Syrgas — Data Handling Addendum
Data Handling Addendum · Version 1.0
Syrgas Pty Ltd · Legal Document

Data Handling Addendum

Incorporated into and forming part of the AI Service Agreement
Governing law: Victoria, Australia · Privacy Act 1988 (Cth)
ABN 44 699 738 406 ACN 699 738 406 Version 1.0 Jurisdiction Victoria, Australia
This document governs the collection, processing, storage, transmission, and deletion of all Client Data in connection with any Syrgas engagement. It is incorporated into and forms part of the AI Service Agreement. By signing the Statement of Work, the client confirms they have read and agreed to the terms of this Addendum.
Section 1

Definitions

Terms defined in the AI Service Agreement have the same meaning in this Addendum. In addition, the following definitions apply:

  • Australian Privacy Principles (APPs) means the principles set out in Schedule 1 of the Privacy Act 1988 (Cth).
  • Client Data means all data, information, and materials provided by or on behalf of the Client to Syrgas Pty Ltd, or accessed by Syrgas Pty Ltd in connection with the Services, including personal information, CRM records, lead data, business performance data, email content, and process documentation.
  • Data Breach means unauthorised access to, disclosure of, or loss of Client Data that is likely to result in serious harm to any individual, or that otherwise triggers notification obligations under the Notifiable Data Breaches scheme.
  • Notifiable Data Breaches scheme means the mandatory breach notification regime under Part IIIC of the Privacy Act 1988 (Cth).
  • Personal Information has the meaning given in section 6 of the Privacy Act 1988 (Cth) and includes any information or opinion about an identified individual or an individual who is reasonably identifiable.
  • Processing means any operation performed on Client Data, including collection, access, use, storage, transmission, analysis, deletion, and destruction.
  • Sensitive Information has the meaning given in section 6 of the Privacy Act 1988 (Cth), including health information, biometric information, and information about racial or ethnic origin.
  • Sub-processor means any third-party tool or service engaged by Syrgas Pty Ltd that processes Client Data on Syrgas Pty Ltd's behalf, as listed in Schedule A of this Addendum.
Section 2

Scope and Role of the Parties

2.1 Nature of data processing

Syrgas Pty Ltd processes Client Data as a data processor acting on behalf of the Client as data controller for the purposes of the Privacy Act 1988 (Cth). The Client determines the purposes and means of processing Client Data and is responsible for ensuring that its own collection and use of that data comply with applicable privacy laws.

2.2 Purpose limitation

Syrgas Pty Ltd will process Client Data only for the following purposes, and for no other purpose without the Client's prior written consent:

  • Performing the Services described in the applicable Statement of Work
  • Configuring, testing, and maintaining AI Tools and workflow automations on behalf of the Client
  • Producing Deliverables including process maps, reports, dashboards, and recommendations
  • Communicating with the Client and its nominated team members about the Engagement
  • Complying with legal obligations applicable to Syrgas Pty Ltd
2.3 Prohibition on secondary use

Syrgas Pty Ltd will not:

  • Use Client Data for any purpose other than those listed in clause 2.2
  • Use Client Data to develop, train, or improve any AI model, algorithm, or analytical system
  • Sell, licence, or otherwise transfer Client Data to any third party for that third party's own purposes
  • Aggregate Client Data with data from other clients to create anonymised datasets without the Client's explicit written consent
Section 3

Categories of Client Data

The following table identifies the categories of Client Data that Syrgas Pty Ltd may process in connection with the Services, together with the legal basis for processing and the applicable retention period.

Data categoryExamplesLegal basisRetention period
Contact and identity dataFull name, email address, phone number, job title, company namePerformance of contract; Legitimate interestsDuration of engagement + 3 years
Business performance dataLead volumes, conversion rates, revenue figures, pipeline dataPerformance of contractDuration of engagement + 3 years
CRM and pipeline dataDeal records, lead scores, contact history, email sequencesPerformance of contractDuration of engagement + 1 year
Process and workflow dataCurrent-state process maps, bottleneck analysis, workflow configurationsPerformance of contractDuration of engagement + 3 years
Email content dataEmail templates, sequence copy, automated message contentPerformance of contractDuration of engagement + 1 year
Website and analytics dataForm submissions, page traffic, lead source attributionLegitimate interests; Consent where requiredDuration of engagement + 1 year
Employee and team dataNames and roles of team members participating in training or interviewsLegitimate interestsDuration of engagement only
Important — Sensitive Information
Syrgas Pty Ltd does not require access to Sensitive Information (including health information, financial account information, or information about racial or ethnic origin) to perform the Services. The Client must not provide Sensitive Information to Syrgas Pty Ltd without prior written agreement. If Sensitive Information is inadvertently disclosed, Syrgas Pty Ltd will notify the Client immediately and delete the information unless retention is required by law.
3.2 Minimisation

Syrgas Pty Ltd will request only the minimum Client Data necessary to perform each specific task. Where the Services can be performed using anonymised or aggregated data, Syrgas Pty Ltd will prefer that approach over processing Personal Information.

Section 4

How Syrgas Processes Client Data

4.1 Access

Syrgas Pty Ltd accesses Client Data through the tools and systems listed in Schedule A. Access is granted by the Client specifically for the purposes of the Engagement and is revoked on termination of the Agreement. Syrgas Pty Ltd will not retain access credentials beyond the period necessary for the Engagement.

4.2 No autonomous AI decisions

Syrgas Pty Ltd will not use AI Tools to make automated decisions about identifiable individuals that have legal or similarly significant effects without a documented human review step and explicit Client approval. All AI-assisted recommendations and outputs undergo human review by Syrgas Pty Ltd before being delivered to the Client or deployed in the Client's systems.

4.3 Sub-processors

Client Data is processed by the Sub-processors listed in Schedule A. Syrgas Pty Ltd has reviewed the data processing terms and privacy policies of each Sub-processor and is satisfied that they provide an adequate level of protection for Client Data. Syrgas Pty Ltd will notify the Client at least 14 days before engaging a new Sub-processor that will process Client Data.

ToolData processedStorage locationData residencyCompliant
HubSpotContact data, deal records, email content, lead scoresHubSpot Inc., USAUS — GDPR/APPs compliantYes
ZapierData in transit between platforms — no persistent storage beyond 7 daysZapier Inc., USAUS — SOC 2 Type IIYes
Instantly.aiContact names, email addresses for personalisationInstantly.ai serversUS/EU — contractual safeguardsYes
CalendlyContact names, email addresses, meeting timesCalendly LLC, USAUS — GDPR compliantYes
LucidchartProcess diagrams — no personal data unless included in diagram contentLucid Software, USAUS — SOC 2 certifiedYes
Google Looker StudioAggregated metrics only — no personal dataGoogle LLCAustralian region preferredYes
WebflowEmail addresses from form submissionsFastly CDN — globalGlobal CDN — encryptedYes
4.4 International transfers

Some Sub-processors store and process data outside Australia, primarily in the United States and European Union. Syrgas Pty Ltd has assessed each transfer and is satisfied that appropriate safeguards are in place, including contractual protections in Sub-processor data processing agreements, Sub-processor compliance with applicable data protection frameworks, and encryption of data in transit and at rest.

The Client consents to these international transfers by entering this Addendum. Where the Client has specific data residency requirements, these must be agreed in writing before the Engagement commences and may affect the tools available for the Engagement.

Section 5

Security Measures

5.1 Syrgas Pty Ltd security obligations

Syrgas Pty Ltd will implement and maintain reasonable technical and organisational security measures appropriate to the nature and sensitivity of the Client Data being processed.

Security measureHow Syrgas Pty Ltd implements it
Access controlClient Data is accessible only to Syrgas Pty Ltd personnel directly involved in the Engagement. Access credentials are unique per person and not shared.
Encryption in transitAll data transferred between Syrgas Pty Ltd and Client systems or third-party tools is encrypted using TLS 1.2 or higher.
Encryption at restClient Data stored in Syrgas Pty Ltd-controlled systems is encrypted at rest using AES-256 or equivalent.
Device securityDevices used to access Client Data are protected by full-disk encryption, strong passwords, and automatic screen lock. Remote wipe capability is enabled.
Password managementAll credentials related to Client systems and tools are managed using a reputable password manager. Unique credentials are used for each system.
Software updatesOperating systems and software used in connection with the Services are kept current with security patches.
Phishing and social engineeringSyrgas Pty Ltd does not respond to unsolicited requests to transfer Client Data or credentials, regardless of how they are presented.
Incident responseA documented incident response procedure is maintained and tested. The Client will be notified within 72 hours of a confirmed or suspected breach affecting Client Data.
5.2 Client security obligations

The Client is responsible for maintaining the security of its own systems, accounts, and credentials; ensuring that access credentials shared with Syrgas Pty Ltd are appropriately managed and revoked when no longer required; notifying Syrgas Pty Ltd promptly if it becomes aware of any actual or suspected unauthorised access to Client systems that may affect the Services; and ensuring that its own employees and contractors who interact with Syrgas Pty Ltd handle Client Data in accordance with applicable privacy laws.

5.3 No guarantee

Despite the security measures described in this clause, Syrgas Pty Ltd cannot guarantee the absolute security of Client Data. Syrgas Pty Ltd will notify the Client of any Data Breach in accordance with clause 6.

Section 6

Data Breach Response

6.1 Detection and containment

Syrgas Pty Ltd will maintain procedures for detecting, assessing, and responding to Data Breaches. On becoming aware of a confirmed or reasonably suspected Data Breach, Syrgas Pty Ltd will immediately take steps to contain the breach and assess its scope and likely impact.

6.2 Notification timeline
TimeframeActionDetail
0 to 24 hoursContain and assessIdentify the nature and scope of the breach. Take immediate steps to contain it. Preserve evidence. Notify the Syrgas Pty Ltd account holder.
24 to 72 hoursNotify ClientProvide the Client with written notification including: what data was affected, how the breach occurred (if known), steps taken to contain it, and estimated impact.
72 hours to 30 daysRemediate and reportImplement fixes to prevent recurrence. Cooperate with Client in any regulatory notifications required under the Privacy Act 1988 (Notifiable Data Breaches scheme). Provide written incident report.
OngoingMonitor and reviewContinue monitoring for further incidents. Review and update security measures as appropriate. Retain incident records for a minimum of five years.
6.3 Notification content

The initial notification to the Client will include, to the extent known at the time: a description of the nature of the Data Breach including the categories and approximate number of individuals and records affected; the likely consequences of the breach; the measures taken or proposed to address the breach and mitigate its effects; and the name and contact details of Syrgas Pty Ltd's point of contact for breach-related enquiries.

6.4 Regulatory notifications

Where a Data Breach is likely to trigger notification obligations under the Notifiable Data Breaches scheme, Syrgas Pty Ltd will cooperate with the Client in preparing any required notifications to the Office of the Australian Information Commissioner. The Client is responsible for making any required regulatory notifications, and Syrgas Pty Ltd will provide reasonable assistance.

6.5 Incident records

Syrgas Pty Ltd will maintain a record of all Data Breaches affecting Client Data, including breaches that were contained and did not require notification. These records will be retained for a minimum of five years and made available to the Client on request.

Section 7

Individual Rights and Client Obligations

7.1 Client as data controller

The Client, as data controller, is responsible for responding to requests from individuals exercising their rights under the Privacy Act 1988 (Cth), including requests to access, correct, or complain about the handling of their Personal Information.

7.2 Syrgas Pty Ltd assistance

Where Syrgas Pty Ltd holds or can access Client Data relevant to an individual's request, Syrgas Pty Ltd will provide the Client with reasonable assistance in responding to the request, including by locating, retrieving, correcting, or deleting relevant data as instructed by the Client. Syrgas Pty Ltd will respond to such requests within five business days.

7.3 Direct requests

If Syrgas Pty Ltd receives a direct request from an individual regarding Personal Information held in connection with the Client's Engagement, Syrgas Pty Ltd will promptly redirect the individual to the Client and will not respond to the request directly without the Client's authorisation.

Section 8

Data Retention and Deletion

8.1 Retention periods

Syrgas Pty Ltd retains Client Data only for as long as necessary to perform the Services, plus the retention periods specified in Section 3 of this Addendum. Retention periods reflect legal requirements, the legitimate needs of the parties, and best practice for professional services engagements.

8.2 Return and deletion on request

On written request by the Client, Syrgas Pty Ltd will return all Client Data in a commonly used, machine-readable format within 10 business days of the request; permanently delete all copies of Client Data from Syrgas Pty Ltd's systems and instruct Sub-processors to do the same, subject to any legal retention requirements; and provide written confirmation of deletion within 30 days of completing the deletion process.

8.3 Return and deletion on termination

On termination or expiry of the Agreement, Syrgas Pty Ltd will automatically initiate the return and deletion process described in clause 8.2 within 30 days of the termination date, unless the Client provides alternative written instructions.

8.4 Legal hold

Where Syrgas Pty Ltd is required by law to retain certain Client Data beyond the periods specified in this Addendum, Syrgas Pty Ltd will notify the Client in writing, identify the specific data and the legal basis for retention, and ensure the data is isolated from active processing.

Section 9

Consent and Email Compliance

9.1 Client consent obligations

Where Syrgas Pty Ltd designs, configures, builds, or operates email automation sequences on behalf of the Client, the Client warrants that it has obtained all necessary consents from recipients in accordance with the Spam Act 2003 (Cth); all recipients on any list used in connection with the Services have consented to receive commercial electronic messages from the Client; it will maintain records of consent sufficient to demonstrate compliance with the Spam Act 2003 (Cth); and it will promptly notify Syrgas Pty Ltd of any consent withdrawals or unsubscribe requests that affect automation sequences managed by Syrgas Pty Ltd.

9.2 Syrgas Pty Ltd email obligations

Syrgas Pty Ltd will ensure that all email automation sequences configured on behalf of the Client include a functional unsubscribe mechanism in every message; clearly identify the Client as the sender; are not sent to individuals who have previously unsubscribed or objected to receiving messages from the Client; and include the Client's accurate physical address or registered business address as required by the Spam Act 2003 (Cth).

9.3 Responsibility allocation

The Client is solely responsible for the accuracy and compliance of its contact lists. Syrgas Pty Ltd will implement technical unsubscribe mechanisms but is not responsible for ensuring that the Client's lists are legally compliant at the time of import. Where Syrgas Pty Ltd identifies a potential compliance concern with a contact list, it will raise this with the Client before proceeding.

Section 10

Audit and Compliance

10.1 Records

Syrgas Pty Ltd will maintain records sufficient to demonstrate compliance with this Addendum, including records of processing activities, security measures implemented, Sub-processors engaged, data breaches, and data deletion activities.

10.2 Client audit rights

The Client may request, no more than once per calendar year, written confirmation from Syrgas Pty Ltd that it is complying with its obligations under this Addendum. Syrgas Pty Ltd will respond to such requests within 15 business days. Where the Client has reasonable grounds to suspect a material breach of this Addendum, it may request more frequent confirmation.

10.3 Regulatory cooperation

Syrgas Pty Ltd will cooperate with the Client and, where required, with the Office of the Australian Information Commissioner or other relevant regulatory authorities in connection with any investigation or enquiry relating to the processing of Client Data under this Addendum.

Section 11

General

11.1 Relationship to Service Agreement

This Addendum is incorporated into and forms part of the AI Service Agreement. In the event of any inconsistency between this Addendum and the AI Service Agreement with respect to the handling of Client Data, this Addendum prevails.

11.2 Updates to this Addendum

Syrgas Pty Ltd may update this Addendum from time to time to reflect changes in applicable law, regulatory guidance, or Syrgas Pty Ltd's data handling practices. Syrgas Pty Ltd will provide the Client with at least 30 days written notice of any material changes. The Client's continued use of the Services after the notice period constitutes acceptance of the updated Addendum.

11.3 Governing law

This Addendum is governed by the laws of Victoria, Australia and the Commonwealth of Australia. Each party submits to the non-exclusive jurisdiction of the courts of Victoria.

11.4 Contact for privacy matters
Syrgas Pty Ltd — Privacy contact
For any queries, concerns, or complaints regarding the handling of Client Data, or to exercise rights under this Addendum, contact:
Website: syrgas.com.au
Response time: Syrgas Pty Ltd will acknowledge all privacy enquiries within 2 business days and respond substantively within 10 business days.
Schedule A

Current Sub-Processors

The following Sub-processors are currently engaged by Syrgas Pty Ltd to process Client Data in connection with the Services. Syrgas Pty Ltd will update this Schedule and notify the Client at least 14 days before adding or replacing any Sub-processor.

ToolData processedStorage locationData residencyCompliant
HubSpotContact data, deal records, email content, lead scoresHubSpot Inc., USAUS — GDPR/APPs compliantYes
ZapierData in transit between platforms — no persistent storage beyond 7 daysZapier Inc., USAUS — SOC 2 Type IIYes
Instantly.aiContact names, email addresses for personalisationInstantly.ai serversUS/EU — contractual safeguardsYes
CalendlyContact names, email addresses, meeting timesCalendly LLC, USAUS — GDPR compliantYes
LucidchartProcess diagrams — no personal data unless included in diagram contentLucid Software, USAUS — SOC 2 certifiedYes
Google Looker StudioAggregated metrics only — no personal dataGoogle LLCAustralian region preferredYes
WebflowEmail addresses from form submissionsFastly CDN — globalGlobal CDN — encryptedYes

Syrgas Pty Ltd confirms that it has entered into data processing agreements with each Sub-processor (or relies on their published data processing terms where a direct agreement is not required) and that each Sub-processor provides an adequate level of protection for Client Data consistent with the obligations in this Addendum.