Data Processing Addendum

This Data Processing Addendum, including the selected modules of the Standard Contractual Clauses and the attached Annexes (this “DPA”) supplements the Cogniti Subscription Agreement or other agreement entered into between the University of Sydney and Customer, including all Orders entered into between the parties.

The Cogniti Subscription Agreement and all Orders will be referred to in this DPA as the “Agreement.” The Agreement governs the provision, use, and purchase of Cogniti products and services described in the Agreement (“Services”). This DPA addresses the specific requirements of Applicable Data Protection Laws and applies solely to the extent that Customer uses a Cogniti Service that processes Data subject to an Applicable Data Protection Law.

1. Definitions

In this DPA, the following terms shall have the meanings below. Any capitalised terms used herein and not defined will have the meanings given to such terms in the Agreement.

“Applicable Data Protection Law” means all international, federal, national, and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the Agreement (including but not limited to, where applicable, European Data Protection Law and U.S. Data Protection Law (as defined below)).

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (“CPRA”), and its implementing regulations.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data.

“Customer” means the legal entity that entered into and signed an Order with the University for the purchase and use of the Services.

“Data Subject” means a natural person whose Personal Data is processed in the context of this DPA.

“European Data Protection Law” means: (i) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, and any applicable national implementation of it; (ii) on and after 25 May 2018, the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (iii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the E.U. e-Privacy Directive (Directive 2002/58/E.C.); and (iv) the Swiss Federal Data Protection Act (“Swiss GDPR”).

“Personal Data” shall have the meaning given to such term under Applicable Data Protection Law, but generally means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processor” means an entity that is engaged to process Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.

“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data (as defined in Section 2.1 below) transmitted, stored, or otherwise processed by the University or its Sub-Processors. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Standard Contractual Clauses” means: (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (E.U.) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCCs”).

“Sub-Processor” means an entity engaged by the Processor to process Data on behalf of, and under the instructions of, the Controller in connection with the provision of the Service. Sub-Processors exclude employees, consultants, or independent contractors of the University where such individual performs services equivalent to those performed by an employee.

“U.S. Data Protection Law” means the data protection or privacy laws and regulations applicable to the processing of Personal Data in force within the United States, including, but not limited to, (i) the CCPA, (ii) the Virginia Consumer Data Protection Act (“VCDPA”), (iii) once in effect, the Colorado Privacy Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Privacy Act, and (iv) any rules or regulations implementing any of the foregoing.

      2. General Data Processing Requirements

      2.1 Relationship of the parties. As between the parties and for the purposes of this DPA, Customer is the Controller, with respect to E.U. Data Protection Law and VCDPA, and a “business” with respect to CCPA, of the Personal Data that is included in Customer Content (“Data”) and appoints the University as a Processor, with respect to E.U. Data Protection Law and VCDPA, and a “service provider” with respect to CCPA, to process Data on behalf of Customer.

      2.2 Responsibilities of the parties. The University will not sell Personal Data as the term “sell” is defined by the CCPA. The University will not disclose or transfer Personal Data to other parties that would constitute “selling,” as the term is defined by the CCPA. Customer shall comply with its obligations under Applicable Data Protection Law, including, but not limited to, providing notice to Data Subjects and obtaining Data Subjects’ consent for processing of Data Subjects’ Personal Data, where required. Customer represents that its use of the Service will: (i) not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data to the extent applicable under the CCPA; and (ii) not violate the rights of any Data Subject that has not opted into the processing of sensitive personal data to the extent applicable under the VCDPA. Customer, as a Controller or as a “business,” (as defined by the CCPA) is responsible for: (i) the accuracy, quality, and legality of the Data; (ii) how Customer acquired Data; (iii) the instructions Customer provides to the University regarding the processing of Data; (iv) providing all legally required notices to individuals and obtaining all legally required consents which may be necessary for the University to process Data; (v) ensuring that Customer’s processing instructions are lawful and do not violate Applicable Data Protection Laws; and (vi) ensuring that Data is provided to the University for a valid “Business Purpose,” as defined in the CCPA. Customer will not provide or make available to the University any Data in violation of the Agreement or provide any Data that is inappropriate for the nature of the Services.

      2.3 Processing instructions; Purpose limitation.

      2.3.1 The University shall process the Data as a Processor in accordance with the documented instructions of Customer (including those in this DPA and the Agreement) or with Customer’s written instructions and only for the following purposes: (i) as necessary to perform the Services for Customer under the Agreement; (ii) to perform any steps necessary for the performance of the Agreement; (iii) any processing initiated by an Authorised User in their use of the Service; and (iv) to comply with other reasonable, lawful instructions provided by Customer (e.g., via email, phone, support tickets, or online tool). Customer shall only give lawful instructions to the University that comply with Applicable Data Protection Law. Annex A, attached hereto, includes certain details of the processing of Data, as required under Applicable Data Protection Law.

      2.3.2 The University may process Personal Data for its own legitimate business purposes, as an independent Controller, solely when the processing is strictly necessary and proportionate, and if the processing is for one of the following purposes:

      • Billing, account and customer relationship management (including marketing communications), support, and related correspondence;
      • Complying with and resolving legal obligations, tax requirements, and in connection with any disputes;
      • Monitoring and protecting the confidentiality, privacy, and security of the Services;
      • Internal reporting, financial reporting, revenue planning, and forecast modeling;
      • Receiving feedback regarding the Services and incorporating feedback into product development; and
      • other uses permitted by Customer in the Agreement or other terms entered into between the University and Customer.

      2.4 Confidentiality of processing. The University shall ensure that any person that it authorises to process Data (including the University’s staff, agents, and subcontractors) shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process Data who is not under such a duty of confidentiality.

      2.5 Security standards. The University shall implement appropriate technical and organisational measures intended to protect Data from: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure of, or access to Data. At a minimum, such measures shall include the security measures identified in Annex B (“Security Measures”).

      3. Sub-Processors and Subcontracting

      3.1 Subject to the terms and conditions set forth in this DPA, Customer generally authorises the University to continue to use and disclose Data to Sub-Processors engaged by the University in the context of providing the Services and processing activities. Customer approves the use of Sub-Processors described in Annex C. The University shall remain fully liable for any breach of the University’s obligations under this DPA that is caused by an act, error, or omission of the University’s Sub-Processors.

      3.2 The University shall not subcontract any processing of Data to a third-party Sub-Processor unless: (i) such Sub-Processor is subject to an agreement with the University that contains data protection terms not less protective than those provided for by this DPA with respect to the protection of Data to the extent applicable to the nature of the service provided by such Sub-Processor, and, to the extent the CCPA applies, each written agreement with a Sub-Processor will comply with the CCPA, designate the Sub-Processor as a “service provider” or “contractor,” and prohibit the Sub-Processor from selling Customer’s Data or using Customer’s Data for any purpose not authorised by the CCPA; and (ii) the University provides Customer prior notice (where notice will be provided by the University by email or by an in-product notification within the Service) of the addition or replacement of such Sub-Processor (including the details of the processing it performs or will perform, and the location of such processing) before authorising any new Sub-Processor(s) to process Customer’s Data in connection with the provision of the applicable Service.

      Notwithstanding the foregoing, in the event of an emergency concerning Service availability or security, the University is not required to provide prior notice but shall provide notification within seven (7) business days following the change in Sub-Processor.

      Customer will notify the University within ten (10) business days of receipt of the University’s notice of a new Sub-Processor if it objects to the addition or replacement of a Sub-Processor. Customer’s objection should be sent to cogniti@sydney.edu.au and explain the reasonable grounds for the objection. If Customer objects to the University’s appointment of a third party Sub-Processor on reasonable grounds relating to the protection of Data, and the University is unable to adequately address the reasonable grounds (e.g., make available to Customer a reasonable change to Customer’s configuration or use of the Service to avoid the processing of Data by the objected-to new Sub-Processor without unreasonably burdening Customer), then the University will not engage the Sub-Processor, or Customer may elect to suspend or terminate its subscription to the impacted Service without penalty. If Customer does not object to a Sub-Processor within thirty (30) days of the University’s notice as described in this Section 3, then the Sub-Processor will be deemed accepted by Customer.

      4. International Transfers of Data

      To perform the Services for Customer under the Agreement, the University may transfer Personal Data to countries other than the country in which the data were originally collected, including, without limitation, the United States. The University will ensure that such transfers are made in compliance with Applicable Data Protection Law and this Addendum. Customer authorises such cross-border Personal Data transfers and represents, warrants, and covenants that Customer will comply with any requirements under Applicable Data Protection Law regarding such Personal Data transfers. For such cross-border Personal Data transfers subject to Applicable Data Protection Law, the University and Customer agree to be bound by:

      (i) in the case of GDPR, the EU SCCs then-current and applicable module and terms of the Standard Contractual Clauses published by the European Commission and located as of the date of this DPA at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

      (ii) in the case of UK GDPR, the UK SCCs; and

      (iii) in the case of Swiss GDPR, the Swiss SCCs.

      In connection with the Standard Contractual Clauses referred to in (i) and (ii) of this Section 4, the parties agree to the following, as applicable:

      4.1 With respect to Data processed by the University pursuant to Section 2.3.1:

      • Module Two of the EU SCCs will apply;
      • in Clause 7, the optional docking clause will apply;
      • in Clause 9, the Option 2 will apply;
      • in Clause 11, the optional language will not apply;
      • in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law;
      • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
      • Annex 1 will be deemed completed with the information set out in Annex A (Details of Processing) of this DPA;
      • Annex 2 (Security Measures) will be deemed completed with the information set out in Annex B of this DPA; and
      • Annex 3 (Sub-Processors) will be deemed completed with the information set out in Section 3 of this DPA.

      4.2 With respect to Personal Data processed by the University pursuant to Section 2.3.2:

      • Module One of the EU SCCs will apply;
      • in Clause 7, the optional docking clause will apply;
      • in Clause 11, the optional language will not apply;
      • in Clause 17, the Standard Contractual Clauses will be governed by Irish law;
      • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
      • Annex 1 will be deemed completed with the information set out in Annex A (Details of Processing) of this DPA; and
      • Annex 2 (Security Measures) will be deemed completed with the information set out in Annex B of this DPA.

      4.3 With respect to Personal Data subject to UK GDPR, the UK SCCs will apply and:

      • the EU SCCs will also apply to transfers of Personal Data; and
      • Tables 1 to 3 of the UK SCCs will be deemed completed with the relevant information from the EU SCCs completed as set forth in 2.7.1 and the option “neither party” is checked in Table 4. The start date of the UK SCCs in Table 1 will be the date of this DPA.

      4.4 With respect to Personal Data subject to Swiss GDPR, the Swiss SCCs will apply and:

      • the EU SCCs will apply and any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss SCCs;
      • references to “EU,” “Union,” “Member State,” and “Member State Law” will be interpreted as references to “Switzerland” and “Swiss law,” as the case may be; and
      • references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss SCCs, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annex A and Annex B to this DPA.

      4.5 To the extent the University adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses adopted pursuant to Applicable Data Protection Laws) for the transfer of Personal Data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism will automatically apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Laws applicable to the European Economic Area and extends to territories to which Customer’s Personal Data is transferred).

      5. Cooperation and Individuals’ Rights

      Taking into account the nature of the processing and the information available, the University shall provide all reasonable and timely assistance to enable Customer to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) any other correspondence, inquiry, or complaint received from a regulator or public authority, Data Subject, or another third party, in connection with the processing of the Customer’s Data. If any such communication is made directly to the University, the University shall promptly and without undue delay (and in any event, no later than within forty-eight (48) hours of receiving such communication) provide Customer full details of the same and shall not respond to the communication unless specifically required by law or authorised by Customer.

      6. Data Protection Impact Assessment

      Taking into account the nature of the processing and the information available to the University, the University shall provide Customer with reasonable and timely assistance with any data protection impact assessments and, where necessary, consultations with data protection authorities.

      7. Security Incident

      Upon becoming aware of a Security Incident affecting Data, the University shall:

      (i) inform Customer without undue delay (and in any event, no later than the earlier of (A) within seventy-two (72) hours after confirming a Security Incident affected Data, and (B) the notice timescales required of the University by Applicable Data Protection Law); and

      (ii) provide sufficient available information and cooperation to enable Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.

      The University shall further take such measures and actions as are necessary to contain, investigate, remedy, and mitigate the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident. The University shall not notify any third parties of a Security Incident affecting Data unless and to the extent that:

      (a) Customer has agreed to such notification, or

      (b) notification is required to be made by the University under Applicable Data Protection Laws.

      Customer is responsible for its secure use of the Services, including, but not limited to, securing its account authentication credentials and protecting the security of Data transmitted via the systems Customer administers and maintains (i.e., email encryption).

      8. Deletion or Return of Data

      Upon termination or expiry of the Agreement or upon the Customer’s request, the University shall (at Customer’s election and in accordance with the terms of the Security Measures and the Agreement) delete or return all Data, including copies, in its possession or control. This requirement shall not apply to the extent that the University is required by Applicable Data Protection Laws to retain some or all Data, in which event the University shall isolate and protect Data from any further processing except to the extent required by such law.

      9. Audit Rights and Reports

      9.1 Solely to the extent required to comply with Applicable Data Protection Law, and to the extent the Reports do not satisfy Applicable Data Protection Law, Customer may audit (including by an independent third-party engaged by Customer) the University’s compliance with this DPA. In the case of such audit, the University shall make available all such information, systems, and staff reasonably necessary to allow Customer to conduct such audit. Customer shall not exercise its audit rights more than once per calendar year except following a Security Incident or following an instruction by a regulator or public authority. Customer shall give the University at least forty-five (45) days prior written notice of its intention to audit pursuant to this DPA, conduct its audit during the University’s normal business hours, and take all reasonable measures to prevent unnecessary disruption to the University’s operations and to ensure the protection of the data (which may include Personal Data) of the University’s employees, contractors, suppliers, or other users or customers. Customer and the University shall mutually agree in advance on the date, scope, duration, and security and confidentiality controls applicable to an audit. Customer understands and agrees that its right to audit a Sub-Processor’s compliance with this DPA will be subject to the audit provisions in the data processing terms between the University and such Sub-Processor, and that Customer may be required to execute a non-disclosure agreement and other related terms directly with such Sub-Processor to receive access to Sub-Processor’s reports and policies.

      9.2 Customer shall reimburse the University for all costs and expenses in connection with an audit carried out by Customer under this DPA, except that the University will provide Customer the Reports at no cost. Customer agrees that any of its audit rights set out in the Standard Contractual Clauses and other Applicable Data Protection Law shall be subject to, and carried out in accordance with, the terms of this Section 9.

      10. Compliance with Applicable Laws

      10.1 The University will process Data in accordance with this DPA and Applicable Data Protection Laws applicable to its role under this DPA. The University is not responsible for complying with Applicable Data Protection Laws uniquely applicable to Customer by virtue of its business or industry. The University will promptly inform Customer if it becomes aware that Customer’s processing instructions infringe Applicable Data Protection Laws.

      10.2 With respect to the CCPA, except to the extent Section 2.3.2 applies, the University will: (i) comply with sections of the CCPA applicable to “service providers” as defined by the CCPA; (ii) process Data solely to provide the Services to Customer, consistent with Section 1798.140(e)(5) of the CCPA; and (iii) not sell Data, or retain, use, or disclose Data for any purposes other than to perform the Service or as otherwise permitted under the Agreement or this DPA.

      10.3 With respect to the VCDPA, the University will: (i) comply with sections of the VCDPA applicable to “processors” as defined by the VCDPA; and (ii) process Data solely to provide the Services to Customer.

      10.4 To the extent that Section 2.3.2 applies, the University shall comply with the CCPA sections applicable to a “business” and the VCDPA sections applicable to a Controller.

      11. Indemnification for Third Party Claims

      Subject to the terms of the Agreement (e.g., process for tendering indemnity claims) and relevant sections of this DPA, the University will defend and hold harmless Customer against any Third Party Claim brought against Customer arising from the University’s breach of its obligations under this DPA, and indemnify Customer from the resulting costs and damages awarded against Customer to the third party raising such Third Party Claim by a court of competent jurisdiction or agreed to in settlement.

      12. Costs Allocation and Liability

      12.1 Each party will bear the costs of the investigation, remediation, mitigation, and other related costs to the extent a Security Incident is caused by such party.

      12.2 Each party will bear the costs of any fines, penalties, damages, or other related amounts imposed by an authorised regulatory body, governmental agency, or court of competent jurisdiction to the extent arising from such party’s breach of its obligations under this DPA.

      12.3 To the maximum extent allowed under Applicable Data Protection Law and other applicable laws or regulations, each party’s liability under this DPA will be limited to actual and proven damages in an amount not to exceed three (3) times the amount paid by Customer to the University under the Agreement for the Services during the 12-month period immediately preceding the incident giving rise to the claim.

      13. Miscellaneous Provisions

      13.1 The obligations placed upon the University under this DPA shall start when the University or its Sub-Processors process Data on Customer’s behalf in connection with the Services, and will survive for so long as the University or its Sub-Processors process Data on Customer’s behalf. Any claims against the University or its Affiliates under this DPA may only be brought by the Customer entity that is a contracting party to the Agreement. In no event shall this DPA or any party restrict or limit the rights of any Data Subject or of any competent supervisory authority.

      13.2 Except for the changes made by this DPA, the Agreement continues to govern the provision and use of the Service and remains unchanged and in full force and effect (including, for the avoidance of doubt, the limits on liability provisions in the Agreement). If there is any direct conflict between a provision in this DPA and a provision in the Agreement, the provision in this DPA shall prevail solely to the extent of that conflict only.

      13.3 Other than as required by the Standard Contractual Clauses, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto, respective permitted successors, and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

      13.4 Other than as required by the Standard Contractual Clauses, the dispute mechanisms, including those related to venue and jurisdiction, set forth in the Agreement govern any dispute pertaining to this DPA.

      ANNEX A: DETAILS OF PROCESSING OF PERSONAL DATA

      This Annex A includes certain details of the processing of Personal Data as required by the Standard Contractual Clauses and Article 28(3) GDPR. The parties agree that this Annex forms a part of the Standard Contractual Clauses.

      A. List of Parties

      Data exporter(s): Customer
      Role: Controller or Processor (if processing contracts on behalf of a Customer Affiliate)
      Contact Information: As outlined in the Agreement

      Data importer(s): the University of Sydney
      Role: Processor for purposes of Section 2.3.1 and Controller for purpose of Section 2.3.2
      Contact Information: As outlined in the Agreement

      B. Description of Transfer

      Subject matter and duration of the processing of Data: The subject matter and duration of the processing of Customer’s Data are set out in the Cogniti Subscription Agreement, the applicable Order, and this DPA.

      The nature and purpose of the processing of Data: The nature and purpose of the processing of Customer’s Data are set out in the Cogniti Subscription Agreement, the applicable Order, and this DPA.

      The types of Data to be processed: Customer may submit its contracts and related messages that may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:

      • Identification and contact data (name, email address);
      • Purchase and usage history data;
      • Contractual obligation data (persons and their business relationship with Customer, such as employee, consultant, the University, customer);
      • IT information (IP address, log files, software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes)).

      The categories of Data Subject to whom the Data relates: Customer may submit its contracts and related messages that may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

      • Employees, agents, advisors, freelancers of Customer (who are natural persons); and
      • Customer’s users, partners, Cogniti customers, and the users and employees of those entities.

      The obligations and rights of Customer: The obligations and rights of Customer are set out in the University Subscription Agreement, applicable Order Forms, and this DPA.

      Data subjects

      The personal data transferred concern the following categories of data subjects: Customer may submit its contracts and related messages that may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

      • Employees, agents, advisors, freelancers of Customer (who are natural persons); and
      • Customer’s users, partners, the University, and customers and the users and employees of those entities.

      Categories of data

      The personal data transferred concern the following categories of data: Customer may submit its contracts and related messages that may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:

      • Identification and contact data (name, email address);
      • Purchase and usage history data;
      • Contractual obligation data (persons and their business relationship with Customer, such as employee, consultant, the University, customer);
      • IT information (IP address, log files, software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes)); and
      • If the parties mutually agree on expanded use case, financial information (account details, payment information).

      Special categories of data (if appropriate)

      The personal data transferred concerns the following special categories of data: None.

      Processing operations

      The personal data transferred will be subject to the following basic processing activities:

      The personal data transferred to or accessed by the data importer will be used only for the purposes of providing services (cloud-based onboarding and training, user registration services as well as support and maintenance) to the data exporter. To this end, personal data may be accessed, processed, or disclosed as necessary by the data importer’s duly authorised staff or Sub-Processors, strictly for the purpose of providing services to the data exporter and in accordance with the data exporter’s instructions.

      ANNEX B: SECURITY MEASURES

      See relevant University policies and cybersecurity posture at https://www.sydney.edu.au/about-us/governance-and-structure/cybersecurity.html. Such policies and other related materials shall be deemed the University’s Confidential Information.

      ANNEX C: SUB-PROCESSORS

      The University of Sydney (“the University,” “we,” “our,” or “us”) shares this list of third-party suppliers that enable us to provide the Cogniti product and service (“Cogniti”) for transparency with our users and to comply with our obligations under applicable laws and to our customers. These third-party suppliers perform the general function and processing activities described below and are considered sub-processors under certain applicable laws (“sub-processors”), including the European Union’s data privacy regulation known as the General Data Protection Regulation (“GDPR”), because they process personal data in the course of our delivery of our products and services to customers.

      When we use the terms “process,” “processing,” “processed” and “personal data” in our terms with you, those terms have the meaning given to them under GDPR and applicable laws. We require our sub-processors to implement appropriate security measures to safeguard personal data and to comply with relevant obligations. Further information about our sub-processors is available at their respective websites. For your convenience, we have shared links to our sub-processors’ data processing terms.

      Back-End Infrastructure and Product

      Like many cloud-based solutions, Cogniti uses suppliers that provide back-end infrastructure for our products’ production systems and for data storage. We also engage suppliers to allow us to analyze the performance and usage of our products and enhance certain product capabilities. These tools enable our product and engineering teams to develop new and improved features and create better user experiences. These suppliers possess an extensive set of security certifications with regular auditing to ensure compliance. More importantly, these suppliers allow us to deliver to customers better performing products.

      Sub-Processor | Processing Location | Processing Activities / General Function | Data Processing Terms
      Microsoft Corporation | Australia | Azure AI services, Azure container application services, Azure database services, Azure communication services | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
      MongoDB | Australia | For Cogniti SaaS product: Database storage | https://www.mongodb.com/legal/data-processing-agreement

      Other Providers

      To support a remote / hybrid work environment amongst our team, enable collaboration, and allow for data-driven and prompt client and relationship management, we use various cloud-based tools.

      Sub-Processor | Processing Location | Processing Activities / General Function | Data Processing Terms
      Microsoft Corporation | Australia | Business productivity (e.g. email, document hosting) | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

      Version History

      Date | Notes
      25 June 2025 | V.1: This DPA published on this page.