Data Processing Addendum

(Schedule to The AI Dojo Platform – Software as a Service Terms of Use)

Last updated: 26/11/2025

This Data Processing Addendum (DPA) forms part of the AI Dojo Platform – Software as a Service Terms of Use (Terms) between:

AI.DOJO PTY LTD (ABN 69 692 535 587) (we, us, our)

and

the customer entity that enters into the Terms (Customer, you),

(each a party and together the parties).

If there is any conflict between this DPA and the rest of the Terms, this DPA prevails to the extent of the conflict in relation to the processing of personal information or personal data.



1. Definitions

Australian Privacy Law means the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as amended or replaced from time to time.

Customer Data has the meaning given in the Terms and includes any personal information or personal data contained in that data. Once Customer Data is de-identified in accordance with applicable laws so that it can no longer reasonably identify you or any individual, it is no longer considered Customer Data under this DPA.

Data Protection Laws means all laws relating to privacy, data protection and the handling of personal information or personal data that apply to the processing under this DPA, which may include, as applicable, Australian Privacy Law, the EU GDPR, the UK GDPR, and any equivalent laws in other jurisdictions.

EU GDPR means Regulation (EU) 2016/679.

Instructions means the documented instructions from you that set out how we are permitted to process Customer Data, as described in this DPA, the Terms and your configuration and use of the Platform.

Personal Information has the meaning given in Australian Privacy Law.

Personal Data has the meaning given in the EU GDPR or UK GDPR, as applicable.

Platform has the meaning given in the Terms.

Terms such as Processing, Controller, Processor, Data Subject and Supervisory Authority have the meanings given in the applicable Data Protection Laws.

References to personal information or personal data include both Personal Information under Australian law and Personal Data under other Data Protection Laws.

Capitalised terms not defined here have the meaning given in the Terms or the Privacy Policy.



2. Roles of the Parties

2.1 Controller and Processor relationship

To the extent that we process personal information contained in Customer Data on your behalf, you are (or act on behalf of) a Controller and we act as your Processor or service provider.

2.2 Independent controllers

Where we process personal information for our own purposes (for example, account administration, billing, fraud prevention and compliance with our own obligations), we act as an independent controller and this DPA does not apply to that processing.



3. Subject Matter, Nature, Purpose and Duration of Processing

3.1 Subject matter

We process personal information contained in Customer Data for the limited purpose of providing, maintaining, securing and supporting the Platform in accordance with the Terms, this DPA and your Instructions.

3.2 Nature and purpose

Processing may include:

  • receiving, storing and hosting Customer Data
  • generating Outputs through AI models and workflows
  • transmitting Customer Data and Outputs as necessary to provide the Platform and configured integrations
  • support, troubleshooting, maintenance and security
  • compliance with legal and regulatory obligations

3.3 Types of personal information

Customer Data may include:

  • identification and contact details for Authorised Users
  • information contained in prompts, messages and uploaded documents
  • technical and usage data (IP address, device details, logs)

We do not require Sensitive Data for use of the Platform.

3.4 Categories of data subjects

Personal information in Customer Data may relate to:

  • Authorised Users
  • your employees, contractors, clients, customers or suppliers
  • any individuals or entities whose data you choose to include

3.5 Duration

We process Customer Data for the duration of the Terms and Subscription Term, and for any additional period permitted or required under the Terms (including for backups, dispute resolution and legal obligations).


4. Instructions

4.1 Processing only on Instructions

We process Customer Data only:

  • on your documented Instructions (as set out in the Terms, this DPA and your configuration), and
  • as required by applicable law.

4.2 Changes to Instructions

You may request changes in writing. We are not required to follow Instructions that are:

  • technically infeasible
  • incompatible with the Platform
  • unlawful or in breach of third-party terms

If an Instruction appears to breach Data Protection Laws, we will notify you where lawful and practical.




5. Customer Responsibilities

5.1 Lawful basis and transparency

You are responsible for:

  • ensuring you have a lawful basis to collect and process Customer Data
  • providing all required notices to Data Subjects
  • ensuring your submission of Customer Data complies with law and the Terms

5.2 Data minimisation

You must ensure Customer Data is accurate, relevant and limited to what is necessary. The AI Dojo Platform does not require Sensitive Data.

5.3 Configuration and integrations

You are responsible for:

  • your configuration of the Platform
  • your privacy settings
  • any third-party integrations or services you connect

5.4 Misuse and misconfiguration

We are not responsible for data protection or security issues arising from your misuse, misconfiguration, insecure practices, or the behaviour of third-party services you connect.




6. Our Data Protection Obligations

6.1 Compliance

We will process Customer Data in accordance with Data Protection Laws that apply to us as your Processor.

6.2 Security

We will implement and maintain appropriate technical and organisational measures designed to protect Customer Data against unauthorised access, modification or disclosure, loss or misuse, having regard to:

  • the nature of the Customer Data;
  • the harm that might result from a breach; and
  • the state of available security measures and their cost.

These measures include, at a minimum:

  • encryption in transit;
  • access controls and role-based permissions;
  • secure hosting environments in reputable data centres located primarily in Australia; and
  • monitoring for unusual or unauthorised activity.

You acknowledge that no method of transmission or storage is completely secure and we cannot guarantee absolute security.

6.3 Confidentiality

We will ensure that our personnel who have access to Customer Data are bound by appropriate confidentiality obligations (whether by contract or professional obligation) and only process Customer Data in accordance with this DPA and our Instructions.

6.4 Use of Customer Data

We will not:

  • use Customer Data to train or improve any foundation or general-purpose AI models;
  • sell Customer Data; or
  • use Customer Data for advertising or marketing to third parties.

We may use de-identified and aggregated information derived from Customer Data for analytics, service improvement and security, provided it cannot reasonably be used to identify you or any individual or entity.


7. Sensitive Data

7.1 No requirement to submit Sensitive Data

The Platform is not designed to process Sensitive Data and we do not monitor Customer Data for Sensitive Data.

7.2 Your responsibility

If you submit Sensitive Data to the Platform:

  • you remain solely responsible for ensuring that the collection and processing of that Sensitive Data complies with Data Protection Laws; and
  • you must ensure that you have all necessary consents and notices in place.

7.3 Indemnity

As set out in the Terms, to the extent permitted by law, you indemnify us for any third-party claim arising from our hosting or processing of Sensitive Data that you or your Authorised Users choose to provide.




8. Sub-processors

8.1 Authorised sub-processors

You authorise us to engage third parties (sub-processors) to support the provision of the Platform, including:

  • hosting and infrastructure providers;
  • artificial intelligence inference providers (such as foundation model vendors);
  • analytics, security and monitoring providers; and
  • support and customer service contractors.

A current list or description of key categories of sub-processors may be made available on our website or on request.

8.2 Sub-processor obligations

We will ensure sub-processors:

  • are bound by written agreements requiring data protection commitments, and
  • meet security standards appropriate to the processing

We remain responsible for their acts and omissions.

8.3 Changes to sub-processors

Where required by law, we will notify you of material changes and allow reasonable objections. If a required sub-processor cannot be replaced and you object reasonably, either party may terminate the affected services and we will refund any prepaid Fees required by law.



9. International Processing and Data Location

9.1 Primary data location

In accordance with the Terms, Customer Data is stored primarily in data centres located in Australia.

9.2 Overseas processing

Certain processing activities may involve the temporary processing or transmission of Customer Data outside Australia, including:

  • inference requests to third party AI model providers; and
  • integrations, workflows or features that you configure which require overseas processing.

We do not intentionally store Customer Data outside Australia except:

  • where you expressly configure an integration, workflow or feature that requires such storage; or
  • where we are legally required to do so.

9.3 Safeguards for overseas transfers

Where Customer Data is processed or transmitted overseas, we will take reasonable steps to ensure that any overseas recipients handle personal information in a manner that is consistent with Australian Privacy Law and other applicable Data Protection Laws, which may include:

  • contractual commitments; and
  • technical measures such as encryption, pseudonymisation or access controls.

9.4 EU / UK transfers (if applicable)

If we transfer personal data subject to the EU GDPR or UK GDPR to a country that has not been recognised as providing an adequate level of protection, we will ensure that such transfer is subject to appropriate safeguards under the relevant Data Protection Laws (for example, the use of standard contractual clauses or an equivalent mechanism), unless an exemption applies.



10. Assistance with Data Subject Requests

10.1 Your responsibility

Where we process personal information contained in Customer Data on your behalf, you are primarily responsible for handling any request from a Data Subject (e.g. a request for access, correction, deletion or objection).

10.2 Our assistance

Taking into account the nature of the processing and the functionality of the Platform, we will provide reasonable assistance to you, at your cost if the assistance is significant, to help you respond to Data Subject requests where required by applicable Data Protection Laws, including by:

  • making available tools or features within the Platform to search, export, correct or delete Customer Data; or
  • providing reasonable information about the Customer Data we hold and how it is processed.

If we receive a Data Subject request directly and can identify the relevant Customer, we will, where lawful and reasonably practicable:

  • notify you; and
  • refer the Data Subject to you, unless we are legally required to respond directly.


11. Assistance with Security and Compliance

11.1 Security incidents

If we become aware of a Security Incident involving Customer Data (being a confirmed unauthorised access, disclosure, loss or misuse of Customer Data within our systems), we will:

  • investigate the Security Incident;
  • take reasonable steps to mitigate its effects and prevent recurrence; and
  • notify you without undue delay (and in any event within the time required by applicable law), providing information that we are reasonably able to disclose, taking into account any law enforcement or security restrictions.

11.2 Notifiable data breaches

Where a Security Incident constitutes a notifiable data breach under Australian Privacy Law or other applicable Data Protection Laws, we will:

  • comply with our obligations to assess and notify the relevant authorities; and
  • where required by law, work with you in good faith regarding any notifications to affected individuals.

11.3 Your obligations

You are responsible for:

  • assessing whether a Security Incident involving Customer Data requires notification to any regulator or individual (to the extent such assessment depends on information you hold); and
  • complying with any such notification obligations that apply to you.

11.4 Data protection impact assessments

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to you (at your cost, where appropriate) in:

  • carrying out data protection impact assessments; and
  • consulting with supervisory or regulatory authorities,

where this is required by applicable Data Protection Laws and relates to our processing of Customer Data on your behalf.



12. Audits and Information

12.1 Information on request

On your reasonable request, we will make available information necessary to demonstrate our compliance with this DPA, which may include:

  • descriptions of our security controls and certifications (if any); and
  • summaries of relevant third‑party audit reports, subject to confidentiality obligations.

12.2 Audits

If Data Protection Laws give you a direct audit right against us, you agree that:

  • you will first seek the information described in clause 12.1 and explore any alternative methods to address your audit needs;
  • any audit will be limited to once per year (unless required more frequently by law or following a material Security Incident), during normal business hours, upon at least 30 days’ prior written notice;
  • you will conduct the audit (or have it carried out by an independent third party that is not our competitor and that is bound by appropriate confidentiality obligations); and
  • you will minimise any disruption to our operations and protect the confidentiality and security of our systems and data.

You are responsible for all costs associated with any audit, unless otherwise required by law.



13. Return and Deletion of Customer Data

13.1 At end of Subscription

Upon termination or expiry of your Subscription, and subject to the Terms:

  • your and your Authorised Users’ access to the Platform will cease; and
  • you may export Customer Data from the Platform by requesting it from us.

13.2 Deletion and de‑identification

Subject to back‑ups and legal obligations, we will, within a reasonable period after termination or expiry of your Subscription and completion of any data export you request:

  • delete Customer Data; or
  • de‑identify Customer Data so that it can no longer reasonably be used to identify you or any individual.

13.3 Retention for legal purposes

We may retain copies of Customer Data to the extent required by law or for the establishment, exercise or defence of legal claims, in which case we will continue to protect the retained Customer Data in accordance with this DPA and applicable Data Protection Laws.



14. Miscellaneous

14.1 Order of precedence

In the event of any conflict or inconsistency between:

  • this DPA,
  • the Terms, and
  • our Privacy Policy,

the following order of precedence will apply in relation to the processing of Customer Data: (1) this DPA; (2) the Terms; (3) the Privacy Policy.

14.2 Changes to this DPA

We may update this DPA in accordance with the change mechanism in the Terms. If you do not agree to a material change, you may terminate your Subscription in accordance with the Terms.

14.3 Governing law

This DPA is governed by the same law as the Terms (currently, the laws of Victoria, Australia). The parties submit to the jurisdiction of the courts described in the Terms.