Data Processing Agreement (Customers) | Strength By Numbers

Applies to customer use of Strength By Numbers services

This public DPA contains the full legal terms. It applies when you accept our Terms of Service and use our services. If your procurement team needs a signed execution copy, contact [email protected].

Parties

Data Importer (Processor)

Name: SBN Technology Pty Ltd
ACN: 624 009 598
Registered address: 18/328 Reserve Rd, Cheltenham, Victoria 3192, Australia
Privacy contact: [email protected]

Data Exporter (Controller)

Who: The customer entity that accepted the Terms of Service or is identified in the applicable order, and its authorized users.
Address & contacts: As per the customer account/order records held by Strength By Numbers.

Background

Strength By Numbers and the Data Exporter will exchange data as part of the services. The parties agree to handle and transfer data under this DPA.

Date of Agreement

Effective when the customer accepts the Terms of Service or, if separately executed, on the date of last signature.

Agreed terms

1. Agreement

This DPA supplements and forms part of the Terms of Service between Strength By Numbers and the Data Exporter. Scope, duration, and nature of processing follow the Terms. This DPA ends when the Terms end.

This public DPA is binding without signatures. If a signed copy is needed, a countersigned cover sheet may be executed; the public DPA governs in case of conflict.

2. Relationship between the parties

  • Data Exporter is the controller.
  • Strength By Numbers is the processor and complies with Data Protection Laws, including Article 28 GDPR, with appropriate technical and organisational measures and any Supplementary Measures.

3. Transfers

For any Restricted Transfers, the parties enter into the EU Standard Contractual Clauses (Schedule 1, Module Two: Controller to Processor) and, where applicable, the UK ICO Addendum (Schedule 2). The SCCs take effect when a Restricted Transfer starts. Strength By Numbers limits access to personnel under confidentiality and need-to-know principles.

4. Data processing

  • Exporter instructs Strength By Numbers and its Approved Subprocessors to process Personal Data and make transfers as needed to deliver the services and as consistent with the Terms.
  • Subprocessors process only under documented instructions or where required by law.

5. Approved Subprocessors

General authorisation to engage subprocessors on the current list at https://strengthbynumbers.com/pages/list-of-subprocessors. We will give at least 30 days’ notice of changes. Objections and related options are handled per this section. Contracts with subprocessors provide protections at least equivalent to this DPA and include required flow-downs and third-party beneficiary rights. Strength By Numbers remains liable for subprocessor performance.

6. Data Subject rights

  • Each party implements measures to assist the other in responding to Data Subject requests.
  • Strength By Numbers notifies the Exporter of requests and only responds per Exporter instructions or where required by law.
  • Data Subjects may enforce the SCCs as third-party beneficiaries.
  • Strength By Numbers publishes a complaint contact and handles complaints.

7. Data Protection Impact Assessment & prior consultation

Strength By Numbers provides reasonable assistance to the Exporter with DPIAs and consultations limited to processing performed for the Exporter.

8. Personal Data Breach

  • Cooperate to investigate, mitigate, and remediate.
  • Notify the Exporter without undue delay and provide the details reasonably required.
  • Inform the Exporter of relevant complaints, claims, or regulatory actions.

9. Technical and organisational measures (TOMs)

Strength By Numbers and each Approved Subprocessor implement and maintain appropriate TOMs per Article 32 GDPR, Annex II to the SCCs, and any Supplementary Measures, considering risks and transfer assessments.

10. Deletion or return of data

On written request after service completion or when processing is no longer required, Strength By Numbers will securely delete or return Personal Data and delete existing copies unless retention is required by law, and provide written certification.

11. Audit rights

  • Maintain complete records of processing; make available on request.
  • Allow audits/inspections with reasonable notice; remediate issues at our cost.

12. Access by public authorities

Notify the Exporter (and where possible Data Subjects) of binding requests or direct access; seek waivers to allow notification; provide periodic transparency information where lawful; review legality and challenge unlawful requests; minimise disclosures.

13. Definitions

Terms have the meanings in GDPR/UK GDPR and as used here: Applicable Laws, Approved Addendum, Approved Subprocessor, Data Exporter Personal Data, Data Protection Laws, EU, Representative, Restricted Transfer, Services, Standard Contractual Clauses, Supplementary Measures, UK. “Including” means “without limitation.”

Schedule 1: EU Standard Contractual Clauses (Module Two)

These are the EU Commission’s Standard Contractual Clauses (Controller to Processor), Commission Implementing Decision (EU) 2021/914, included here by reference and reproduced in full. If you prefer, you may paste the full text below.

Appendix to SCCs — Annexes

Annex I — Parties and description of transfer

Annex I.A — Parties

Data Exporter: The customer entity that accepted the Terms of Service or is identified in the applicable order. Role: Controller.
Data Importer: SBN Technology Pty Ltd, ACN 624 009 598, 18/328 Reserve Rd, Cheltenham, Victoria 3192, Australia. Role: Processor.

Annex I.B — Description of transfer

Data subjects: customer representatives; end users; individuals whose data is entered into the services; and current/past personnel including contractors and consultants.

Categories of personal data: direct identifiers (name, contact, employment contact, payment details); indirect identifiers (employer, job title, age, gender, address, height/weight, sports/activities); device and traffic data (including location); and data supplied via communications.

Sensitive data (if provided): injury history (type/date), examination data, test results. Protected per TOMs and need-to-know handling.

Frequency: as the services are used.

Nature & purposes: provision of services, including physical performance assessment and related features under the Terms.

Retention: 5 years after termination of the Terms unless otherwise agreed or required by law.

Subprocessors: current list at https://strengthbynumbers.com/pages/list-of-subprocessors.

Annex I.C — Competent supervisory authority

If the Exporter is established in the EU: the authority in its Member State. If not, the authority where its GDPR representative is based.

Annex II — Technical and organisational measures

Organisational security (assigned responsibility, privacy team, need-to-know access, confidentiality), handling of data (encryption/pseudonymisation as appropriate; HTTPS in transit; media destruction; DLP; restricted employee access; malware controls), physical security (secured facilities and locations; secure paper destruction), and controller assistance measures (contact point, processing register, breach plan, data subject rights policy, security policy, request form and register, minimisation, quality, retention, secure transmission, restriction, accountability, portability, erasure).

Annex III — List of subprocessors

Authorised subprocessors are those listed at https://strengthbynumbers.com/pages/list-of-subprocessors.

Schedule 2: UK International Data Transfer Addendum (ICO)

This section includes the UK ICO-approved International Data Transfer Addendum to the EU Standard Contractual Clauses. It applies automatically where UK data protection law governs a transfer. You may request a copy of the full text at any time.
