SupplyScope – GDPR Data Processing Addendum

This GDPR Data Processing Addendum (“DPA”) forms part of the Agreement between
Supply Scope Pty Ltd (ACN 650 495 668) (“SupplyScope”) and the Customer under the SupplyScope Terms and Conditions.

This DPA applies only to the extent SupplyScope Processes Personal Data on behalf of the Customer as a Processor within the meaning of the General Data Protection Regulation (“GDPR”).

1. Definitions

1.1 Capitalised terms not defined in this DPA have the meanings given in the Agreement or the GDPR (as applicable).

1.1.1 “Agreement” means the SupplyScope Terms and Conditions (as amended or
supplemented from time to time), the applicable Order Form, and this DPA.

1.1.2 “Customer Personal Data” means Personal Data contained within Customer
Data that is Processed by SupplyScope on behalf of the Customer.

1.1.3 “Data Protection Laws” means the GDPR and all applicable EU member state
data protection laws.

1.1.4 “SCCs” means the standard contractual clauses pursuant to Commission
Implementing Decision (EU) 2021/914 (Module Two).

2. Roles of the Parties

2.1 For the purposes of this Agreement, the Customer acts as the Controller and
SupplyScope acts as the Processor in respect of Customer Personal Data.

2.2 SupplyScope acts as an independent Controller in respect of the following processing activities:

(a) account administration and user management;
(b) billing and payment processing;
(c) platform analytics and improvement;
(d) security monitoring, fraud prevention and operational telemetry;
(e) marketing communications (where the Customer has consented); and
(f) legal compliance and responding to law enforcement requests.

3. Processor Obligations

3.1 For the purposes of this DPA, the Customer’s documented instructions to SupplyScope
are limited to those set out in the Agreement, this DPA, the applicable Order Form, and
any other written instructions expressly agreed in writing by SupplyScope. SupplyScope
shall without undue delay after becoming aware inform the Customer if, in its opinion,
an instruction infringes the GDPR or other applicable Data Protection Laws.

3.2 SupplyScope will:

  3.2.1 process Customer Personal Data only on documented instructions;

  3.2.2 ensure that persons authorised to process Customer Personal Data have
committed themselves to confidentiality or are under an appropriate statutory
obligation of confidentiality; 

  3.2.3 implement appropriate technical and organisational measures in accordance
with Article 32 GDPR to ensure a level of security appropriate to the risk,
including measures to protect against unauthorised or unlawful processing and
against accidental loss, destruction or damage;

  3.2.4 taking into account the nature of processing and the information available to
SupplyScope, assist with Data Subject requests and the Customer’s compliance
with its obligations under Articles 12 to 23 GDPR, to the extent reasonably
required, technically feasible and proportionate;

  3.2.5 taking into account the nature of processing and the information available to
SupplyScope, assist the Customer in ensuring compliance with the obligations
pursuant to Articles 32 to 36 GDPR (security of processing, breach notification,
data protection impact assessment, and prior consultation);

  3.2.6 SupplyScope may charge reasonable fees for any assistance under clauses 3.2.4 and 3.2.5 that requires material effort beyond the provision of the Services, provided that such fees are communicated to the Customer in advance;

  3.2.7 notify the Customer without undue delay of a Personal Data Breach affecting
Customer Personal Data;

  3.2.8 at the choice of the Customer, delete or return all Customer Personal Data to the Customer after the end of the provision of services relating to processing, and
delete existing copies unless EU or Member State law requires storage of the
Personal Data;

  3.2.9 make available to the Customer all information necessary to demonstrate
compliance with the obligations laid down in Article 28 GDPR and allow for and
contribute to audits, including inspections, conducted by the Customer or
another auditor mandated by the Customer, subject to the audit rights and
limitations set out in clause 6 of this DPA.

3.3 The details of the Processing carried out under this DPA are set out in Annex 1, and the applicable technical and organisational security measures are described in Annex 2, each of which forms part of this DPA.

4. Sub-processors

4.1 The Customer hereby provides general written authorisation for SupplyScope to engage sub-processors in accordance with this clause 4 and Article 28(2) and (4) of the GDPR.

4.2 SupplyScope will maintain a current list of its sub-processors, which will be made
available to the Customer upon request or at a designated URL. SupplyScope will inform the Customer at least thirty (30) days in advance of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes on reasonable grounds relating to data protection.

  (a) If the Customer objects to a new sub-processor on reasonable data protection
grounds within fifteen (15) days of receiving notice under clause 4.2, SupplyScope will
either:

    (i) not engage that sub-processor; or
    (ii) provide the Customer with a commercially reasonable alternative solution.

  (b) If SupplyScope cannot accommodate the Customer’s objection within thirty (30) days, the Customer may terminate the affected Services or the Agreement by giving written notice to SupplyScope, without penalty and with a pro-rata refund of any
prepaid fees for the terminated portion of the Services.

4.3 SupplyScope remains responsible for sub-processors.

4.4 SupplyScope remains fully liable to the Customer for the performance of its sub-
processors’ obligations under this DPA.

5. International Transfers

5.1 Transfers outside the EEA will be governed by appropriate safeguards including SCCs. The parties agree that the SCCs (Module 2) are hereby incorporated by reference and deemed executed, with the details in Annex 1 constituting Annex I to the SCCs, and Annex 2 constituting Annex II to the SCCs. For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated.

6. Audit Rights

6.1 SupplyScope will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.

6.2 The Customer may conduct an audit of SupplyScope’s compliance with this DPA only where required by applicable Data Protection Laws and subject to the following
conditions:

  (a) no more than once in any 12-month period, unless required by a competent
supervisory authority or following a confirmed Personal Data Breach;
  (b) at least 30 days’ prior written notice;
  (c) conducted during normal business hours and in a manner that does not
unreasonably disrupt SupplyScope’s operations;
  (d) subject to reasonable confidentiality obligations; and
  (e) limited in scope to matters strictly necessary to assess compliance with this DPA.

6.3 The Customer must first seek to rely on any relevant third-party audit reports,
summaries or certifications (including ISO/IEC 27001) made available by SupplyScope.

7. Liability

7.1 Liability under this DPA is subject to the limitations in the Agreement.

8. Priority

8.1 In the event of any inconsistency between this DPA and the Agreement, this DPA prevails solely to the extent of the Processing of Customer Personal Data.

9. Governing Law

9.1 Unless otherwise agreed in writing, this DPA is governed by, and construed in accordance with, the laws of the jurisdiction in which the Customer is domiciled, as set out in the SupplyScope Terms and Conditions.

ANNEX 1 – DETAILS OF PROCESSING

Data Exporter
The Customer, as defined in the Agreement.

Data Importer
Supply Scope Pty Ltd (ACN 650 495 668).

Subject Matter of Processing
Provision of the SupplyScope software-as-a-service platform and related services.

Duration of Processing
For the term of the Agreement and thereafter in accordance with deletion and retention
obligations under the Agreement and this DPA.

Nature and Purpose of Processing
Hosting, storage, organisation, analysis, transmission and management of Customer Personal Data to provide, maintain, support and improve the Platform.

Categories of Data Subjects
Authorised Users, employees, contractors, suppliers and other individuals whose Personal Data is included in Customer Data.

Categories of Personal Data
Business contact information, professional details, compliance and supply chain data and any other Personal Data submitted to the Platform by or on behalf of the Customer.

Special Categories of Personal Data
The parties do not intend to transfer special categories of Personal Data. If special categories are inadvertently included in Customer Data, the Customer remains responsible as Controller for ensuring an appropriate legal basis exists.

Supervisory Authority
The competent supervisory authority in the EU Member State or the UK (as applicable) where the Customer is established.

ANNEX 2 – TECHNICAL AND ORGANISATIONAL MEASURES

SupplyScope maintains appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage, including:

  • role-based access controls and least-privilege principles;
  • authentication and access logging;
  • encryption of data in transit and at rest using industry-standard protocols;
  • secure cloud hosting infrastructure;
  • regular vulnerability scanning and security testing;
  • backup, disaster recovery and business continuity procedures;
  • incident response and breach management processes;
  • confidentiality obligations and security training for personnel.