This Addendum is entered into between Donna Technologies Pty Ltd (ACN 691 287 457) of Australia (Donna) and the customer identified in the Order Form (the Customer). It supplements and forms part of the Platform Agreement and any Order Form or statement of work executed under it. Capitalised terms used but not defined in this Addendum have the meanings given in the Platform Agreement.

Where the Customer engages Donna in connection with a Space involving an End Client, the Customer remains the controller (or equivalent) in respect of all Personal Information loaded to or generated within that Space, unless the parties expressly agree otherwise in writing. Donna acts as a processor (or equivalent) on the Customer’s documented instructions.

Privacy contact

Questions about this Addendum, requests to exercise data subject rights routed through Donna, or notifications of any suspected Personal Data Breach should be sent to privacy@bydonna.ai.

1.Definitions

The following definitions apply to this Addendum. Defined terms not set out below take their meaning from the Platform Agreement.

Data Protection Laws means all laws and regulations applicable to a party’s processing of Personal Information in connection with the Platform, including (a) the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and Part IIIC (the Notifiable Data Breaches scheme); (b) the General Data Protection Regulation (EU) 2016/679 (the GDPR) and any Member State law made under or supplementing it; (c) the United Kingdom General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland (the UK GDPR) and the Data Protection Act 2018; (d) the Federal Act on Data Protection of Switzerland as revised on 1 September 2023 (the FADP); (e) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (the CCPA) and the consumer privacy statutes of Virginia, Colorado, Connecticut, Utah, Texas, Oregon and other US states of like effect; and (f) any successor, replacement or implementing legislation, in each case as in force from time to time.

Personal Information means any information about an identified or reasonably identifiable individual that is processed by Donna on the Customer’s behalf in connection with the Platform. References in this Addendum to Personal Data have the same meaning. Customer Personal Informationmeans Personal Information forming part of Customer Data.

Processing (and process, processed) means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organisation, storage, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure or destruction.

Sub-processor means any third party engaged by Donna to process Customer Personal Information in the course of providing the Platform (including the AI Subprocessors named in Annex 3).

Supervisory Authority means any independent public authority responsible for monitoring the application of a Data Protection Law, including the Office of the Australian Information Commissioner (the OAIC), the Information Commissioner’s Office of the United Kingdom (the ICO), the Federal Data Protection and Information Commissioner of Switzerland (the FDPIC), and the lead Member State data protection authority identified by Donna for GDPR purposes.

SCCs means the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time. UK IDTA means the United Kingdom International Data Transfer Addendum issued by the ICO under section 119A of the Data Protection Act 2018, or the UK Addendum to the EU SCCs, in each case as in force from time to time.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Information transmitted, stored or otherwise processed by Donna or a Sub-processor. Eligible Data Breach has the meaning given in Part IIIC of the Privacy Act 1988 (Cth).

The terms controller, processor, data subject, special categories of personal data, third country and international organisation have the meanings given in the GDPR. The terms APP entity, collect, disclose, holds, overseas recipient, permitted general situation and sensitive information have the meanings given in the Privacy Act 1988 (Cth). The terms business, service provider, contractor, sale, share and sensitive personal information have the meanings given in the CCPA.

2.Roles, scope and instructions

2.1 Roles of the parties

For the purposes of this Addendum, the parties acknowledge and agree that, in relation to the Customer Personal Information processed under the Platform Agreement, the Customer is the controller (and the disclosing APP entity, business, or equivalent) and Donna is the processor (and the recipient APP entity, service provider, or equivalent). Where the Customer is itself a processor acting on the documented instructions of a further controller (for example, a law firm acting for a corporate client), Donna acts as a sub-processor and the further controller is treated as the controller for the purposes of the SCCs Module 3.

2.2 Scope

This Addendum applies only to Customer Personal Information processed by Donna in its capacity as a processor in connection with the Platform. It does not apply to (a) Personal Information processed by Donna as a controller in its own right, for example for billing, account administration, security, fraud prevention, product improvement on aggregated and de-identified telemetry, or compliance with Donna’s own legal obligations, which is governed by the Donna Privacy Policy at /legal/privacy-policy; or (b) information that is not Personal Information.

2.3 Documented instructions

Donna processes Customer Personal Information only on the Customer’s documented instructions, including with regard to transfers of Personal Information to a third country or international organisation, unless required to do otherwise by a law to which Donna is subject. The Platform Agreement, this Addendum, the Order Form and the Customer’s use of the Platform constitute the Customer’s complete documented instructions at the date of the Order Form. Additional or different instructions must be agreed in writing and may be subject to additional charges or timing.

2.4 Spaces architecture

The parties acknowledge that the Platform is organised around Spaces. Personal Information of an End Client that is uploaded to or generated within a Space is processed by Donna on the instruction of the Customer who created or administers the Space. The Customer is responsible for the lawful basis on which it provides such Personal Information to Donna and for any onward disclosure to End Clients within the Space.

2.5 Notification of conflicting instructions

Donna will inform the Customer if, in its opinion, an instruction infringes any Data Protection Law. Such notification is given without legal advice and is without prejudice to Donna’s right to suspend processing of the offending instruction pending resolution.

3.Australian Privacy Principles compliance

3.1 APP 1: open and transparent management

Donna maintains a written privacy management programme, an externally accessible privacy policy, and internal privacy procedures that are reasonably designed to ensure compliance with the APPs. Donna will provide reasonable assistance to the Customer in maintaining the Customer’s own APP 1 compliance, including by providing information about the Platform reasonably necessary for the Customer’s APP 5 collection notices.

3.2 APP 6: use and disclosure

Donna will use and disclose Customer Personal Information only for the primary purpose of providing the Platform to the Customer in accordance with the Customer’s instructions, or for a related purpose that is permitted under the APPs and that the Customer has authorised in this Addendum or the Platform Agreement.

3.3 APP 8 and section 16C: cross-border disclosure

The Customer acknowledges and authorises that, in providing the Platform, Donna will disclose Customer Personal Information to overseas recipients located in the regions and jurisdictions identified at /legal/data-transfers-addendum and to the Sub-processors listed at /legal/subprocessors. Donna will take such steps as are reasonable in the circumstances to ensure that those overseas recipients do not breach the APPs in relation to that information, including by binding each Sub-processor to written terms imposing data protection obligations no less onerous than those imposed on Donna under this Addendum.

The Customer is responsible for taking such reasonable steps and providing such notice to data subjects as it considers appropriate to satisfy its own obligations under APP 5 and APP 8.1 in respect of those overseas disclosures, including any reliance on the section 16C accountability provision.

3.4 APP 11: security and retention

Donna will take such steps as are reasonable in the circumstances to protect Customer Personal Information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Those steps are described in Section 6 and Annex 2. Customer Personal Information will be retained, returned or destroyed in accordance with Section 16.

3.5 APP 12 and APP 13: access and correction

Donna will provide reasonable assistance to the Customer to enable the Customer to respond to access and correction requests from data subjects in accordance with APP 12 and APP 13, including by surfacing administrative tooling within the Platform that allows authorised Customer personnel to retrieve, export and amend Customer Personal Information held in a Space.

5.Confidentiality

Donna ensures that any natural person acting under its authority and having access to Customer Personal Information processes it only on the Customer’s instructions, unless required to do otherwise by a law to which that person is subject. Each employee, contractor or other person to whom Donna grants access to Customer Personal Information is bound by written confidentiality undertakings or an equivalent statutory or professional duty of confidentiality.

Access to Customer Personal Information is granted on a strict need-to-know basis and is reviewed on at least a quarterly cadence. Confidentiality obligations imposed on personnel survive termination of their engagement with Donna.

6.Security measures

Donna implements and maintains appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the processing of Customer Personal Information, including the risks referred to in Article 32(2) of the GDPR. Those measures are described in detail in Annex 2 and summarised at /security.

Donna’s security programme is built around an information security management system aligned to ISO/IEC 27001, with controls mapped to SOC 2 (Trust Services Criteria), the Australian Cyber Security Centre Information Security Manual, and the IRAP assessment framework. Customer Personal Information at rest is encrypted using AES-256 (with envelope encryption keyed in Azure Key Vault), and in transit using TLS 1.2 or higher with modern cipher suites. Tenants are logically isolated by Space and by Customer; data-plane endpoints for production data services are not publicly reachable.

Donna engages a qualified independent third party to perform penetration testing of the Platform at least annually, follows a documented secure software development lifecycle for changes to the Platform, and operates a formal business continuity and disaster recovery programme with the recovery objectives set out in Annex 2 and the Support and Service Levels addendum at /legal/support-and-service-levels.

7.Sub-processors

7.1 General authorisation

The Customer grants Donna a general authorisation to engage Sub-processors to process Customer Personal Information for the purposes of providing the Platform. The Sub-processors authorised at the date of this Addendum are listed in Annex 3 and on the live Sub-processors page at /legal/subprocessors.

7.2 Notice of additions

Before engaging a new Sub-processor or replacing an existing Sub-processor, Donna will provide the Customer with at least thirty (30) days advance notice by updating the Sub-processors page and, if the Customer has subscribed to the Sub-processor update notification, by email to the privacy contact recorded for the Customer.

7.3 Right to object

The Customer may object on reasonable data-protection grounds to Donna’s engagement of a new Sub-processor by notice to privacy@bydonna.ai within the notice period. The parties will work in good faith to resolve the objection, including by reviewing the Sub-processor’s certifications and contractual commitments and, where reasonably practicable, identifying an alternative Sub-processor. If the objection cannot be resolved within thirty (30) days of the Customer’s objection, the Customer may, as its sole and exclusive remedy, terminate the affected service component on written notice. No refund or pro-rata repayment is owed in respect of services already rendered.

7.4 Flow-down obligations and liability

Donna enters into a written agreement with each Sub-processor that imposes data protection obligations no less onerous, in substance, than those set out in this Addendum, including in particular the obligations of Article 28(3) of the GDPR. Donna remains fully responsible to the Customer for the performance of each Sub-processor’s obligations to the same extent as Donna would be liable if performing the services directly under this Addendum, subject to the limitations of liability in the Platform Agreement.

8.International transfers

Donna’s standard hosting footprint is Australia and the United States, and Donna does not currently host Customer Data at rest in the European Economic Area, the United Kingdom or Switzerland. Where, in the unusual case described in section 5 of the Data Transfers Addendum at /legal/data-transfers-addendum, Customer Personal Information subject to the GDPR, the UK GDPR or the FADP nonetheless reaches Donna and is exported to a country that has not been the subject of an adequacy decision (or equivalent), the transfer is governed by the mechanisms described in that Addendum and the elections summarised in Annex 4 to this Addendum.

The parties incorporate by reference the EU SCCs in Module 3 (processor to processor) for any such transfer, completed as set out in Annex 4. Where Personal Information subject to the UK GDPR or the FADP is transferred, Donna will execute the UK International Data Transfer Agreement or the Swiss-adapted EU SCCs on a per-engagement basis as set out in section 5 of the Data Transfers Addendum. To the extent of any conflict, the SCCs prevail over this Addendum on cross-border specifics by operation of their own overriding-effect clauses.

9.Assistance with data subject requests

Taking into account the nature of the processing, Donna will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to requests from data subjects to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, restriction, erasure, portability, objection and the right not to be subject to automated decision-making.

The Platform provides administrative tooling that allows authorised Customer personnel to retrieve, export, correct or delete Customer Personal Information held within a Space. Where a request cannot be satisfied through that tooling, Donna will provide reasonable additional assistance, taking into account the information available to Donna and the time, effort and cost involved.

If Donna receives a request directly from a data subject in respect of Customer Personal Information, Donna will not respond to the request other than to acknowledge receipt and to refer the data subject to the Customer, unless Donna is required to respond by a law to which it is subject.

10.Personal Data Breach and Notifiable Data Breach

10.1 Initial notice

Donna will notify the Customer of any Personal Data Breach affecting Customer Personal Information without undue delay and in any event no later than forty-eight (48) hours after Donna becomes aware of the breach. The parties acknowledge that this notification window is intentionally tighter than the timeframe required of Donna as a processor under the GDPR, the UK GDPR or the FADP, and is designed to provide the Customer with sufficient time to satisfy its own seventy-two (72) hour notification window to a Supervisory Authority where applicable.

10.2 Content of notice

The initial notice will include the information then known to Donna and reasonably necessary to enable the Customer to assess the breach, including (a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of records concerned; (b) the name and contact details of the Donna privacy contact; (c) a description of the likely consequences of the Personal Data Breach; and (d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and to the extent that, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay. Donna will supplement the initial notice as more information becomes available.

10.3 Notifiable Data Breach cooperation

Where the Personal Data Breach may give rise to an Eligible Data Breach under Part IIIC of the Privacy Act 1988 (Cth), Donna will cooperate in good faith with the Customer’s assessment under section 26WH and, if the Customer determines that an Eligible Data Breach has occurred, with the Customer’s notification to the OAIC and to affected individuals under sections 26WK and 26WL.

10.4 No public statement

Other than as required by law or by an order of a Supervisory Authority or court of competent jurisdiction, Donna will not make any public statement concerning a Personal Data Breach affecting Customer Personal Information, or identify the Customer in any public statement concerning the breach, without the Customer’s prior written authorisation (such authorisation not to be unreasonably withheld or delayed).

10.5 Records

Donna will maintain a written record of all Personal Data Breaches affecting Customer Personal Information, including the facts relating to the breach, its effects and the remedial action taken, in a form sufficient to enable the Customer to demonstrate compliance with Article 33(5) of the GDPR.

11.Audits and information rights

11.1 Standard reports

Donna will make available to the Customer, on reasonable request and subject to confidentiality undertakings in a form reasonably acceptable to Donna, copies of its current SOC 2 Type II report, its ISO/IEC 27001 certificate and statement of applicability, and its most recent independent penetration test summary. Where the Customer’s information rights under Article 28(3)(h) of the GDPR or an equivalent provision can reasonably be satisfied by those reports, the Customer agrees that they constitute the primary mechanism for demonstrating compliance.

11.2 Customer audits

Where the Customer reasonably considers that the standard reports referred to in clause 11.1 are insufficient, or where a Supervisory Authority requires it, the Customer may, on at least thirty (30) days written notice, conduct an audit of Donna’s processing of Customer Personal Information. Audits will be conducted (a) no more than once in any twelve (12) month period, except where reasonably required following a Personal Data Breach or a documented Supervisory Authority instruction; (b) remotely, save where on-site access is reasonably necessary; (c) during normal business hours and in a manner that does not unreasonably interfere with Donna’s operations; (d) by the Customer or by an independent qualified third-party auditor agreed in writing by the parties (such agreement not to be unreasonably withheld); and (e) under written confidentiality undertakings.

11.3 Costs and limits

Customer audits are conducted at the Customer’s expense. Donna reserves the right to refuse access to information or facilities where access would, in Donna’s reasonable opinion, breach a duty of confidence to another customer, create a risk to information security, or compromise other customers’ data. Audit findings will be shared with Donna and the parties will discuss any recommended remediation in good faith.

12.Government access requests

Donna will not voluntarily disclose Customer Personal Information to any government, law enforcement or regulatory authority. If Donna receives a legally binding request for disclosure of Customer Personal Information from a public authority, Donna will:

review the request for legal validity and ensure that any disclosure is limited to what is strictly necessary to comply with the request;
challenge the request through available judicial and administrative channels where Donna considers, after consultation with appropriate counsel, that the request is unlawful, overbroad or otherwise inconsistent with the Customer’s rights or with applicable Data Protection Laws;
where lawful, and on a best-efforts basis, notify the Customer of the request before responding so that the Customer may seek protective relief; and
publish, on at least an annual basis, a transparency report setting out the aggregate number and nature of binding government access requests received during the reporting period.

The commitments in this Section 12 are intended to operate consistently with, and where applicable to supplement, Clause 14 (Local laws and obligations in case of access by public authorities) and Clause 15 (Obligations of the data importer in case of access by public authorities) of the EU SCCs.

13.Processing required by law

If Donna is required by Australian law, the law of the European Union, the law of a Member State, the law of the United Kingdom, Swiss law or any other law to which it is subject to process Customer Personal Information otherwise than in accordance with the Customer’s instructions, Donna will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Donna will limit any such processing to what is strictly required by that law.

14.Obligations of the Customer

The Customer warrants and undertakes that, in respect of all Customer Personal Information that it provides to, or causes to be provided to, Donna under the Platform Agreement:

it has a lawful basis for the collection, use and disclosure of that Personal Information, including disclosure to Donna and to the Sub-processors and overseas recipients identified in this Addendum and at /legal/data-transfers-addendum;
it has provided all notices to data subjects, and has taken all such reasonable steps as are required of it under APP 5 and APP 8.1, the GDPR Articles 13 and 14, the UK GDPR, the FADP and any other applicable Data Protection Law in connection with the disclosure of Personal Information to Donna and the cross-border disclosures contemplated by this Addendum;
its instructions to Donna, including its configuration of Spaces, Authorised Users and access controls, comply with applicable Data Protection Laws;
it will keep the privacy contact details that it has nominated to Donna current, and will respond to Donna’s communications under this Addendum without undue delay;
it will configure and operate the Platform in a manner consistent with Donna’s published security guidance, and will not deliberately introduce sensitive information into a Space in a manner that exceeds the scope agreed in the Order Form; and
it will provide Donna with timely instructions in respect of the retention, deletion or return of Customer Personal Information at and after the end of the Term, in accordance with Section 16.

15.US state privacy obligations

To the extent that Donna processes Customer Personal Information that is subject to the CCPA or any analogous US state privacy statute, the parties acknowledge that Donna acts as a service provider, processor or contractor (as those terms are used in each statute) to the Customer.

Donna will not (a) sell or share Customer Personal Information; (b) retain, use or disclose Customer Personal Information for any purpose other than for the specific business purpose of providing the Platform under the Platform Agreement, including retaining, using or disclosing the Personal Information for a commercial purpose other than providing the Platform; (c) retain, use or disclose Customer Personal Information outside of the direct business relationship between the Customer and Donna; or (d) combine Customer Personal Information that Donna receives from, or on behalf of, the Customer with Personal Information that Donna receives from, or on behalf of, another person, or collects from its own interaction with a consumer, except as expressly permitted by the CCPA and analogous laws.

Donna will provide the level of privacy protection required by the CCPA and analogous laws and will notify the Customer if it determines that it can no longer meet its obligations under those laws. The Customer may, on reasonable written notice, take reasonable and appropriate steps to stop and remediate unauthorised use of Customer Personal Information by Donna.

The commitments in this Section 15 apply, with the necessary changes, to the consumer privacy statutes of Virginia (the VCDPA), Colorado (the CPA), Connecticut (the CTDPA), Utah (the UCPA), Texas (the TDPSA), Oregon (the OCPA) and any other US state law of like effect under which Donna acts as a processor in respect of Customer Personal Information.

16.Retention and deletion

On expiry or termination of the Platform Agreement, the Customer may, at its option, either retrieve Customer Personal Information through the Platform’s export tooling, or instruct Donna to return Customer Personal Information in the format and on the media reasonably specified by the Customer. The Customer’s right of retrieval and instruction is exercisable for a period of sixty (60) days after the effective date of expiry or termination (the Export Window).

Following the Export Window, Donna will securely delete Customer Personal Information from the production environment and will arrange for deletion from any backup or archive media in the ordinary course of Donna’s backup retention cycle, save to the extent that retention is required by a law to which Donna is subject. Donna will provide a written certificate of destruction on the Customer’s reasonable request.

Where Customer Personal Information is retained on the basis of a legal retention requirement, it will be processed only for the purpose, and for the duration, required by that law and will continue to be subject to the confidentiality and security obligations of this Addendum.

17.Liability

The liability of each party under or in connection with this Addendum is subject to, and forms part of, the aggregate limitations of liability set out in the Platform Agreement. Nothing in this Addendum increases or otherwise modifies those limitations, save that nothing in the Platform Agreement or this Addendum operates to limit a party’s liability arising from its wilful breach of this Addendum, its fraud, or any liability that cannot be limited under applicable law (including the rights of data subjects under Clause 12 of the EU SCCs).

18.Order of precedence

In the event of any conflict or inconsistency between this Addendum and the Platform Agreement (including the Service Terms at /legal/service-terms), this Addendum prevails to the extent that the conflict relates to a data protection matter. The EU SCCs and the UK IDTA prevail over this Addendum on cross-border specifics by operation of their own overriding-effect clauses, and any conflict between an Annex to this Addendum and the body of this Addendum will be resolved in favour of the body of this Addendum unless the Annex expressly states otherwise.

19.Term

This Addendum takes effect on the effective date of the Platform Agreement and continues in force for so long as Donna processes Customer Personal Information. Sections 5 (Confidentiality), 10 (Personal Data Breach), 11 (Audits), 12 (Government access), 16 (Retention and deletion), 17 (Liability) and 18 (Precedence), and any provision which expressly or by its nature is intended to survive, will survive termination of this Addendum.

Annex 1.Description of Processing

Parties

Data exporter: the Customer identified in the Order Form, in its capacity as controller (or, where Module 3 of the EU SCCs applies, as processor). Contact details are those recorded in the Order Form.

Data importer: Donna Technologies Pty Ltd (ACN 691 287 457), Australia. Privacy contact: privacy@bydonna.ai.

Categories of data subjects

The Personal Information transferred concerns the following categories of data subjects:

the Customer’s personnel, including lawyers, paralegals and administrators (Authorised Users);
End Clients of the Customer who participate in a Space, and their personnel, advisers and representatives;
counterparties, witnesses, deponents and other individuals named in documents loaded into a Space;
any other individual whose Personal Information the Customer chooses to load into the Platform.

Categories of Personal Information

The Personal Information transferred is determined and controlled by the Customer and may include:

identification and contact details (name, role, employer, email, phone, address);
professional details (job title, organisation, professional registration);
account and authentication data (user identifiers, hashed credentials, MFA factors, IP address, session metadata);
document content and metadata loaded into Spaces, which may include any category of Personal Information chosen by the Customer;
Inputs to and Outputs from the AI features of the Platform;
communications and collaboration metadata (messages, comments, audit logs, activity timestamps).

Special categories of data and sensitive information

The Customer may, on its own determination and at its own risk, load documents containing sensitive information or special categories of personal data, including health information, criminal records, information concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning sex life or sexual orientation, where such information is relevant to the legal matter for which the Space has been created. Donna applies the additional safeguards described in Annex 2 to such information without making any representation that the Platform is certified for use with any specific category of sensitive information.

Frequency of the transfer

Continuous, for the duration of the Platform Agreement.

Nature of the processing

Hosting, storage, retrieval, indexing, search, structuring, AI-assisted analysis, transmission, presentation, audit logging, backup, deletion and other operations inherent in providing the Platform, in each case as described in the Platform Agreement and the Service Terms.

Purpose of the processing

To enable the Customer to use the Platform to collaborate with End Clients and colleagues on legal matters, to obtain AI-assisted analysis of documents and queries, and to maintain a record of those activities for the Customer’s own compliance and quality purposes.

Duration

For the duration of the Platform Agreement and the Export Window, after which Customer Personal Information is deleted in accordance with Section 16, save to the extent that retention is required by law.

Identity of competent supervisory authority

For transfers subject to the GDPR, the Irish Data Protection Commission (DPC). For transfers subject to the UK GDPR, the Information Commissioner’s Office (ICO). For transfers subject to the FADP, the Federal Data Protection and Information Commissioner (FDPIC). For Customer Personal Information held in Australia, the Office of the Australian Information Commissioner (OAIC).

Annex 2.Technical and Organisational Measures

Donna implements the following technical and organisational measures, in each case as appropriate to the nature, scope, context and purposes of the processing and to the risk to data subjects. The measures are kept under review and may be updated from time to time, provided that the level of protection is not materially reduced.

Identity and access

single sign-on via SAML 2.0 or OpenID Connect with the Customer’s identity provider, where configured;
multi-factor authentication for all Donna personnel and for Authorised Users where the Customer enables it;
role-based access control with least-privilege defaults and Space-scoped permissioning;
quarterly access reviews and joiners-movers-leavers process for Donna personnel;
privileged access administered through just-in-time elevation with session recording.

Encryption

AES-256-GCM encryption at rest for all Customer Personal Information, with envelope keys held in Azure Key Vault and rotated on a defined schedule;
TLS 1.2 or higher in transit for all data-plane and control-plane traffic;
customer-managed keys (CMK) available on the Enterprise tier on request, with key rotation under the Customer’s control;
field-level encryption applied to selected high-sensitivity attributes (for example, authentication factors).

Network

data services (storage accounts, Cosmos DB, Azure AI Search, Key Vault) reachable only via Private Endpoints; public data-plane access disabled;
tenant isolation enforced through Space and Customer scoping in every query path;
web application firewall and rate limiting at the edge; segmented production virtual networks.

Logging and monitoring

centralised log aggregation in a security information and event management (SIEM) platform;
365-day retention of security-relevant logs, with tamper-evident storage;
24x7 monitoring of security alerts, with documented runbooks and on-call escalation.

Vulnerability management

annual independent penetration test of the Platform by a qualified third party;
continuous static (SAST) and dynamic (DAST) application security testing in CI;
third-party dependency scanning with defined remediation service-levels by severity;
quarterly Sub-processor reviews covering certifications, incidents and material change.

Secure development lifecycle

peer code review for all production changes;
threat modelling for material new features and architectural changes;
segregated development, test and production environments;
infrastructure as code with reviewed and approved deployments.

Personnel security

pre-employment background checks where lawful;
written confidentiality undertakings as a condition of access;
mandatory security and privacy training on commencement and at least annually thereafter.

Incident response

documented and rehearsed incident response plan, reviewed at least annually;
24x7 on-call security engineering and incident command;
post-incident review with documented remediation and follow-up actions.

Business continuity and disaster recovery

tier-1 services target a recovery point objective (RPO) of one (1) hour and a recovery time objective (RTO) of four (4) hours;
geo-redundant backup of production data within the relevant macro-region;
annual business continuity exercise covering region-failure and data-loss scenarios.

Physical security

production data is hosted in Microsoft Azure data centres with physical, environmental and personnel controls assessed against ISO 27001 and SOC 2;
Donna does not operate its own data centres for production workloads.

Supplier security

documented Sub-processor due diligence covering security, privacy, business continuity and ethics;
contractual flow-down of the obligations in this Annex to all Sub-processors that process Customer Personal Information;
periodic re-assessment of Sub-processors based on risk and on material change.

Annex 3.Sub-processors

The current list of Sub-processors authorised to process Customer Personal Information is maintained at /legal/subprocessors and is updated in accordance with Section 7. The following table is a snapshot of the Sub-processors authorised at the date of this Addendum.

Sub-processor	Role	Processing location
Microsoft Corporation (Azure platform services)	Cloud hosting, identity, storage, database, search, key management, networking	AU East, AU Southeast, US East, EU North (Ireland)
Microsoft Corporation (Azure OpenAI Service)	Inference for selected AI features under enterprise terms with no model training on Inputs or Outputs	AU East, US East, EU North (Ireland)
OpenAI L.L.C.	Inference for selected AI features under API terms with no model training on Inputs or Outputs	United States
Anthropic PBC	Inference for selected AI features under API terms with no model training on Inputs or Outputs	United States
Mistral AI SAS	Inference for selected AI features under API terms with no model training on Inputs or Outputs	European Union (France)

AI training

Donna contracts with each AI Subprocessor to disable model training on Customer Inputs and Outputs and to disable abuse-monitoring retention beyond the period permitted under the relevant enterprise or API terms.

Annex 4.EU Standard Contractual Clauses (Decision (EU) 2021/914)

The parties incorporate by reference the EU SCCs into this Addendum. The Customer is the data exporter and Donna is the data importer. The parties make the following elections.

Item	Election
Module	Module 3 (processor to processor). The EU SCCs apply only in the unusual case where the Customer is itself a processor for a controller in the EEA and discloses EU-origin Personal Information to Donna for further processing. The Customer represents that it is authorised to enter into the EU SCCs in Module 3 on behalf of any such controller.
Clause 7 (Docking clause)	Applies. Additional parties may accede to the EU SCCs in accordance with Clause 7.
Clause 9(a) (Use of sub-processors)	Option 2 (general written authorisation) applies. The notice period for changes to the list of Sub-processors is thirty (30) days.
Clause 11(a) (Independent dispute resolution body)	Optional language not selected. The clause applies without the optional dispute body language.
Clause 17 (Governing law)	Option 1. The EU SCCs are governed by the laws of Ireland.
Clause 18(b) (Choice of forum and jurisdiction)	Disputes arising from the EU SCCs are to be resolved by the courts of Ireland.
Annex I.A (List of parties)	Data exporter and data importer as identified in Annex 1 to this Addendum.
Annex I.B (Description of transfer)	As set out in Annex 1 to this Addendum.
Annex I.C (Competent supervisory authority)	The Irish Data Protection Commission, save where the GDPR identifies a different lead supervisory authority for the Customer.
Annex II (Technical and organisational measures)	As set out in Annex 2 to this Addendum.
Annex III (List of sub-processors)	As set out in Annex 3 to this Addendum and as updated at /legal/subprocessors.

Questions

Donna’s privacy team is available at privacy@bydonna.ai. For cross-border transfer mechanics, the Sub-processor list and country-by-country processing locations, see the Data Transfers Addendum at /legal/data-transfers-addendum and the live Sub-processors page at /legal/subprocessors.

Data Processing Addendum