely consequences of the breach and the measures taken or proposed to address the breach, in line with applicable Data Protection Legislation (including GDPR, UK GDPR, POPIA, LGPD, the Australian Privacy Act and relevant U.S. state laws).
    • Omnisient warrants that it will take appropriate technical and organisational measures to prevent loss of, damage to, unauthorised destruction of, or unauthorised access to Personal Information Processed on behalf of the Client in order to establish and maintain the security safeguards as required by Data Protection Legislation. Such measures will take into account the nature of the Processing, the categories of Personal Information, the state of the art, the costs of implementation and the risks to the rights and freedoms of Data Subjects, and may include, without limitation, pseudonymisation and encryption, access controls, regular testing of security measures, and policies and training for staff with access to Personal Information.
    • The Client hereby indemnifies and holds Omnisient harmless against any claim by or liability arising out of Omnisient’s performance of the Services and its other obligations in accordance with the terms of this Standard Terms and Conditions and any instructions given to it by the Client from time to time, to the extent that such claims do not arise as a result of Omnisient’s wilful and/or negligent acts or omissions. Where required by applicable Data Protection Legislation (including, without limitation, certain consumer privacy laws in the United States, GDPR, UK GDPR and LGPD), nothing in this clause will be interpreted or applied so as to relieve Omnisient of, or indemnify Omnisient against, its own independent obligations and liabilities imposed directly on it by such legislation.
    • Unless otherwise agreed, Omnisient will permanently destroy, delete or return all Personal Information inadvertently received from the Client as a result of this Standard Terms and Conditions immediately upon becoming aware of it and will inform the Client accordingly, or at any time requested by the Client should the Client become aware of such an incident. Where deletion is not feasible due to legal or regulatory retention obligations, Omnisient will continue to protect such Personal Information in accordance with this Data Security Policy and applicable Data Protection Legislation and will restrict any further Processing to that which is strictly required by law.
    • Where the Client provides Omnisient with Personal Information, even if by accident, the Client represents and warrants that it has provided all necessary notices and obtained all necessary consents, authorisations and legal bases (including, where applicable, reliance on legitimate interests or performance of a contract) and indemnifies Omnisient against any claim, harm, damage or loss suffered as a result of Omnisient having, Processing or providing this Personal Information of or relating to other parties to a third party in rendering the Services to the Client. Omnisient will Process any such Personal Information strictly in accordance with the Client’s documented instructions, save where otherwise required by applicable law.
  • In addition to the above undertakings:
    • each Party is responsible for complying with its respective obligations under applicable Data Protection Legislation governing the collecting, Processing and sharing of Personal Information and will, by its actions or omissions, not place the other Party in breach of any Data Protection Legislation; and
    • each Party undertakes to implement measures to detect and/or prevent unauthorised access to its information technology systems and particularly in respect of protecting the integrity of and preventing unauthorised access to any Confidential Information and Personal Information which such a Party may have in its possession or control.
    • The Client may, on reasonable notice, investigate the steps that Omnisient is taking to comply with any applicable Data Protection Legislation relating to the Processing of Personal Information of the Client. The cost of any such investigation will be at the expense of the Client. Omnisient will co-operate with any investigation initiated and will give the independent investigator reasonable and timeous access to Omnisient’s premises and any necessary documentation or other information requested by such third party, subject always to Omnisient’s confidentiality, security and data protection obligations owed to other clients and third parties. Any investigation will be on reasonable written notice to Omnisient and will as far as possible not impact the business operations of Omnisient.
    • The Parties warrant that they will fully comply with all relevant statutory obligations contained in Data Protection Legislation, with which they further warrant that they are fully conversant, when Processing Personal Information within the scope of this Standard Terms and Conditions. Where Omnisient is required under applicable Data Protection Legislation (including GDPR, UK GDPR, LGPD and similar laws) to provide reasonable assistance to the Client in responding to Data Subject requests, data protection impact assessments, consultations with supervisory authorities or similar obligations, Omnisient will provide such assistance to the extent reasonably necessary and appropriate, taking into account the nature of the Processing and the information available to Omnisient, and the Client will reimburse Omnisient’s reasonable costs of providing such assistance where permitted by law.

Schedule A – Data Protection Schedule (Jurisdiction-Specific Terms)

This Data Protection Schedule (“Schedule”) forms part of and is incorporated into the Standard Terms and Conditions between Omnisient and the Client (the “Agreement”). Capitalised terms used but not defined in this Schedule have the meanings given in the Agreement and/or the Data Security Policy.

To the extent Omnisient Processes Personal Information on behalf of the Client and such Processing is subject to specific Data Protection Legislation listed below, the corresponding Section of this Schedule will apply in addition to the Agreement and the Data Security Policy. In the event of conflict between this Schedule and the Agreement or the Data Security Policy in relation to the Processing of Personal Information, this Schedule will prevail.

1. European Union / European Economic Area and United Kingdom

1.1 Application

This Section 1 applies where and to the extent Omnisient Processes Personal Information on behalf of the Client that is subject to GDPR and/or UK GDPR.

1.2 Roles of the Parties

(a) The Client is the “controller” and Omnisient is the “processor” as those terms are used in GDPR and UK GDPR, in respect of any Personal Information Processed by Omnisient on behalf of the Client under the Agreement.

(b) Omnisient will Process such Personal Information only on the documented instructions of the Client, including with respect to transfers of Personal Information to a third country or an international organisation, unless Omnisient is required to do so by EU, Member State or UK law to which Omnisient is subject. In such a case, Omnisient will inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

1.3 Subject Matter, Duration, Nature and Purpose of Processing; Types of Data; Categories of Data Subjects

(a) Subject matter: The Processing of Personal Information in connection with the provision of the Services under the Agreement.

(b) Duration: For the term of the Agreement and any additional period required to delete or return Personal Information in accordance with the Agreement and this Schedule, or to comply with applicable law.

(c) Nature and purpose: Hosting, storage, analysis, pseudonymisation/anonymisation, transmission, and other Processing operations necessary to provide the Platform and Services (including fail-safe detection and remediation of Personal Information mistakenly included in Client data).

(d) Types of Personal Information: As determined by the Client at its discretion and as uploaded or otherwise made available to Omnisient in connection with the Services, which may include the categories listed in the definition of “Personal Information” in the Data Security Policy.

(e) Categories of Data Subjects: Individuals whose Personal Information is included in data sets provided or made available by the Client or its authorised users, such as customers, prospects, employees, contractors or other end users.

1.4 Processor Obligations (GDPR/UK GDPR, Article 28)

Omnisient will:

(a) ensure that persons authorised to Process Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Data Security Policy;

(c) taking into account the nature of the Processing, assist the Client by appropriate technical and organisational measures, insofar as possible, to fulfil the Client’s obligations to respond to requests to exercise Data Subject rights under Chapter III of GDPR or equivalent provisions of UK GDPR;

(d) assist the Client in ensuring compliance with the Client’s obligations regarding security of Processing, personal data breach notifications, data protection impact assessments and prior consultations with supervisory authorities, in each case taking into account the nature of Processing and the information available to Omnisient;

(e) at the choice of the Client, delete or return all Personal Information to the Client after the end of the provision of Services relating to Processing and delete existing copies unless EU, Member State or UK law requires storage of the Personal Information; and

(f) make available to the Client all information reasonably necessary to demonstrate compliance with this Section 1 and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, in accordance with the audit provisions in the Data Security Policy and the Agreement.

1.5 Sub-processors

(a) The Client hereby grants Omnisient a general written authorisation to engage sub-processors in connection with the Services, including Omnisient Affiliates and third-party service providers.

(b) Omnisient will inform the Client of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Client the opportunity to object on reasonable grounds relating to data protection within a reasonable time period. If the Client reasonably objects, the Parties will work together in good faith to find an alternative solution. If no solution is found, the Client may, as its sole and exclusive remedy, terminate the affected Services on written notice.

(c) Omnisient will impose data protection obligations on each sub-processor that are no less protective than those set out in this Schedule and will remain liable to the Client for the performance of the sub-processor’s obligations.

1.6 International Transfers

(a) To the extent Omnisient Processes Personal Information subject to GDPR in a country outside the EEA that has not been recognised as providing an adequate level of protection, or subject to UK GDPR in a country outside the UK that is not covered by an adequacy regulation, Omnisient and the Client will ensure that such transfers are made in compliance with applicable Data Protection Legislation.

(b) Where required, the Parties agree that the then-current standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (the “EU SCCs”) and/or the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (the “UK Addendum”), as applicable, are hereby incorporated by reference into the Agreement as if set out in full, with Omnisient acting as “processor/data importer” and the Client as “controller/data exporter”. If and to the extent the EU SCCs or UK Addendum conflict with this Schedule, the EU SCCs or UK Addendum will prevail.

(c) The Parties may agree in writing to use other appropriate safeguards (such as binding corporate rules or an alternative set of standard contractual clauses) to legitimise relevant transfers, in which case such safeguards will form part of this Schedule.

2. United States (Including Delaware and Other States)

2.1 Application

This Section 2 applies where and to the extent Omnisient Processes Personal Information on behalf of the Client that is subject to U.S. federal or state privacy laws, including but not limited to the CCPA/CPRA and similar state privacy laws.

2.2 Roles of the Parties

(a) In relation to Personal Information subject to U.S. state consumer privacy laws (including California), the Client is the “business”, “controller” or equivalent and Omnisient acts as a “service provider”, “contractor” and/or “processor”, as those terms are defined in the relevant laws.

(b) Omnisient will Process such Personal Information only for the limited and specific purposes of providing the Services and as otherwise permitted under applicable law and the Client’s documented instructions.

2.3 Service Provider / Contractor Restrictions

To the extent required by applicable U.S. state privacy laws, Omnisient:

(a) will not “sell” or “share” Personal Information (as those terms are defined under the CCPA/CPRA and equivalent terms under other state laws);

(b) will not retain, use, or disclose Personal Information (i) for any purpose other than the business purposes specified in the Agreement, including for any commercial purpose other than those business purposes, or as otherwise permitted by applicable law; (ii) outside of the direct business relationship between Omnisient and the Client; or (iii) as otherwise prohibited by applicable law;

(c) will not combine Personal Information received from the Client with Personal Information that Omnisient receives from or on behalf of another person or collects from its own interactions with the Data Subject, except as permitted by applicable law (for example, for the purposes of detecting data security incidents or protecting against fraudulent or illegal activity), or as otherwise authorised by the Client in writing;

(d) will comply with all applicable obligations imposed on service providers/contractors/processors under U.S. state privacy laws and provide the same level of privacy protection as is required of the Client under such laws;

(e) grants the Client the right, upon reasonable written notice, to take reasonable and appropriate steps to ensure that Omnisient uses the Personal Information in a manner consistent with the Client’s obligations under applicable U.S. state privacy laws, including by exercising the audit rights set out in the Agreement and this Schedule; and

(f) will notify the Client if Omnisient determines that it can no longer meet its obligations as a service provider/contractor/processor under applicable U.S. state privacy laws, in which case the Client may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Information, including by terminating the relevant Services.

2.4 Consumer / Data Subject Requests

Taking into account the nature of the Processing and to the extent required by applicable U.S. state privacy laws, Omnisient will provide reasonable assistance to the Client in responding to verifiable consumer requests (including requests to know, access, correct, delete or opt-out), by:

(a) notifying the Client of requests received directly by Omnisient relating to the Client’s Personal Information; and

(b) implementing the Client’s instructions for fulfilment of such requests where reasonably technically feasible and legally required.

3. Australia

3.1 Application

This Section 3 applies where and to the extent Omnisient Processes Personal Information on behalf of the Client that is subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”).

3.2 Roles of the Parties

(a) The Client is responsible for ensuring its own compliance with the Australian Privacy Act and the APPs, including providing any required notices to, and obtaining consents from, individuals whose Personal Information is disclosed to Omnisient.

(b) Omnisient acts as a data processor on behalf of the Client and will Process such Personal Information only for the purposes of providing the Services and in accordance with the Client’s instructions and the Agreement.

3.3 Overseas Disclosure and APP 8

(a) The Client acknowledges that Omnisient may Process Personal Information in, and transfer Personal Information to, locations outside Australia, including to Omnisient Affiliates and sub-processors as described in the Agreement and this Schedule.

(b) To the extent the Australian Privacy Act and APPs apply, the Client:

(i) authorises such overseas disclosures and transfers in connection with the Services; and

(ii) remains responsible, as between the Parties, for ensuring that any overseas disclosure complies with APP 8 and other applicable requirements (including by making appropriate disclosures in its privacy policy and notices).

3.4 Data Breach Notification

(a) Omnisient will notify the Client without undue delay upon becoming aware of an eligible data breach (or circumstances that may amount to an eligible data breach) involving Personal Information Processed on behalf of the Client, to the extent required by the Australian Privacy Act.

(b) Omnisient will provide such information and assistance as the Client may reasonably require to assess whether a notifiable data breach has occurred and to comply with any associated notification obligations, to the extent Omnisient has access to the relevant information and is permitted to disclose it.

4. Brazil

4.1 Application

This Section 4 applies where and to the extent Omnisient Processes Personal Information on behalf of the Client that is subject to the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – LGPD, Law No. 13.709/2018).

4.2 Roles of the Parties

(a) For purposes of the LGPD, the Client will be deemed the “controller” and Omnisient the “operator” in relation to any Personal Information Processed under the Agreement.

(b) Omnisient will Process Personal Information strictly in accordance with the Client’s documented instructions and the lawful bases established by the Client under the LGPD.

4.3 Operator Obligations

Omnisient will:

(a) Process Personal Information only for legitimate, specific and explicit purposes communicated by the Client and in accordance with the LGPD and this Schedule;

(b) maintain records of Personal Information Processing operations it carries out on behalf of the Client, to the extent required by LGPD and applicable regulations;

(c) adopt security, technical and administrative measures capable of protecting Personal Information from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication or any other inappropriate or unlawful Processing, as required by the LGPD; and

(d) notify the Client, within a reasonable period and without undue delay, of any security incident that may entail relevant risk or damage to Data Subjects, including the information necessary for the Client to comply with its own notification obligations to the Brazilian Data Protection Authority (ANPD) and affected Data Subjects, where required.

4.4 Data Subject Rights and Support to the Controller

Taking into account the nature of the Processing and the information available to Omnisient, Omnisient will assist the Client in fulfilling its obligations under the LGPD with respect to:

(a) responding to Data Subject requests to confirm the Processing, access, correct, anonymise, block, delete or port their Personal Information, or to obtain information about the sharing and Processing carried out; and

(b) making impact reports on the protection of Personal Information and consulting with the ANPD, where applicable, insofar as such assistance relates to Processing carried out by Omnisient on behalf of the Client.

4.5 International Transfers under LGPD

(a) To the extent Personal Information regulated by LGPD is transferred by Omnisient outside Brazil, Omnisient and the Client will ensure that the transfer occurs in compliance with the LGPD, including through: (i) the use of standard contractual clauses; (ii) global corporate rules; (iii) seals, certificates and codes of conduct; or (iv) any other mechanism recognised by the ANPD as ensuring an adequate level of data protection.

(b) The Parties may document and update the specific transfer mechanism(s) in an addendum or other written agreement, which will form part of this Schedule.

5. General

5.1 Costs of Assistance

Where Omnisient provides assistance to the Client under this Schedule beyond what is reasonably necessary to comply with Omnisient’s direct legal obligations, the Client will reimburse Omnisient’s reasonable, documented costs of providing such assistance, to the extent permitted by applicable law and as agreed in writing between the Parties.

5.2 Updates

Omnisient may update this Schedule from time to time to reflect changes in applicable Data Protection Legislation or in the Services, provided that such updates do not materially reduce the overall level of protection for Personal Information. Any material changes will be notified to the Client and, where required by law, agreed in writing.