Data Processing Agreement

Effective Date: April 2025

This Data Processing Agreement ("DPA") forms part of and is subject to Ciphrix's Terms of Service and any applicable Master Subscription Agreement between Ciphrix Pty Ltd (ABN 27 674 772 493) and/or Ciphrix Inc., as applicable to the Customer's engagement ("Ciphrix"), and the customer ("Customer"). In the event of conflict, this DPA prevails over the Terms of Service with respect to data processing matters.

1. Definitions

Personal Data means any information relating to an identified or identifiable natural person processed by Ciphrix on behalf of the Customer in connection with the Platform.

Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

Platform means the Ciphrix compliance automation SaaS platform hosted at ciphrix.app.

Subprocessor means any third party engaged by Ciphrix to process Personal Data on its behalf in connection with the Platform.

2. Roles

The Customer is the data controller — it determines what Personal Data is input into the Platform and for what purpose. Ciphrix is the data processor — it processes Personal Data solely on the Customer's instruction and as necessary to provide the Platform.

3. What Ciphrix Processes

Ciphrix processes only the Personal Data that the Customer inputs into or generates through the Platform. This typically includes names, email addresses, and organisational details of the Customer's personnel using the Platform. Ciphrix does not require or request sensitive personal data, and customers should not input it into the Platform.

4. How Ciphrix Processes It

Ciphrix processes Personal Data:

  • Only to provide, maintain, and support the Platform
  • Only on documented instructions from the Customer, as reflected in the Terms of Service and this DPA
  • Not for its own purposes, profiling, or marketing
  • In accordance with applicable privacy law, including the Australian Privacy Act 1988 (Cth)

5. Data Hosting and Transfers

Customer data is hosted on AWS infrastructure in the United States, unless otherwise agreed in writing in a Master Subscription Agreement.

AI-powered features of the Platform rely on third-party AI service providers based in the United States. By using these features, the Customer acknowledges that relevant data may be processed by those providers in the United States.

Customers who require data residency in a specific region should contact Ciphrix prior to entering into a subscription agreement.

6. Security

Ciphrix maintains appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or disclosure. Details of Ciphrix's security posture, certifications, and controls are available at the Trust Center: trust.ciphrix.com.

7. Breach Notification

In the event of a confirmed Personal Data breach, Ciphrix will notify the Customer without undue delay and within 72 hours of becoming aware that a breach has occurred. Notification will be provided to the primary contact on the Customer's account and will include, to the extent known, the nature of the breach, categories of data affected, and steps being taken.

The 72-hour period commences upon Ciphrix confirming that a breach has occurred — not upon detection of a security anomaly or suspected incident.

8. Subprocessors

Ciphrix uses third-party subprocessors to deliver the Platform. A current list of subprocessors is maintained and updated at the Trust Center: trust.ciphrix.com.

Ciphrix will provide reasonable notice of material changes to its subprocessor list. Continued use of the Platform following such notice constitutes acceptance. Customers who object to a new subprocessor may terminate the subscription in accordance with the Terms of Service.

9. Data Retention and Deletion

Ciphrix retains Customer Personal Data for the duration of the subscription. Customers may export and delete their own data at any time using the Platform's built-in tools.

On termination of the subscription, Ciphrix will delete Customer Personal Data within 60 days, unless retention is required by law. Customers are responsible for exporting any data they wish to retain prior to termination.

Customers may request deletion of specific Personal Data at any time by contacting support@ciphrix.com.

10. Data Subject Rights

Where a Customer's end user exercises a data subject right (access, correction, deletion, portability) in relation to Personal Data processed through the Platform, Ciphrix will assist the Customer in responding to the extent reasonably practicable, given the nature of the processing.

11. Governing Law

This DPA is governed by the laws of Victoria, Australia, consistent with the Terms of Service.

Ciphrix's practices are consistent with the principles of the Australian Privacy Act 1988 (Cth). For customers based in India, Ciphrix's data handling is consistent with the principles of the Digital Personal Data Protection Act 2023 (DPDP). For customers based in the EU/UK, this DPA is intended to satisfy the requirements of GDPR Article 28.

12. Contact

For data protection queries, breach notifications, or deletion requests:

Email: support@ciphrix.com
Trust Center: trust.ciphrix.com
