Terms and Conditions
Upollo is a technology company that protects users, businesses and their growth through customer insights. Our services allow businesses to analyse customer insights to improve their online security and minimise fraudulent accounts while identifying new growth opportunities to better serve their customers.
1. Our Disclosures
Our complete terms and conditions are contained below, but some important points for the Account holder to know before the Account holder becomes a customer are set out below:
- We may amend these Terms or the features of the Platform at any time, by providing written notice to the Account holder;
- Unless the Account holder is suspended or terminated in accordance with these Terms, the Account holder's Subscription will roll over on an ongoing basis;
- To the maximum extent permitted by law, the Fees are non-refundable;
- The Account holder is responsible and liable for the actions of its Authorised Users;
- Our liability under these Terms is limited to us repaying you the amount of the Fees paid by you to us during the term of your Subscription, and we will not be liable for Consequential Loss, any loss that is a result of a Third Party Service, or any loss or corruption of data; and
- We may terminate your paid Subscription at any time by giving written notice to you and providing the Account holder with a full refund.
Nothing in these terms limits your rights under the Australian Consumer Law.
2. Introduction
- These terms and conditions (Terms) are entered into between Upollo Pty Ltd (ABN 89 649 311 124) (we, us or our) and you, together the Parties and each a Party.
- We provide a cloud-based, software as a service platform and access to our application programming interfaces and client libraries for integrating with our platform (Platform).
- In these Terms, you means the person or entity registered with us as an Account holder (who has registered for a Subscription), or an Authorised User of an entity registered with us as an Account holder. In these Terms, there are clauses which only apply to an Account holder (including clause 7 (Subscription), clause 14 (Indemnity) and clause 15.1 (Cancel your paid subscription)) and clauses that apply to all users.
- If you are registering for an Account on behalf of your employer or a business entity, you, in your individual capacity, represent and warrant that you are authorised to act on behalf of your employer or the business entity who is the Account holder and to bind the entity and the entity's Authorised Users to these Terms.
3. Acceptance and Platform Licence
- You accept these Terms as an Account holder by registering for an Account or as an Authorised User by using the Platform or as otherwise set out on the Platform.
- We may amend these Terms at any time, by providing written notice to you. By continuing to use the Platform after the notice or 30 days after notification (whichever date is earlier), you agree to the amended Terms. If the Account holder does not agree to the amendment, the Account holder may terminate these Terms and the Subscription in accordance with the Termination clause.
- Subject to compliance with these Terms, we grant the Account Holder and its Authorised Users a personal, non-exclusive, royalty-free, revocable, worldwide, non-transferable licence to use our Platform solely to analyse Your Data and to benefit from the intended use of the Platform in accordance with these Terms. All other uses are prohibited without our prior written consent.
- When using the Platform, the Account holder and the Authorised Users must not do or attempt to do anything that is unlawful or inappropriate, including:
- anything that would constitute a breach of an individual's privacy (including uploading private or personal information without an individual's consent) or any other legal rights;
- using the Platform to defame, harass, threaten, menace or offend any person, including using the Platform to send unsolicited electronic messages;
- tampering with or modifying the Platform (including by transmitting viruses and using trojan horses);
- using data mining, robots, screen scraping or similar data gathering and extraction tools on the Platform; or
- facilitating or assisting a third party to do any of the above acts.
4. Upollo Services
- We have developed and provide access to application programming interfaces (APIs) that may be used to access our services on the Platform. You may use the APIs to process data for fraud prevention and detection or to gain customer insights. You may manage your Account depending on your Account permissions and enable additional features through our API dashboard.
- We agree to provide the Account holder and its Authorised Users with access to the Platform which includes access to our APIs and client libraries (Client Libraries), the support services as set out in the Account, and any other services we agree to provide as set out in the Account.
- We agree to use our best endeavours to make the Platform available at all times. However, from time to time we may perform reasonable scheduled and emergency maintenance, and the Platform may be unavailable during the times we are performing such maintenance.
- Should you be unable to access the Platform, or should you have any other questions or issues impacting on your use and enjoyment of the Platform, you must place a request via email. We will endeavour to respond to any support requests in a reasonable period.
- You acknowledge and agree that the Platform may be reliant on, or interface with third party systems that are not provided by us (for example, cloud storage providers (such as AWS and Google Cloud)) (Third Party Services). To the maximum extent permitted by law, we shall have no Liability for any Third Party Services, or any unavailability of the Platform due to a failure of the Third Party Services.
- You acknowledge and agree that data loss is an unavoidable risk when using any software. To the extent you input any data into the Platform, you agree to maintain a backup copy of any data you input into the Platform.
- To the maximum extent permitted by law, we shall have no Liability to you for any loss or corruption of data, or any scheduled or emergency maintenance that causes the Platform to be unavailable.
Integration and Support
- We will provide the Account holder with specifications that provide you guidance to establish the required interfaces between your System and the APIs (API Documentation), how to use our Client Libraries (Client Libraries Documentation) or any relevant third party integrations.
- We may update the APIs and API Documentation from time to time which may add or remove the API functionality. If there is a breaking change, we will notify you to minimise interruption of our services to you.
- In relation to APIs, the Account holder is responsible for and must meet its own costs of:
- setting up and maintaining interfaces between its System and the APIs using suitably qualified Personnel and in accordance with the API Documentation;
- establishing and configuring its Systems for the use of the APIs in accordance with the API Documentation; and
- obtaining and maintaining all hardware, software and communications equipment necessary to access and use the APIs.
- In relation to Client Libraries, the Account holder is responsible for and must meet its own costs of:
- setting up and integrating your application with our Client Libraries using suitably qualified Personnel and in accordance with the Client Libraries Documentation;
- establishing and configuring your Systems and applications in accordance with the Client Libraries Documentation; and
- obtaining and maintaining all hardware, software and communications equipment necessary to access and use the Client Libraries.
Limitations and Obligations
- The Account holder acknowledges and agrees that the number of API calls which it is permitted to make using the APIs, during any given period, may be limited as set out in its Subscription.
- You may not use the APIs for any purpose, function or feature not described in the API Documentation or as indicated by us.
- We may provide you with publishable and secret API keys to use our Platform. You are responsible for keeping your secret API keys secure and not sharing any secret API keys with unauthorised users. Failure to do so may result in the misuse of the Account and potential data breaches to the Account holder, the Authorised Users, the Account holder's customers or us. For more information on the proper use of API keys, please see our API Documentation.
- The Account holder agrees to:
- allow us to use the APIs to extract information we reasonably require from your Systems to provide the Platform and to provide our products and/or services to clients;
- ensure that its System and interfaces to the APIs:
- are configured to prevent any unauthorised third party from accessing the APIs; and
- incorporate industry best practice in relation to the implementation of encryption systems, anti-virus protection, patches, updates and upgrades for security purposes.
5. Accounts
- The Account holder must register on the Platform and create an account (Account) to access the Platform's features. Each Authorised User will require a login that is linked to the Account in order to access the Platform.
- The Account holder must provide basic information when registering for an Account including its business name, contact name and email address.
- The Account holder may also register for an Account using its Google or similar account (Third Party Account). As an Account holder, if you sign in to your Account using your Third Party Account, you authorise us to access certain information on your Third Party Account. All personal information the Account holder and its Authorised Users provide to us will be treated in accordance with our Privacy Policy.
- The Account holder and Authorised Users agree to provide and maintain up to date information in the Account and to not share the Account or login password with any other person. The Account is personal to the Account Holder and its Authorised Users and the Account holder must not transfer or provide it to others with the exception of its Authorised Users.
- The Account holder is responsible for keeping the Account details confidential and the Account holder will be liable for all activity on its Account, including purchases made using the Account details, and any activity from one of its Authorised Users. Each Authorised User is responsible for keeping their login details confidential. The Account holder and each Authorised User agrees to immediately notify us of any unauthorised use of the Account.
- When the Account holder creates an Account, the Account holder must also select a subscription (Subscription) of which there are different tiers with different services and different subscription periods as set out on our Platform.
6. Authorised Users
- The Account holder may be permitted to invite a number of users to the Platform, who will be permitted to access and use the Platform under the Account (Authorised Users). We agree to provide the Account holder with access for the number of Authorised Users as set out in the Account.
- The Authorised Users will have permission to access certain features of the Platform and your Account, as detailed in the Account.
- The Account holder will ensure that each Authorised User complies with these Terms. The Account holder is responsible and liable for the acts or omissions of its Authorised Users.
7. Subscription
- To create an Account you must choose between a free subscription or paid subscription tiers.
- If you choose a paid subscription tier, you agree to pay the Subscription fee set out on the Platform (Fees) by the date specified on the Platform (Payment Date) to use additional features on the Platform and benefit from your Subscription.
- Unless your Subscription is suspended or terminated in accordance with these Terms, your Subscription will roll over on an ongoing monthly basis, and you will be charged the same Fees on an ongoing monthly basis from the Payment Date. Without limiting your rights under the Australian Consumer Law, you can cancel your Subscription at any time in accordance with the Termination clause of these Terms but the cancellation will only have effect from expiry of the monthly period for which you have paid the Fees.
- The payment methods we offer for the Fees are set out on the Platform. We may offer payment through a third-party provider. You acknowledge and agree that we have no control over the actions of the third-party provider, and your use of the third-party payment method may be subject to additional terms and conditions.
- You must not pay, or attempt to pay, the Fees by fraudulent or unlawful means. If you make a payment by debit card or credit card, you warrant that you are authorised to use the debit card or credit card to make the payment.
- You agree that we may set-off or deduct from any monies payable to you under these Terms, any amounts which are payable by you to us (whether under these Terms or otherwise).
- Changes to your Subscription: If you wish to suspend or change your Subscription (for example, by upgrading to a different Subscription tier), you must provide notice to us through your Account that you wish to suspend or vary your Subscription before the next Payment Date. If you vary your Subscription and the Fees increase, we will charge you for the increase in the Fees on a pro-rata basis for the remainder of the period until your next Payment Date, and you will have access to the additional Subscription features from the date you make such payment.
- To the extent permitted by law, the Fees are non-refundable and non-cancellable once paid.
- We may need to change what is available as part of your Subscription (for example, the inclusions, exclusions, updated features) from time to time. If we change what is available as part of your Subscription, we will provide you with 30 days' notice of the change. After 30 days, we will apply the changes to your Subscription. If the changes substantially and adversely affect your enjoyment of the Subscription, you may cancel your Subscription in accordance with the 'Termination' clause.
- We may need to change the Fees from time to time. If we change the Fees, we will provide you with 30 days' notice of the change. After 30 days, we will apply the updated Fee to your Subscription. If the updated Fee is not acceptable to you, you may cancel your Subscription in accordance with the 'Termination' clause.
8. Our Intellectual Property
- You acknowledge and agree that any Intellectual Property or content (including copyright and trademarks) available on the Platform, the Platform itself, and any algorithms or machine learning models used on the Platform (Our Intellectual Property) will at all times vest, or remain vested, in us.
- We authorise you to use Our Intellectual Property solely for your limited commercial use. You must not exploit Our Intellectual Property for any other purpose, nor allow, aid or facilitate such use by any third party. Use must be limited to Authorised Users on devices that are controlled or approved by the Account holder.
- You must not, without our prior written consent:
- copy, in whole or in part, any of Our Intellectual Property;
- reproduce, retransmit, distribute, disseminate, sell, publish, broadcast or circulate any of Our Intellectual Property to any third party; or
- breach any intellectual property rights connected with the Platform, including (without limitation) altering or modifying any of Our Intellectual Property, causing any of Our Intellectual Property to be framed or embedded in another website, or creating derivative works from any of Our Intellectual Property.
- You agree that we (or the relevant third party) own all Intellectual Property Rights in the APIs.
- This clause will survive the termination of these Terms.
9. Information and Privacy
- You represent, warrant and agree:
- that you are responsible for the collection, use, disclosure, storage and other dealings with Your Data in connection with these Terms, including that your collection and handling of Your Data is compliant with all Laws, including all Privacy Laws;
- your disclosure of Your Data to us and our use of Your Data in accordance with these Terms, is not inconsistent with the terms of any applicable privacy policies, information notices or other relevant documentation;
- that if you become aware of, or have reason to suspect the existence of, any incident involving unauthorised access to the APIs or unauthorised access, loss or disclosure of the Output Data, you will:
- promptly notify us and take all steps reasonably available to you to identify the individuals and information involved, and to inform us of their identity and the details of the information;
- take all possible steps to cure such unauthorised access to the APIs or unauthorised access, loss or disclosure of the Output Data; and
- comply with any reasonable request made by us in connection with the management of such unauthorised access, loss or disclosure.
- to ensure, at all times,
- the accuracy, reliability, completeness and integrity of Your Data; and
- that the collection and use of Your Data is compliant with all Laws, including all Privacy Laws;
- if you are the Account Holder, that you have provided all required notices (including notice of collection by us/disclosure to us (including the disclosure to other clients of ours) of Personal Information included in Your Data) and obtained all necessary rights, releases and permissions to provide or have Your Data provided to us and for our handling of Your Data as authorised by you in connection with these Terms; and
- that our handling of Your Data and any Personal Information, as authorised by you in connection with these Terms:
- is not inconsistent with the terms of any applicable privacy policies, privacy notices or other relevant documentation; and
- will not cause us to breach or infringe any Laws (including Privacy Laws and those relating to export control and electronic communications) or rights of any third party, including any intellectual property rights, rights of privacy, or rights of publicity.
- Where an individual whose Personal Information is included in Output Data requests that we delete their Personal Information, you agree to also delete such Personal Information promptly upon our request to you.
- You acknowledge and agree that:
- subject to clauses 9.3 and 9.4, we assume no responsibility or Liability for Your Data;
- we do not provide a data storage service and we cannot guarantee that Your Data will be available at all times. Any back-up or storage services are provided solely for your convenience and it is the Account holder's responsibility to back-up Your Data and ensure the ongoing secure storage of Your Data; and
- the operation of the Platform is reliant on the accuracy of Your Data, and the provision of inaccurate or incomplete Your Data by the Account holder, its Personnel or an Authorised User may affect the use, output and operation of the Platform.
- We agree to handle any Personal Information the Account holder or its Authorised Users provide to us or instruct us to collect for the Account Holder:
- solely as permitted under these Terms;
- in accordance with all Privacy Laws; and
- in accordance with our Privacy Policy.
- Data Processing Addendum: If you are in the UK or EEA, or are otherwise subject to laws of jurisdictions that have enacted privacy laws that require a written data processing agreement, you agree to the Data Processing Addendum set out in Annexure 1.
- This clause will survive the termination of these Terms.
10. Your Data
- As part of our services, we obtain information from our clients about their users, their users' devices and their usage of our clients' application to help our clients make better decisions using the Platform.
- The Account holder owns, or has all the rights you need to let us process, all data, information or content the Account holder and its Authorised Users provide access to on the Platform including through the APIs (Your Data). The Account holder agrees that we own any data or information output from the Platform including information using Your Data as input (Output Data). Note that Your Data does not include the Analytics (as described below).
- You grant us a licence to copy, transmit, store, backup and/or otherwise access or use Your Data to:
- identify and prevent account and user fraud for our clients;
- provide insights on users and their actions;
- use machine learning to improve the services we provide to you and to our other clients;
- supply the Platform to you and otherwise perform our obligations under these Terms;
- perform Analytics, diagnose problems, enhance or otherwise modify the Platform;
- develop new services; and
- as reasonably required to perform our obligations under these Terms.
- The Account holder agrees that it is solely responsible for all of Your Data that the Account holder and its Authorised Users make available on or through the Platform. The Account holder represents and warrants that:
- it is either the sole and exclusive owner of Your Data or it has all rights, licences, consents and releases that are necessary to grant to us the rights in Your Data (as contemplated by these Terms); and
- neither Your Data nor the posting, uploading, publication, submission or transmission of Your Data or our use of Your Data on, through or by means of our Platform will infringe, misappropriate or violate a third party's intellectual property rights, or rights of publicity or privacy, or result in the violation of any applicable law or regulation.
- The Account holder acknowledges and agrees that we may monitor, analyse and compile statistical and performance information based on and/or related to Your Data and the Account holder or its Authorised Users' use of the Platform, in an aggregated format (Analytics). The Account holder and each Authorised User acknowledges and agrees that we own all rights in the Analytics, and that we may use the Analytics for our own business purposes (including to improve the Platform, create analytics or prevent fraud and abuse to us and our clients), provided that the Analytics do not contain any identifying information.
- We do not endorse or approve, and are not responsible for, any of Your Data.
- You acknowledge and agree that the Platform and the integrity and accuracy of the Output Data is reliant on the accuracy and completeness of Your Data, and the provision by you of Your Data that is inaccurate or incomplete may affect the use, output and operation of the Platform.
- This clause will survive the termination of these Terms.
11. Warranties
- You represent, warrant and agree that:
- we do not guarantee the accuracy of the data and insights we provide to you, or any recommendations we provide through the Platform;
- you will not use our Platform, including Our Intellectual Property and APIs, in any way that competes with our business;
- there are no legal restrictions preventing you from entering into these Terms; and
- all information and documentation that you provide to us in connection with these Terms is true, correct and complete.
12. Australian Consumer Law
- Certain legislation, including the Australian Consumer Law (ACL) in the Competition and Consumer Act 2010 (Cth), and similar consumer protection laws and regulations, may confer you with rights, warranties, guarantees and remedies relating to the provision of the Platform by us to you which cannot be excluded, restricted or modified (Consumer Law Rights).
- If the ACL applies to you as a consumer, nothing in these Terms excludes your Consumer Law Rights as a consumer under the ACL. You agree that our Liability for the Platform provided to an entity defined as a consumer under the ACL is governed solely by the ACL and these Terms.
- Subject to your Consumer Law Rights, we exclude all express and implied warranties, and all material, work and services (including the Platform) are provided to you without warranties of any kind, either express or implied, whether in statute, at law or on any other basis.
- This clause will survive the termination of these Terms.
13. Liability
- Despite anything to the contrary, to the maximum extent permitted by law:
- neither Party will be liable for Consequential Loss;
- each Party's liability for any Liability under these Terms will be reduced proportionately to the extent the relevant Liability was caused or contributed to by the acts or omissions of the other Party or any of that Party's personnel (including where you are the Account Holder, your Authorised Users), including any failure by that Party to mitigate its losses; and
- (in respect of any failure by us to comply with relevant Consumer Law Rights) our Liability is limited (at our discretion) to resupplying the Platform or paying the cost of having the Platform resupplied; and
- our aggregate liability for any Liability arising from or in connection with these Terms will be limited to us repaying you the amount of the Fees paid by you to us during the term of your Subscription.
- This clause will survive the termination of these Terms.
14. Indemnity
- Despite anything to the contrary, to the maximum extent permitted by law, you are liable for, and agree to indemnify us and hold us harmless in respect of, any Liability that we may suffer, incur or otherwise become liable for, arising from or in connection with:
- your breach of the Acceptance and Platform Licence clause and the Intellectual Property clause of these Terms;
- any claim made by an individual whose Personal Information is included in Your Data or Output Data provided to you; and
- any claim made by one of our clients;
- in both cases in connection with, your use of or access to the APIs or the Output Data; or
- any breach by you of the privacy obligations of these Terms or by any Privacy Laws.
- This clause will survive the termination or expiry of these Terms.
15. Termination
- Cancel your paid Subscription: You may request to cancel your paid Subscription at any time by notifying us via email. Your cancellation will take effect from the next Payment Date. Should you cancel your paid Subscription with us, your Account will be downgraded to a free Subscription.
- Should we suspect that the Account holder or an Authorised User is in breach of these Terms or misusing the Platform or whose continued access and use of the Platform would have a detrimental effect on us or in breach of applicable law or any Platform usage policies, we may suspend or terminate the Account holder's (and all its Authorised Users') access to the Platform.
- We may terminate your paid Subscription at any time by giving written notice to you and providing the Account holder with a full refund, or your free Subscription or any Authorised User at any time by providing immediate notice to you (Termination for Convenience). Upon termination of the Account holder's Subscription, these Terms will also terminate as between the Account holder or Authorised User and us and:
- the Account holder and its Authorised Users' access to the Platform will be terminated;
- the Account holder and its Authorised Users must immediately cease to access the APIs and cease to use the Output Data;
- the Account holder agrees that other than where termination is due to our Termination for Convenience or our breach of these Terms, and to the maximum extent permitted by law, any payments made by the Account holder to us (including any Fees) are not refundable to the Account holder;
- where we terminate the Account holder's Subscription for any reason other than a Termination for Convenience, the Account holder also agrees to pay us our reasonable additional costs directly arising from such termination.
- Where termination is due to our Termination for Convenience or our breach of these Terms, we agree to refund the Account holder for any prepaid unused Fees on a pro-rata basis.
- Termination of these Terms will not affect any rights or liabilities that a Party has accrued under these Terms.
- This clause will survive the termination of these Terms.
16. General
- Assignment: Subject to the below clause, a Party must not assign or deal with the whole or any part of its rights or obligations under these Terms without the prior written consent of the other Party (such consent is not to be unreasonably withheld).
- Assignment of Debt: You agree that we may assign or transfer any debt owed by you to us, arising under or in connection with these Terms, to a debt collector, debt collection agency, or other third party.
- Disputes: A Party may not commence court proceedings relating to a dispute without first meeting with the other Party to seek (in good faith) to resolve the dispute, failing which the Parties agree to engage a mediator to attempt to resolve the dispute. The costs of the mediation will be shared equally between the Parties. Nothing in this clause will operate to prevent a Party from seeking urgent injunctive or equitable relief from a court of appropriate jurisdiction.
- Entire Terms: Subject to your Consumer Law Rights, these Terms contain the entire understanding between the Parties and the Parties agree that no representation or statement has been made to, or relied upon by, either of the Parties, except as expressly stipulated in these Terms, and these Terms supersede all previous discussions, communications, negotiations, understandings, representations, warranties, commitments and agreements, in respect of their subject matter.
- Force Majeure: To the maximum extent permitted by law, we shall have no Liability for any event or circumstance outside of our reasonable control.
- Governing law: These Terms are governed by the laws of New South Wales. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts operating in New South Wales and any courts entitled to hear appeals from those courts and waives any right to object to proceedings being brought in those courts.
- Notices: Any notice given under these Terms must be in writing addressed to us at the details set out below or to you at the details provided in your Account. Any notice may be sent by standard post or email, and will be deemed to have been served on the expiry of 48 hours in the case of post, or at the time of transmission in the case of transmission by email.
- Severance: If a provision of these Terms is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from these Terms without affecting the validity or enforceability of the remainder of that provision or the other provisions in these Terms.
- Third party sites: The Platform may contain links to websites operated by third parties. Unless we tell you otherwise, we do not control, endorse or approve, and are not responsible for, the content on those websites. We recommend that you make your own investigations with respect to the suitability of those websites. If you purchase goods or services from a third party website linked from the Platform, such third party provides the goods and services to you, not us.
17. Definitions
- Consequential Loss includes any consequential loss, indirect loss, real or anticipated loss of profit, loss of benefit, loss of revenue, loss of business, loss of goodwill, loss of opportunity, loss of savings, loss of reputation, loss of use and/or loss or corruption of data, whether under statute, contract, equity, tort (including negligence), indemnity or otherwise.
- Intellectual Property means any domain names, know-how, inventions, processes, trade secrets or confidential information; or circuit layouts, software, computer programs, databases or source codes, including any application, or right to apply, for registration of, and any improvements, enhancements or modifications of, the foregoing.
- Intellectual Property Rights means for the duration of the rights in any part of the world, any industrial or intellectual property rights, whether registrable or not, including in respect of Intellectual Property.
- Laws means all applicable laws, regulations, codes, guidelines, policies, protocols, consents, approvals, permits and licences, and any requirements or directions given by any person with the authority to bind the relevant Party in connection with these Terms or the provision of the Platform, and includes Privacy Laws and the Spam Act 2003 (Cth).
- Liability means any expense, cost, liability, loss, damage, claim, notice, entitlement, investigation, demand, proceeding or judgment (whether under statute, contract, equity, tort (including negligence), indemnity or otherwise), howsoever arising, whether direct or indirect and/or whether present, unascertained, future or contingent and whether involving a third party or a party to these Terms or otherwise.
- Personnel means, in respect of us or the Account Holder, any of its employees, consultants, suppliers, subcontractors or agents, and in respect of the Account holder any Authorised Users.
- Personal Information has the meaning given in the Privacy Act 1988 (Cth) and also includes any similar term as defined in any other applicable Privacy Laws.
- Privacy Laws means the Privacy Act 1988 (Cth) and Australian Privacy Principles as set out in Schedule 1 of the Privacy Act 1988 (Cth) and any other privacy or anti-spam Laws as applicable to each Party.
- Privacy Policy means any privacy policy located at www.upollo.ai/privacy.
- System means all hardware, software, networks, computing environments and other IT systems used by a Party from time to time.
For any questions or notices, please contact us at:
Upollo Pty Ltd (ABN 89 649 311 124)
Email: support@upollo.ai
Last update: 19 December 2022
© LegalVision ILP Pty Ltd
Annexure 1 - Data Processing Addendum
Data Processing Agreement ("DPA")
THIS DPA FORMS PART OF THE AGREEMENT ENTERED INTO BETWEEN UPOLLO PTY LTD (ABN 89 649 311 124) ("UPOLLO") AND YOU (THE "CUSTOMER") ON THE EFFECTIVE DATE (AS DEFINED IN THE AGREEMENT), AND ALL REFERENCES TO THE AGREEMENT SHALL INCLUDE THIS DPA (INCLUDING THE NEW SCCS, AS DEFINED HEREIN). ALL CAPITALISED TERMS NOT DEFINED IN THIS DPA SHALL HAVE THE MEANINGS SET FORTH IN THE AGREEMENT. THIS DPA APPLIES WHERE, AND ONLY TO THE EXTENT THAT, UPOLLO PROCESSES YOUR PERSONAL DATA THAT IS PROTECTED BY DATA PROTECTION LAWS APPLICABLE TO THE EEA.
If the processing of your Personal Data involves an International Transfer, the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses (together, the "Standard Contractual Clauses"), as the case may be, and as stated in section 5, apply, and are incorporated by reference.
Definitions
1. Roles and Responsibilities
- Parties' roles. As between UPOLLO and the Customer, the Customer is the controller of Customer Personal Data, and UPOLLO shall process Customer Personal Data only as a processor acting on behalf of Customer as described in Annex A (Details of Processing) of this DPA.
- Purpose limitation. UPOLLO shall process Customer Personal Data only in connection with the arrangements envisaged under this DPA and in accordance with Customer's documented lawful instructions, except where otherwise required by applicable law. Customer instructs UPOLLO and its Sub-processors to process Customer Personal Data as reasonably necessary for the provision of the services contemplated by the Agreement and to perform its obligations under the Agreement.
- Sensitive Data. The Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer's Users to transmit or process, any Sensitive Data via the Products.
- Customer compliance. Customer represents and warrants, and shall procure that Users to whom the Customer Personal Data relates represent and warrant that (i) it has complied, and will continue to comply, with all applicable Data Protection Laws in respect of its processing of Customer Personal Data and any processing instructions it issues to UPOLLO; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for UPOLLO to process Customer Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed pursuant to the Agreement, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. UPOLLO shall have no liability towards the Users, and the Customer shall fully indemnify UPOLLO against all losses arising as a result of a User bringing an independent claim against UPOLLO or its Affiliates under or in connection with this DPA.
- Notification obligations regarding the Customer's instructions. UPOLLO shall promptly notify the Customer in writing without any obligation to provide legal advice, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from the Customer violates Data Protection Laws.
2. Sub-processing
- Authorised Sub-processors. The Customer agrees that UPOLLO may engage Sub-processors to process Customer Personal Data on the Customer's behalf. The Sub-processors currently engaged by UPOLLO and authorised by Customer are those entities listed on the authorised sub-processor page on the UPOLLO website [link].
- Objection to Sub-processors. The Customer may object in writing to UPOLLO's appointment of a new Sub-processor within seven (7) calendar days of receiving notice in accordance with Section 2.1, by email to the main portal user and to the tech portal contact, provided that such objection is based on reasonable grounds relating to data protection. If the Customer does not object to the Sub-processor within seven calendar days of receiving the information, the Customer shall be deemed to have accepted the Sub-processor. If the Customer has raised a reasonable objection to the new Sub-processor, and the parties have failed to agree on a solution within reasonable time, the Customer shall have the right to terminate the Agreement with a notice period determined by the Customer, without prejudice to any other remedies available under law or contract. During the notice period, UPOLLO shall not transfer any Customer Data to the Sub-processor.
- Sub-processor obligations. UPOLLO shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide equivalent protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain responsible for such Sub-processor's compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause UPOLLO to breach any of its obligations under this DPA.
3. Security
- Security Measures. UPOLLO shall implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data in accordance with UPOLLO's security standards described in Annex B (Security Measures). The Customer acknowledges and agrees that the Security Measures which are to be implemented by UPOLLO are appropriate to meet the requirements under applicable Data Protection Laws.
- Confidentiality of processing. UPOLLO shall ensure that any person who is authorised by UPOLLO to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an obligation of confidentiality commensurate with the obligations of confidentiality in the Agreement.
- Updates to Security Measures. The Customer is responsible for reviewing the information made available by UPOLLO relating to data security and making an independent determination as to whether the Licensed Software meets the Customer's requirements and legal obligations under the Data Protection Laws. The Customer acknowledges that the Security Measures are subject to technical progress and development and that UPOLLO may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to the Customer.
- Security Incident response. Upon becoming aware of a Security Incident, a Party shall: (i) notify the other Party without undue delay after becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the other Party; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Notification of or response to a Security Incident under this Section 3.4 shall not be construed as an acknowledgment by such Party of any fault or liability with respect to the Security Incident.
4. Security Reports
- Records. Upon reasonable written request from the Customer, UPOLLO shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, provided nothing in this Section 4.1 requires UPOLLO to provide the Customer with any of UPOLLO's Confidential Information.
5. International Transfers
- Limitations on International Transfer. Personal Data from EEA, UK, or Swiss Data Controller(s) may only be exported to or accessed by UPOLLO or its authorised Sub-processors outside the EEA, the UK, or Switzerland, as applicable ("International Transfer"):
- If the recipient, or the country or territory in which it processes or accesses Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction; or
- In accordance with the Standard Contractual Clauses and Multi-tier Framework as set out in Section 5.2 below.
- The Standard Contractual Clauses apply where (i) there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction, and/or (ii) there is an International Transfer to a recipient that is not covered by an appropriate safeguard, including, but not limited to, binding corporate rules, an approved industry code of conduct, an individual adequacy decision by a regulatory body of competent jurisdiction, or an individual transfer authorisation granted by a regulatory body of competent jurisdiction.
- EEA Data transfers. Where the Standard Contractual Clauses apply: (i) UPOLLO agrees that it is the data importer and the Customer is the data exporter under the Standard Contractual Clauses; (ii) Annex A and Annex B of this DPA shall replace Annexes 1 and 2 of the Standard Contractual Clauses, respectively.
- For Third Country Sub-processors, UPOLLO shall ensure that such sub-processor has entered into the unchanged version of the Standard Contractual Clauses prior to the Sub-processor's processing of Customer Personal Data.
- The Data Processor shall, upon written request of the Data Controller prior to transferring Customer Personal Data to Third Country Sub-processors, request the data importer to provide the Data Controller with a written assessment as to whether the law of the third country of destination ensures adequate protection, under Applicable Data Protection Law, of personal data transferred pursuant to the Standard Contractual Clauses, by providing, where necessary, additional safeguards to those offered by those Standard Contractual Clauses.
- Furthermore, prior to transferring Customer Personal Data to Third Country Sub-processors or processing Customer Personal Data in such third countries, Data Processor must use best efforts to implement appropriate (in particular, but not limited to technical and organisational) guarantees capable of ensuring that data subjects whose personal data are transferred to the third country of destination pursuant to the Standard Contractual Clauses enjoy a level of protection essentially equivalent to that which is guaranteed under Data Protection Laws and Regulations.
6. Return or Deletion of Data
- Deletion on termination. Upon termination or expiration of the Agreement, UPOLLO shall (at the Customer's election) delete or return to the Customer all Customer Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent UPOLLO is required by applicable law to retain some or all of the Customer Personal Data, or Customer Personal Data it has archived on back-up systems, which UPOLLO shall securely isolate, protect from any further processing and eventually delete in accordance with UPOLLO's data retention policies, except to the extent required by applicable law.
7. Data Subject Rights and Cooperation
- Data subject requests. UPOLLO shall provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. In the event that any such request is made to UPOLLO directly, UPOLLO shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact the Customer) or legally required, without the Customer's prior authorisation. If UPOLLO is required to respond to such a request, UPOLLO shall promptly notify the Customer and provide the Customer with a copy of the request unless UPOLLO is legally prohibited from doing so. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent UPOLLO from responding to any data subject or data protection authority requests in relation to personal data for which UPOLLO is a controller.
- Data protection impact assessment. To the extent required under applicable Data Protection Laws, UPOLLO shall (at the Customer's expense) provide all reasonably requested information regarding the Licensed Software or other products or services (as applicable) to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
8. Audit Rights
- Subject to this section 8, UPOLLO shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by UPOLLO or authorised sub-processors.
- Information and audit rights of the Customer only arise under section 8.1 to the extent that the DPA does not otherwise give the Customer information and audit rights meeting the relevant requirements of Data Protection Law.
9. Limitation of Liability
- The Customer shall be liable for, and shall indemnify (and keep indemnified) UPOLLO in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, UPOLLO arising directly or in connection with Customer's processing activities that are subject to this DPA:
- any non-compliance by the Customer with the Data Protection Laws;
- any processing carried out by UPOLLO in accordance with instructions given by the Customer that infringe the Data Protection Laws; or
- any breach by the Customer of its obligations under the Agreement; except to the extent that UPOLLO is liable under Section 9.2.
- not to the extent that the same is, or are contributed to, by any breach of the DPA by UPOLLO.
- UPOLLO shall be liable for, and shall indemnify (and keep indemnified) the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Customer arising directly or in connection with UPOLLO's processing activities that are subject to this DPA.
- only to the extent that the same results from UPOLLO's breach of, or non-compliance with, this Agreement, the Customer's instructions, or the Data Protection Laws; and
- not to the extent that the same is, or are contributed to, by any breach of the DPA by the Customer.
- The Customer shall not be entitled to claim back from UPOLLO any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify UPOLLO under Section 9.2.
- Any claims against UPOLLO or its Affiliates under or in connection with this DPA (including, where applicable, the New SCCs) shall be brought solely against the entity that is a party to the Agreement.
- In no event shall any Party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
10. Relationship with the Agreement
- This DPA shall remain in effect for as long as UPOLLO carries out Customer Personal Data processing operations on behalf of the Customer or until termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with Section 6.1).
- The Parties agree that this DPA shall replace any existing data processing agreement or similar document that the Parties may have previously entered into in connection with the Agreement.
- In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses; then (b) this DPA; and then (c) the Agreement.
- No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
- This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Annex A
Details of Data Processing (Summary)
Full details of the data processing activity are set out in Annex C.
- Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
- Duration: As between UPOLLO and Customer, the duration of the data processing under this DPA is until the expiration or termination of the Agreement in accordance with its terms.
- Purpose: UPOLLO shall only process Customer Personal Data for the following purposes: (i) processing to perform its obligations under the Agreement in connection with fraud monitoring, prevention, detection and associated compliance activities; and (ii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the Purpose).
- Nature of the processing: UPOLLO provides support to the Customer in their use of the Platform as more particularly described in the Agreement and Annex C to this DPA.
- Categories of data subjects: Customer's employees and Authorised Users (as such term is defined in the Agreement) and information about customers of the Customer in connection with fraud monitoring, prevention, detection and associated compliance activities.
- Types of Customer Personal Data: Customer may upload, submit or otherwise provide (such as from business partners, financial services providers, identity verification services and other publicly available sources) certain personal data to UPOLLO, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data: Customer employees and Users: Identification and contact data (name, job title, contact details, including email address) and IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data) and, subject to Clause 2.3 of this DPA, Sensitive Data; and data about customers of the Customer: name, address, phone number and IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).
- Processing Operations: Customer Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: Storage and other processing necessary to provide, maintain and improve the Products and Professional Services provided to Customer pursuant to the Agreement; and/or Disclosures in accordance with this DPA and/or as compelled by applicable law.
Annex B
Security Measures
UPOLLO shall:
- Provide a level of security (including appropriate Security Measures relating to the categories or nature of Customer Data) appropriate to protect against the harm that might result from a data breach, which shall include but not be limited to:
- ensure role-based access is granted only to those individuals needing access for the provision of the Platform,
- ensure that suitable and effective authentication processes are established and used to protect Customer Data (e.g., multifactor authentication for privileged access or restricted information),
- back up Customer Data on a regular basis as required by the Customer and ensuring that any back up data is subject to appropriate Security Measures as necessary to protect the confidentiality, integrity and availability of Customer Data,
- encrypt, using industry standard encryption tools and key strengths, all records and files containing Customer Data that UPOLLO: (i) transmits or sends (including wirelessly) across public networks, (ii) stores on laptops or storage media, or (iii) stores on portable devices.
- safeguarding the security and confidentiality of all encryption keys associated with encrypted Customer Data.
- Establish, maintain and enforce a comprehensive information security program, that includes information security policies, hiring policies, privacy policies and data handling procedures consistent with industry standards and appropriate Security Measures or as mandated by Applicable Law, to protect the security, integrity and confidentiality of Customer Data against a data breach, which shall include but not be limited to:
- providing information security awareness and training programs covering its policies and practices to all employees, agents or other personnel that will have access to Personal Data,
- having a comprehensive, up to date and tested business continuity plan in place to protect the confidentiality, integrity and availability of Customer Data, and
- prohibiting employees, agents or other personnel from accessing or storing Customer Data remotely (e.g. from home or via their own electronic device or internet portal) other than through a secure electronic network and in accordance with an organisational remote working policy.
- Not use Customer Data on systems that are in development or are in testing where the security controls are less protective than the controls identified in this Addendum.
Annex C
Full Details of Data Processing Activity
End User Data
Category of Data | Details | On what Platform is it collected | When is it collected | Why is it collected | Retention |
---|---|---|---|---|---|
IP address | This includes ISP and other information derived from this IP Address | All | Any interaction between the end user and Upollo servers, including identify requests | To understand where the device likely is, where the request is coming from, to protect against abuse and fraud and to give additional context about the user for customers to use for growth, analytics or additional abuse protection | Until deletion is requested by customer |
Device fingerprint and device identifiers | This includes: unique device identifiers, software, hardware, configuration and performance characteristics | All | Identify or similar requests | To detect bots, to prevent account compromise, to gain more context on a user, to enable us to connect users and devices together and to prevent fraud and abuse. This data is also used for additional context for customers to use for growth, analytics or additional abuse protection | Until deletion is requested by customer |
Local network details | Details of the user's local network environment | All | Identify or similar requests | To detect bots, gain more context about the user and to prevent fraud and abuse. This data will also feed into models for helping provide additional context to our customers to use for growth, analytics or additional abuse protection | 180 days from device's last use or unless deletion is requested by customer |
Events and app activity | | All | Identify or similar requests | To prevent fraud and abuse, detection of bots and to connect multiple accounts together, provide more context to our customers to use for growth, analytics or additional abuse protection either directly or via models which generate context | Key events are kept until deletion is requested by the customer. Other events 90 days |
User interactions | Details of how a user interacts with an application such as clicks, keypresses or other interactions | All | Identify or similar requests | To detect bots, to prevent account compromise, to gain more context on a user, to enable us to connect users and devices together and to prevent fraud and abuse. This data is also used for additional context for customers to use for growth, analytics or additional abuse protection either directly or via a model | Until a deletion is requested by the customer |
UserID | A unique userid given to us by our clients | All | Identify or similar requests, Challenges, Verifications | To understand a user account and tie events and the rest of the data back to an identifier | Until a deletion is requested by the customer |
Name | The user's full or partial name | All | Identify or similar requests | To prevent fraud and abuse, detection of bots and to connect multiple accounts together. Metadata from this may be used as an input to models which provide more context to our customers to use for growth, analytics or additional abuse protection | Until a deletion is requested by the customer |
Physical address | | All | Identify or similar requests, Challenges, Verifications | To prevent fraud and abuse, detection of bots and to connect multiple accounts together. This may be used to provide more context to our customers to use for growth, analytics or additional abuse protection either directly or via input into a model | Until a deletion is requested by the customer |
User metadata | Includes: User type, role, organization size | All | Identify or similar requests | To provide more context to our customers to use for growth, analytics or additional abuse protection either directly or via input into a model. It would also be used to verify output of models | Until a deletion is requested by the customer |
Phone number | | All | Identify or similar requests, Phone number verification, SMS Challenges | To prevent fraud and abuse, detection of bots and to connect multiple accounts together. Metadata from this may be used as an input to models which provide more context to our customers to use for growth, analytics or additional abuse protection | Until a deletion is requested by the customer |
Email address | | All | Identify or similar requests, Email verification | To prevent fraud and abuse, detection of bots and to connect multiple accounts together. Metadata from this may be used as an input to models which provide more context to our customers to use for growth, analytics or additional abuse protection | Until a deletion is requested by the customer |
Payment metadata | Includes: Payment method, payment method country, hashed payment fingerprint, billing address | All | Identify or similar requests, Challenges, Verifications | To prevent fraud and abuse, detection of bots and to connect multiple accounts together. This may be used to provide more context to our customers to use for growth, analytics or additional abuse protection either directly or via input into a model | Until a deletion is requested by the customer |
Subscription details | This includes an identifier of the subscription as well as details of the subscription such as cost, start and end dates and type | All | Identify or similar requests | To prevent fraud and abuse, detection of bots and to connect accounts on the same subscription together, provide more context to our customers to use for growth, analytics or additional abuse protection either directly or via models which generate context | Until a deletion is requested by the customer |
Referral information | The details of the person being referred which includes phone number, email address and name and details of the referrer | All | Identify or similar requests | To prevent fraud and abuse, detection of bots and to connect together users who know each other to provide context to customer to use for growth, analytics or additional abuse protection | Until a deletion is requested by the customer |
WebAuthn Credentials | Includes device make and model (group of at most 10k devices) | Web | WebAuthn challenge | To prevent fraud and abuse, detection of bots and to connect multiple accounts together. Metadata from this may be used as an input to models which provide more context to our customers to use for growth, analytics or additional abuse protection | Until a deletion is requested by the customer |
Customer Data
Category of Data | Details | On what Platform is it collected | When is it collected | Why is it collected |
---|---|---|---|---|
Same as for end users AND | | | | |
Business name | | Web | Signup | To be able to bill correctly and to give context in the UI |
Whitelisted URLs | | Web | | For the service to work for those URLs |
Whitelisted package names | | Web | | For the service to work for those applications |
Webhook URLs | | Web | | For webhooks to work |
Business type | | Web | Signup | To understand our users better and offer relevant services |
Business size | | Web | Signup | To understand our users better and offer relevant services |
Logo | | Web | Signup | To give context in the UI |
Project name | | Web | Signup | To give context when there are multiple projects |
Tax number | | Web | Signup | To be able to bill correctly |