Data Processing Agreement
Culture Pressure Map™ | Mind Culture Life Australia PTY LTD
Effective date: The date on which the Customer accepts these terms during account creation. Template last updated: 23 May 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Processor: Mind Culture Life Australia PTY LTD (ACN 679 068 501) ("MCL", "we", "us")
Controller / Customer: The organisation that has entered into a subscription agreement with MCL ("Customer", "you")
2. Definitions
- Applicable Data Protection Laws means the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme, and, where applicable, other privacy laws applying to the Customer.
- Personal Information has the meaning given in the Privacy Act 1988 (Cth).
- Processing means any operation performed on Personal Information including collection, storage, use, disclosure, transmission, or deletion.
- Sub-processor means any third party engaged by MCL to process Personal Information.
- Data Breach means unauthorised access, loss, disclosure, or destruction of Personal Information.
3. Scope and relationship
3.1 The Customer is the controller (and accountable entity under the Privacy Act) of Personal Information it submits or directs to the Service.
3.2 MCL is the processor, acting on documented instructions from the Customer.
3.3 This DPA applies to Personal Information processed through the Culture Pressure Map™ Service.
4. Processing details
4.1 Subject matter: Provision of the Culture Pressure Map™ SaaS platform for workplace culture diagnostics.
4.2 Duration: For the term of the subscription.
4.3 Nature and purpose: Hosting, storing, processing, analysing, and displaying Customer Data in order to provide the Service.
4.4 Categories of data subjects: Customer's employees, contractors, and other persons invited to take assessments.
4.5 Categories of Personal Information:
| Category | Examples |
|---|---|
| Identification | Name, email, role (for Customer administrators only) |
| Behavioural | Survey responses (de-identified by default) |
| Technical | IP address, device and browser data, session data |
| Sensitive (where collected) | Experiences of bullying, harassment, psychological wellbeing — de-identified |
5. MCL's obligations
MCL will:
5.1 Process Personal Information only on documented instructions from the Customer (as set out in the subscription agreement, these Terms, or written instructions).
5.2 Ensure personnel authorised to process Personal Information are bound by appropriate confidentiality obligations.
5.3 Implement appropriate technical and organisational measures to protect Personal Information (see Schedule 1 — Security Measures).
5.4 Assist the Customer in responding to data subject requests (access, correction, deletion).
5.5 Notify the Customer of any Data Breach without undue delay and in any event within 72 hours of becoming aware.
5.6 Provide reasonable assistance to the Customer in complying with its obligations under the Notifiable Data Breaches Scheme.
5.7 On termination, delete or return all Personal Information within 30 days unless required to retain it by law.
5.8 Maintain records of processing activities as required by law.
5.9 Make available information necessary to demonstrate compliance, including audit reports, on reasonable request.
6. Customer's obligations
The Customer:
6.1 Warrants that it has a lawful basis and all necessary consents to submit Personal Information to the Service.
6.2 Is responsible for providing privacy notices to its employees and respondents as required by law.
6.3 Will not instruct MCL to process Personal Information in breach of any applicable law.
6.4 Will securely manage its own access credentials.
6.5 Will respond to data subject requests directed to it; where necessary, MCL will reasonably assist.
7. Sub-processors
7.1 The Customer authorises MCL to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | Sydney, Australia |
| Vercel Inc. | Application hosting | Sydney, Australia (edge: global) |
| Stripe Inc. | Payment processing | USA |
| SendGrid / Twilio | Transactional email | USA |
| Amazon Web Services | Backup storage | Sydney, Australia |
7.2 MCL will give the Customer at least 30 days' notice of any changes to this list, during which the Customer may object on reasonable privacy grounds.
7.3 MCL remains liable for the acts and omissions of sub-processors under this DPA.
7.4 All sub-processors are bound by written agreements imposing equivalent data protection obligations.
8. International transfers
8.1 Customer Data is primarily stored in Australia (Sydney region).
8.2 Some sub-processors (Stripe, SendGrid) process limited data in the United States. Where this occurs:
(a) MCL ensures the recipient is bound by terms substantially similar to those in this DPA; or (b) another lawful basis under APP 8 applies.
8.3 The Customer consents to such transfers where required to provide the Service.
9. Data subject rights
9.1 If MCL receives a request from a data subject to access, correct, or delete Personal Information, MCL will promptly forward the request to the Customer without responding, unless the Customer instructs otherwise.
9.2 MCL will provide reasonable assistance (including technical tools) to enable the Customer to respond within required timeframes.
10. Data Breaches
10.1 MCL maintains an incident response plan.
10.2 MCL will notify the Customer within 72 hours of becoming aware of a Data Breach affecting the Customer's Personal Information.
10.3 MCL's notification will include:
(a) description of the nature and scope of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the breach; (e) contact for further information.
10.4 MCL will cooperate with the Customer to comply with the Notifiable Data Breaches scheme.
11. Audits
11.1 MCL will make available evidence of compliance via:
(a) independent third-party audit reports (e.g. ISO 27001, SOC 2) as they become available; (b) responses to reasonable written security questionnaires; (c) documentation of technical and organisational measures.
11.2 If the Customer reasonably requires an on-site audit, MCL will cooperate, subject to reasonable notice (at least 30 days), confidentiality obligations, and the Customer bearing its own costs.
12. Deletion and return of data
12.1 On termination of the subscription, the Customer may export Customer Data via the Service within 30 days.
12.2 After 30 days, MCL will delete or irreversibly anonymise Customer Data, except where required to retain it by law.
12.3 Backup copies will be deleted within 90 days of account deletion.
13. Liability
Liability under this DPA is governed by the limitation of liability provisions of the Terms of Service.
14. General
14.1 This DPA supplements the Terms of Service. In the event of conflict relating to Personal Information, this DPA prevails.
14.2 Governing law: New South Wales, Australia.
14.3 Amendments must be in writing.
Schedule 1 — Security Measures
Physical security
- Data centres with 24/7 security, biometric access controls, CCTV
- Redundant power, fire suppression, environmental controls
Network security
- TLS 1.2+ for all data in transit
- Web application firewall (WAF)
- DDoS protection
- Network segmentation and VPN access to production
Access control
- Role-based access control (RBAC)
- Two-factor authentication for all administrative access
- Least-privilege principle
- Quarterly access reviews
Encryption
- AES-256 at rest
- TLS 1.2+ in transit
- Row-level security ensuring data isolation between customers
Application security
- OWASP Top 10 controls
- Input validation and output encoding
- SQL injection and XSS protection
- Regular dependency scanning
- Secure software development lifecycle
Monitoring and response
- 24/7 monitoring of critical systems
- Centralised logging
- Intrusion detection
- Documented incident response plan
- Regular tabletop exercises
Personnel
- Background checks for staff with access to production data
- Confidentiality obligations in all employment contracts
- Privacy and security training (annual)
Business continuity
- Daily backups with 30-day rolling retention
- Disaster recovery plan with RPO ≤ 24 hours, RTO ≤ 48 hours
- Annual DR testing
Vulnerability management
- Quarterly vulnerability scans
- Annual third-party penetration testing
- Rapid patching of critical vulnerabilities (within 14 days)