
DRAFT — NOT YET REVIEWED BY LEGAL COUNSEL

This document is a preliminary draft and has not been reviewed by a qualified legal professional. Do not rely on this document as legal advice.

Data Processing Agreement

Last updated: March 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between Pixelex Pty Ltd (ABN pending) (“Processor”) and the organisation subscribing to Pixelex Exchange (“Controller”).

This DPA supplements and forms part of the Pixelex Exchange Terms of Service and applies to the extent that Pixelex processes personal data on behalf of the Controller.

2. Scope of Processing

Nature and purpose: Pixelex processes personal data to provide the Pixelex Exchange document control and correspondence platform.

Categories of data subjects: Organisation employees and authorised users, project collaborators from invited organisations, and individuals referenced in correspondence and documents.

Types of personal data: Names, email addresses, job roles, organisation affiliation, IP addresses, user activity logs, and content of uploaded documents and correspondence.

Duration: Data is processed for the duration of the subscription term plus 90 days for data export after termination.

3. Processor Obligations

Pixelex shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures including:
    • Row-level security (RLS) for strict tenant data isolation
    • Encryption in transit (TLS 1.3) and at rest (AES-256)
    • JWT-based authentication with bcrypt password hashing
    • Role-based access control with audited permission checks
    • Malware scanning of all uploaded files
    • Immutable audit trail for all data access and modifications
  • Only engage sub-processors with the Controller's prior written consent (see Section 5)
  • Assist the Controller in responding to data subject access requests
  • Notify the Controller of a personal data breach without undue delay (and in any event within 72 hours of becoming aware)
  • Delete or return all personal data at the Controller's request upon termination (subject to the 90-day export window)

4. Controller Obligations

The Controller shall:

  • Ensure a lawful basis exists for processing personal data
  • Provide clear instructions regarding the processing of personal data
  • Manage user access and roles within their organisation
  • Inform data subjects about the processing of their data and their rights

5. Sub-Processors

The Controller acknowledges and consents to the use of the following sub-processors:

| Sub-Processor | Processing Activity | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication | Sydney, Australia (AWS) |
| Cloudflare Inc. | File storage (R2), CDN, Workers | Global |
| Vercel Inc. | Application hosting | Sydney, Australia |
| Resend Inc. | Transactional email delivery | USA |
| Stripe Inc. | Payment processing | USA / Global |
| attachmentAV | Malware scanning | EU |

Pixelex will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 14 days.

6. International Transfers

Primary data storage is in the Sydney, Australia region. Some sub-processors operate in the USA and EU. Where personal data is transferred outside Australia, Pixelex ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) with EU-based sub-processors
  • Sub-processors' compliance with relevant data protection frameworks (e.g., EU-US Data Privacy Framework)

7. Data Breach Notification

In the event of a personal data breach, Pixelex will notify the Controller without undue delay and no later than 72 hours after becoming aware. The notification will include:

  • Nature of the breach, including categories and approximate number of data subjects
  • Contact details for further information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Audit Rights

The Controller has the right to audit Pixelex's compliance with this DPA. Pixelex will make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or an independent auditor.

9. Term and Termination

This DPA remains in effect for the duration of the Pixelex Exchange subscription. Upon termination, Pixelex will delete all personal data within 90 days unless retention is required by law, or the Controller requests data return.

10. Contact

For DPA inquiries, contact privacy@pixelex.app.