Data Processing Agreement

Last Updated: February 23, 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") supplements the Terms of Service and any other agreement ("Agreement") between This Is Also ("Processor", "we", "us") and you ("Controller", "you") governing the use of our services.

This DPA applies where This Is Also processes personal data on behalf of a controller in the course of providing custom design services. This includes situations where you, as a service client, provide personal data relating to your own customers, website visitors, or employees that This Is Also handles in order to deliver the agreed services (for example, customer lists, content for website builds, or project materials containing personal information).

This DPA does not apply to personal data that This Is Also collects and controls independently (such as website analytics or newsletter subscriptions). The processing of such data is governed by our Privacy Policy.

This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement regarding the processing of personal data, this DPA shall prevail.

2. Definitions

In this DPA, the following terms have the meanings set out below. Where not defined here, terms have the meanings given in the GDPR (Regulation (EU) 2016/679) or the Agreement.

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
• "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
• "SCCs" means the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.

3. Processor Obligations

As Processor, This Is Also shall:

1. Instructions: Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
2. Confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex A of this DPA.
4. Sub-processor management: Not engage another processor without prior general or specific written authorization of the Controller, subject to the terms in Section 6 of this DPA.
5. Data subject requests: Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights.
6. Compliance assistance: Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.
7. Data deletion or return: At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data, as further detailed in Section 11.
8. Audit support: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, as further detailed in Section 10.

4. Controller Obligations

As Controller, you shall:

1. Lawful instructions: Ensure that your instructions to the Processor regarding the processing of personal data comply with all applicable data protection laws.
2. Appropriate notice: Provide appropriate notices to Data Subjects regarding the processing of their personal data, including any required disclosures about the use of processors.
3. Lawful basis: Ensure that you have established a lawful basis for the processing of personal data as required under applicable data protection laws before providing such data to the Processor.
4. Data quality: Ensure the accuracy, quality, and legality of personal data provided to the Processor.
5. Data subject requests: Notify the Processor promptly of any Data Subject requests received, and respond to and resolve such requests in a timely manner with the assistance of the Processor as described in this DPA.

5. Details of Processing

6. Sub-Processor Management

The Controller grants the Processor general written authorization to engage sub-processors for the processing of personal data under this DPA.

The Processor shall:

1. Provide the Controller with at least 30 days' prior written notice of any intended changes to the list of sub-processors, including the addition or replacement of sub-processors.
2. Provide the Controller with a 14-day objection period from the date of notification. If the Controller raises a reasonable objection, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected portion of the services without penalty.
3. Impose on each sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.
4. Remain fully liable to the Controller for the performance of each sub-processor's obligations. A sub-processor's failure to fulfil its data protection obligations shall be treated as a failure by the Processor.

The current list of authorized sub-processors is set out in Annex B of this DPA.

7. Data Subject Rights

The Processor shall:

1. Promptly notify the Controller (within 3 business days) if it receives a request from a Data Subject to exercise their rights under applicable data protection law.
2. Not respond to such requests directly unless authorized by the Controller or required by applicable law.
3. Assist the Controller by implementing appropriate technical and organizational measures, insofar as possible, to enable the Controller to fulfill its obligations to respond to Data Subject requests.
4. Provide such assistance within reasonable timeframes to enable the Controller to meet its statutory response deadlines.

8. Data Breach Response

In the event of a Data Breach affecting personal data processed under this DPA, the Processor shall:

1. Notify the Controller within 48 hours of becoming aware of the breach, using the contact details provided by the Controller.
2. Provide the following information (to the extent available at the time of notification, with additional details provided as they become known):
   • The nature of the Data Breach, including the categories and approximate number of Data Subjects and personal data records affected;
   • The likely consequences of the breach;
   • The measures taken or proposed to address the breach, including measures to mitigate its adverse effects;
   • The name and contact details of a point of contact for further information.
3. Take immediate steps to contain the breach and minimize its impact on affected Data Subjects.
4. Cooperate with the Controller and provide reasonable assistance in the Controller's investigation and response to the breach, including any notifications required under GDPR Articles 33 and 34.
5. Document all Data Breaches, including the facts surrounding the breach, its effects, and the remedial actions taken. Documentation shall be retained for a minimum of 36 months.

9. International Transfers

The Processor shall not transfer personal data outside the European Economic Area ("EEA") or the United Kingdom ("UK") unless one of the following safeguards is in place:

1. The destination country has been granted an adequacy decision by the European Commission or the UK Secretary of State (as applicable);
2. Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914 are in effect;
3. Binding Corporate Rules approved by a competent supervisory authority are in place; or
4. Another valid transfer mechanism recognized under Articles 46 or 49 of the GDPR applies.

Australia does not currently hold an adequacy decision from the European Commission. Where personal data is transferred from the EEA to Australia, the Standard Contractual Clauses (Module 2: Controller to Processor) shall apply as the appropriate transfer mechanism. Supplementary measures including encryption in transit and at rest, access controls, and data minimization are implemented as described in Annex A.

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA subject to the following conditions:

1. The Controller shall provide at least 30 days' advance written notice of any audit request.
2. Audits shall be conducted during normal business hours (AEST/AEDT) and shall not unreasonably interfere with the Processor's operations.
3. Any third-party auditor must be bound by confidentiality obligations and a non-disclosure agreement no less protective than those in the Agreement.
4. The Controller may conduct no more than one audit per 12-month period, unless a Data Breach has occurred or a supervisory authority requires an additional audit.
5. The Controller bears all costs associated with any audit it initiates, including the Processor's reasonable costs of cooperation.
6. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other documentation that reasonably demonstrates compliance, before an on-site audit is required.

11. Data Deletion and Return

Upon termination or expiry of the Agreement:

1. The Processor shall, at the Controller's election, delete or return all personal data to the Controller within 30 days of termination.
2. All copies of personal data in the Processor's active systems shall be deleted within 90 days of termination.
3. Personal data in backup systems shall be deleted within 90 days through normal backup rotation processes.
4. The Processor shall certify deletion in writing upon the Controller's request.
5. The Processor may retain personal data to the extent required by applicable law, provided that the Processor shall ensure the confidentiality of such data and shall not actively process it for any other purpose.

12. Liability

Liability under this DPA is subject to the limitations set out in the Agreement. Each party's total aggregate liability arising out of or in connection with this DPA shall not exceed two (2) times the total fees paid or payable by the Controller to the Processor under the Agreement during the twelve (12) months preceding the event giving rise to the claim, or AUD $10,000, whichever is greater.

Each party shall indemnify the other against all costs, claims, damages, and expenses (including reasonable legal fees) incurred by the other party in connection with any breach of this DPA by the indemnifying party, subject to the liability cap above.

Nothing in this section limits liability for fraud, wilful misconduct, or any liability that cannot be excluded under applicable data protection law or the Australian Consumer Law.

13. Duration and Termination

This DPA shall remain in effect for the term of the Agreement. Obligations under this DPA that by their nature should survive termination shall continue to apply after termination, including obligations related to data deletion and return, confidentiality, breach notification, audit rights, and sub-processor management.

14. Governing Law

This DPA is governed by the laws of Queensland, Australia, consistent with the governing law of the Agreement. To the extent that this DPA relates to the processing of personal data subject to the GDPR, it shall be interpreted in accordance with the GDPR and relevant guidance from European data protection authorities, including the European Data Protection Board.

Annex A: Technical and Organizational Measures (TOMs)

The Processor implements and maintains the following technical and organizational measures to protect personal data:

A.1 Encryption

• All data in transit is encrypted using TLS 1.2 or higher.
• Data at rest is encrypted using hosting provider encryption (Vercel's infrastructure uses AES-256).
• Encryption keys are managed through the hosting provider's secure key management practices.

A.2 Access Controls

• Role-based access control is enforced across all systems containing personal data.
• Multi-factor authentication (MFA) is required for administrative access to all systems.
• Individual user accounts are used for all access (no shared credentials).
• The principle of least privilege is applied to all access grants.
• Access rights are reviewed regularly and revoked promptly upon role change or engagement completion.

A.3 Application Security

• Secure development practices are followed, including code review and version control.
• Dependencies are scanned for known vulnerabilities.
• Input validation is implemented across all data entry points.

A.4 Monitoring

• Security logging is enabled for access to systems containing personal data.
• Incident alerting is configured for anomalous access patterns or security events.
• Audit logs are maintained for access to and modifications of personal data.

A.5 Data Minimization

• Only personal data necessary for the specified processing purpose is collected and processed.
• Regular reviews are conducted to identify and remove unnecessary data.
• Data is not retained beyond the period required for its stated purpose.

A.6 Availability

• Infrastructure is hosted on Vercel's redundant, geographically distributed systems.
• Automated backups are performed by the hosting provider.
• Business continuity measures are in place to ensure timely recovery from disruption.

A.7 Security Assessments

• Regular security assessments are conducted to identify and address vulnerabilities.
• Security practices are reviewed and updated in response to emerging threats and changes in the processing environment.

Annex B: List of Sub-processors

The following sub-processors are authorized to process personal data under this DPA as of the effective date:

This list is maintained and updated by This Is Also. Changes to this list are communicated in accordance with Section 6 of this DPA.