Data Processing Agreement

Sustainability Intelligence
Operated by Ransome-Wallis Pty Ltd (ABN 49 630 459 068)
Last updated: 30 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ransome-Wallis Pty Ltd (ABN 49 630 459 068) ("Processor", "we", "us") and the user of the Sustainability Intelligence service ("Controller", "you").

This DPA applies where we process personal data on your behalf in connection with your use of the Service, in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and the Australian Privacy Act 1988 (Cth).

---

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, as defined by the GDPR, UK GDPR, or Australian Privacy Act.
  • Processing: any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • Data Subject: an identified or identifiable natural person whose Personal Data is processed.
  • Sub-processor: a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Supervisory Authority: the relevant data protection authority (OAIC in Australia, ICO in the UK, or the applicable EU authority).
---

2. Scope and Purpose of Processing

2.1 Purpose

We process Personal Data solely for the purpose of providing the Sustainability Intelligence service, specifically:
  • Account creation and authentication (email address, encrypted password)
  • Email verification and essential service communications

2.2 Categories of Data Subjects

  • Users who create accounts on the Service

2.3 Types of Personal Data Processed

  • Email addresses
  • Encrypted passwords (we cannot access the plaintext)

2.4 Data NOT Processed as Personal Data

The following data is collected anonymously and cannot be linked to any individual:
  • Industry, country, and business profile selections
  • Scenario and analysis mode selections
  • Visitor country (derived from the IP address; the IP address itself is never stored)

---

3. Obligations of the Processor

3.1 Lawful Processing

We will process Personal Data only on your documented instructions (i.e., as necessary to provide the Service), unless required to do so by applicable law. If we are required by law to process Personal Data for any other purpose, we will inform you of that legal requirement before processing, unless the law prohibits such notification.

3.2 Confidentiality

We ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.

3.3 Security Measures

We implement and maintain appropriate technical and organisational measures to protect Personal Data, including:
  • HTTPS/TLS encryption for all data in transit
  • Industry-standard password hashing (data at rest)
  • Firewall restricting access to essential ports only (22, 80, 443)
  • Fail2ban intrusion prevention (automatic blocking of brute-force attempts)
  • Automatic security updates (unattended-upgrades)
  • Server hosted in Germany (EU) by Hetzner Online GmbH (ISO 27001 certified)
  • Docker containerisation isolating the application from the host system

3.4 Sub-processors

We use the following sub-processors:

| Sub-processor | Purpose | Location | Safeguards |
|---------------|---------|----------|------------|
| Hetzner Online GmbH | Server hosting and infrastructure | Nuremberg, Germany (EU) | DPA in place, ISO 27001 certified, GDPR compliant |
| DeepSeek | AI text generation | China | No Personal Data sent. Only business profile selections and free-text descriptions are transmitted. Users are instructed not to include personal data in prompts. |
| Paddle.com Market Limited | Payment processing (Merchant of Record) | United Kingdom | PCI DSS compliant, own DPA available at paddle.com |

We will notify you before adding or replacing any sub-processor, giving you the opportunity to object. If you object on reasonable data protection grounds, and we cannot accommodate your objection, you may terminate the Service.

3.5 Data Subject Rights

We will assist you in responding to requests from Data Subjects exercising their rights under applicable law (access, rectification, erasure, restriction, portability, objection). We will notify you promptly if we receive any such request directly.

3.6 Data Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay (and in any event within 72 hours of becoming aware of the breach) with sufficient information to enable you to meet any obligations to report or inform Data Subjects under applicable law.

3.7 Data Protection Impact Assessments

We will provide reasonable assistance if you are required to carry out a Data Protection Impact Assessment (DPIA) or prior consultation with a Supervisory Authority in relation to the processing.

3.8 Audit Rights

You have the right to audit our compliance with this DPA. We will make available all information necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. Such audits will be conducted with reasonable notice and during normal business hours.

---

4. International Data Transfers

4.1 Primary Processing Location

All Personal Data (email addresses, encrypted passwords) is stored and processed within the European Union (Germany), ensuring GDPR-adequate protection.

4.2 AI Processing

When a user generates an analysis, non-personal data (industry, country, business size, and free-text description) is sent to DeepSeek's API, which may process data outside the EU and Australia. No Personal Data is included in these transfers. Users are explicitly instructed not to include personal data in the free-text field.

4.3 Transfer Safeguards

For any transfer of Personal Data outside the EU/EEA/UK, we will ensure appropriate safeguards are in place, such as:
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission or UK Secretary of State
  • Other mechanisms recognised under applicable law

---

5. Data Retention and Deletion

5.1 Retention

We retain Personal Data only for as long as necessary to provide the Service:
  • Account data: Retained while the account is active
  • Anonymous usage data: Retained indefinitely (contains no Personal Data)

5.2 Deletion

Upon termination of the Service or at your request, we will delete all Personal Data within 30 days, unless retention is required by applicable law. We will provide written confirmation of deletion upon request.

---

6. Obligations of the Controller

You confirm that:

  • You have a lawful basis for providing Personal Data to us
  • You will inform Data Subjects about the processing as described in our Privacy Policy
  • You will not instruct us to process Personal Data in a manner that would violate applicable law
  • You will not enter personal data of third parties into the free-text business description field

---

7. Duration and Termination

This DPA remains in effect for the duration of your use of the Service. The obligations in this DPA survive termination to the extent necessary to complete the deletion of Personal Data and to comply with applicable law.

---

8. Governing Law

This DPA is governed by the laws of Queensland, Australia. For processing subject to the GDPR, the provisions of the GDPR take precedence to the extent of any conflict. For processing subject to the UK GDPR, the provisions of the UK GDPR take precedence to the extent of any conflict.

---

9. Contact

For questions about this DPA:
Email: helpfulperson@sustainabilityintelligence.tools
Address: Ransome-Wallis Pty Ltd, 2/290 Boundary Street, Spring Hill, QLD 4000, Australia