Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Subscriber Agreement between Optible Ventures Pty Ltd trading as Optible AI ABN 76 659 316 202 ("Optible", "we", "us") and the entity agreeing to these terms ("Subscriber", "you") for use of the Optible platform and services ("Services").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that Optible processes on your behalf.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Protection Laws" means the Australian Privacy Act 1988, GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
"Subprocessor" means any third party engaged by Optible to process Personal Data on your behalf.

2. Roles and Scope

2.1 Roles. You are the Controller. Optible is the Processor. We process Personal Data only to provide the Services.
2.2 Processing Details.

• Categories of Data: Names, email addresses, organisation details, grant application content, and usage data

• Data Subjects: Your employees, end users, and grant applicants

• Purpose: Providing AI-powered grant assessment, document processing, and related services

• Duration: For the term of the Subscriber Agreement plus any retention period required by law

2.3 Your Responsibilities. You warrant that you have obtained all necessary consents and have a lawful basis for providing Personal Data to us.

3. Processing Instructions

3.1 Optible will process Personal Data only on your documented instructions, unless required by law.
3.2 We will inform you if we believe an instruction violates Data Protection Laws.
3.3 The Services include AI-powered features. AI processing follows the same data protection standards as all other processing. Personal Data is not used to train AI models.

4. Confidentiality

4.1 All personnel processing Personal Data are bound by confidentiality obligations.
4.2 We restrict access to Personal Data to personnel who need it to perform the Services.

5. Security

5.1 We implement appropriate technical and organisational measures to protect Personal Data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)

• Access controls and authentication

• Regular security assessments

• Incident response procedures

5.2 Full security details are available at trust.optible.ai.
5.3 Optible maintains SOC 2 Type II and ISO 27001:2022 certifications.

6. Subprocessors

6.1 You authorise Optible to engage Subprocessors to process Personal Data.
6.2 The current list of Subprocessors is maintained at trust.optible.ai/subprocessors.
6.3 We will notify you of new Subprocessors at least 14 days before engagement via email or Trust Centre update. You may object within that period by notifying us at security@optible.ai with reasonable grounds.
6.4 Optible ensures all Subprocessors are bound by data protection obligations equivalent to this DPA.

7. Data Subject Rights

7.1 Optible will assist you in responding to data subject requests (access, rectification, erasure, portability, objection) by providing relevant functionality within the Services or reasonable cooperation.
7.2 If we receive a request directly, we will redirect the data subject to you unless legally required to respond.

8. Security Incidents

8.1 We will notify you of any Security Incident without undue delay, and where feasible, within 72 hours of becoming aware.
8.2 Notification will include: nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
8.3 We will cooperate with your investigation and regulatory notification obligations.

9. Audits

9.1 On reasonable request (no more than annually), Optible will provide information necessary to demonstrate compliance with this DPA.
9.2 This may include: SOC 2 reports, ISO 27001 certificates, penetration test summaries, and completed security questionnaires.
9.3 On-site audits require 30 days notice, must not interfere with operations, and are at your cost.

10. International Transfers

10.1 Data Residency. Optible processes Personal Data across the following locations:
Regional (Australia, EU, or US based on your subscription):

• Grant applications and supporting documents

• Assessment data and AI-generated outputs

• Organisation and workspace data

Australia:

• Authentication data (user accounts, login credentials)

• Billing and subscription information

European Union:

• Product analytics and feature usage

• Error monitoring and diagnostics

Global edge network:

• Request routing and security (no persistent storage)

10.2 Transfer Mechanisms. Where Personal Data is transferred to countries without an adequacy decision:

• EU/EEA: EU Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference and deemed executed upon acceptance of this DPA

• UK: UK International Data Transfer Addendum to the EU SCCs

• Other: Appropriate safeguards as required by applicable law

10.3 Supplementary Measures. All transfers are protected by encryption in transit and at rest, access controls, and equivalent contractual obligations on subprocessors.

11. CCPA/CPRA (California)

11.1 To the extent Optible processes Personal Data subject to CCPA/CPRA, Optible acts as a "Service Provider."
11.2 We will not sell or share Personal Data, retain or use it for purposes other than providing the Services, or combine it with other data except as permitted by CCPA/CPRA.
11.3 We will notify you if we can no longer meet our Service Provider obligations.

12. Data Deletion

12.1 Upon termination of the Subscriber Agreement, or upon your written request, Optible will delete or return Personal Data within 90 days.
12.2 You may request data return in a commonly used, machine-readable format.
12.3 We may retain Personal Data as required by law, in which case we will isolate and protect it.

13. Liability

13.1 Each party's liability under this DPA is subject to the limitations in the Subscriber Agreement.
13.2 You acknowledge that AI-assisted assessments are tools to support decision-making. Final decisions remain your responsibility.

14. General

14.1 Precedence. If there is a conflict between this DPA and the Subscriber Agreement regarding data protection, this DPA prevails.
14.2 Updates. We may update this DPA to reflect changes in law or our practices. Material changes will be notified 30 days in advance.
14.3 Contact. For data protection enquiries: security@optible.ai
14.4 Governing Law. This DPA is governed by the laws of South Australia.
Acceptance. This DPA is effective upon execution of the Subscriber Agreement, acceptance via the Platform, or continued use of the Services after the effective date.

15. Contact

For questions about these Terms, contact us at:

Optible Ventures Pty Ltd
ABN 76 659 316 202
Stone & Chalk, Lot Fourteen, Adelaide, South Australia, Australia
security@optible.ai