Data Processing Addendum

Mainbridge Software Pty Ltd · ABN 81 127 633 881 · Effective 8 June 2026

This DPA is intended to help business and enterprise customers assess how Mainbridge handles customer data when providing its products and services.

1. Scope

This Data Processing Addendum applies where Mainbridge processes personal information on behalf of a business customer through a Mainbridge product or service. It forms part of the customer's agreement with Mainbridge unless the parties sign a separate data processing agreement.

2. Roles

The customer is responsible for determining why and how customer data is processed. Mainbridge processes customer data to provide, secure, support, and improve the relevant service. Depending on the applicable privacy law and product context, the customer may act as controller, principal, or accountable organisation, and Mainbridge may act as processor, service provider, or recipient.

3. Processing instructions

Mainbridge will process customer data according to the agreement, product configuration, documented customer instructions, and applicable law. We may also process data as needed to prevent misuse, maintain security, comply with law, or protect legal rights.

4. Security controls

  • encryption in transit where technically supported
  • access controls and least-privilege permissions
  • credential separation and secure secret handling
  • logging, monitoring, and backup controls appropriate to the service
  • reasonable provider security review and operational safeguards

5. Subprocessors

Mainbridge may use subprocessors to host, deliver, secure, support, analyse, bill, or operate the services. Current categories include cloud hosting, email delivery, payment processing, analytics or error monitoring where enabled, domain and DNS services, and professional advisers.

Expected providers may include Amazon Web Services, Circumvend-operated email delivery infrastructure, payment processors where paid products are offered, and analytics or error monitoring providers where enabled. We will update our Privacy Policy or this DPA when our subprocessors materially change.

6. Cross-border transfers

Customer data may be processed in Australia, the United States, Singapore, and other countries where Mainbridge or its subprocessors operate infrastructure, support, security, billing, or delivery services. We take reasonable steps to use suitable providers and contractual protections where practicable.

7. Data breach notification

If Mainbridge becomes aware of a confirmed or reasonably suspected security incident affecting customer data, we will investigate promptly and notify the affected customer without undue delay where required by law or where the incident materially affects the customer's data. The customer is responsible for any notifications it is legally required to make to its own users, regulators, or affected individuals, except where the law requires Mainbridge to notify directly.

8. Return and deletion

On account closure or contract termination, Mainbridge will delete, de-identify, or return customer data according to the product functionality and agreement, subject to retention needed for legal, accounting, backup, security, dispute, or legitimate business purposes.

9. Customer responsibilities

The customer is responsible for having a lawful basis to provide data to Mainbridge, giving required notices, obtaining required consents, configuring product settings, managing users, limiting access, and avoiding unnecessary personal information in support tickets, logs, exports, or free text fields.