Data Processing Addendum
Effective Date: 1 July, 2026
This Data Processing Addendum ("DPA") forms part of, and is subject to, the Support Fusion Terms of Service (the "Terms") between Support Fusion Pty Ltd (ACN 685 654 326) ("Support Fusion", "we", "us" or "our") and the customer agreeing to the Terms ("Customer" or "you"). This DPA applies to the extent Support Fusion processes Customer Personal Data on Customer's behalf in connection with the Services. In the event of a conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA controls.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Terms. In this DPA:
"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles, applicable US state privacy laws (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act), and, to the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR.
"Customer Personal Data" means personal information or personal data within Customer Data that Support Fusion processes on Customer's behalf in connection with the Services.
"Data Subject", "controller", "processor", "personal data" and "processing" have the meanings given under Applicable Data Protection Law; references to "service provider" and "business" have the meanings given under US state privacy laws.
"Sub-processor" means any third party engaged by Support Fusion to process Customer Personal Data in connection with the Services.
2. Roles and Scope of Processing
2.1 Roles
As between the parties, Customer is the controller (or business) and Support Fusion is the processor (or service provider) with respect to Customer Personal Data. Where Customer is itself a processor acting on behalf of a third-party controller, Support Fusion acts as a sub-processor.
2.2 Customer instructions
Support Fusion will process Customer Personal Data only (a) to provide, secure, support and maintain the Services in accordance with the Terms; (b) in accordance with Customer's documented instructions, including as set out in this DPA and the Terms; and (c) as required by law, in which case Support Fusion will, where lawful, inform Customer of the legal requirement before processing.
2.3 Subject matter and details
The subject matter, duration, nature and purpose of the processing, the types of Customer Personal Data and the categories of Data Subjects are described in Schedule 1.
2.4 Service provider status
Support Fusion will not (a) sell or share Customer Personal Data; (b) retain, use or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services, or otherwise outside the direct business relationship with Customer; or (c) combine Customer Personal Data with personal information from other sources except as permitted under Applicable Data Protection Law. Support Fusion certifies that it understands and will comply with these restrictions.
3. Confidentiality and Personnel
Support Fusion will ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training on their data protection responsibilities.
4. Security
Support Fusion will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the nature of the processing. These measures include those described in Schedule 2 and are consistent with the security commitments in the Terms and the Support Fusion Privacy Policy.
5. Sub-processors
5.1 Authorisation
Customer provides general authorisation for Support Fusion to engage Sub-processors to process Customer Personal Data, including the cloud hosting, payment processing, identity, monitoring, customer support and analytics providers described in the Privacy Policy.
5.2 Obligations
Support Fusion will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance of those obligations.
5.3 Changes
Support Fusion will make available a list of Sub-processors on request and will give Customer reasonable notice of the addition or replacement of a Sub-processor, with an opportunity to object on reasonable data protection grounds.
6. Assistance to Customer
6.1 Data Subject requests
Taking into account the nature of the processing, Support Fusion will provide reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. If Support Fusion receives such a request directly, it will, where permitted, refer the Data Subject to Customer.
6.2 Compliance assistance
Support Fusion will provide Customer with reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, in each case to the extent relating to the processing of Customer Personal Data and taking into account the information available to Support Fusion.
7. Personal Data Breach
Support Fusion will notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data, and will provide Customer with information reasonably available to it to assist Customer in meeting its own notification obligations, including those relating to an eligible data breach under the Privacy Act 1988 (Cth).
8. Return and Deletion
On expiry or termination of the Subscription Term, Support Fusion will delete or return Customer Personal Data in accordance with Section 5.10 of the Terms, except to the extent retention is required by law or for legal and audit purposes, in which case Support Fusion will continue to protect that data in accordance with this DPA.
9. Audits
Support Fusion will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality, security, frequency and notice conditions. Support Fusion may satisfy this obligation by providing third-party certifications or audit reports where available.
10. International Transfers
Where Support Fusion transfers Customer Personal Data to a jurisdiction not recognised as providing an adequate level of protection under Applicable Data Protection Law, the parties will put in place a lawful transfer mechanism required by that law, including, where applicable, the Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed using the details in Schedule 1.
11. General
11.1 Term
This DPA takes effect on the Effective Date and continues for so long as Support Fusion processes Customer Personal Data under the Terms.
11.2 Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms.
11.3 Precedence
Except as expressly modified by this DPA, the Terms remain in full force and effect.
Schedule 1 - Details of Processing
| Item | Detail |
|---|---|
| Subject matter | Routing of tickets and related records between Connected Systems via the Support Fusion integration platform. |
| Duration | For the duration of the Subscription Term and any legal/audit retention period thereafter. |
| Nature and purpose | Transient, in-memory reading and routing of ticket content; persistent processing of ticket reference numbers, routing metadata and Service-Generated Data, to provide and support the Services. |
| Types of Customer Personal Data | Identifiers and contact details within tickets (e.g. names, work email addresses, phone numbers); service request and incident content submitted by Customer or its end users; ticket reference numbers and routing metadata. |
| Categories of Data Subjects | Customer's Authorised Users; Customer's own personnel, end users and customers whose information appears in routed tickets. |
| Sensitive data | Not intended; any sensitive personal information is routed at Customer's election and risk per Section 5.5 of the Terms. |
Schedule 2 - Technical and Organisational Security Measures
| Measure | Description |
|---|---|
| Encryption | Encryption of Customer Personal Data in transit; transient in-memory processing of ticket content without persistent storage of ticket body content. |
| Access controls | Role-based access controls, authentication and least-privilege access for personnel and systems. |
| Network security | Network segmentation, firewalling and monitoring of the production environment. |
| Log masking | Masking or redaction of ticket free-text and configured sensitive fields in technical and diagnostic logs. |
| Sub-processor controls | Contractual data protection obligations imposed on Sub-processors; hosting in secure environments. |
| Personnel | Confidentiality obligations and data protection training for authorised personnel. |
| Resilience | Backup, logging and incident response processes designed to restore availability and detect security events. |