This Data Processing Addendum (the “DPA”) is entered into between the Customer and World Wide Productions Pty Ltd ABN 84 068 751 771, trading as martinCRM (“martinCRM”, “we”, “us”) and forms part of the martinCRM Terms of Service (the “Terms”). It applies to our processing of Personal Information contained in Customer Data on the Customer’s behalf.
This DPA is currently published as version 0.1 to satisfy the commitment in the Terms that a DPA will be available before martinCRM accepts paying customers. We will refine the wording in consultation with external counsel before relying on it for an executed customer contract.
1. Parties and scope
This DPA applies between the Customer (the entity identified in the Order or, where no entity is identified, the individual that subscribes to the Service) and martinCRM. It governs our processing of Personal Information contained in Customer Data submitted to or generated by the Service for the duration of the subscription term, and for any subsequent period during which Customer Data is held by us pending export or deletion.
2. Definitions
Capitalised terms not defined here have the meaning given to them in the Terms.
- Personal Information means “personal information” as defined in the Privacy Act 1988 (Cth) and includes “personal data” as defined in the EU/UK General Data Protection Regulation where that legislation applies.
- Privacy Laws means the Privacy Act 1988 (Cth) and the Australian Privacy Principles, together with any other data-protection law applicable to the Customer’s use of the Service (which the Customer is responsible for identifying).
- Sub-processor means any third party engaged by martinCRM to process Personal Information contained in Customer Data on the Customer’s behalf.
3. Roles of the parties
For Personal Information contained in Customer Data, the Customer is the controller (or, in Australian terms, the APP entity that determines the purposes for which the Personal Information is collected and held), and martinCRM is the processor (or service provider) acting on the Customer’s instructions.
For data we collect about the Customer’s administrative users (for example, account credentials and audit logs of administrative actions) we act as a controller; that processing is described in our Privacy Policy.
4. Processing instructions
martinCRM will process Personal Information contained in Customer Data only:
- to provide, secure, support and improve the Service in accordance with the Terms and the Customer’s configuration of the Service;
- to comply with the Customer’s reasonable, documented instructions (including instructions given through the Service’s administrative interfaces); and
- to comply with applicable law (in which case we will tell the Customer of the legal requirement before processing, unless the law prohibits us from doing so).
We will tell the Customer if, in our opinion, an instruction breaches Privacy Laws.
5. Confidentiality of personnel
We will ensure that personnel authorised to process Personal Information contained in Customer Data are bound by appropriate obligations of confidentiality (whether by contract or by law), and have received training appropriate to their role.
6. Security measures
We will implement and maintain appropriate technical and organisational measures designed to protect Personal Information contained in Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The measures we implement currently include:
- encryption in transit (HTTPS/TLS) and at rest;
- tenant-level data isolation, including row-level security in the relational database and prefix-based isolation in object storage;
- role-based access controls and least-privilege access for our personnel;
- multi-factor authentication for our administrative consoles;
- audit logging of administrative and security-relevant actions;
- no embedding of third-party behavioural analytics inside the Service.
A current summary of our security measures is available on request.
7. Sub-processors
The Customer authorises martinCRM to engage the Sub-processors listed at /legal/sub-processors to process Personal Information contained in Customer Data on the Customer’s behalf. We will:
- give the Customer at least 30 days’ notice before adding or replacing a Sub-processor;
- impose data-protection obligations on each Sub-processor that are no less protective than this DPA in any material respect; and
- remain liable to the Customer for the acts and omissions of each Sub-processor that affect Personal Information contained in Customer Data.
If the Customer reasonably objects to a new Sub-processor and we cannot accommodate the objection within 30 days, the Customer may terminate the affected subscription and receive a pro-rata refund of pre-paid unused fees, as set out in the Terms.
8. Data-subject requests
The Service provides the Customer with administrative tools to access, correct, export and delete Personal Information contained in Customer Data. To the extent the Customer cannot fulfil a data-subject request through those tools, we will provide reasonable assistance, taking into account the nature of the processing and the information available to us.
If we receive a data-subject request directed to Personal Information held on the Customer’s behalf, we will, unless legally required to respond, refer the request to the Customer and not respond to the data subject ourselves.
9. Personal data breach notification
We will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of any breach of security that affects Personal Information contained in the Customer’s Customer Data. Our notice will include, to the extent then known, the nature of the breach, the categories and approximate volume of data affected, the likely consequences, and the measures we have taken or propose to take to address the breach.
We will provide the Customer with reasonable assistance to enable the Customer to comply with its own breach-notification obligations under the Notifiable Data Breaches scheme and other applicable Privacy Laws.
10. Audits and certifications
On the Customer’s reasonable written request (no more than once per 12-month period, except where a regulator or a personal data breach reasonably requires more), we will provide:
- our then-current SOC 2 Type II report (when available) or an equivalent third-party audit report; and
- responses to a reasonable security questionnaire, scoped to the Service.
On-site audits may be agreed where required by law and conducted on terms (including notice, scope, confidentiality and cost) agreed in advance.
11. International transfers
We design the Service to keep Personal Information contained in Customer Data within Australia. Our current Sub-processors for Customer Data (AWS hosting and Amazon SES) operate in AWS’s Sydney (ap-southeast-2) region. If a future Sub-processor of Customer Data is located outside Australia, we will identify it on the sub-processor list, give notice of the change, and apply appropriate transfer safeguards (such as the European Commission’s Standard Contractual Clauses for any transfers subject to the GDPR).
12. Return or deletion on termination
On termination or expiry of the subscription, the Customer may export Customer Data through the Service’s export tools or by request, in accordance with the Terms. After the export window, we will delete Customer Data from the live Service in the ordinary course, and from operational backups in accordance with our backup-rotation schedule, unless retention is required by law.
13. Liability and order of precedence
The liability provisions of the Terms apply to this DPA. If there is any conflict between this DPA and the Terms in relation to the processing of Personal Information contained in Customer Data, this DPA prevails.
14. Changes to this DPA
We may update this DPA from time to time. For changes that materially and adversely affect the Customer’s rights or obligations, we will give at least 30 days’ notice (by email to the account’s primary administrator and a notice on this page). If the Customer objects to the change, the Customer may terminate the affected subscription and receive a pro-rata refund of pre-paid unused fees.