Should the Supplier create, access, store, process or transmit Client Information or connect to or otherwise interact with Client Systems, this Data Security Schedule (“Schedule”) will act as a guide for the Supplier and the Client, as to how we handle this data and what security is in place.
“Supplier” means Debt Recoveries Australia and / or DRA Mercantile.
“Customer” means the debtor.
“Client” means the company, business or individual instructing the Supplier to provide services, such as debt collection.
“Data” means (a) any “personal information” as defined in the Australian Privacy Act 1988 (Cth) about any individual disclosed by the Client to the Supplier in connection with or under the Agreement, and (b) any other information about an individual that is subject to applicable Privacy Laws.
“Privacy and Security Laws” means all laws and regulations and codes of practice issued by any Regulator, as amended or replaced, applicable to the supplier or the Client, which relate to the security, confidentiality, protection, or privacy of Client Information, including without limitation, the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
“Regulator” means any governmental, statutory, legal, regulatory or enforcement authority, regulator, body, or agency concerned with Privacy and Security Laws, or any activities carried on by the Client or the supplier pursuant to this Agreement or Schedule, including without limitation, any data protection authority, insurance regulator, and financial services regulator.
“Security” means the supplier’s technological, technical, physical, administrative, organizational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software and firmware, the function or purpose of which is, in whole or part, to: (a) protect the confidentiality, integrity or availability of Client Information and Supplier Systems; (b) prevent the unauthorized use of or unauthorized access to Client Information and Supplier Systems; (c) prevent the loss, theft or damage of Client Information; (d) prevent a breach, damage or malicious infection of Supplier Systems and Client Systems; or (e) comply with Privacy and Security Laws.
“Security Breach” means any actual or reasonably suspected: (a) unauthorized use of, or unauthorized access to, Supplier Systems or Client Systems used by or on behalf of the supplier; (b) damage to, or inability to access, Client Information or Supplier Systems due to a malicious use, attack or exploit of such Client Information or Supplier Systems; (c) unauthorized access to, theft of or loss of Client Information; (d) unauthorized use of Client Information for purposes of actual, reasonably suspected, or attempted theft, fraud, identity theft or other misuse; (e) breach of, or transmission of malicious code to, Client Systems arising from, in whole or part, an act, error, or omission of the Supplier, or third parties acting on behalf of the supplier; or (f) unauthorized disclosure of Client Information.
“Supplier Systems” means any computer, network, application, imaging device, storage device or media, mobile computing device, or any other information technology, hardware or software, owned, leased or controlled by the supplier or operated by a third party for or on behalf of the supplier that uses, creates, stores, accesses, processes or transmits Client Information, or that is connected to or otherwise interacts with Client Systems.
“Staff” means any employee, officer or director, or an individual working as a consultant, independent contractor or agent, and/or temporary worker.
- Supplier Obligations
2.1 Security and Compliance
The Supplier is responsible for the security of Supplier Systems and any Data and Client Information. The Supplier agrees that from either the effective date of the Agreement, when services commence under the Agreement, or when the supplier has access to Client Information, and continuing as long as the supplier controls, accesses, possesses, stores, transmits or otherwise processes Client Information, the supplier shall employ and maintain reasonable, appropriate and adequate Security to:
- protect all Client Information from unauthorized use, alteration, access or disclosure, and loss, theft, and damage, and to protect and ensure the confidentiality, integrity and availability of Client Information; and
- prevent a Security Breach.
2.2 Use of Third Parties
The Supplier shall not provide any supplier, cloud computing company, subcontractor, vendor, or other third party (“Subcontractor”) with access to Client Information, or allow any Subcontractor to transmit, store or process Client Information, unless it has received prior written consent from the Client or such access is specifically allowed under the Agreement. In any event, the supplier is and shall remain fully responsible for any act, error or omission of any Subcontractor retained by the supplier with respect to this Schedule and the Agreement.
2.3 Ownership and Use Limitations
As between the Supplier and Client, the Client is the owner of any and all Client Information provided by the Client’s clients, customers, Staff, third party business partners or other users, if applicable, and the Supplier shall have no intellectual property or any other ownership rights or interest in Client Information.
Subject to clause 2.4 below, the Supplier shall use, process and handle Client Information solely for the purpose of providing services under and in accordance with the Agreement, and shall not use Client Information for any purposes not contemplated by the Agreement or the purposes of any party other than the Client, including, without limitation, any marketing purposes; any transfer, sharing or selling of Client Information; or any aggregation, analysis or anonymization of Client Information for its own purposes.
The Client agrees to let the Supplier use the contact information of the Client and the Client’s staff provided in order to send the Client correspondence and marketing via email addresses collected from emails sent to the Supplier and which addresses may be added to the Supplier’s subscriber list.
The Supplier will however initially offer the Client and Client’s staff an opportunity to subscribe to their email newsletters and such marketing. If the Client or Client’s staff does not wish to receive the newsletters and marketing, the Client and Client’s staff will have an opportunity to click “unsubscribe” at the bottom of the newsletter and marketing.
Notwithstanding the foregoing, the Supplier will not share the Client’s email addresses with a third party without the Client’s prior consent.
- Customer Data
The Client will supply all data or information required to supply or maintain the Services, to perform our obligations under these Terms and Conditions or as we may reasonably specify from time to time (Customer Data).
The Client warrants that:
- they hold all necessary legal rights, title, consents and authority to provide the Customer Data to us and authorise us to use the Customer Data in accordance with these Terms and Conditions;
- the supply of the Customer Data will not infringe the Intellectual Property Rights of any person;
- the Customer Data is complete, accurate, up-to-date and not misleading at the time it is provided; and
- they will supply us with all information to correct and update the Customer Data from time to time and authorise us to apply those corrections and updates.
3.2 Duty of Obligation
Except to the extent required by law, we have no duty or obligation to verify, correct, complete, update, remove or delete any of the Customer Data.
The Client acknowledges that the quality of our Services relies on the Customer Data you provided to us. We will not be liable for any loss or damage arising from your failure or delay in providing the Customer Data or for any inaccuracy, omission or other defect in the Customer Data.
3.4 Licence over Customer Data. The Client grants us a non-exclusive, perpetual, irrevocable, transferable, royalty-free licence to use and sub-license the Customer Data to supply our Services to you and to others, to otherwise fulfil our obligations under these Terms and Conditions, to validate and enhance our Services and for any other lawful purpose or for any purpose expressly authorised by you.
- Monitoring and Reporting
The Supplier shall provide the Client upon reasonable request with any information that the Client requests concerning the Supplier’s compliance with this Schedule, Security Breaches, the supplier’s access to, and creation, storage, processing, transmission and destruction of, Client Information, and the accessing and use of Supplier Systems and Client Systems.
4.2 Security Assessments
Upon the provision of reasonable notice to the Supplier, not more than once per year during the term of the Agreement, any time after a Security Breach, or at the request or direction of a Regulator or customer, client or business partner of the Client in connection with any legal or regulatory requirement, the Client (or any third party reasonably selected by the Client) may undertake an investigation and assessment of the Supplier’s compliance with this Schedule, the Supplier’s storage, processing and transmission of Client Information, the accessing and use of Supplier Systems and/or any Security Breach (if applicable). Any such investigation or assessment shall be conducted during normal business hours unless otherwise agreed to by the parties, and the parties shall endeavour to conduct the investigation and assessment in a manner intended to limit the non-availability of Supplier Systems.
- Security Breach Response
- Security Breach Response Actions
In the event of a Security Breach, the Supplier shall:
(a) immediately conduct a reasonable investigation of the reasons for and circumstances of such Security Breach;
(b) use reasonable efforts and take all necessary actions to prevent, contain, and mitigate the impact of, such Security Breach, and remediate such Security Breach, without delay;
(c) provide immediate notice to the Client, and in any event within twelve (12) hours after the Supplier discovered such Security Breach;
(d) collect and preserve all evidence concerning the discovery, cause, vulnerability, remedial actions and impact related to such Security Breach;
(e) document the incident response and remedial actions taken;
(f) keep the fact and details of the Security Breach confidential, to the extent possible, during the investigation and remediation of the Security Breach and limit communications about the Security Breach to those necessary to fulfil the requirements of subsections 4.1 (a) to (e) above.
5.2 Security Breach Notice. The Supplier authorizes the Client to provide third parties with notice of, and reasonable information and documents concerning, any Security Breach, including, without limitation, individuals or entities that may have been impacted by the Security Breach.
- Material Breach
- Breach of Schedule
Notwithstanding anything to the contrary set forth in the Agreement, the following shall be considered a material breach or default of the Agreement: (a) a Security Breach; and/or (b) the supplier’s failure to comply with the obligations set forth in this Schedule. In the event of such a breach or default, the Client, in its sole and absolute discretion, may terminate the Agreement in accordance with its terms.
- Cooperation and Coordination
The supplier agrees to reasonably cooperate and coordinate with the Client concerning: (a) the Client’s investigation, enforcement, monitoring, document preparation, notification requirements and reporting concerning Security Breaches, and the supplier’s and the Client’s compliance with Privacy and Security Laws, including without limitation, investigations by any government authority or Regulator; and (b) any other activities or duties set forth under this Schedule for which cooperation between the Client and the Supplier may be reasonably required by the Client.
- Supplier’s Expense
The Supplier’s compliance with this Schedule shall be at the Supplier’s sole and exclusive expense and shall be included as part of the price of the services provided by the Supplier for no additional fee to the Client, including without limitation, any of the Client requests authorized herein.
The Supplier’s obligations and the Client’s rights in this Schedule shall continue so long as the Supplier, or a third party for or on the Supplier’s behalf, controls, possesses, stores, transmits or processes Client Information, or is connected to or otherwise interacts with Client Systems, including after expiration or termination of the Agreement.