This Data Transfers Addendum (the “Addendum”) is entered into between Donna Technologies Pty Ltd (ACN 691 287 457) (“Donna”) and the Customer that has accepted the Donna Platform Agreement (the “Customer”). It forms part of, and is governed by, the Platform Agreement and the Data Processing Addendum (the “DPA”). Capitalised terms not defined in this Addendum have the meanings given to them in the Platform Agreement, the DPA or the Privacy Policy.

At a glance

Donna’s standard hosting footprint is Australia and the United States. The Customer does not elect, and Donna does not represent that the Customer may elect, the region in which its tenancy resides. Where Personal Information collected in Australia is disclosed to an overseas recipient, the accountability framework in section 16C of the Privacy Act 1988 (Cth) applies and Donna takes the reasonable steps described in section 4. Where, in the unusual case described in section 5, Personal Information subject to the GDPR, the UK GDPR or the Swiss FADP reaches Donna, the EU Standard Contractual Clauses Module 3 (the “EU SCCs”), the UK International Data Transfer Agreement (the “UK IDTA”) or the Swiss-adapted EU SCCs are executed on a per-engagement basis. Donna maintains a written transfer impact assessment that addresses the supplementary measures described in section 7.

1.Scope

This Addendum applies whenever Donna or any of its Subprocessors processes Personal Information in a country other than the country in which the data subject’s information was originally collected, including by accessing that information remotely from such a country. It applies regardless of whether the export results from Donna’s allocation of the tenancy to an Azure region outside the data subject’s home jurisdiction, from Donna’s routing of inference traffic to a model hosted in another region, or from a Subprocessor’s operation (for example, by replicating logs into a centralised observability tenancy).

This Addendum does not apply to processing that is intra-jurisdictional, in the sense that the data subject’s home country and the country of processing are the same. Personal Information of an Australian data subject hosted in Sydney and accessed only from Australia is not within scope, although the Australian Privacy Principles continue to apply on their own terms. Personal Information of a German data subject hosted in Dublin and accessed only from the European Economic Area (the “EEA”) is not within scope, although the GDPR continues to apply on its own terms.

This Addendum is read together with the DPA and is binding on the parties from the Effective Date set out at the top of this page, or such later date as the Customer accepts the Platform Agreement.

2.Order of precedence

If there is any conflict between the documents that govern a particular cross-border transfer, the following order of precedence applies, with the higher-listed document prevailing to the extent of the conflict:

a set of Standard Contractual Clauses or an International Data Transfer Addendum that the parties have separately executed in original signed form for a specific transfer;
this Addendum;
the DPA;
the Platform Agreement; and
the Privacy Policy.

Despite the order set out above, this Addendum is to be interpreted, where reasonably possible, in a manner that gives effect to applicable Data Protection Laws and to the rights of data subjects. Where a provision of this Addendum is, or becomes, inconsistent with a mandatory requirement of Data Protection Laws, the mandatory requirement prevails and the parties will negotiate in good faith to bring this Addendum into compliance without otherwise altering the commercial bargain.

Nothing in this Addendum is intended to derogate from any data subject right that is conferred by Data Protection Laws and that cannot lawfully be excluded by contract.

3.Recipient countries and processing locations

The table below summarises the countries in which Personal Information processed through the Platform is, or may be, located. The list reflects the standard configuration of the Platform on the Effective Date. The Customer does not elect the region of residency for its Customer Data; Donna allocates each tenancy to an Azure region under its standing hosting policy, and may from time to time vary the configuration on prior notice. The authoritative current list of Subprocessors and their locations is mirrored at /legal/subprocessors.

Country	Recipient	Role	Processing activity	Safeguard
Australia	Microsoft Australia (Azure Australia East / Australia Southeast); Donna personnel based in Australia.	Hosting Subprocessor; controller/processor personnel.	At-rest storage of Customer Data for Customers allocated to Australian residency by Donna. Operational access by Donna personnel.	Intra-jurisdictional for Australian data subjects. APP 11 security obligations apply to Donna directly.
United States	Microsoft Corporation (Azure US East and other US regions); OpenAI, L.L.C.; Anthropic, PBC.	Hosting and AI inference Subprocessors.	At-rest storage where Donna has allocated US residency to the tenancy. Inference traffic where US-based models are in use for the tenancy.	APP 8 reasonable steps and section 16C accountability for Australian-origin Personal Information. Service-provider commitments under the CCPA for California-origin Personal Information. Supplementary measures described in section 7.
France	Mistral AI SAS.	AI inference Subprocessor.	Inference traffic for tenancies whose configuration includes Mistral models. Inference is brief, ephemeral and subject to the no-training and no-retention conditions described in the DPA.	APP 8 reasonable steps for Australian-origin Personal Information. Where Donna processes EU-origin Personal Information on a Customer’s instruction (for example, where the Customer is itself a processor for an EU controller), the EU SCCs Module 3 framework described in section 5 applies to the Donna-to-Mistral leg.

The recipient table is operational rather than legal. The legal effect of any export to a country listed above is governed by the corresponding section of this Addendum, by the DPA and, where applicable, by separately executed transfer instruments. Donna will update this table from time to time to reflect changes in its hosting and Subprocessor footprint, with notice to Customers as required by the DPA.

4.Australian outbound disclosures

Where Personal Information collected in Australia is disclosed by Donna to an overseas recipient, Australian Privacy Principle 8 applies. Donna takes the steps that are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information.

Section 16C accountability

The Customer acknowledges that, under section 16C of the Privacy Act 1988 (Cth), an act or practice of an overseas recipient is taken to be an act or practice of Donna for the purposes of the Privacy Act, except where one of the limited statutory exceptions applies. Donna manages this accountability through Subprocessor selection, written contractual obligations imposed on each overseas recipient, the technical and organisational measures described in the DPA, and ongoing oversight including the transfer impact assessment described in section 8.

Customer authorisation of Subprocessors

By engaging with the Platform and accepting the DPA, the Customer authorises Donna to disclose Personal Information to the Subprocessors listed at /legal/subprocessors and in section 3 of this Addendum, in the locations identified, for the purpose of providing the Platform. That authorisation is a documented instruction for the purposes of the DPA and an authorisation by the Customer for the purposes of APP 8.1 and any equivalent state or territory law that imposes restrictions on disclosure to overseas recipients.

Reasonable steps taken

The reasonable steps Donna takes in the circumstances include:

entering into written agreements with each overseas recipient that bind it to standards of handling no less protective than the Australian Privacy Principles, and that expressly prohibit the recipient from using Personal Information for purposes unconnected with the Platform;
flowing down the prohibitions on training of AI models, abuse-monitoring retention limits, and confidentiality obligations contained in the DPA and the Privacy Policy;
applying the encryption, access control, network isolation and audit-logging measures described in the DPA and at /security, and requiring overseas recipients to maintain measures of comparable substance;
maintaining the transfer impact assessment described in section 8, which is updated periodically to reflect changes in the law of recipient countries and in the Subprocessor landscape; and
maintaining a documented Subprocessor change-management process, with prior notice to Customers and a right of objection as set out in the DPA.

Australian transparency table

The following table summarises the recipient countries to which Donna currently discloses Australian-origin Personal Information in the ordinary operation of the Platform, and the safeguard relied on for each. It is provided for transparency and should be read together with section 3 and with the Subprocessors page.

Country	Recipient	Purpose	Safeguard
United States	Microsoft Corporation; OpenAI, L.L.C.; Anthropic, PBC.	AI inference where US-based models are in use for the tenancy. At-rest hosting where Donna has allocated US residency to the tenancy.	APP 8 reasonable steps; section 16C accountability; written contracts; encryption in transit and at rest; supplementary measures (section 7).
France	Mistral AI SAS.	AI inference for tenancies whose configuration includes Mistral models.	APP 8 reasonable steps; section 16C accountability; written contracts; intra-EEA storage at the inference recipient.

State and territory health information laws

Where the Health Records and Information Privacy Act 2002 (NSW) or the Health Records Act 2001 (Vic) applies to Customer Data, the Customer remains the relevant health service provider or organisation for the purposes of those Acts and for the cross-border transfer rules under those Acts. Donna assists the Customer to comply, including by maintaining the safeguards described in this Addendum.

5.EU, UK and Swiss outbound transfers

Donna’s standard hosting footprint is Australia and the United States. Donna does not currently host Customer Data at rest in the European Economic Area, the United Kingdom or Switzerland. The unusual case in which Personal Information subject to the GDPR, the UK GDPR or the Swiss FADP nonetheless reaches Donna is dealt with in this section. The framework set out below activates only on a per-engagement basis; nothing in this section deems Donna to be processing EU, UK or Swiss Personal Information by default.

EU SCCs Module 3 framework for sub-processor inference

Where the Customer is itself a processor for a third-party controller in the EEA and, in performance of that processor role, discloses EU-origin Personal Information to Donna for further processing, Donna and the Customer are taken to have entered into the Standard Contractual Clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”) in Module 3 (processor-to-processor), completed on the following selections: Clause 7 (docking) is enabled; Clause 9(a) (sub-processors) operates on Option 2 with thirty (30) days’ notice; Clause 11(a) optional language is not selected; Clause 17 governing law is Option 1 (Ireland); Clause 18(b) forum is the courts of Ireland; the competent supervisory authority is the Irish Data Protection Commission. The Annexes to the EU SCCs are completed by reference to Annex 1 of the DPA (description of processing), Annex 2 of the DPA (technical and organisational measures), and the Subprocessor list at /legal/subprocessors. Where required, Donna will execute physical counterparts of the EU SCCs on the Customer’s reasonable request.

Inference traffic to Mistral AI in France

Mistral AI SAS is established in France. Where Donna routes inference traffic to Mistral on a Customer’s instruction, the legal characterisation depends on the origin of the Personal Information. Where the Personal Information is Australian-origin, the disclosure is governed by section 4 (APP 8 reasonable steps and section 16C accountability). Where the Personal Information is EU-origin, the disclosure is intra-EEA at the recipient and the EU SCCs Module 3 framework above applies between Donna and the Customer (and, as a back-to-back matter, between Donna and Mistral). Where the Personal Information is US-origin, no separate transfer instrument is required on the export leg into France.

UK and Swiss transfer instruments on request

Where Personal Information subject to the UK GDPR or the Swiss FADP reaches Donna in circumstances requiring a transfer instrument, Donna will execute, on a per-engagement basis, the UK International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018(the UK IDTA), or the Swiss-adapted EU SCCs (substituting the FADP for the GDPR, the Federal Data Protection and Information Commissioner for the EU supervisory authority, and preserving Swiss data subjects’ rights of action in the Swiss courts). Customers requiring those instruments should contact privacy@bydonna.ai before transferring the relevant Personal Information.

6.Onward transfers

Donna engages a small number of Subprocessors to deliver the Platform. The current list, including each Subprocessor’s legal name, function and country of processing, is published at /legal/subprocessors. The principal categories are:

Cloud infrastructure and Azure OpenAI: Microsoft Corporation, including its regional affiliates, providing hosting in the Azure regions described in section 3 and access to the Azure OpenAI Service.
Frontier AI models: OpenAI, L.L.C. and Anthropic, PBC, both established in the United States, providing inference under enterprise agreements that prohibit training on Customer Data and that adopt zero or short-window retention configurations where available.
European frontier AI models: Mistral AI SAS, established in France, providing inference under equivalent enterprise terms.
Cloud infrastructure sub-sub-processors: the underlying datacentre, networking, content-delivery, identity and operational tooling that Microsoft and the other Subprocessors use to deliver their services. These are governed by the Subprocessors’ own published lists and contractual frameworks.

Flow-down of safeguards

Donna’s contracts with each Subprocessor flow down obligations no less protective than those Donna accepts under the DPA and this Addendum. The flow-down covers, in particular:

the processing limitations and confidentiality obligations contained in the DPA, including the prohibition on training of AI models on Customer Data;
the technical and organisational measures described in Annex 2 of the DPA, calibrated to the role of the relevant Subprocessor;
the cross-border transfer instruments described in this Addendum, including the EU SCCs and the UK IDTA, on the basis that the Subprocessor is a sub-processor under Donna and is bound to maintain the safeguards back-to-back; and
the cooperation, audit and incident-notification obligations described in the DPA, to the extent reasonably necessary for Donna to discharge its own obligations to the Customer.

SCCs flowing through Donna

Where the EU SCCs apply between the Customer and Donna, Donna will use reasonable efforts to put in place, with each Subprocessor that is established in a non-adequate country, EU SCCs in the Module that corresponds to the Subprocessor’s role (typically Module 3, processor-to-processor). The same approach is taken for the UK IDTA and for the Swiss-adapted EU SCCs. The Customer will, on request, be provided with a copy of the relevant transfer instrument, with redactions for commercially sensitive terms not material to the transfer assessment.

7.Government access requests and supplementary measures

Donna recognises that the lawfulness of cross-border transfers depends not only on the existence of a transfer instrument but also on the practical ability of the data importer to comply with that instrument in the jurisdiction in which it operates. This is the framework reflected in the judgment of the Court of Justice of the European Union in Data Protection Commissioner v Facebook Ireland and Schrems (Case C-311/18, “Schrems II”), and in equivalent guidance issued by the Information Commissioner’s Office and the FDPIC.

Approach to government access requests

Donna has adopted, and requires its Subprocessors to adopt, the following commitments in relation to requests for access to Personal Information by governmental, regulatory or law-enforcement bodies:

Donna will assess each request for validity, scope and proportionality. Donna will decline a request that does not bind it, that is overbroad, or that is unlawful in the country of receipt.
Where a request is binding and lawful, Donna will provide only the minimum amount of Personal Information necessary to comply, and will use available legal mechanisms to narrow the request where it is excessive.
Donna will challenge requests that appear unlawful or that conflict with applicable Data Protection Laws, including by seeking judicial review where reasonably available.
Donna will, to the maximum extent permitted by law, push back against gag orders, non-disclosure obligations and similar restrictions, so that Donna is able to notify the affected Customer of the request as soon as practicable.
Where Donna is permitted to notify the Customer, it will do so promptly. Where Donna is not permitted to notify, it will use commercially reasonable efforts to obtain a waiver of that restriction and will notify the Customer as soon as it lawfully may.
Donna publishes, or will publish, periodic transparency information about the volume and nature of government access requests it receives, consistent with applicable law.

Supplementary technical measures

In addition to the contractual and organisational measures described above, Donna applies the following supplementary technical measures to reduce the practical risk of unauthorised access:

Customer Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256, with customer-managed keys available on supported plans. Encryption keys are managed in dedicated key vaults and are not exportable to recipient countries other than the country of the relevant Azure region.
Inference traffic is minimised in content. The Platform sends to AI Subprocessors only the data necessary for the requested inference, with extraneous metadata stripped at the egress boundary.
Donna maintains tenant isolation and identity-based service-to-service authentication using managed identities. There are no stored shared secrets in production, which materially reduces the risk surface in the event of a request directed to a Subprocessor.
Plaintext access by Donna personnel to Customer Data requires a documented operational need, multi-factor authentication, just-in-time elevation, and is logged in immutable audit trails reviewed by the security team.
Subprocessor contracts require contractual transparency reporting in respect of government access, to the extent permitted by the Subprocessor’s home law.

Practical assessment of recipient countries

Donna has assessed the laws of each recipient country identified in section 3 against the practical ability of Donna and its Subprocessors to comply with the obligations owed under the EU SCCs, the UK IDTA, the Swiss-adapted EU SCCs and the APP 8 framework. The assessment supports Donna’s view that, taken together with the supplementary measures described in this section 7, the safeguards set out in this Addendum provide a level of protection essentially equivalent to that required by the applicable Data Protection Laws. The assessment is documented in the transfer impact assessment described in section 8.

8.Transfer impact assessments

Donna maintains a written transfer impact assessment (the “TIA”) covering each cross-border transfer identified in section 3. The TIA addresses, for each recipient country:

the categories of Personal Information transferred and the purpose of the transfer;
the legal framework of the recipient country, including any laws that confer rights of access on public authorities, and the scope of any limitations or safeguards;
the practical experience of Donna and its Subprocessors with government access requests, including the volume, nature and outcome of such requests;
the supplementary technical, contractual and organisational measures applied by Donna to mitigate any risks identified; and
the conclusion as to whether, taken together, the safeguards provide a level of protection essentially equivalent to that required by the applicable Data Protection Laws.

The TIA covers transfers to the United States (Microsoft Corporation, OpenAI and Anthropic), to France (Mistral AI), and to any other recipient country identified in section 3 from time to time. Where Donna engages a Subprocessor in Singapore or another jurisdiction not currently listed, the TIA will be updated to include that jurisdiction before the engagement begins.

The TIA is reviewed and refreshed at least annually, and on any material change in the law of a recipient country, in the practical experience of access requests, or in the Subprocessor footprint. A redacted summary of the TIA is available to Customers on request, subject to a confidentiality undertaking, so that the Customer can perform its own assessment of the transfer.

9.Suspension of transfers

Without limiting any right that the Customer or any data subject has under the EU SCCs, the UK IDTA, the Swiss-adapted EU SCCs or any applicable law, the Customer may suspend one or more transfers of Personal Information to Donna or to a Subprocessor in the circumstances contemplated by Clause 14 of the EU SCCs (or the equivalent provision of the UK IDTA), including where the Customer reasonably considers, on the basis of objective evidence, that the transfer has become unlawful in the recipient country.

Where the Customer suspends a transfer under this section, Donna will cooperate with the Customer to give effect to the suspension, including by:

disabling the relevant Subprocessor or the relevant regional configuration of the Platform, to the extent operationally feasible;
assisting the Customer to migrate to an alternative configuration of the Platform that does not require the suspended transfer, where one is reasonably available; and
returning or deleting the affected Personal Information in accordance with the DPA, where the suspension cannot be cured.

Donna will also notify the Customer if Donna itself becomes unable to comply with its obligations under the EU SCCs, the UK IDTA, the Swiss-adapted EU SCCs or this Addendum, and will work with the Customer in good faith to identify a remediation. Where no remediation is reasonably available, the Customer may terminate the affected portion of the Platform Agreement on the basis set out in the DPA, without penalty.

10.Execution and incorporation

This Addendum is incorporated into the Platform Agreement and is deemed to have been executed by the Customer and by Donna on the Customer’s acceptance of the Platform Agreement (or, if later, on the Customer’s first use of a configuration of the Platform that triggers a cross-border transfer within scope of this Addendum). No additional signature is required for the Addendum, the EU SCCs, the UK IDTA or the Swiss-adapted EU SCCs to take effect.

On request, Donna will execute physical counterparts of the EU SCCs, the UK IDTA or the Swiss-adapted EU SCCs, completed as set out in this Addendum, for the Customer’s record-keeping or for production to a supervisory authority. The Customer may countersign the same counterparts. The execution of physical counterparts does not alter the substantive terms of this Addendum or the underlying transfer instruments.

Where the Customer, or a controller for which the Customer acts as processor, requires a form of execution other than that described in this section, the parties will negotiate in good faith to accommodate that requirement, provided that any divergence from the standard form is documented in a separate written instrument signed by authorised signatories of each party.

11.Defined terms

Capitalised terms used in this Addendum have the meanings given to them in the Platform Agreement, the DPA or the Privacy Policy. The following defined terms are used with particular frequency in this Addendum:

Customer means the entity that has accepted the Donna Platform Agreement and that is identified as the customer in the corresponding order form.
Customer Data means the Personal Information and other data uploaded to, generated within, or otherwise made available through the Platform by or on behalf of the Customer, as further defined in the Platform Agreement and the DPA.
Data Protection Laws means all laws and binding regulations applicable to the processing of Personal Information in the relevant jurisdiction, including the Privacy Act, the GDPR, the UK GDPR, the FADP, the California Consumer Privacy Act and equivalent laws of other US states, and any subordinate instruments made under them.
EU SCCs means the Standard Contractual Clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
Personal Informationmeans information that is “personal information” under the Privacy Act, “personal data” under the GDPR or the UK GDPR, “personal data” under the FADP, “personal information” under the California Consumer Privacy Act, or any equivalent term under another applicable Data Protection Law, as the context requires.
Subprocessor means a third party engaged by Donna to process Personal Information in connection with the provision of the Platform, as further described in the DPA and at /legal/subprocessors.
UK IDTAmeans the International Data Transfer Agreement issued by the Information Commissioner under section 119A of the Data Protection Act 2018, as amended or replaced from time to time. References in this Addendum to the “UK Addendum” are to the UK Addendum to the EU SCCs issued by the same authority.

Headings in this Addendum are for convenience only and do not affect interpretation. References to a statute, regulation or instrument include any amendment, replacement or consolidation of it from time to time. Where a provision of this Addendum confers a right, power or discretion on Donna, it does so without prejudice to the equivalent rights conferred on Donna by the Platform Agreement, the DPA or applicable law.