Effective Date: 1 January 2025
Version: 2.0 — Ultra-Final (Djenie Edition)

1. INTRODUCTION

This Data Processing Agreement (“DPA”) forms part of the contractual relationship between customer organisations (“Customer”) and In Delay There Lies No Plenty Pty Ltd ACN 162 881 138 ATF Future Thinking Family Trust t/a Djenie ABN 98 399 797 036 (“Djenie”), governing the processing of Personal Data in connection with Djenie’s membership-management systems, custom development services, and associated operational platforms.
This DPA ensures compliance with:

  • Australian Privacy Act 1988 & APPs
  • EU GDPR & UK GDPR
  • CPRA (California)
  • China PIPL
  • LATAM privacy laws including LGPD
  • Global data protection standards

2. DEFINITIONS

  • Customer: the organisation licensing or using Djenie’s services.
  • Customer Data: Personal Data uploaded, provided, or otherwise submitted by the Customer.
  • Djenie Data: Operational analytics, logs, metadata, and service-generated information.
  • Personal Data: Information relating to an identifiable individual.
  • Processing: Any operation performed on Personal Data.
  • Controller: Entity determining the purposes of Processing.
  • Processor: Entity processing Personal Data on behalf of a Controller.
  • Subprocessor: Third party engaged by Djenie to support Processing.

3. ROLES AND RESPONSIBILITIES (HYBRID MODEL)

Djenie may act as:

  • Processor for: Customer Data including membership information, uploads, workflow data, records, or program data.
  • Controller for: account records, authentication data, analytics, operational logs, security monitoring, billing information.

4. SUBJECT MATTER & DURATION

Djenie processes Customer Data only to deliver, maintain, and support Djenie services.
Processing continues for the duration of the Customer agreement and ends upon deletion or return of Customer Data.

5. CUSTOMER INSTRUCTIONS

Djenie processes Customer Data solely on:

  • documented Customer instructions, or
  • where legally required.

Djenie will never sell Customer Data.

6. SECURITY OF PROCESSING

Djenie maintains technical and organisational measures including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls (MFA, RBAC, least privilege)
  • Secure SDLC and code reviews
  • Network segmentation and cloud hardening
  • SAST/DAST and dependency scanning
  • Logging, SIEM, monitoring, and alerting
  • Business continuity and disaster recovery aligned with ISO 22301
  • Vulnerability scanning and defined patching SLAs

7. CONFIDENTIALITY

All authorised staff are subject to confidentiality obligations and regular security training.

8. SUBPROCESSORS

Djenie:

  • imposes GDPR-equivalent requirements on all subprocessors
  • maintains a Subprocessor Register
  • ensures subprocessors meet equivalent security standards
  • remains responsible for subprocessor actions

9. INTERNATIONAL TRANSFERS

Cross-border transfers rely on:

  • Standard Contractual Clauses (SCCs)
  • UK Addendum
  • Adequacy decisions
  • PIPL-compliant safeguards
  • Additional technical measures where appropriate

10. ASSISTANCE TO CUSTOMER

Djenie assists Customers with:

  • Data Subject Requests
  • Data Protection Impact Assessments
  • Regulatory engagement
  • Security and compliance documentation

11. DATA SUBJECT RIGHTS

Djenie notifies Customers of relevant Data Subject Requests and supports fulfilment as required.

12. PERSONAL DATA BREACH NOTIFICATION

Djenie will:

  • notify the Customer without undue delay
  • provide breach details and remediation actions
  • assist with Customer regulatory obligations

13. CUSTOMER RESPONSIBILITIES

Customers must:

  • ensure lawful basis for Customer Data
  • provide notices and obtain consents where required
  • configure their systems and permissions securely
  • secure Customer-side access controls and credentials

14. AUDITS & COMPLIANCE

Djenie maintains documentation proving compliance with this DPA and applicable law.
Customers may request information and, under appropriate safeguards, conduct audits without compromising Djenie’s security architecture.

15. DATA RETENTION & DELETION

Customer Data is:

  • deleted or returned upon termination
  • removed from backups following automated lifecycle expiry

16. LIABILITY

Liability is governed by the primary Customer Agreement.
Djenie is responsible for Processor obligations; Customers remain responsible for instructions and Customer-side controls.

17. TERM & SURVIVAL

This DPA remains effective while Djenie processes Customer Data.
Confidentiality, liability, and retention/deletion obligations survive termination.

18. GOVERNING LAW

For Australian Customers, this DPA is governed by the laws of Queensland, Australia.
For other regions, the governing law follows the main agreement.

19. CONTACT

privacy@djenie.com
Djenie, Brisbane, Australia

ANNEX A — DEFINITIONS

(Full list included in original DPA; adapted for Djenie.)

ANNEX B — DATA CATEGORIES & PROCESSING PURPOSES

Data Subjects: administrators, members, staff, end users, support contacts.
Data Categories: identifiers, account details, logs, uploaded documents.
Purposes: service delivery, authentication, security, analytics, support.

ANNEX C — TECHNICAL & ORGANISATIONAL MEASURES (TOMs)

  • RBAC, MFA
  • Encryption in transit and at rest
  • SIEM monitoring
  • DR/BCP
  • Secure development lifecycle
  • Staff training

VERSION CONTROL & GOVERNANCE

Version: 2.0 — Ultra-Final (Djenie Edition)
Effective Date: 1 January 2025
Approval: Chief Executive Officer, Djenie
Change Summary: Full rewrite replacing Cushi-specific structures with Djenie; aligned to membership-management scope and international processing rules.
Review Cycle: Annual or upon legislative change.