Data Processing Agreement

Table of Contents

  1. Introduction and Scope

  2. Definitions

  3. Roles and Responsibilities

  4. Details of Processing

  5. Customer Instructions

  6. Processor Obligations

  7. Sub-Processors

  8. Security Measures

  9. Data Subject Rights

  10. Data Breach Notification

  11. Data Protection Impact Assessments

  12. Audits and Inspections

  13. Deletion and Return of Data

  14. CCPA and US State Privacy Laws

  15. Australian Privacy Principles

  16. Liability and Indemnification

  17. Term and Termination

  18. General Provisions

ANNEXES:

Annex 1: EU Standard Contractual Clauses (2021/914)
Annex 2: Sub-Processors List
Annex 3: Technical and Organizational Security Measures (Provided upon request)


1. INTRODUCTION AND SCOPE
1.1 Purpose

This Data Processing Agreement ("DPA") forms part of and is an addendum to the Master Services Agreement, Terms of Use, or other written or electronic agreement between MoneyMind Profile Pty Ltd ("MoneyMind Profile," "Processor," "Service Provider," "we," "us," or "our") and the Customer ("Customer," "Controller," "Business," "you," or "your") for the provision of the MoneyMind Profile software platform and related services (the "Services") (the "Agreement").


1.2 Application
This DPA applies when and to the extent that MoneyMind Profile Processes Personal Data on behalf of Customer in the course of providing the Services. This DPA reflects the Parties' agreement with regard to the Processing of Personal Data in accordance with applicable Data Protection Laws and Regulations.


1.3 Incorporation
This DPA is incorporated into and forms an integral part of the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement regarding the Processing of Personal Data, this DPA shall prevail to the extent of such conflict or inconsistency.


1.4 Authorized Affiliates
This DPA shall also apply to any Authorized Affiliates of Customer who have executed an Order Form or are otherwise authorized to use the Services pursuant to the Agreement. Each such Authorized Affiliate shall be deemed a separate "Customer" for purposes of this DPA.


1.5 Pre-Signed Addendum
This DPA has been pre-signed on behalf of MoneyMind Profile. Customer may execute this DPA by:

(a) Signing and returning a Master Services Agreement; or
(b) Accepting this DPA electronically through the Platform during account setup; or
(c) Executing the Agreement, which incorporates this DPA by reference.

Upon execution or acceptance by Customer, this DPA becomes legally binding between the Parties.

2. DEFINITIONS
2.1 Defined Terms

The following terms have the meanings set forth below. Capitalized terms not otherwise defined in this DPA have the meanings given to them in the Agreement.

  • "Agreement" means the Master Services Agreement, Terms of Use, or other written or electronic agreement between MoneyMind Profile and Customer for the provision of Services.

  • "Authorized Affiliate" means any Affiliate of Customer which: (a) is subject to Data Protection Laws and Regulations; (b) is permitted to use the Services pursuant to the Agreement; and (c) has executed an Order Form or been authorized by Customer to access the Services.

  • "Business" has the meaning given in the CCPA and means Customer in its capacity as an entity that determines the purposes and means of the Processing of Personal Information.

  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Proposition 24), Cal. Civ. Code § 1798.100 et seq., and any implementing regulations.

  • "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, Customer is the Controller.

  • "Data Protection Laws and Regulations" means all applicable laws, regulations, and other legal requirements relating to privacy, data protection, and data security, including:

      (a) The EU General Data Protection Regulation 2016/679 ("GDPR");

      (b) The UK GDPR and the Data Protection Act 2018 (UK);

      (c) The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs");

      (d) The CCPA and other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA);

      (e) Any other applicable national, federal, state, provincial or other data protection laws, regulations, and guidance.

  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

  • "Data Subject Request" means a request by a Data Subject to exercise their rights under applicable Data Protection Laws and Regulations, including rights of access, rectification, erasure, restriction, portability, objection, or rights related to automated decision-making.

  • "EEA" means the European Economic Area.

  • "End Client" means a natural person who receives financial advice or wealth management services from Customer (or Customer's Authorized Users) and whose Personal Data is Processed through the Services.

  • "EU Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.

  • "Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws and Regulations, that is Processed by MoneyMind Profile on behalf of Customer in the course of providing the Services. For clarity, Personal Data includes but is not limited to: End Client Personal Data (information about individuals receiving financial advice) and Authorized User Personal Data (information about Customer's employees, contractors, and authorized representatives).

  • "Processing" or "Process" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • "Processor" or "Service Provider" means an entity which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, MoneyMind Profile is the Processor.

  • "Security Incident" means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by MoneyMind Profile in connection with the provision of the Services. Security Incidents exclude unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

  • "Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation. Under some Data Protection Laws (e.g., CCPA), Sensitive Personal Information also includes Social Security numbers, financial account information, precise geolocation, and content of communications.

  • "Sub-Processor" means any Processor engaged by MoneyMind Profile to Process Personal Data on behalf of Customer in connection with the Services.

  • "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.


2.2 Interpretation
Unless the context otherwise requires:

(a) Defined terms in the singular include the plural and vice versa;
(b) References to sections, annexes, and schedules are to sections of and annexes and schedules to this DPA;
(c) "Including" and similar terms mean "including without limitation";
(d) Headings are for convenience only and do not affect interpretation.


3. ROLES AND RESPONSIBILITIES
3.1 Controller-Processor Relationship

The Parties acknowledge and agree that with regard to the Processing of Personal Data in connection with the Services:

(a) Customer is the Controller (or Business under CCPA) which determines the purposes and means of Processing Personal Data;
(b) MoneyMind Profile is the Processor (or Service Provider under CCPA) which Processes Personal Data on behalf of and upon the instructions of Customer;
(c) This DPA establishes the respective obligations of the Controller and the Processor.

3.2 Customer as Controller
Customer, as Controller, shall:
(a) Instruction: Customer acknowledges that the Agreement (including the Master Services Agreement, Terms of Use, Order Forms and this DPA) constitutes Customer's complete and final documented instructions to MoneyMind Profile concerning the Processing of Personal Data. Additional instructions outside the scope of these documents (if any) require prior written agreement between the Parties, including agreement on any additional services or fees payable by Customer to MoneyMind Profile.
(b) Lawfulness of Processing: Ensure that Customer's instructions comply with all applicable Data Protection Laws and Regulations and that the Processing of Personal Data pursuant to such instructions will not cause MoneyMind Profile to violate any applicable laws or regulations.
(c) Legal Bases: Obtain and maintain all necessary consents, authorizations, and legal bases for the collection and Processing of Personal Data, including providing required privacy notices and disclosures.
(d) Data Accuracy: Ensure the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
(e) Rights and Complaints: Remain solely responsible for responding to Data Subject Requests and handling complaints from Data Subjects or supervisory authorities concerning the Processing of Personal Data, except to the extent MoneyMind Profile is required to assist under Section 9.
(f) Security: Implement and maintain appropriate technical and organizational measures to secure Personal Data in Customer's possession and control, including access controls to the Services and management of Authorized User accounts and credentials.
(g) No Sensitive Data (Unless Authorized): Not Process Sensitive Personal Data through the Services unless Customer has accepted appropriate consents under applicable Data Protection Laws and Regulations.

 

3.3 MoneyMind Profile as Processor
MoneyMind Profile, as Processor, shall:
(a) Process Personal Data only in accordance with Customer's documented instructions as set forth in this DPA and the Agreement, unless required to do so by applicable law (in which case MoneyMind Profile shall inform Customer of that legal requirement before Processing, unless prohibited by law);
(b) Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Implement and maintain appropriate technical and organizational measures to protect Personal Data as described in Section 8 and Annex 4;
(d) Respect the conditions for engaging Sub-Processors as described in Section 7;
(e) Assist Customer in responding to Data Subject Requests as described in Section 9;
(f) Assist Customer in ensuring compliance with obligations concerning security of Processing, breach notifications, data protection impact assessments, and prior consultations with supervisory authorities, as described in Sections 10, 11, and 8;
(g) At Customer's election, delete or return all Personal Data to Customer after the end of the provision of Services, as described in Section 14;
(h) Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections as described in Section 12;
(i) Immediately inform Customer if, in MoneyMind Profile's opinion, an instruction from Customer infringes applicable Data Protection Laws and Regulations.

 

4. DETAILS OF PROCESSING
4.1 Subject Matter and Duration

Subject Matter: Provision of the MoneyMind Profile software-as-a-service platform and related services to enable Customer to conduct financial advisory services, including client behavior profiling, risk tolerance assessment, and client relationship management.
Duration: Processing will continue for the Term of the Agreement plus any period reasonably necessary to delete or return Personal Data in accordance with Section 14.

 

4.2 Nature and Purpose of Processing
Nature: MoneyMind Profile will Process Personal Data by hosting, storing, managing, and enabling Customer and Authorized Users to access, input, modify, analyze, import, and export Personal Data through the Services.
Purpose: To enable Customer to:

  • Conduct behavior profiling and risk tolerance assessments of End Clients

  • Manage client relationships through CRM functionality

  • Comply with regulatory and professional record-keeping obligations

  • Perform such other processing activities as specified in Order Forms or otherwise agreed in writing

 

4.3 Types of Personal Data
MoneyMind Profile may Process the following types of Personal Data on behalf of Customer:
End Client Personal Data:

  • Identity information (names, dates of birth, contact details)

  • Financial information (income, assets, liabilities, net worth, investment portfolio asset allocation)

  • Behavioral data (risk tolerance responses, financial goals, investment preferences)

  • Professional and demographic information (employment, occupation, family status, life stage)

  • Advisor and Client Reports (behavioral and risk profile analysis)

  • Communication records (emails, notes, meeting summaries)

Authorized User Personal Data:

  • Identity information (names, contact details)

  • Professional information (job title, credentials, licenses)

  • Account and authentication information (usernames, login activity)

  • Usage data (features accessed, documents created, activity logs)

Sensitive Personal Data (if authorized by Customer):

  • Information revealing racial or ethnic origin, religious beliefs, or other special categories (only if provided by Customer)

4.4 Categories of Data Subjects

  • End Clients (individuals receiving financial advice from Customer)

  • Authorized Users (Customer's employees, contractors, and authorized representatives)

  • Prospective clients (individuals in Customer's CRM)

 

4.5 Additional Processing Details
Additional details of Processing, including specific data fields, retention periods, and processing activities, may be specified in:

  • Order Forms

  • Data processing specifications provided by Customer

  • The Agreement and associated documentation


5. CUSTOMER INSTRUCTIONS
5.1 Scope of Instructions

Customer instructs MoneyMind Profile to Process Personal Data:

(a) To provide the Services in accordance with the Agreement, including:

  • Hosting and storing Personal Data

  • Enabling Customer and Authorized Users to access, input, modify, analyze, and export Personal Data

  • Generating outputs, reports, and analytics

  • Providing support services

  • Performing backups and disaster recovery

  • Maintaining security and integrity of the Services

 

(b) As necessary to comply with applicable laws and regulations (e.g., responding to lawful requests from authorities, complying with court orders);
(c) To create Aggregated Data in accordance with the Data Aggregation and De-Identification Policy and the terms set forth in Section 9 of the Agreement;
(d) As otherwise documented in writing by Customer through Order Forms, support tickets, or other written communications.

 

5.2 Compliance with Instructions
MoneyMind Profile shall Process Personal Data only in accordance with Customer's documented instructions as set forth in Section 5.1, unless:

(a) Processing is required by EU or Member State law, UK law, Australian law, US federal or state law, or other applicable law to which MoneyMind Profile is subject, in which case MoneyMind Profile shall inform Customer of that legal requirement before Processing (unless prohibited by law from doing so);
(b) Processing is necessary to provide the Services requested by Customer (e.g., routine system maintenance, backup processes).

5.3 Objection to Instructions
If MoneyMind Profile becomes aware that Customer's instructions infringe applicable Data Protection Laws and Regulations, MoneyMind Profile shall:

(a) Immediately inform Customer in writing of the suspected infringement;
(b) Suspend Processing of Personal Data in accordance with the suspected unlawful instruction until Customer confirms in writing that the instruction has been modified or withdrawn, or provides legal justification for the instruction.

MoneyMind Profile shall not be liable for any failure to comply with instructions that MoneyMind Profile reasonably believes to be unlawful.


5.4 Additional Instructions
Customer may issue additional written instructions regarding the Processing of Personal Data, provided that:

(a) Such instructions are consistent with the terms of this DPA and the Agreement;
(b) MoneyMind Profile has agreed in writing to the additional instructions;
(c) Customer pays any additional fees agreed upon for Processing pursuant to such instructions.


6. PROCESSOR OBLIGATIONS
6.1 Confidentiality

MoneyMind Profile shall ensure that any person authorized to Process Personal Data:

(a) Is subject to a contractual or statutory obligation of confidentiality;
(b) Has received appropriate training on data protection and privacy obligations;
(c) Processes Personal Data only as necessary to perform their duties in connection with providing the Services.

6.2 Security Measures
MoneyMind Profile shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, as further described in Section 8 and Annex 4.


6.3 Sub-Processing
MoneyMind Profile shall engage Sub-Processors only in accordance with Section 7 of this DPA.


6.4 Assistance with Data Subject Rights
MoneyMind Profile shall provide reasonable assistance to Customer in fulfilling Customer's obligation to respond to Data Subject Requests, as described in Section 9.


6.5 Assistance with Security and Compliance
MoneyMind Profile shall assist Customer:

(a) In ensuring compliance with security obligations under Data Protection Laws and Regulations, as described in Section 8;
(b) With data breach notifications, as described in Section 10;
(c) With data protection impact assessments and prior consultations with supervisory authorities, as described in Section 11.

6.6 Deletion or Return of Personal Data
At the end of the provision of Services, MoneyMind Profile shall delete or return Personal Data in accordance with Section 14.


6.7 Audit and Information Provision
MoneyMind Profile shall:

(a) Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA;
(b) Allow for and contribute to audits and inspections as described in Section 12.

6.8 Record of Processing Activities
MoneyMind Profile shall maintain written records of all categories of Processing activities carried out on behalf of Customer, in accordance with Article 30(2) of the GDPR and equivalent provisions in other Data Protection Laws and Regulations.


6.9 Data Protection Officer
MoneyMind Profile has designated a Data Protection Officer ("DPO") who may be contacted at dpo@moneymindprofile.com for matters related to the Processing of Personal Data under this DPA.

7. SUB-PROCESSORS
7.1 Authorization to Use Sub-Processors

Customer provides general authorization for MoneyMind Profile to engage Sub-Processors to Process Personal Data on Customer's behalf, subject to the conditions in this Section 7.


7.2 Current Sub-Processors
A current list of Sub-Processors engaged by MoneyMind Profile is published and maintained at:
www.moneymindprofile.com/subprocessors
The list includes:

(a) The name of each Sub-Processor;
(b) The location of the Sub-Processor;
(c) A description of the Processing activities performed by the Sub-Processor;
(d) The date the Sub-Processor was authorized.

As of the Effective Date of this DPA, MoneyMind Profile's Sub-Processors include:

  • Amazon Web Services, Inc.

  • GitHub

  • Superbase

  • Vercel

7.3 New Sub-Processors
(a) Notification: MoneyMind Profile shall provide Customer with at least thirty (30) days' prior written notice before authorizing any new Sub-Processor or replacing an existing Sub-Processor. Notice will be provided by:

(i) Email to Customer's primary contact; and
(ii) Update to the Sub-Processor list at www.moneymindprofile.com/subprocessors

(b) Objection: Customer may object to the engagement of a new Sub-Processor or the replacement of an existing Sub-Processor on reasonable grounds relating to the protection of Personal Data by providing written notice to MoneyMind Profile within fourteen (14) days of receiving notice from MoneyMind Profile.
(c) Resolution: If Customer objects to a new Sub-Processor:

(i) MoneyMind Profile will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor;
(ii) If MoneyMind Profile is unable to make available such change within a reasonable period (not to exceed ninety (90) days), Customer may terminate the affected Services by providing written notice to MoneyMind Profile, and MoneyMind Profile will refund any prepaid Fees for the terminated Services covering the period after the effective date of termination.

7.4 Sub-Processor Obligations
MoneyMind Profile shall:

(a) Enter into an agreement with each Sub-Processor imposing data protection obligations no less protective than those imposed on MoneyMind Profile under this DPA, including:

(i) Processing only on documented instructions;
(ii) Confidentiality obligations;
(iii) Appropriate security measures;
(iv) Assistance with Data Subject Requests and security obligations;
(v) Deletion or return of Personal Data;
(vi) Audit rights;


(b) Remain fully liable to Customer for the performance of each Sub-Processor's obligations, as if MoneyMind Profile were performing such obligations directly.

7.5 Sub-Processor Access to Contracts
Upon Customer's request, MoneyMind Profile shall provide Customer with a copy of the Sub-Processor agreement (redacted to remove confidential commercial information not relevant to data protection obligations) or a summary thereof.

8. SECURITY MEASURES
8.1 Security Obligations

MoneyMind Profile shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents and to ensure a level of security appropriate to the risk of Processing, taking into account:

(a) The state of the art;
(b) The costs of implementation;
(c) The nature, scope, context, and purposes of Processing;
(d) The risks to the rights and freedoms of Data Subjects.

8.2 Technical and Organizational Measures
MoneyMind Profile's security measures include (but are not limited to) those described in Annex 4 and the following:
(a) Encryption:

  • Data in transit encrypted using TLS 1.2 or higher

  • Data at rest encrypted using AES-256 or equivalent

  • Database encryption and encrypted backups

(b) Access Controls:

  • Multi-factor authentication (MFA) for all administrative access

  • Role-based access control (RBAC) limiting access based on job function

  • Principle of least privilege

  • Regular access reviews and revocations

(c) Network Security:

  • Firewalls and intrusion detection/prevention systems

  • Network segmentation and isolation

  • DDoS protection and mitigation

  • Regular vulnerability scanning and penetration testing

(d) Application Security:

  • Secure software development lifecycle (SDLC)

  • Code reviews and security testing

  • Input validation and output encoding

  • Protection against OWASP Top 10 vulnerabilities

(e) Personnel Security:

  • Background checks for employees with access to Personal Data

  • Confidentiality agreements for all personnel

  • Regular security awareness training

  • Separation of duties

(f) Physical Security:

  • Secure data centers with access controls (via third-party hosting providers)

  • 24/7 monitoring and surveillance

  • Environmental controls (power, cooling, fire suppression)

(g) Monitoring and Incident Response:

  • Security information and event management (SIEM)

  • 24/7 security monitoring

  • Incident response plan and procedures

  • Regular security drills and tabletop exercises

8.3 Security Certifications and Audits
MoneyMind Profile maintains or is working toward the following certifications:

  • SOC 2 Type II (in progress)

  • ISO/IEC 27001:2013 (planned)

Upon Customer's reasonable request (not more than annually), MoneyMind Profile will provide:

  • Summary of security measures and controls

  • Copies of current security certifications

  • Summary of penetration test results (redacted for security)

8.4 Updates to Security Measures
MoneyMind Profile may update or modify its security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.

8.5 Customer Security Responsibilities
Customer is responsible for:

  • Implementing strong password policies and enforcing MFA

  • Managing Authorized User accounts and access permissions

  • Promptly revoking access for terminated users

  • Reporting suspected security incidents to support@moneymindprofile.com

  • Maintaining security of Customer's own systems and networks

  • Regularly backing up and exporting Personal Data


9. DATA SUBJECT RIGHTS
9.1 Assistance Obligation

Taking into account the nature of the Processing, MoneyMind Profile shall provide reasonable assistance to Customer to enable Customer to respond to Data Subject Requests, including requests for:

(a) Access to Personal Data
(b) Rectification of inaccurate Personal Data
(c) Erasure of Personal Data ("right to be forgotten")
(d) Restriction of Processing
(e) Data portability
(f) Objection to Processing
(g) Rights related to automated decision-making and profiling

 

9.2 Data Subject Request Procedures
(a) Direct Requests to MoneyMind Profile: If MoneyMind Profile receives a Data Subject Request directly from a Data Subject, MoneyMind Profile shall:

(i) Promptly forward the request to Customer (within 2 Business Days);
(ii) Not respond to the Data Subject directly without Customer's prior written authorization;
(iii) Advise the Data Subject (if appropriate) to submit their request to Customer.

(b) Customer Requests for Assistance: If Customer requests MoneyMind Profile's assistance in responding to a Data Subject Request, MoneyMind Profile shall:

(i) Provide the requested assistance within ten (10) Business Days or such shorter period as required by applicable law;
(ii) Provide access to relevant Personal Data through the Platform's export functionality or other means;
(iii) Implement corrections, deletions, or restrictions as instructed by Customer;
(iv) Provide technical information about Processing activities as reasonably necessary.

(c) Fees: MoneyMind Profile's assistance under this Section 9 is included in the Fees for the Services, except that MoneyMind Profile may charge reasonable fees for assistance with Data Subject Requests that:

(i) Are manifestly unfounded or excessive;
(ii) Require significant custom development or engineering effort.

9.3 Limitations
MoneyMind Profile is not required to assist with Data Subject Requests to the extent that:

(a) Customer has the ability to address the request through use of the Platform's functionality;
(b) The request relates to Personal Data for which Customer (not MoneyMind Profile) is responsible (e.g., data in Customer's own systems);
(c) Complying with the request would violate applicable law or legal obligations to which MoneyMind Profile is subject.

9.4 Automated Decision-Making
Customer acknowledges that the Services provide tools and analytics to assist Customer in making decisions, but the Services do not make automated decisions that produce legal effects or similarly significantly affect Data Subjects. Customer remains responsible for all decisions made regarding End Clients, including ensuring compliance with restrictions on automated decision-making under applicable Data Protection Laws and Regulations.

10. DATA BREACH NOTIFICATION
10.1 Notification to Customer

MoneyMind Profile shall notify Customer without undue delay after becoming aware of a Security Incident. Such notification shall be provided:

(a) Within seventy-two (72) hours of MoneyMind Profile becoming aware of the Security Incident for UK/EU/EEA customers (to enable Customer to meet GDPR notification requirements);
(b) Within seventy-two (72) hours for Australian customers (to enable Customer to meet Privacy Act notification requirements);
(c) Within the timeframes required by applicable US state law (24-72 hours) for US customers.

10.2 Notification Content
The notification shall include, to the extent available:

(a) Description of the nature of the Security Incident, including categories and approximate number of affected Data Subjects and Personal Data records;
(b) Name and contact details of MoneyMind Profile's data protection officer or other contact point for further information;
(c) Description of the likely consequences of the Security Incident;
(d) Description of measures taken or proposed to address the Security Incident and mitigate its possible adverse effects;
(e) Timeline of events and discovery of the incident.

10.3 Notification Method
Notification will be delivered to Customer via:

  • Email to primary contact email address on file; and

  • In-Platform alert (if accessible); and

  • Phone call to primary contact (for critical incidents)

10.4 Investigation and Remediation
MoneyMind Profile shall:

(a) Promptly investigate the Security Incident;
(b) Take reasonable steps to contain and remediate the Security Incident;
(c) Cooperate with Customer in investigating the Security Incident;
(d) Provide timely updates to Customer on the status of investigation and remediation (at least weekly for ongoing incidents);
(e) Implement measures to prevent similar Security Incidents in the future.

 

10.5 Customer Obligations
Customer acknowledges that:

(a) Customer is responsible for determining whether the Security Incident requires notification to Data Subjects, supervisory authorities, or other parties under applicable Data Protection Laws and Regulations;
(b) MoneyMind Profile's notification to Customer does not constitute an acknowledgment of fault or liability;
(c) MoneyMind Profile will not notify Data Subjects, supervisory authorities, or third parties on Customer's behalf without Customer's prior written consent (except where required by law).

 

10.6 Cooperation
MoneyMind Profile shall reasonably cooperate with Customer in Customer's handling of the Security Incident, including:

(a) Providing information and assistance for Customer's breach notifications;
(b) Assisting with Customer's communications to supervisory authorities;
(c) Responding to reasonable inquiries from Customer about the incident;
(d) Implementing reasonable remediation measures requested by Customer.

 

10.7 Exclusions
The notification obligations in this Section 10 do not apply to incidents that:

(a) Do not result in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data;
(b) Are caused solely by Customer or Authorized Users (e.g., accidental deletion by user, sharing of credentials);
(c) Consist of unsuccessful attempts that do not compromise Personal Data (e.g., failed login attempts, blocked port scans).


11. DATA PROTECTION IMPACT ASSESSMENTS
11.1 Assistance with DPIAs

MoneyMind Profile shall provide reasonable assistance to Customer if Customer is required to conduct a Data Protection Impact Assessment ("DPIA") under Article 35 of the GDPR or equivalent provisions in other Data Protection Laws and Regulations.


11.2 Information Provision
Upon Customer's reasonable request, MoneyMind Profile shall provide:

(a) Description of the Processing operations carried out by MoneyMind Profile;
(b) Information about the security measures implemented (see Annex 4);
(c) Information about Sub-Processors;
(d) Information about data retention and deletion practices;
(e) Other information reasonably necessary for Customer to complete the DPIA.


11.3 Prior Consultation
If Customer is required to consult with a supervisory authority following a DPIA, MoneyMind Profile shall provide reasonable assistance and cooperation to Customer in such consultation, including providing additional information or clarification as requested by the supervisory authority through Customer.


11.4 Limitation
MoneyMind Profile's assistance under this Section 11 does not include:

(a) Conducting the DPIA on Customer's behalf (this is Customer's responsibility as Controller);
(b) Making decisions about whether a DPIA is required;
(c) Legal or compliance advice regarding the DPIA.


12. AUDITS AND INSPECTIONS
12.1 Customer's Audit Rights

Customer (or Customer's independent third-party auditor) may, upon reasonable advance written notice to MoneyMind Profile and subject to the conditions in this Section 12, audit MoneyMind Profile's compliance with its obligations under this DPA.

 

12.2 Audit Frequency and Scope
(a) Frequency: Customer may conduct audits no more than once per twelve (12) month period, except:

(i) If required by a supervisory authority or regulatory body;
(ii) In response to a Security Incident;
(iii) If Customer has reasonable grounds to believe MoneyMind Profile is not complying with this DPA.

(b) Scope: Audits shall be limited to verification of MoneyMind Profile's compliance with this DPA and shall not unnecessarily interfere with MoneyMind Profile's business operations.
(c) Notice: Customer shall provide at least thirty (30) days' advance written notice of any audit, specifying:

(i) The proposed scope and duration of the audit;
(ii) The proposed audit date(s);
(iii) The identity of any third-party auditors.


12.3 Third-Party Auditors
If Customer engages a third-party auditor:

(a) The auditor must be independent, reputable, and bound by confidentiality obligations no less protective than those in the Agreement;
(b) The auditor must be approved by MoneyMind Profile (such approval not to be unreasonably withheld);
(c) The auditor may not be a competitor of MoneyMind Profile.


12.4 Audit Procedures
Audits shall be conducted:

(a) During normal business hours (9:00 AM - 5:00 PM local time, Monday-Friday, excluding public holidays);
(b) At MoneyMind Profile's facilities or remotely via secure connection, at MoneyMind Profile's discretion;
(c) In a manner that does not unreasonably disrupt MoneyMind Profile's operations or those of other customers;
(d) Subject to MoneyMind Profile's reasonable security policies and procedures.


12.5 Alternative to Audit
In lieu of an on-site audit, MoneyMind Profile may offer to provide Customer with:

(a) Copies of relevant security certifications (SOC 2 Type II, ISO 27001) obtained by MoneyMind Profile within the preceding twelve (12) months;
(b) Summary reports of internal or third-party audits conducted by MoneyMind Profile;
(c) Completed third-party audit questionnaires (e.g., SIG, CAIQ);
(d) Other information or documentation sufficient to verify compliance with this DPA.

If Customer accepts such alternative verification, no on-site audit is required.


12.6 Audit Reports
(a) Draft Report: Customer (or the third-party auditor) shall provide MoneyMind Profile with a draft audit report and allow MoneyMind Profile at least ten (10) Business Days to comment on the accuracy of factual findings before finalizing the report.
(b) Confidentiality: Audit reports are Confidential Information of MoneyMind Profile and may not be disclosed to third parties except as required by law or regulatory authorities.
(c) Remediation: If an audit identifies non-compliance, MoneyMind Profile shall:

(i) Acknowledge the findings within ten (10) Business Days;
(ii) Prepare a remediation plan within thirty (30) days;
(iii) Implement corrective measures within a reasonable timeframe agreed with Customer.


12.7 Costs
(a) Each Party shall bear its own costs related to audits.


13. DELETION AND RETURN OF DATA
13.1 Deletion or Return
Upon termination or expiration of the Agreement, or upon Customer's written request, MoneyMind Profile shall, at Customer's election:

(a) Delete all Personal Data in accordance with Section 13.2; or
(b) Return all Personal Data to Customer in a commercially reasonable format in accordance with Section 13.3.

13.2 Deletion
(a) Timing: MoneyMind Profile shall delete Personal Data:

(i) Within thirty (30) days after termination or expiration of the Agreement; or
(ii) Promptly upon Customer's written request during the Agreement, to the extent feasible while continuing to provide the Services.

(b) Method: Deletion shall be carried out using secure deletion methods that render Personal Data unrecoverable, including:

(i) Overwriting or cryptographic erasure of primary storage;
(ii) Deletion from backups in accordance with MoneyMind Profile's standard backup retention schedule (backups are retained for up to ninety (90) days, after which they are securely deleted).

(c) Certification: Upon Customer's request, MoneyMind Profile shall provide written certification that Personal Data has been deleted in accordance with this Section 13.2.


13.3 Return
(a) Format: If Customer elects return of Personal Data, MoneyMind Profile shall return the data in a structured, commonly used, machine-readable format (e.g., CSV, JSON, XML) or via the Platform's standard export functionality.
(b) Method: Personal Data shall be returned via:

(i) Secure electronic transfer (encrypted file transfer);
(ii) Export functionality within the Platform (if still accessible);
(iii) Other secure method agreed upon by the Parties.

(c) Timing: Return shall be completed within thirty (30) days after Customer's request.
(d) Subsequent Deletion: After returning Personal Data to Customer, MoneyMind Profile shall delete all copies of Personal Data in accordance with Section 14.2(b).


13.4 Exceptions
MoneyMind Profile may retain Personal Data to the extent required by applicable law, provided that:

(a) MoneyMind Profile shall inform Customer of any legal requirement to retain Personal Data;
(b) Retained Personal Data shall be subject to confidentiality obligations and shall not be Processed for any purpose other than compliance with the legal requirement;
(c) MoneyMind Profile shall delete the retained Personal Data as soon as the legal requirement expires.


13.5 Aggregated Data
The deletion and return obligations in this Section 13 do not apply to Aggregated Data (as defined in the Agreement and Data Aggregation and De-Identification Policy) that has been properly de-identified and anonymized such that it no longer constitutes Personal Data under applicable Data Protection Laws and Regulations.


14. CCPA AND US STATE PRIVACY LAWS
14.1 Application

This Section 14 applies to the extent that MoneyMind Profile Processes Personal Information (as defined in the CCPA) on behalf of Customer, and Customer is subject to the CCPA or other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.).


14.2 Service Provider Status
The Parties acknowledge and agree that:

(a) Customer is a Business (as defined in the CCPA) that determines the purposes and means of Processing Personal Information;
(b) MoneyMind Profile is a Service Provider (as defined in the CCPA) that Processes Personal Information on behalf of Customer;
(c) Personal Information is disclosed by Customer to MoneyMind Profile solely for the Business Purpose of providing the Services as described in the Agreement.


14.3 Service Provider Obligations
MoneyMind Profile certifies that it understands the restrictions in CCPA Section 1798.140(v) and agrees that it shall:
(a) No Sale or Sharing: Not sell or share (as those terms are defined in the CCPA) Personal Information that MoneyMind Profile receives from Customer or collects on Customer's behalf.
(b) Limited Use: Not retain, use, or disclose Personal Information:

(i) For any purpose other than for the specific Business Purpose of performing the Services specified in the Agreement; or
(ii) For any purpose other than as permitted by the CCPA for Service Providers; or
(iii) Outside of the direct business relationship between MoneyMind Profile and Customer.

(c) No Combination: Not combine Personal Information received from Customer or on behalf of Customer with Personal Information that MoneyMind Profile receives from or on behalf of another person or persons, or collects from its own interaction with consumers, except as permitted by the CCPA.
(d) Compliance Certification: MoneyMind Profile certifies that it understands and will comply with the requirements of CCPA Section 1798.140(v).


14.4 Consumer Rights Assistance
MoneyMind Profile shall provide reasonable assistance to Customer in responding to verified consumer requests under the CCPA, including requests to:

(a) Know what Personal Information is being collected, used, disclosed, or sold;
(b) Delete Personal Information;
(c) Correct inaccurate Personal Information;
(d) Opt-out of sale or sharing of Personal Information (not applicable as MoneyMind Profile does not sell or share);
(e) Limit use of Sensitive Personal Information (to the extent applicable).


14.5 Sensitive Personal Information
To the extent MoneyMind Profile Processes Sensitive Personal Information (as defined under CCPA and other US state laws), MoneyMind Profile shall use and disclose such Sensitive Personal Information only:

(a) To perform the Services;
(b) As necessary for security and integrity purposes;
(c) For short-term, transient use;
(d) As permitted under CCPA Section 1798.121(a) and equivalent provisions in other US state laws.


14.6 Other US State Privacy Laws
The obligations in this Section 14 apply mutatis mutandis to Customer's and MoneyMind Profile's respective obligations under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and other substantially similar US state privacy laws.


15. AUSTRALIAN PRIVACY PRINCIPLES
15.1 Application

This Section 15 applies to the extent that MoneyMind Profile Processes Personal Information (as defined under the Australian Privacy Act 1988) on behalf of Customer, and Customer is subject to the Privacy Act and Australian Privacy Principles (APPs).

 

15.2 Compliance with APPs
MoneyMind Profile agrees to comply with the APPs to the extent applicable to MoneyMind Profile as a Processor, including:
(a) APP 1 (Open and Transparent Management): Maintaining this DPA and making information about privacy practices available.
(b) APP 8 (Cross-border Disclosure): When Personal Information is disclosed to overseas recipients (e.g., AWS in United States), MoneyMind Profile shall take reasonable steps to ensure the overseas recipient does not breach the APPs.
(c) APP 11 (Security): Taking reasonable steps to protect Personal Information from misuse, interference, loss, unauthorized access, modification, or disclosure (see Section 8).


15.3 Notifiable Data Breaches
In the event of an Eligible Data Breach (as defined under Part IIIC of the Privacy Act 1988), MoneyMind Profile shall:

(a) Notify Customer as soon as practicable and in any event within seventy-two (72) hours of becoming aware of the breach;
(b) Provide Customer with sufficient information to enable Customer to assess whether the breach is an Eligible Data Breach requiring notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals;
(c) Cooperate with Customer in Customer's assessment and notification obligations.


15.4 OAIC Complaints
If a complaint is made to the OAIC regarding MoneyMind Profile's handling of Personal Information, MoneyMind Profile shall:

(a) Notify Customer promptly;
(b) Cooperate with Customer and the OAIC in investigating the complaint;
(c) Provide information and assistance as reasonably requested.

 

15.5 Australian Data Hosting
Upon Customer's request, MoneyMind Profile may offer the option to host Customer's Personal Data exclusively in Australian data centers (AWS ap-southeast-2 region), subject to:

(a) Availability of the feature;
(b) Additional fees as specified in an Order Form;
(c) Execution of an addendum specifying data residency requirements.


16. LIABILITY AND INDEMNIFICATION
16.1 Liability

(a) General: Each Party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.
(b) Excluded Liabilities: Notwithstanding the limitation of liability in the Agreement, neither Party limits or excludes its liability for:

(i) Gross negligence or willful misconduct in the Processing of Personal Data;
(ii) Breach of confidentiality obligations regarding Personal Data;
(iii) Fraud or fraudulent misrepresentation;
(iv) Liabilities that cannot be limited or excluded under applicable Data Protection Laws and Regulations.

(c) GDPR Article 82: For the purposes of GDPR Article 82 (Right to compensation and liability):

(i) MoneyMind Profile shall be liable to Customer for damage caused by Processing of Personal Data where MoneyMind Profile has not complied with obligations under the GDPR specifically directed at Processors, or where MoneyMind Profile has acted outside or contrary to lawful instructions of Customer;
(ii) MoneyMind Profile shall not be liable if it proves that it is not in any way responsible for the event giving rise to the damage.


16.2 Indemnification by Customer
Customer shall indemnify, defend, and hold harmless MoneyMind Profile from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:

(a) Customer's violation of applicable Data Protection Laws and Regulations in connection with Customer's use of the Services or Customer's instructions to MoneyMind Profile;
(b) Customer's failure to obtain necessary consents or provide required notices to Data Subjects;
(c) Customer's Processing of Personal Data in violation of this DPA or applicable law;
(d) Inaccurate, unlawful, or fraudulent information provided by Customer or Authorized Users.


16.3 Indemnification by MoneyMind Profile
MoneyMind Profile shall indemnify, defend, and hold harmless Customer from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:

(a) MoneyMind Profile's material breach of its obligations under this DPA;
(b) MoneyMind Profile's gross negligence or willful misconduct in the Processing of Personal Data;
(c) MoneyMind Profile's violation of applicable Data Protection Laws and Regulations in the performance of its obligations as Processor (excluding violations caused by Customer's instructions).


16.4 Allocation of Responsibility
(a) Controller Responsibilities: Customer (as Controller) is solely responsible for:

(i) Determining the lawfulness of Processing;
(ii) Obtaining consents and providing notices to Data Subjects;
(iii) Determining retention periods;
(iv) Responding to Data Subject Requests (except to the extent MoneyMind Profile must assist);
(v) Notifying supervisory authorities and Data Subjects of data breaches (except to the extent MoneyMind Profile must assist);
(vi) Conducting Data Protection Impact Assessments (except to the extent MoneyMind Profile must assist);
(vii) Ensuring accuracy and lawfulness of Personal Data provided to MoneyMind Profile.

(b) Processor Responsibilities: MoneyMind Profile (as Processor) is solely responsible for:

(i) Processing Personal Data only on instructions;
(ii) Implementing appropriate security measures;
(iii) Engaging Sub-Processors in accordance with this DPA;
(iv) Assisting Customer with Data Subject Requests, security obligations, and DPIAs;
(v) Notifying Customer of Security Incidents;
(vi) Deleting or returning Personal Data.


17. TERM AND TERMINATION
17.1 Term

This DPA shall become effective on the Effective Date and shall remain in effect for so long as MoneyMind Profile Processes Personal Data on behalf of Customer, including during the term of the Agreement and for such additional period as is necessary for MoneyMind Profile to delete or return Personal Data in accordance with Section 13.


17.2 Termination
This DPA shall automatically terminate upon the earlier of:

(a) Termination or expiration of the Agreement; or
(b) Completion of MoneyMind Profile's deletion or return of all Personal Data in accordance with Section 13.


17.3 Survival
The following provisions shall survive termination of this DPA:

Section 8 (Security Measures) - with respect to any Personal Data retained pursuant to Section 13.4
Section 10 (Data Breach Notification) - with respect to any Security Incidents occurring before termination
Section 13 (Deletion and Return of Data)
Section 16 (Liability and Indemnification)
Section 18 (General Provisions)


18. GENERAL PROVISIONS
18.1 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement for Customer's jurisdiction:

(a) New South Wales, Australia (for Australian customers);
(b) England and Wales (for UK customers);
(c) State of New York, United States (for US customers).

Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Agreement.

 

18.2 Order of Precedence

In the event of any conflict or inconsistency between the documents forming the relationship between the Parties, the following order of precedence applies (highest to lowest):

  • This Data Processing Agreement (for data protection matters only)

  • EU Standard Contractual Clauses (Annex 1)

  • The Master Services Agreement or other Agreement

  • Order Forms and Statements of Work

For the avoidance of doubt, in the event of any conflict between the main body of this DPA and the Annexes, the Annexes shall prevail with respect to the specific matters they govern (e.g., SCCs prevail for EU transfers).


18.3 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior agreements, understandings, and representations (whether written or oral) relating to such Processing.


18.4 Amendments
This DPA may only be amended or modified:

(a) By mutual written agreement of the Parties; or
(b) By MoneyMind Profile where required to comply with changes in Data Protection Laws and Regulations, provided that:

(i) MoneyMind Profile provides Customer with at least ninety (90) days' advance written notice of the amendment;
(ii) The amendment does not materially reduce Customer's rights or increase Customer's obligations;
(iii) If Customer objects to the amendment on reasonable data protection grounds, Customer may terminate the Agreement in accordance with Section 8.7 of the Agreement.


18.5 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired. The Parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the same or similar objective.

 

18.6 Waiver
No failure or delay by either Party in exercising any right under this DPA shall operate as a waiver, nor shall any single or partial exercise of any right preclude any other or further exercise of that or any other right.


18.7 Assignment
Neither Party may assign or transfer this DPA without the prior written consent of the other Party, except that MoneyMind Profile may assign this DPA in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of this DPA.


18.8 Third-Party Beneficiaries
Except as expressly provided in the EU Standard Contractual Clauses (Annex 1), this DPA does not confer any rights upon any person or entity other than the Parties.


18.9 Notices
All notices under this DPA shall be provided in accordance with the notice provisions in the Agreement.
For DPA-specific notices, the following additional contacts apply:


To MoneyMind Profile:
Email: info@moneymindprofile.com
Attn: Data Protection Officer, Legal Department, or Privacy Officer


18.10 Language
This DPA is executed in English. If this DPA is translated into any other language, the English version shall prevail in the event of any conflict or inconsistency.


18.11 Counterparts
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures and delivery by email (PDF) shall have the same legal effect as original signatures and delivery.


18.12 Relationship to Standard Contractual Clauses
To the extent that the EU Standard Contractual Clauses (Annex 1) conflict with any provision of this DPA, the Standard Contractual Clauses or UK IDTA (as applicable) shall prevail with respect to transfers of Personal Data to which they apply.


18.13 Compliance with Laws
Each Party shall comply with all applicable Data Protection Laws and Regulations in connection with its performance under this DPA.


18.14 Interpretation
In the event of any ambiguity or uncertainty in the interpretation of this DPA, the interpretation most favorable to the protection of Personal Data and the rights of Data Subjects shall apply, to the extent consistent with applicable Data Protection Laws and Regulations.


18.15 Force Majeure
Neither Party shall be liable for any failure or delay in performance under this DPA due to causes beyond its reasonable control, except that this provision does not excuse:

(a) Customer's payment obligations;
(b) MoneyMind Profile's security obligations under Section 8;
(c) MoneyMind Profile's data breach notification obligations under Section 10.

 

18.16 Relationship to Agreement

This DPA supplements and forms an integral part of the Agreement. Except as expressly modified by this DPA, all terms and conditions of the Agreement remain in full force and effect. In the event of any conflict regarding the Processing of Personal Data, this DPA shall control.


Note: This DPA may be executed by Customer by:
Accepting electronically through the MoneyMind Profile Platform during account setup; OR
Executing the Master Services Agreement, which incorporates this DPA by reference.


Version: 1.0
Effective Date: January 20, 2026
 

ANNEX 1: EU STANDARD CONTRACTUAL CLAUSES (2021/914)


APPLICATION
This Annex 1 applies to transfers of Personal Data from the European Economic Area (EEA) to countries not recognized by the European Commission as providing an adequate level of data protection.


STANDARD CONTRACTUAL CLAUSES
SECTION I: PURPOSE AND SCOPE

Clause 1 - Purpose
The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.


Clause 2 - Invariability of the Clauses
The Parties undertake not to modify the Clauses. This does not preclude the Parties from adding clauses on business-related issues where required, as long as they do not contradict the Clauses.


Clause 3 - Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.


Clause 4 - Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.


MODULE TWO: CONTROLLER TO PROCESSOR
The following clauses apply where the data exporter is a controller and the data importer is a processor:


SECTION II: OBLIGATIONS OF THE PARTIES
Clause 8 - Data protection safeguards
The data importer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (as described in Annex 4 to this DPA).
Clause 9 - Use of sub-processors
(a) The data importer has the data exporter's general authorisation for the engagement of sub-processors from the list published at www.moneymindprofile.com/subprocessors. The data importer shall specifically inform the data exporter in writing of any intended changes to that list at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise the right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for the same data protection obligations as those binding the data importer under these Clauses.
(c) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor's obligations under its contract with the data importer.
Clause 10 - Data subject rights
The data importer shall assist the data exporter in responding to requests by data subjects to exercise their rights under Regulation (EU) 2016/679, as described in Section 9 of the main DPA.
Clause 11 - Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. The contact point is: dpo@moneymindprofile.com
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion.
Clause 12 - Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) The Parties agree that if the data exporter is held liable under paragraph (b) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer's responsibility for the damage.
Clause 13 - Supervision
(a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses.


SECTION III: LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14 - Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.
(b) The Parties agree that the documentation listed in Annex 1-A demonstrates that the data importer has conducted a Transfer Impact Assessment and implemented supplementary measures as needed.
Clause 15 - Obligations of the data importer in case of access by public authorities
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (where appropriate, with the help of the data exporter) if it:
* receives a legally binding request from a public authority for disclosure of personal data; or
* becomes aware of any direct access by public authorities to personal data.
(b) The data importer agrees to challenge the request if it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination.


ANNEX 1-A: LIST OF PARTIES AND DESCRIPTION OF TRANSFER
Data exporter(s):
Name: NA
Contact person: NA
Role: Controller

 

Data importer(s):
Name: MoneyMind Profile Pty Ltd
Contact person: Data Protection Officer, info@moneymindprofile.com
Role: Processor

Description of transfer:

  • Categories of data subjects: End Clients, Authorized Users (as described in Section 4.4 of DPA)

  • Categories of personal data: As described in Section 4.3 of DPA

  • Sensitive data: As described in Section 4.3 of DPA (if applicable)

  • Frequency of transfer: Continuous during provision of Services

  • Nature of processing: Hosting, storage, management as described in Section 4.2 of DPA

  • Purpose of transfer: Provision of Services as described in Section 4.2 of DPA

  • Retention period: As described in Section 14 of DPA

  • Sub-processors: As listed at www.moneymindprofile.com/subprocessors

 

Competent supervisory authority: The supervisory authority in the data exporter's jurisdiction (e.g., CNIL for France, ICO for UK, etc.)
 
