Data Processing Agreement
Effective date: 1 May 2026 - Kutamo Pty Ltd, Victoria, Australia
1. Definitions
In this DPA:
- "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
- "Processor" means Kutamo Pty Ltd, which processes Personal Data on behalf of the Controller.
- "Personal Data" has the meaning given by the GDPR and/or applicable Australian privacy laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-Processor" means a third party engaged by Kutamo to process Personal Data.
- "Security Incident" means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Applicable Privacy Law" means the GDPR, UK GDPR, the Privacy Act 1988 (Cth), and any other applicable data protection legislation.
2. Scope and Purpose of Processing
Kutamo processes Personal Data as a Processor solely on documented instructions from the Controller and for the purpose of providing the Kutamo platform and Services as described in the Terms of Service.
Details of processing:
- Categories of data subjects: The Controller's employees, contractors, and invited meeting participants.
- Categories of personal data: Names, email addresses, job titles, meeting content and activity data, IP addresses.
- Nature of processing: Storage, retrieval, display, transmission, and deletion of personal data within the platform.
- Duration: For the term of the Customer's subscription and for 30 days following termination (for export), thereafter deleted.
3. Processor Obligations
Kutamo shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case Kutamo will notify the Controller unless prohibited by law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational security measures as described in Section 7.
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests (Section 8).
- Assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs).
- Delete or return all Personal Data at the end of the service relationship as described in Section 10.
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 11).
- Notify the Controller without undue delay if it believes any instruction infringes Applicable Privacy Law.
4. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for providing it to Kutamo.
- Provide accurate and complete instructions to Kutamo regarding the processing of Personal Data.
- Ensure Data Subjects have been informed of the processing as required by Applicable Privacy Law.
- Obtain any necessary consents from Data Subjects where processing is consent-based.
5. Sub-Processors
The Controller authorises Kutamo to engage Sub-Processors to assist in providing the Services. Current Sub-Processors include:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure and hosting | Australia (primary), global failover |
| Stripe, Inc. | Payment processing | United States |
| Mailgun / Sinch Email | Transactional email delivery | United States |
| Twilio Inc. | SMS notifications | United States |
| Microsoft Azure Service Bus | Message queuing | Australia |
Kutamo will inform the Controller of any intended addition or replacement of Sub-Processors with at least 14 days' prior notice, giving the Controller the opportunity to object. Kutamo imposes equivalent data protection obligations on all Sub-Processors.
6. International Data Transfers
Transfers of Personal Data to Sub-Processors outside the EEA, UK, or Australia are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms. Details are available on request at [email protected].
7. Security Measures
Kutamo implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest on Azure infrastructure.
- Role-based access controls limiting staff access to Personal Data on a need-to-know basis.
- Multi-factor authentication for platform administrator access.
- Regular security assessments and vulnerability scanning.
- Incident response procedures and logging.
- Employee training on data protection and information security.
8. Data Subject Requests
Kutamo will notify the Controller within 5 business days of receiving any request from a Data Subject exercising their rights (access, erasure, portability, etc.) that relates to the Controller's data. Kutamo will assist the Controller in responding to such requests using available platform tools. The Controller remains responsible for determining how to respond.
9. Security Incident Notification
In the event of a Security Incident affecting Personal Data processed on behalf of the Controller, Kutamo will notify the Controller without undue delay and no later than 72 hours after becoming aware of the incident. Notification will include:
- A description of the nature of the Security Incident, including categories and approximate number of data subjects and records affected.
- Contact details of Kutamo's privacy point of contact.
- Likely consequences of the Security Incident.
- Measures taken or proposed to address the incident.
Kutamo will cooperate with the Controller in investigating and remedying the Security Incident and, where applicable, meeting any breach notification obligations under Applicable Privacy Law.
10. Data Return and Deletion
Upon expiry or termination of the Services, Kutamo will, at the Controller's choice, securely delete or return all Personal Data and copies thereof within 30 days, unless applicable law requires continued storage. Proof of deletion will be made available on request.
11. Audit Rights
Kutamo will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Controller or a mandated auditor, subject to:
- Reasonable prior written notice (minimum 30 days).
- Execution of a mutually agreed non-disclosure agreement.
- Audits being conducted during normal business hours and at the Controller's cost.
- No more than once per 12-month period, unless a Security Incident has occurred.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits liability where prohibited by Applicable Privacy Law (including fines and penalties imposed by a supervisory authority).
13. Term and Termination
This DPA is effective from the date the Controller first accesses the Services and remains in effect for the duration of the Terms of Service. Termination of the Terms of Service automatically terminates this DPA, subject to the survival of obligations in Sections 7 and 10.
14. Governing Law
This DPA is governed by the laws of Victoria, Australia. To the extent that GDPR or UK GDPR apply, the parties agree that GDPR requirements take precedence for EEA/UK data subjects.
15. Contact
For enquiries relating to this DPA:
Kutamo Pty Ltd, PO Box 7319, Melbourne, Victoria 3004, Australia
Email: [email protected]