TitanRDM Data Processing Agreement
Effective Date: 25 May 2025
Last Updated: 25 May 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the Customer ("Controller", "you") and Willow Box Pty Ltd ATF Willow Box Trust ("Processor", "we", "us"), operating as TitanRDM.
This DPA applies where we process personal data on your behalf in the course of providing the TitanRDM platform ("the Service"). This DPA is designed to meet the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Australian Privacy Act 1988 (Cth).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers.
2. Scope and Roles
2.1. You are the Controller and determine the purposes and means of processing Personal Data. We are the Processor and process Personal Data only on your behalf and in accordance with your documented instructions.
2.2. This DPA applies to all Personal Data processed by us in connection with the Service, including data contained within Customer Data (e.g., if your reference data tables contain personal information about individuals).
3. Details of Processing
| Aspect | Details |
|---|---|
| Subject Matter | Provision of the TitanRDM reference data management platform |
| Duration | For the term of the Agreement plus the data retention period (90 days post-termination) |
| Nature and Purpose | Storage, retrieval, management, versioning, deployment, import/export of reference data; user account management and authentication |
| Types of Personal Data | As determined by the Controller; may include names, contact details, identifiers, or any data the Controller uploads to the Service |
| Categories of Data Subjects | As determined by the Controller; may include the Controller's customers, employees, suppliers, or other individuals whose data is stored in reference tables |
4. Obligations of the Processor
We shall:
- 4.1. Process Personal Data only on your documented instructions, unless required by applicable law (in which case we will notify you in advance, where legally permitted).
- 4.2. Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
- 4.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7).
- 4.4. Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) through the Service's functionality and, where necessary, additional reasonable cooperation.
- 4.5. Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- 4.6. At your choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless retention is required by law.
- 4.7. Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 9).
5. Obligations of the Controller
You shall:
- 5.1. Ensure that you have a lawful basis for processing Personal Data and for instructing us to process it.
- 5.2. Provide documented instructions regarding the processing of Personal Data.
- 5.3. Ensure that Data Subjects have been informed about the processing in accordance with applicable law.
- 5.4. Be responsible for the accuracy and legality of the Personal Data provided to us.
6. Sub-processors
6.1. You provide general authorisation for us to engage Sub-processors to assist in providing the Service.
6.2. Our current Sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, database services | Sydney, Australia (ap-southeast-2) |
| Stripe, Inc. | Payment processing and billing | United States |
6.3. We will notify you at least 14 days in advance of any intended addition or replacement of Sub-processors, providing you with the opportunity to object.
6.4. If you object to a new Sub-processor on reasonable grounds related to data protection, we will use reasonable efforts to make available an alternative or, if not possible, you may terminate the affected Service by providing written notice.
6.5. We shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA through a written contract.
6.6. We remain fully liable to you for the performance of each Sub-processor's obligations.
7. Security Measures
We implement and maintain the following technical and organisational measures:
7.1 Technical Measures
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Logical tenant isolation (separate database schemas per customer)
- Automated encrypted backups with point-in-time recovery
- Network security controls (firewalls, security groups, private subnets)
- Vulnerability scanning and patching
- Secure authentication (password hashing with bcrypt, session management, account lockout)
7.2 Organisational Measures
- Access restricted on a need-to-know basis (principle of least privilege)
- Security awareness for personnel with access to Personal Data
- Incident response procedures
- Regular review of security measures
- Secure development practices
8. Security Incident Notification
8.1. We shall notify you of any Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident.
8.2. The notification shall include:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of our point of contact
- A description of the likely consequences of the incident
- A description of the measures taken or proposed to address the incident, including measures to mitigate its adverse effects
8.3. We shall cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
8.4. Notification of a Security Incident shall not be construed as an admission of fault or liability.
9. Audits and Compliance
9.1. We shall make available to you, on request, information necessary to demonstrate compliance with this DPA.
9.2. You (or a mandated third-party auditor bound by confidentiality) may conduct an audit of our processing activities once per year, with at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations.
9.3. If an audit reveals non-compliance, we shall promptly remediate the identified issues at our own cost.
9.4. We may satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or other evidence of compliance.
10. International Data Transfers
10.1. Personal Data is primarily stored in the USA.
10.2. Where Personal Data is transferred to a country outside Australia, the EU/EEA, or the UK that has not been deemed to provide an adequate level of data protection, we shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (EU Commission Decision 2021/914) for EU/EEA transfers
- The UK International Data Transfer Agreement or Addendum for UK transfers
- Contractual commitments providing equivalent protections for Australian Privacy Act purposes
10.3. You acknowledge that the Sub-processor Stripe processes limited data (billing-related) in the United States and is certified under applicable data transfer frameworks.
11. Data Subject Rights
11.1. We shall assist you in fulfilling your obligations to respond to Data Subject rights requests, taking into account the nature of the processing.
11.2. If we receive a request directly from a Data Subject, we shall promptly redirect the request to you unless legally required to respond directly.
11.3. The Service provides functionality for data export, correction, and deletion that you may use to fulfil Data Subject requests.
12. Data Deletion and Return
12.1. Upon termination or expiry of the Agreement, we shall:
- Continue to make Customer Data (including any Personal Data) available for export for 90 days
- After the 90-day period, permanently delete all Customer Data from our production systems within 30 days
- Delete Customer Data from backups within 90 days of the deletion from production systems (or upon natural backup rotation)
12.2. We may retain Personal Data where required by applicable law, in which case we shall inform you of the legal basis and limit processing to the extent required by law.
13. Liability
13.1. The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service), including the aggregate liability cap equal to the total Subscription Fees paid in the twelve (12) months preceding the event giving rise to the claim.
13.2. Each party's liability under this DPA is not additional to, but inclusive of, its liability under the Agreement. The total combined liability of either party for all claims under the Agreement and this DPA shall not exceed the cap stated in Section 12.1 of the Terms of Service.
13.3. Nothing in this DPA limits either party's liability for: (a) wilful misconduct or fraud; (b) liability that cannot be excluded by law; or (c) each party's indemnification obligations for third-party claims arising from breach of this DPA, subject to the liability cap.
14. Term and Termination
14.1. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to the data retention and deletion obligations in Section 12.
14.2. Obligations that by their nature should survive termination (including confidentiality, liability, and data deletion) shall survive.
15. Governing Law
15.1. This DPA is governed by the laws of Queensland, Australia, consistent with the Agreement.
15.2. For matters specifically governed by the GDPR, the applicable provisions of EU/UK law shall apply to the extent they relate to GDPR compliance.
16. Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
17. Contact
For questions or requests related to this DPA, please contact:
- Email: support@titanrdm.com
- Entity: Willow Box Pty Ltd ATF Willow Box Trust
- Jurisdiction: Queensland, Australia