Data Processing Agreement

When Plexxa processes personal information on a customer's behalf — for example, content uploaded by your team, or data passing through an embedded widget — these are the contractual terms that apply.

Effective: 8 May 2026 · Last updated: 8 May 2026

This is a starting-point Data Processing Agreement. We strongly recommend you have it reviewed by qualified privacy counsel before relying on it. References to "Customer" mean the entity entering into the Terms of Service; references to "Plexxa" or "Processor" mean Travelogica Pty Ltd ACN [insert ACN], trading as Plexxa.

1. Scope & relationship to the Terms

This Data Processing Agreement (the "DPA") supplements the Plexxa Terms of Service (the "Terms") and applies to the extent Plexxa Processes Personal Data on behalf of the Customer. If there is any conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA controls.

This DPA is intended to address the requirements of the Australian Privacy Principles under the Privacy Act 1988 (Cth) and, where applicable to a Customer's processing, the EU General Data Protection Regulation (2016/679) ("GDPR"), the UK GDPR, and equivalent laws.

2. Definitions

Capitalised terms not defined here have the meaning given in the Terms.

3. Roles & processing instructions

The parties acknowledge that, with respect to the Processing of Personal Data, the Customer is the Controller and Plexxa is the Processor. Plexxa will Process Personal Data only on the documented instructions of the Customer, including:

Plexxa will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law. Plexxa may Process Personal Data without instructions where required to do so by Australian or applicable foreign law (in which case Plexxa will, where legally permitted, inform the Customer of that legal requirement before processing).

4. Subject-matter, duration, nature & purpose

The subject-matter of the Processing is the provision of the Plexxa service. The duration is the term of the underlying agreement plus any retention period required by law. The nature of the Processing includes hosting, indexing, retrieval, transmission to AI sub-processors for inference, generation of derivative works (embeddings, summaries), and deletion. The purpose is to provide the Service to the Customer in accordance with the Terms.

5. Categories of data & data subjects

Categories of data subjects: end users of the Service authorised by the Customer (employees, contractors, agents); end users of any embedded widget the Customer deploys (e.g. visitors to the Customer's website); individuals named or otherwise identifiable in the Customer Content.

Categories of Personal Data: name, email address, IP address, browser metadata, queries submitted, content of documents the Customer chooses to upload, and any other Personal Data the Customer chooses to submit. Special category data (sensitive information) should not be uploaded; if it is, the Customer accepts that it is uploaded on the Customer's instructions and at the Customer's risk.

6. No use for AI training

Plexxa does not, and will not, use Customer Personal Data to train, fine-tune or otherwise improve any AI or machine-learning model — Plexxa's, a Sub-processor's, or any third party's. Plexxa contractually requires its model Sub-processors to refrain from such use.

7. Customer's responsibility for data uploaded

The Customer represents and warrants that:

8. Confidentiality & staff

Plexxa will: (a) treat Personal Data as confidential; (b) ensure personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations; (c) limit access to Personal Data to personnel who need it to provide the Service; and (d) provide reasonable training to those personnel on their data-protection obligations.

9. Security measures

Plexxa will implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The current measures are described in Schedule B and on our Security page.

Plexxa may update its security measures from time to time. Any update will not materially decrease the overall protection of Personal Data.

10. Personal data breaches

Plexxa will, on becoming aware of a Personal Data Breach affecting Customer Personal Data, notify the Customer without undue delay and in any event within 72 hours where required by applicable law. The notification will include, to the extent known: a description of the nature of the breach, the categories and approximate number of data subjects and records involved, the likely consequences, and the measures taken or proposed to address the breach.

Plexxa will reasonably assist the Customer with the Customer's own breach-notification obligations (including under Part IIIC of the Privacy Act 1988 (Cth) and Articles 33–34 GDPR), but the Customer remains responsible for assessing whether a breach is notifiable and for making the relevant notifications.

11. Data subject requests

The Service provides functionality to help the Customer respond to requests from data subjects (e.g. access, correction, deletion). Where a data subject contacts Plexxa directly with a request that should be directed to the Customer, Plexxa will refer the data subject to the Customer and will not independently respond, except as required by law. Plexxa will provide reasonable assistance to the Customer in responding to such requests, taking into account the nature of the Processing and the information available to Plexxa.

12. Audits & information rights

Plexxa will make available to the Customer, on reasonable request, the information necessary to demonstrate compliance with this DPA, including (when available) third-party audit reports, our published Security page, and responses to a security questionnaire.

If the Customer is required by applicable law to perform an audit, the Customer may, no more than once per twelve-month period and on at least 30 days' written notice, conduct an audit of Plexxa's compliance with this DPA. Such audit will be: (a) conducted during business hours; (b) limited to information strictly necessary; (c) subject to confidentiality obligations; and (d) at the Customer's cost (except where the audit reveals material non-compliance, in which case Plexxa bears reasonable costs). Plexxa may satisfy this obligation by providing a recent third-party audit report covering equivalent scope.

13. Sub-processors

The Customer authorises Plexxa to engage Sub-processors to Process Personal Data, subject to the conditions in this section. The current list of authorised Sub-processors is in Schedule C.

Plexxa will: (a) enter into a written contract with each Sub-processor that imposes data-protection obligations substantially equivalent to those in this DPA; (b) remain liable for the Sub-processor's compliance; and (c) notify the Customer in writing (which may be by email or via the Plexxa website) at least 30 days before adding or replacing a Sub-processor that processes Personal Data. The Customer may object on reasonable, data-protection-related grounds within that period. If the parties cannot agree a resolution within a further 30 days, the Customer's exclusive remedy is to terminate the affected Service for material breach with a pro-rated refund of prepaid fees for the unused portion of the Service term.

14. International transfers

Some Sub-processors are located outside Australia (see Schedule C). For Personal Data transferred from the EEA, UK or Switzerland to a country not deemed adequate by the relevant authority, Plexxa relies on the Standard Contractual Clauses (with the UK Addendum or Swiss equivalent where applicable), which are incorporated into this DPA by reference. The Customer authorises Plexxa to enter into the SCCs with Sub-processors on the Customer's behalf, on its standard terms.

For data subject to the Australian Privacy Principles, Plexxa takes steps that are reasonable in the circumstances (per APP 8) to ensure overseas recipients do not breach the APPs in relation to the data, including by entering into appropriate contractual protections.

15. Return & deletion

On termination or expiry of the underlying agreement, Plexxa will, on the Customer's written instruction, return or delete all Personal Data, except to the extent retention is required by applicable law. In the absence of an instruction within 30 days, Plexxa will delete Personal Data from production systems; backup copies age out within a further 30 days. Plexxa is not obliged to delete Personal Data the Customer can re-export itself prior to termination.

16. Liability

The liability of each party under or in connection with this DPA is subject to the same limitations and exclusions of liability set out in the Terms (including the Australian Consumer Law carve-outs). For clarity, the aggregate cap in the Terms applies in aggregate to claims under both the Terms and this DPA.

17. Term & survival

This DPA takes effect on the earlier of (a) the Customer's acceptance of the Terms, or (b) the Customer's first use of the Service, and continues until the end of Plexxa's Processing of Personal Data on behalf of the Customer. Provisions which by their nature should survive (including Sections 15 and 16, and the audit / breach-cooperation obligations) survive termination.

18. General

This DPA is governed by the law and jurisdiction set out in the Terms, except that for transfers subject to the SCCs, the governing law and forum specified in the SCCs will apply to disputes about those transfers.

Schedule A — Processing details

Subject-matter: provision of the Plexxa AI assistant service to the Customer.

Duration: the term of the Customer's subscription plus any post-termination retention permitted under Section 15.

Nature & purpose: hosting, indexing, retrieval, transmission to AI Sub-processors for inference, generation of derivative works (embeddings, summaries), audit logging, billing, and deletion.

Categories of data subjects: the Customer's employees, contractors and agents; visitors to any embedded widget the Customer deploys; individuals identifiable in Customer Content.

Categories of Personal Data: name, email, IP address, browser/user-agent, content of queries, content of documents and other materials the Customer uploads, links to, or connects.

Schedule B — Technical & organisational measures

Plexxa implements the security measures described on its public Security page, including:

Schedule C — Sub-processors

The following Sub-processors are authorised at the date of this DPA. Plexxa will notify the Customer of changes at least 30 days in advance (per Section 13).

Sub-processors located outside Australia rely on Standard Contractual Clauses, the UK IDTA, or equivalent transfer mechanisms, as applicable.

Operator: Travelogica Pty Ltd ACN [insert ACN]
Trading as: Plexxa
Address: [insert registered address], NSW, Australia
DPA contact: dpa@plexxa.ai