Data Sub-Processor Agreement

Parties

This Data Sub-Processor Agreement (“Agreement“) is entered into between:

Sub-Processor: HtAG Analytics Pty Ltd (ACN 622 716 492) — Contact — htag.com.au

Controller: The individual or organisation identified in the applicable HtAG Analytics service intake or order form.


Preamble

This Agreement governs the processing of personal information submitted to HtAG Analytics via any service intake or order form that references this Agreement. It is made in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.

By ticking the consent checkbox on the applicable service intake or order form and submitting a Service Order, the Controller agrees to be bound by the terms of this Agreement.


1. Definitions

Agreement — This Data Sub-Processor Agreement, including all Schedules.

APP — Australian Privacy Principles in Schedule 1 of the Privacy Act 1988 (Cth).

Controller — The individual or organisation submitting Personal Information of End Clients to the Sub-Processor via a Service Order. The Controller determines the purpose and means of collecting End Client personal information.

Data Breach — Any unauthorised access to, disclosure of, or loss of Personal Information likely to result in serious harm to any individual.

Data Subject — An identified or reasonably identifiable natural person whose Personal Information is processed — in most instances the End Client of the Controller.

End Client — A natural person whose personal and financial details are submitted by the Controller in a Service Order.

Personal Information — Information or opinion about an identified or reasonably identifiable individual (Privacy Act 1988 (Cth)). In this Agreement, includes all data in Schedule A.

Privacy Act — Privacy Act 1988 (Cth), as amended from time to time.

Processing — Any operation on Personal Information, including collection, storage, use, disclosure, or deletion.

Service Order — A request submitted via an HtAG Analytics service intake or order form, instructing the Sub-Processor to process End Client data to produce deliverables.

Deliverables — Reports, documents, data outputs, and related materials produced by the Sub-Processor in fulfilment of a Service Order.

Service — Any HtAG Analytics service that involves processing Personal Information on behalf of the Controller and that references this Agreement.

Sub-Processor — HtAG Analytics Pty Ltd, processing Personal Information on behalf of and under instruction of the Controller.

TOMs — Technical and Organisational Measures — security safeguards maintained by the Sub-Processor, detailed in Schedule B.


2. Scope and Purpose of Processing

2.1 This Agreement applies to all Processing of Personal Information by the Sub-Processor on behalf of the Controller in connection with the Service.

2.2 The Sub-Processor shall process Personal Information solely for:

  • Analysing the End Client’s profile, requirements, and related parameters submitted in a Service Order;
  • Generating Deliverables tailored to the End Client’s criteria;
  • Delivering Deliverables and associated materials to the Controller; and
  • Complying with applicable legal obligations.

2.3 The Sub-Processor shall not process Personal Information for any purpose beyond those specified without the prior written consent of the Controller, except where required by Australian law.


3. Obligations of the Controller

3.1 The Controller warrants and represents that:

  • It has lawfully collected the Personal Information of each End Client in accordance with the APPs;
  • It has notified each End Client that their information may be disclosed to HtAG Analytics for the purposes of the Service, in accordance with APP 5;
  • It has obtained any necessary consents from End Clients for disclosure of their Personal Information to the Sub-Processor;
  • It is authorised to submit the Personal Information and to instruct the Sub-Processor to process it; and
  • It will not submit sensitive information (as defined in the Privacy Act) unless explicitly required and with appropriate End Client consent.

3.2 The Controller shall promptly notify the Sub-Processor of any corrections required to Personal Information previously submitted, or upon becoming aware of any suspected Data Breach involving submitted data.

3.3 The Controller acknowledges that Deliverables are for informational purposes only and do not constitute financial advice under the Corporations Act 2001 (Cth). The Controller takes full responsibility for how Deliverables are communicated to End Clients.


4. Obligations of the Sub-Processor

4.1 The Sub-Processor shall:

  • Process Personal Information only on documented instructions from the Controller as expressed in each Service Order, and only for the purposes in this Agreement;
  • Ensure persons with access to Personal Information are under appropriate confidentiality obligations;
  • Implement and maintain the Technical and Organisational Measures in Schedule B;
  • Not disclose, sell, rent, or transfer Personal Information to any third party except as permitted under this Agreement or required by law;
  • Assist the Controller in responding to Data Subject access (APP 12) and correction (APP 13) requests;
  • Notify the Controller without undue delay upon becoming aware of a Data Breach; and
  • Delete or return all Personal Information upon completion of a Service Order, termination, or written request.

4.2 Where the Sub-Processor reasonably believes a Controller instruction would breach the Privacy Act, it shall inform the Controller and may suspend acting on that instruction until resolved.


5. Data Security

5.1 The Sub-Processor shall implement appropriate technical and organisational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to: the state of the art; the cost of implementation; the nature and purpose of Processing; and risk of harm to Data Subjects.

5.2 Specific measures currently in place are set out in Schedule B. The Sub-Processor may update these measures provided any update does not materially reduce protection afforded to Personal Information.

5.3 Access to Personal Information is restricted to persons who require it to fulfil Service Orders and who are subject to appropriate confidentiality obligations.


6. Sub-Contracting and Approved Third Parties

6.1 The Controller acknowledges that the Sub-Processor may engage the following categories of sub-contractors:

  • Cloud infrastructure and hosting providers;
  • AI model and language model API providers used in generating Deliverables;
  • Property data and analytics vendors; and
  • Secure file delivery services.

6.2 Before engaging any new sub-contractor with access to Personal Information, the Sub-Processor shall: provide 14 days’ notice to the Controller; ensure the sub-contractor is bound by terms no less protective than this Agreement; and remain fully liable for that sub-contractor’s acts and omissions.

6.3 If the Controller reasonably objects to a new sub-contractor and the issue is not resolved within 14 days, the Controller may terminate this Agreement on 30 days’ written notice without penalty.


7. Data Breach Notification

7.1 Upon becoming aware of a Data Breach, the Sub-Processor shall notify the Controller within 72 hours and provide sufficient information to allow the Controller to meet its obligations under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act.

7.2 The notification shall include: the nature and scope of the breach; likely consequences; measures taken or proposed; and the Sub-Processor’s privacy contact details.

7.3 The Sub-Processor is not liable for a Data Breach caused by the Controller’s acts or omissions, including failure to safeguard login credentials or Deliverables once delivered.


8. Data Subject Rights

8.1 If the Sub-Processor receives a Data Subject request to exercise Privacy Act rights (access under APP 12 or correction under APP 13), it shall forward the request to the Controller within 5 business days and provide such assistance as required for the Controller to respond.

8.2 The Controller bears primary responsibility for responding to Data Subject requests under the Privacy Act.


9. Data Retention and Deletion

9.1 Retention periods are as follows:

  • Service Order intake data (name, contact, financial profile) — 90 days from Deliverable completion
  • Deliverables — 12 months from delivery, then deleted or anonymised
  • Aggregate, anonymised analytics (non-identifying) — Retained indefinitely

9.2 The Sub-Processor shall delete Personal Information earlier upon written request, subject to legal retention obligations. Written confirmation of deletion is provided within 14 business days.


10. Cross-Border Transfers

10.1 The Sub-Processor primarily processes Personal Information within Australia. Where information is transferred to or accessed from an overseas jurisdiction, the Sub-Processor shall comply with APP 8 and take reasonable steps to ensure overseas recipients do not breach the APPs.

10.2 The Controller consents to such transfers on the basis that the Sub-Processor will impose contractual protections equivalent to the APPs on any overseas provider.


11. Audit Rights

11.1 Upon not less than 30 days’ written notice and no more than once per calendar year, the Controller may request an audit of the Sub-Processor’s compliance during business hours at the Controller’s expense (unless a material breach is revealed).

11.2 As an alternative, the Sub-Processor may provide a written compliance report, third-party certification (e.g., ISO 27001), or other evidence of compliance agreed between the Parties.


12. Confidentiality

12.1 Each Party shall keep confidential all non-public information received in connection with this Agreement, including its terms, all Personal Information, all Deliverables, and all business information disclosed during the engagement.

12.2 Confidentiality obligations survive termination or expiry of this Agreement for five (5) years.


13. Liability and Indemnification

13.1 Each Party shall be liable to the other for direct losses arising from that Party’s material breach of this Agreement or violation of the Privacy Act.

13.2 The Sub-Processor’s aggregate liability shall not exceed total fees paid by the Controller in the 12 months preceding the event, except in cases of gross negligence, wilful misconduct, or non-excludable Privacy Act liability.

13.3 Neither Party shall be liable for indirect, consequential, incidental, or punitive losses, including loss of profits or data.

13.4 The Controller shall indemnify the Sub-Processor against claims arising from the Controller’s breach of this Agreement or failure to lawfully collect or disclose End Client Personal Information.


14. Term, Termination and General Provisions

14.1 This Agreement commences when the Controller accepts it via the applicable service intake or order form checkbox and continues until terminated. Either Party may terminate on 30 days’ written notice, or immediately upon the other Party’s material unremedied breach or insolvency.

14.2 Sections 9 (Retention), 12 (Confidentiality), and 13 (Liability) survive termination.

14.3 Governing Law. This Agreement is governed by the laws of New South Wales, Australia. The Parties submit to the exclusive jurisdiction of the courts of New South Wales.

14.4 Entire Agreement. This Agreement supersedes all prior agreements relating to its subject matter. Amendments require a written agreement signed by both Parties.

14.5 Notices. Notices shall be sent via the HtAG Analytics contact page or by email to the address provided there.

14.6 Severability. If any provision is held invalid or unenforceable, the remaining provisions continue in full force.

14.7 Force Majeure. Neither Party shall be in breach for failure or delay in performance arising from circumstances beyond its reasonable control.


Schedule A — Personal Information Categories and Processing Details

End Client Identity — First name, last name — Retained 90 days from Deliverable completion

End Client Contact — Email address, phone number — Retained 90 days from Deliverable completion

Controller Details — Controller name, organisation name — Retained 12 months from Deliverable completion

Financial Profile — Budget (min/max), investment horizon, equity release timeframe, risk profile, target rental yield — Retained 90 days from Deliverable completion

Investment Preferences — Geographic preference, investment objective, property type — Retained 90 days from Deliverable completion

Service Brief — Notes, supporting documents (up to 5 files) — Retained 90 days from Deliverable completion

Referral Information — Referral source (aggregate, non-personal use only) — Anonymised, retained indefinitely

Usage & Audit Logs — Form submission timestamp, IP address — Retained 12 months from submission

Note: HtAG Analytics does not collect or process sensitive information (health data, racial/ethnic origin, financial account numbers, or government identifiers) unless explicitly required for a Service Order and with the End Client’s express consent.


Schedule B — Technical and Organisational Measures (TOMs)

Access Control — Role-based access (RBAC); least-privilege principle; MFA required for all staff; no shared accounts.

Encryption — All data in transit via TLS 1.2+; data at rest AES-256 or equivalent; encrypted file delivery for Deliverables.

Infrastructure — Enterprise-grade cloud hosting (SOC 2 Type II or equivalent); regular vulnerability scanning; Web Application Firewall.

Data Minimisation — Only data strictly necessary for Deliverables collected; automated deletion enforces Schedule A retention limits.

Incident Response — Documented Data Breach Response Plan; designated privacy contact; 72-hour Controller notification obligation.

Third-Party Risk — Due diligence conducted on all sub-contractors; contractual privacy obligations imposed on all sub-contractors with data access.

Audit & Logging — Access to systems containing Personal Information is logged and monitored; logs retained 12 months.

Business Continuity — Regular backups with tested restoration procedures; documented business continuity plan covering data processing operations.


Acceptance

This Agreement is accepted by the Controller by ticking the consent checkbox on the applicable HtAG Analytics service intake or order form and submitting a Service Order. Checkbox acceptance constitutes a valid and binding agreement under the Electronic Transactions Act 1999 (Cth) (Sections 9 & 10) and Australian contract law.

A consent record — including timestamp (UTC), IP address, Agreement version, and Controller representative details — is retained at submission for a minimum of seven (7) years.


Questions about this Agreement? Contact us

HtAG Analytics Pty Ltd · ACN 622 716 492 · htag.com.au

This document was prepared for informational purposes. HtAG Analytics recommends obtaining independent legal advice before executing this Agreement.