Mortar AI Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement (“DPA”) is entered into as part of the Service Agreement (“Agreement”) between:

• Mortar AI Pty Ltd, a company incorporated in Australia, with its registered office at [Mortar AI’s Address] (hereinafter “Mortar” or “Processor”), and

• The entity identified as “Client” in the Agreement (hereinafter “Client” or “Controller”). 

Each of Mortar and the Client may be referred to as a “Party” and collectively as the “Parties.” 

Effective Date: [Insert Date] 

This DPA governs the processing of personal data by Mortar on behalf of the Client in connection with the provision of services under the Agreement. 

2. Definitions

2.1. “Applicable Data Protection Laws”: All laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation (GDPR), the UK GDPR, ISO 27001, and other applicable data protection laws and regulations.

2.2. “Client Data”: Any electronic data, including Personal Data, submitted to Mortar by the Client or collected, used, and processed by Mortar on behalf of the Client or via the Client’s digital properties.

2.3. “Controller”: The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing Personal Data.

2.4. “Processor”: The natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.

2.5. “Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by Mortar on behalf of the Client under the Agreement.

2.6. “Processing”: Any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

2.7. “Security Incident”: Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2.8. “Sub-processor”: Any third party engaged by Mortar to process Personal Data on behalf of the Client in connection with the Agreement.

3. Purpose and Scope of Data Processing

3.1. Purpose: Mortar shall process Personal Data solely to provide the Services under the Agreement, which may include data consolidation, marketing automation, email journey management, paid media activation, and other related services, as detailed in Annex A (Processing Activities).

3.2. Instructions for Processing: The Client instructs Mortar to process Personal Data to perform the Services as specified in the Agreement. Mortar shall not process Personal Data for any other purpose unless required to do so by law, in which case Mortar shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.3. Categories of Data Subjects: The categories of Data Subjects whose Personal Data will be processed by Mortar include, but are not limited to:

  • Users of the Client’s websites, applications, or other digital properties.
  • The Client’s customers and prospects.
  • Employees, agents, contractors, and representatives of the Client.

3.4. Types of Personal Data: The types of Personal Data to be processed are listed in Annex A (Processing Activities).

3.5. Duration of Processing: Mortar will process Personal Data for the duration of the Agreement, or until deletion or return of the Personal Data in accordance with the terms of this DPA.

4. Obligations of the Processor (Mortar)

4.1. Compliance with Laws: Mortar shall comply with Applicable Data Protection Laws and will process Personal Data in accordance with this DPA and the Client’s documented instructions.

4.2. Technical and Organizational Security Measures: Mortar shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Such measures are described in detail in Annex B (Technical and Organizational Security Measures).

4.3. Confidentiality: Mortar shall ensure that all personnel authorized to process Personal Data are subject to a duty of confidentiality and have received appropriate training on their responsibilities.

4.4. Data Subject Rights: Mortar shall promptly notify the Client if it receives a request from a Data Subject to exercise any rights under Applicable Data Protection Laws (e.g. rights of access, rectification, erasure, restriction, data portability, or objection). Mortar shall assist the Client in responding to such requests at the Client’s expense.

4.5. Data Protection Impact Assessments (DPIA): If Mortar believes that its processing of Personal Data may result in a high risk to the rights and freedoms of Data Subjects, Mortar shall promptly inform the Client and provide reasonable assistance, at the Client’s expense, with any data protection impact assessments and consultations with data protection authorities as required by Applicable Data Protection Laws.

4.6. Security Incidents: Mortar shall notify the Client without undue delay upon becoming aware of a Security Incident. Mortar shall provide the Client with sufficient information to allow the Client to meet any obligations to report or inform Data Subjects of the Security Incident under Applicable Data Protection Laws.

4.7. Sub-processing: The Client authorizes Mortar to engage Sub-processors to assist in processing Personal Data for the Permitted Purpose, provided that Mortar:

  • Maintains an up-to-date list of Sub-processors at [insert URL] and updates the Client of any changes.
  • Ensures Sub-processors are bound by data protection obligations compatible with those in this DPA.
  • Remains liable for the actions or omissions of Sub-processors.

4.8. International Data Transfers: Mortar shall not transfer Personal Data outside Australia or any other jurisdiction with adequate data protection laws without the Client’s prior written consent, unless such transfer is conducted under the EU General Data Protection Regulation (GDPR) standards or another recognized adequacy mechanism.

4.9. Return or Deletion of Personal Data: Upon termination or expiry of the Agreement, Mortar shall, at the Client’s choice, securely delete or return all Personal Data to the Client and delete all existing copies, unless retention is required by applicable law.

5. Obligations of the Controller (Client)

5.1. Lawful Basis for Data Processing: The Client confirms that it has obtained all necessary consents and lawful bases required under Applicable Data Protection Laws to collect, process, and transfer Personal Data to Mortar.

5.2. Accuracy of Data: The Client shall ensure that Personal Data provided to Mortar is accurate, complete, and up-to-date to the best of its knowledge. The Client shall inform Mortar without delay if any such data needs to be rectified or updated.

5.3. Instructions for Processing: The Client shall provide documented instructions to Mortar regarding the processing of Personal Data and shall ensure that its instructions comply with Applicable Data Protection Laws.

5.4. Data Subject Requests: The Client is responsible for managing and responding to all Data Subject requests related to Personal Data processed by Mortar under this DPA.

5.5. Data Minimization: The Client shall ensure that the Personal Data provided to Mortar is limited to what is necessary in relation to the purposes for which it is processed.

6. Audits and Certifications

6.1. Audit Rights: The Client shall have the right to request audits of Mortar’s processing activities by an independent auditor. Such audits shall be subject to the following conditions:

  • The Client shall provide at least 30 days’ notice.
  • Audits shall be conducted during regular business hours, in a manner that does not disrupt Mortar’s operations.
  • The Client shall bear all costs associated with such audits.

6.2. Certifications: Mortar shall maintain certifications such as ISO 27001 and other relevant industry certifications. Upon request, Mortar shall provide copies of its certifications or audit reports to the Client.

7. Liability and Indemnification

7.1. Limitation of Liability: Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except where such limitations are prohibited by Applicable Data Protection Laws.

7.2. Indemnification: The Client agrees to indemnify and hold Mortar harmless against any claims, damages, losses, and expenses arising from the Client’s failure to comply with its obligations under this DPA or Applicable Data Protection Laws.

8. Governing Law and Jurisdiction

8.1. This DPA shall be governed by and construed in accordance with the laws of South Australia.

8.2. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of South Australia.

9. Term and Termination

9.1. This DPA shall remain in effect as long as Mortar processes Personal Data on behalf of the Client under the Agreement.

9.2. Upon termination or expiration of the Agreement, Mortar shall cease all processing of Personal Data and, at the Client’s option, either delete or return all Personal Data in its possession to the Client.

Annex A: Processing Activities

Services Provided: Data consolidation, marketing automation, email journey management, paid media activation, and related services.

Types of Personal Data: Name, email address, phone number, IP address, location data, engagement data (clicks, opens), transaction history, and other marketing data.

Categories of Data Subjects: Users of digital properties (websites, apps), customers, prospects, employees, agents, contractors, and representatives of the Client.

Processing Duration: For the duration of the Agreement, or as required by law.

Annex B: Technical and Organizational Security Measures

  1. Access Control: Restrict access to Personal Data based on role, with multi-factor authentication and strict access controls.
  2. Data Encryption: Encrypt Personal Data in transit using industry-standard protocols.
  3. Incident Response: Maintain a documented incident response plan and conduct regular incident response drills.
  4. Regular Audits: Perform internal and external security audits, including vulnerability assessments and penetration testing.
  5. Training: Conduct regular data protection and security training for all personnel with access to Personal Data.
  6. Data Minimization: Ensure that Personal Data is only retained as necessary for the purposes defined in this DPA.
  7. Backup and Recovery: Implement robust backup and disaster recovery procedures to protect Personal Data.

Data Protection Officer Contact: Mortar has appointed a Data Protection Officer (DPO) who can be contacted at [email protected]. The DPO is available to respond to any data protection or privacy-related questions or requests within 3-4 business days.