Terms defined in the AI Service Agreement have the same meaning in this Addendum. In addition, the following definitions apply:
Syrgas Pty Ltd processes Client Data as a data processor acting on behalf of the Client as data controller for the purposes of the Privacy Act 1988 (Cth). The Client determines the purposes and means of processing Client Data and is responsible for ensuring that its own collection and use of that data comply with applicable privacy laws.
Syrgas Pty Ltd will process Client Data only for the following purposes, and for no other purpose without the Client's prior written consent:
Syrgas Pty Ltd will not:
The following table identifies the categories of Client Data that Syrgas Pty Ltd may process in connection with the Services, together with the legal basis for processing and the applicable retention period.
| Data category | Examples | Legal basis | Retention period |
|---|---|---|---|
| Contact and identity data | Full name, email address, phone number, job title, company name | Performance of contract; Legitimate interests | Duration of engagement + 3 years |
| Business performance data | Lead volumes, conversion rates, revenue figures, pipeline data | Performance of contract | Duration of engagement + 3 years |
| CRM and pipeline data | Deal records, lead scores, contact history, email sequences | Performance of contract | Duration of engagement + 1 year |
| Process and workflow data | Current-state process maps, bottleneck analysis, workflow configurations | Performance of contract | Duration of engagement + 3 years |
| Email content data | Email templates, sequence copy, automated message content | Performance of contract | Duration of engagement + 1 year |
| Website and analytics data | Form submissions, page traffic, lead source attribution | Legitimate interests; Consent where required | Duration of engagement + 1 year |
| Employee and team data | Names and roles of team members participating in training or interviews | Legitimate interests | Duration of engagement only |
Syrgas Pty Ltd will request only the minimum Client Data necessary to perform each specific task. Where the Services can be performed using anonymised or aggregated data, Syrgas Pty Ltd will prefer that approach over processing Personal Information.
Syrgas Pty Ltd accesses Client Data through the tools and systems listed in Schedule A. Access is granted by the Client specifically for the purposes of the Engagement and is revoked on termination of the Agreement. Syrgas Pty Ltd will not retain access credentials beyond the period necessary for the Engagement.
Syrgas Pty Ltd will not use AI Tools to make automated decisions about identifiable individuals that have legal or similarly significant effects without a documented human review step and explicit Client approval. All AI-assisted recommendations and outputs undergo human review by Syrgas Pty Ltd before being delivered to the Client or deployed in the Client's systems.
Client Data is processed by the Sub-processors listed in Schedule A. Syrgas Pty Ltd has reviewed the data processing terms and privacy policies of each Sub-processor and is satisfied that they provide an adequate level of protection for Client Data. Syrgas Pty Ltd will notify the Client at least 14 days before engaging a new Sub-processor that will process Client Data.
| Tool | Data processed | Storage location | Data residency | Compliant |
|---|---|---|---|---|
| HubSpot | Contact data, deal records, email content, lead scores | HubSpot Inc., USA | US — GDPR/APPs compliant | Yes |
| Zapier | Data in transit between platforms — no persistent storage beyond 7 days | Zapier Inc., USA | US — SOC 2 Type II | Yes |
| Instantly.ai | Contact names, email addresses for personalisation | Instantly.ai servers | US/EU — contractual safeguards | Yes |
| Calendly | Contact names, email addresses, meeting times | Calendly LLC, USA | US — GDPR compliant | Yes |
| Lucidchart | Process diagrams — no personal data unless included in diagram content | Lucid Software, USA | US — SOC 2 certified | Yes |
| Google Looker Studio | Aggregated metrics only — no personal data | Google LLC | Australian region preferred | Yes |
| Webflow | Email addresses from form submissions | Fastly CDN — global | Global CDN — encrypted | Yes |
Some Sub-processors store and process data outside Australia, primarily in the United States and European Union. Syrgas Pty Ltd has assessed each transfer and is satisfied that appropriate safeguards are in place, including contractual protections in Sub-processor data processing agreements, Sub-processor compliance with applicable data protection frameworks, and encryption of data in transit and at rest.
The Client consents to these international transfers by entering this Addendum. Where the Client has specific data residency requirements, these must be agreed in writing before the Engagement commences and may affect the tools available for the Engagement.
Syrgas Pty Ltd will implement and maintain reasonable technical and organisational security measures appropriate to the nature and sensitivity of the Client Data being processed.
| Security measure | How Syrgas Pty Ltd implements it |
|---|---|
| Access control | Client Data is accessible only to Syrgas Pty Ltd personnel directly involved in the Engagement. Access credentials are unique per person and not shared. |
| Encryption in transit | All data transferred between Syrgas Pty Ltd and Client systems or third-party tools is encrypted using TLS 1.2 or higher. |
| Encryption at rest | Client Data stored in Syrgas Pty Ltd-controlled systems is encrypted at rest using AES-256 or equivalent. |
| Device security | Devices used to access Client Data are protected by full-disk encryption, strong passwords, and automatic screen lock. Remote wipe capability is enabled. |
| Password management | All credentials related to Client systems and tools are managed using a reputable password manager. Unique credentials are used for each system. |
| Software updates | Operating systems and software used in connection with the Services are kept current with security patches. |
| Phishing and social engineering | Syrgas Pty Ltd does not respond to unsolicited requests to transfer Client Data or credentials, regardless of how they are presented. |
| Incident response | A documented incident response procedure is maintained and tested. The Client will be notified within 72 hours of a confirmed or suspected breach affecting Client Data. |
The Client is responsible for maintaining the security of its own systems, accounts, and credentials; ensuring that access credentials shared with Syrgas Pty Ltd are appropriately managed and revoked when no longer required; notifying Syrgas Pty Ltd promptly if it becomes aware of any actual or suspected unauthorised access to Client systems that may affect the Services; and ensuring that its own employees and contractors who interact with Syrgas Pty Ltd handle Client Data in accordance with applicable privacy laws.
Despite the security measures described in this clause, Syrgas Pty Ltd cannot guarantee the absolute security of Client Data. Syrgas Pty Ltd will notify the Client of any Data Breach in accordance with clause 6.
Syrgas Pty Ltd will maintain procedures for detecting, assessing, and responding to Data Breaches. On becoming aware of a confirmed or reasonably suspected Data Breach, Syrgas Pty Ltd will immediately take steps to contain the breach and assess its scope and likely impact.
| Timeframe | Action | Detail |
|---|---|---|
| 0 to 24 hours | Contain and assess | Identify the nature and scope of the breach. Take immediate steps to contain it. Preserve evidence. Notify the Syrgas Pty Ltd account holder. |
| 24 to 72 hours | Notify Client | Provide the Client with written notification including: what data was affected, how the breach occurred (if known), steps taken to contain it, and estimated impact. |
| 72 hours to 30 days | Remediate and report | Implement fixes to prevent recurrence. Cooperate with Client in any regulatory notifications required under the Privacy Act 1988 (Notifiable Data Breaches scheme). Provide written incident report. |
| Ongoing | Monitor and review | Continue monitoring for further incidents. Review and update security measures as appropriate. Retain incident records for a minimum of five years. |
The initial notification to the Client will include, to the extent known at the time: a description of the nature of the Data Breach including the categories and approximate number of individuals and records affected; the likely consequences of the breach; the measures taken or proposed to address the breach and mitigate its effects; and the name and contact details of Syrgas Pty Ltd's point of contact for breach-related enquiries.
Where a Data Breach is likely to trigger notification obligations under the Notifiable Data Breaches scheme, Syrgas Pty Ltd will cooperate with the Client in preparing any required notifications to the Office of the Australian Information Commissioner. The Client is responsible for making any required regulatory notifications, and Syrgas Pty Ltd will provide reasonable assistance.
Syrgas Pty Ltd will maintain a record of all Data Breaches affecting Client Data, including breaches that were contained and did not require notification. These records will be retained for a minimum of five years and made available to the Client on request.
The Client, as data controller, is responsible for responding to requests from individuals exercising their rights under the Privacy Act 1988 (Cth), including requests to access, correct, or complain about the handling of their Personal Information.
Where Syrgas Pty Ltd holds or can access Client Data relevant to an individual's request, Syrgas Pty Ltd will provide the Client with reasonable assistance in responding to the request, including by locating, retrieving, correcting, or deleting relevant data as instructed by the Client. Syrgas Pty Ltd will respond to such requests within five business days.
If Syrgas Pty Ltd receives a direct request from an individual regarding Personal Information held in connection with the Client's Engagement, Syrgas Pty Ltd will promptly redirect the individual to the Client and will not respond to the request directly without the Client's authorisation.
Syrgas Pty Ltd retains Client Data only for as long as necessary to perform the Services, plus the retention periods specified in Section 3 of this Addendum. Retention periods reflect legal requirements, the legitimate needs of the parties, and best practice for professional services engagements.
On written request by the Client, Syrgas Pty Ltd will return all Client Data in a commonly used, machine-readable format within 10 business days of the request; permanently delete all copies of Client Data from Syrgas Pty Ltd's systems and instruct Sub-processors to do the same, subject to any legal retention requirements; and provide written confirmation of deletion within 30 days of completing the deletion process.
On termination or expiry of the Agreement, Syrgas Pty Ltd will automatically initiate the return and deletion process described in clause 8.2 within 30 days of the termination date, unless the Client provides alternative written instructions.
Where Syrgas Pty Ltd is required by law to retain certain Client Data beyond the periods specified in this Addendum, Syrgas Pty Ltd will notify the Client in writing, identify the specific data and the legal basis for retention, and ensure the data is isolated from active processing.
Where Syrgas Pty Ltd designs, configures, builds, or operates email automation sequences on behalf of the Client, the Client warrants that it has obtained all necessary consents from recipients in accordance with the Spam Act 2003 (Cth); all recipients on any list used in connection with the Services have consented to receive commercial electronic messages from the Client; it will maintain records of consent sufficient to demonstrate compliance with the Spam Act 2003 (Cth); and it will promptly notify Syrgas Pty Ltd of any consent withdrawals or unsubscribe requests that affect automation sequences managed by Syrgas Pty Ltd.
Syrgas Pty Ltd will ensure that all email automation sequences configured on behalf of the Client include a functional unsubscribe mechanism in every message; clearly identify the Client as the sender; are not sent to individuals who have previously unsubscribed or objected to receiving messages from the Client; and include the Client's accurate physical address or registered business address as required by the Spam Act 2003 (Cth).
The Client is solely responsible for the accuracy and compliance of its contact lists. Syrgas Pty Ltd will implement technical unsubscribe mechanisms but is not responsible for ensuring that the Client's lists are legally compliant at the time of import. Where Syrgas Pty Ltd identifies a potential compliance concern with a contact list, it will raise this with the Client before proceeding.
Syrgas Pty Ltd will maintain records sufficient to demonstrate compliance with this Addendum, including records of processing activities, security measures implemented, Sub-processors engaged, data breaches, and data deletion activities.
The Client may request, no more than once per calendar year, written confirmation from Syrgas Pty Ltd that it is complying with its obligations under this Addendum. Syrgas Pty Ltd will respond to such requests within 15 business days. Where the Client has reasonable grounds to suspect a material breach of this Addendum, it may request more frequent confirmation.
Syrgas Pty Ltd will cooperate with the Client and, where required, with the Office of the Australian Information Commissioner or other relevant regulatory authorities in connection with any investigation or enquiry relating to the processing of Client Data under this Addendum.
This Addendum is incorporated into and forms part of the AI Service Agreement. In the event of any inconsistency between this Addendum and the AI Service Agreement with respect to the handling of Client Data, this Addendum prevails.
Syrgas Pty Ltd may update this Addendum from time to time to reflect changes in applicable law, regulatory guidance, or Syrgas Pty Ltd's data handling practices. Syrgas Pty Ltd will provide the Client with at least 30 days written notice of any material changes. The Client's continued use of the Services after the notice period constitutes acceptance of the updated Addendum.
This Addendum is governed by the laws of Victoria, Australia and the Commonwealth of Australia. Each party submits to the non-exclusive jurisdiction of the courts of Victoria.
The following Sub-processors are currently engaged by Syrgas Pty Ltd to process Client Data in connection with the Services. Syrgas Pty Ltd will update this Schedule and notify the Client at least 14 days before adding or replacing any Sub-processor.
| Tool | Data processed | Storage location | Data residency | Compliant |
|---|---|---|---|---|
| HubSpot | Contact data, deal records, email content, lead scores | HubSpot Inc., USA | US — GDPR/APPs compliant | Yes |
| Zapier | Data in transit between platforms — no persistent storage beyond 7 days | Zapier Inc., USA | US — SOC 2 Type II | Yes |
| Instantly.ai | Contact names, email addresses for personalisation | Instantly.ai servers | US/EU — contractual safeguards | Yes |
| Calendly | Contact names, email addresses, meeting times | Calendly LLC, USA | US — GDPR compliant | Yes |
| Lucidchart | Process diagrams — no personal data unless included in diagram content | Lucid Software, USA | US — SOC 2 certified | Yes |
| Google Looker Studio | Aggregated metrics only — no personal data | Google LLC | Australian region preferred | Yes |
| Webflow | Email addresses from form submissions | Fastly CDN — global | Global CDN — encrypted | Yes |
Syrgas Pty Ltd confirms that it has entered into data processing agreements with each Sub-processor (or relies on their published data processing terms where a direct agreement is not required) and that each Sub-processor provides an adequate level of protection for Client Data consistent with the obligations in this Addendum.