DATA PROCESSING ADDENDUM

1.1. Unless otherwise defined herein, capitalized terms used in this Addendum shall have the meanings set forth in the Agreement, the Australian Privacy Act 1988 (Cth), and the New Zealand Privacy Act 2020, as applicable.

1.2. "Applicable Privacy Laws" means the Australian Privacy Act 1988 (Cth), the New Zealand Privacy Act 2020, and any other laws or regulations in Australia or New Zealand applicable to the processing of Personal Information under the Agreement.

1.3. "Service" means the product provided by the Processor, Nulla, for compiling embodied carbon calculations for construction projects.

1.4. "Personal Information" has the meaning given in the Applicable Privacy Laws, and generally refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

1.5. "Controller Data" means all data and content that the Controller provides or uploads to the Processor through the Nulla Service, including Bills of Quantities (BQ/BOQ) or other project documents linked to the Controller's use of the Service. Controller Data may contain Personal Information and remains the property of the Controller at all times.

2.1. Purpose of Processing

The Processor shall process data provided by the Controller ("Controller Data"), including any Personal Information contained therein, solely for the purpose of providing the Nulla Service. This includes:

1. Ingesting and processing Material Take-off Quantities documents (e.g., BOQ, BQ, cost plan, BIM quantity schedule) supplied by the Controller;
2. Mapping line items to materials and associated embodied-carbon coefficients from generic or EPD databases;
3. Generating and delivering embodied-carbon calculations and analytical insights; and
4. Storing and displaying processed results for the Controller's ongoing access, reporting, and use within the Service dashboard.

2.2. Nature of Processing and Data Minimisation

1. During processing, the Service automatically removes or masks any information that could identify specific clients, projects, or locations contained within uploaded documents.
2. The Processor retains only the line-item and quantity data required for material mapping and carbon-coefficient analysis.
3. Each Controller's processed data and outputs are visible only to that Controller and its authorised users; no Controller Data is accessible to other Controllers.
4. The Controller Data, including material takeoff data, shall not be used to train any artificial intelligence models, machine learning systems, or other generative models. The Processor may only use anonymised and aggregated data, stripped of all identifying elements and incapable of re-identification, solely for the purpose of improving the Nulla Service, provided that no individual Controller or project can be identified.

2.3. Duration of Processing: Processing shall continue for the term of the Controller's subscription to the Service or as required to fulfil the purposes above, unless otherwise required by Applicable Privacy Laws.

2.4. Categories of Personal Information: Personal Information may include names, contact details, professional titles, or other identifying information embedded within uploaded documents, to the extent such data exists.

2.5. Data Residency: All compute operations, databases and file storage supporting the Service are hosted and operated exclusively within Australia (Sydney region). Network traffic may pass through the nearest Point of Presence ("PoP") for routing or security purposes, but no Controller Data is stored or processed outside Australia.

2.6. No Overseas Transfer: The Processor does not transfer or replicate Controller Data outside Australia except where required by law or expressly authorised in writing by the Controller.

3.1. Lawful Processing: The Processor shall process Controller Data only on documented instructions from the Controller and in accordance with this Addendum, unless required to do so by Applicable Privacy Laws to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.

3.2. Confidentiality: The Processor shall ensure that persons authorised to process the Controller Data have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality.

3.3. Security: The Processor shall implement and maintain appropriate technical and organisational measures to protect Controller Data. These measures include but are not limited to:

1. Encrypting all data transmissions via HTTPS (TLS 1.2).
2. Protecting data at rest through encryption, strict data retention policies, and secure storage from established providers.
3. Adhering to SOC2 requirements for access controls and audit log maintenance.
4. Establishing a process to regularly test and evaluate the effectiveness of security measures.

3.4. Assistance to Controller: The Processor shall, taking into account the nature of the processing, provide reasonable assistance to the Controller to enable the Controller to comply with its obligations under Applicable Privacy Laws, including:

1. Responding to requests for access to and correction of Personal Information from data subjects (consistent with APP 12, APP 13, IPP 6, and IPP 7).
2. Fulfilling the Controller's obligations regarding Privacy Impact Assessments (if applicable).

3.5. Notifiable Data Breach Notification: The Processor shall notify the Controller without undue delay (and in any event, within 48 hours of becoming aware) upon becoming aware of a privacy breach (as defined under Applicable Privacy Laws) affecting Controller Data that is likely to be an eligible data breach under the Australian Notifiable Data Breaches (NDB) scheme or a notifiable privacy breach under the New Zealand Privacy Act 2020. The Processor shall provide the Controller with sufficient information to enable the Controller to meet its notification obligations under Applicable Privacy Laws.

3.6. Deletion or Return of Data: Upon the Controller's written request, the Processor shall, at the Controller's choice, delete or return all Controller Data to the Controller and delete existing copies unless Applicable Privacy Laws require storage of the Personal Information.

3.7. Demonstration of Compliance: The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum and, upon reasonable notice, allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, to the extent such audits are necessary to verify compliance with Applicable Privacy Laws.

4.1. The Controller warrants that it has all necessary rights, consents, and permissions (including any required notifications under APP 5 and IPP 3) to provide the Controller Data, including any Personal Information, to the Processor for processing in accordance with this Addendum and the Agreement.

4.2. The Controller shall ensure that its instructions for the processing of Controller Data comply with Applicable Privacy Laws.

4.3. The Controller shall be responsible for the accuracy, quality, and legality of the Controller Data provided to the Processor for the delivery of the Service.

6.1. This Addendum shall remain in force for as long as the Processor processes Controller Data on behalf of the Controller under the Agreement.

6.2. Termination of the Agreement shall automatically terminate this Addendum.

7.1. Governing Law and Jurisdiction. This Addendum shall be governed by and construed in accordance with the laws of Australia. Any disputes arising out of or in connection with this Addendum shall be subject to the exclusive jurisdiction of the courts of Victoria, Australia.

7.2. Entire Agreement. This Addendum, together with the Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements and understandings, whether written or oral.

7.3. Order of Precedence. In the event of any conflict or inconsistency between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail with respect to the subject matter of data processing.