Data Processing Agreement

Last updated: January 17, 2026
Version 1.0

GDPR-Compliant Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between JCorp Australia Pty Ltd (ABN: 51 694 095 513), trading as "Tork" ("Processor"), and the entity agreeing to these terms ("Controller").

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Controller" means the entity that determines the purposes and means of Processing Personal Data, being the customer who has agreed to the Tork Terms of Service.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller, being JCorp Australia Pty Ltd (ABN: 51 694 095 513), trading as Tork.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "Personal Data" means any information relating to a Data Subject that is Processed by the Processor on behalf of the Controller through the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Services" means the Tork AI governance platform and related services provided by the Processor to the Controller.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR (EU) 2016/679, UK GDPR, CCPA, Australian Privacy Act 1988, and other applicable regulations.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.

2. Subject Matter and Duration

2.1 Subject Matter: This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Tork Services.

2.2 Duration: This DPA shall remain in effect for the duration of the Controller's use of the Services, and shall automatically terminate upon termination of the underlying Terms of Service, subject to the Processor's obligations regarding data deletion and return.

2.3 Effective Date: This DPA is effective as of [EFFECTIVE DATE] or the date the Controller first accesses the Services, whichever is later.

3. Nature and Purpose of Processing

3.1 Nature of Processing: The Processor provides AI governance services that may involve Processing Personal Data submitted by the Controller through API calls, including:

  • PII detection and redaction
  • Content policy evaluation and enforcement
  • Compliance logging and audit trail generation
  • Real-time content filtering

3.2 Purpose of Processing: The Processor shall only Process Personal Data for the following purposes:

  • Providing the Services as described in the Terms of Service
  • Detecting and redacting Personal Data as instructed by the Controller
  • Generating compliance receipts and audit logs
  • Improving and maintaining the Services (using anonymized or aggregated data only)
  • Complying with legal obligations

4. Types of Personal Data

The types of Personal Data Processed depend on the Controller's use of the Services and may include:

  • Identity Data: Names, usernames, government IDs (SSN, TFN, etc.)
  • Contact Data: Email addresses, phone numbers, postal addresses
  • Financial Data: Credit card numbers, bank account details, tax identifiers
  • Technical Data: IP addresses, device identifiers, API keys
  • Health Data: Medical records, health insurance information (if submitted by Controller)
  • Any other Personal Data: Submitted by the Controller through the Services

Note: The Processor's primary function is to detect and redact such Personal Data. The Processor does not retain the content of API calls beyond the time necessary to process the request, except as required for audit logging based on the Controller's plan settings.

5. Categories of Data Subjects

Data Subjects may include, depending on the Controller's use of the Services:

  • End users of the Controller's applications or services
  • Customers of the Controller
  • Employees or contractors of the Controller
  • Business contacts and partners of the Controller
  • Any other individuals whose Personal Data is submitted to the Services by the Controller

6. Obligations of the Processor (Tork)

The Processor agrees to:

  • 6.1 Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • 6.2 Ensure that persons authorized to Process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 6.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • 6.4 Respect the conditions for engaging Sub-processors as set out in Section 8.
  • 6.5 Assist the Controller in responding to Data Subject requests, taking into account the nature of the Processing.
  • 6.6 Assist the Controller in ensuring compliance with data breach notification obligations.
  • 6.7 Delete or return all Personal Data after the end of the Services, at the Controller's choice, and delete existing copies unless storage is required by law.
  • 6.8 Make available all information necessary to demonstrate compliance and allow for audits.
  • 6.9 Immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

7. Obligations of the Controller (Customer)

The Controller agrees to:

  • 7.1 Ensure that the Processing of Personal Data has a valid legal basis under applicable Data Protection Laws.
  • 7.2 Provide clear and lawful instructions to the Processor regarding the Processing of Personal Data.
  • 7.3 Ensure that Data Subjects have been informed about the Processing and their rights.
  • 7.4 Implement appropriate technical and organizational measures on its own systems.
  • 7.5 Notify the Processor promptly of any Data Subject requests or complaints received directly.
  • 7.6 Comply with all applicable Data Protection Laws in its use of the Services.
  • 7.7 Not submit Personal Data to the Services that the Controller does not have the right to Process.

8. Sub-processors

8.1 Authorization: The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.

8.2 Current Sub-processors: The following Sub-processors are currently engaged:

| Sub-processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Vercel Inc. | United States | Cloud hosting and edge network infrastructure | EU-US Data Privacy Framework, SCCs |
| Supabase Inc. | United States | Database hosting and authentication services | EU-US Data Privacy Framework, SCCs |
| Resend Inc. | United States | Transactional email delivery | EU-US Data Privacy Framework, SCCs |

8.3 Sub-processor Agreements: The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

9. Data Subject Rights

9.1 The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise any of the following rights:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

9.2 The Processor shall assist the Controller in responding to such requests, taking into account the nature of the Processing.

9.3 Any assistance provided by the Processor may be subject to reasonable fees where permitted by law.

10. Security Measures

The Processor implements the following technical and organizational security measures:

Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database connections

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication for administrative access
  • Principle of least privilege
  • Regular access reviews

Infrastructure Security

  • SOC 2 Type II compliant infrastructure providers
  • DDoS protection
  • Web application firewall (WAF)
  • Regular security assessments and penetration testing

Monitoring & Logging

  • 24/7 security monitoring
  • Comprehensive audit logging
  • Intrusion detection systems
  • Automated alerting for security events

11. Data Breach Notification

11.1 Notification Timeline: The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach.

11.2 Notification Content: The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Name and contact details of the Processor's data protection contact
  • Description of likely consequences of the breach
  • Description of measures taken or proposed to address the breach

11.3 Cooperation: The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11.4 Documentation: The Processor shall document all Personal Data Breaches, including the facts, effects, and remedial actions taken.

12. Data Deletion and Return

12.1 Upon termination of the Services or upon the Controller's request, the Processor shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used format; or
  • Delete all Personal Data and certify such deletion in writing

12.2 The Processor may retain Personal Data to the extent required by applicable law, in which case it shall:

  • Inform the Controller of such requirement
  • Only Process such data for the purpose required by law
  • Maintain confidentiality of such data

12.3 The Controller acknowledges that Tork's Services are designed to minimize data retention. API request content is not stored beyond the time necessary to process the request, except for audit logs as configured by the Controller.

13. Audit Rights

13.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws.

13.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

13.3 Audit requests must be made with reasonable notice (minimum 30 days) and shall be conducted during normal business hours, at the Controller's expense.

13.4 The Processor may satisfy audit requests by providing:

  • SOC 2 Type II reports or equivalent certifications
  • Third-party audit reports
  • Responses to security questionnaires
  • Documentation of security measures and policies

14. Liability and Indemnification

14.1 Each party shall be liable for damages caused by Processing that infringes this DPA or Data Protection Laws only to the extent provided in the underlying Terms of Service.

14.2 The Processor shall indemnify the Controller for any direct damages arising from the Processor's breach of this DPA, subject to the limitations set forth in the Terms of Service.

14.3 The Controller shall indemnify the Processor for any damages arising from:

  • The Controller's instructions that infringe Data Protection Laws
  • The Controller's failure to comply with its obligations under this DPA
  • The Controller's unlawful Processing of Personal Data

14.4 Nothing in this DPA shall limit either party's liability for death, personal injury, fraud, or any other liability that cannot be limited by law.

15. Cross-Border Transfers

15.1 The Controller acknowledges that the Processor may transfer Personal Data to countries outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions.

15.2 For transfers to countries without an adequacy decision, the Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement or UK Addendum to SCCs
  • EU-US Data Privacy Framework certification (where applicable)
  • Other legally recognized transfer mechanisms

15.3 The parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA for transfers requiring such clauses.

15.4 The Processor shall conduct Transfer Impact Assessments where required and implement supplementary measures as necessary to ensure an essentially equivalent level of protection.

For detailed information about our SCC implementation, supplementary measures, and Transfer Impact Assessment, see our Standard Contractual Clauses (SCCs) documentation.

16. Term and Termination

16.1 This DPA shall commence on the Effective Date and continue until the termination of the underlying Terms of Service.

16.2 Upon termination, the provisions of this DPA relating to confidentiality, data deletion, and liability shall survive.

16.3 Either party may terminate this DPA if the other party materially breaches this DPA and fails to cure such breach within 30 days of written notice.

16.4 The Controller may terminate this DPA if the Processor can no longer provide appropriate safeguards for international data transfers.

17. Signatures

By using the Tork Services, the Controller agrees to this Data Processing Agreement. For enterprise customers requiring a manually signed DPA, please contact us.

PROCESSOR

Company Name: JCorp Australia Pty Ltd
Trading As: Tork
ABN: 51 694 095 513
Address: Sydney, NSW, Australia
Signature:
Date:

CONTROLLER

Company Name:
Authorized Representative:
Title:
Address:
Signature:
Date:

Questions about this DPA?

For questions about this Data Processing Agreement or to request a manually signed copy for enterprise use, please contact us: