
SEEKA HQ - Data Processing Addendum 

SEEKA HQ PTY LTD 

DATA PROCESSING ADDENDUM 

Parties and Background 

This Data Processing Addendum (the "DPA") is entered into between: 

(1) SEEKA HQ PTY LTD (ACN 637 982 944), a company incorporated in Australia with its registered office at [registered office address to insert] ("Seeka", "we", "us" or "our"); and 

(2) THE CUSTOMER identified in the Agreement ("Customer", "you" or "your"), (each a "Party" and together the "Parties"). 

This DPA forms part of, and is incorporated into, the agreement between the Parties governing the Customer's use of the Service (the "Agreement"). It reflects the Parties' agreement with respect to the Processing of Personal Data by Seeka on behalf of the Customer in connection with the provision of the Service. 

By accepting the Agreement (including by accepting these terms online, by signing this DPA, or by continuing to use the Service after a written request to enter into this DPA), the Customer accepts this DPA. Where this DPA is signed on behalf of an entity, the signatory represents and warrants that they have authority to bind that entity. 

In the event of any conflict between this DPA and any other provision of the Agreement, this DPA prevails solely with respect to the Processing of Personal Data. 

1. Definitions 

1.1 In this DPA, the following terms have the following meanings. Capitalised terms not defined in this DPA have the meanings given to them in the Agreement. 

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" means direct or indirect ownership or control of more than 50% of the voting interests. 

"Agreement" means the agreement between Seeka and the Customer for the provision of the Service, into which this DPA is incorporated by reference. 

"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including (as applicable): (a) the GDPR; (b) the UK GDPR and the UK Data Protection Act 2018; (c) the FADP; (d) the CCPA; (e) the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles; and (f) any other applicable privacy or data protection law in any jurisdiction from which Personal Data is transferred to Seeka. 

"Authorised Affiliate" means any Affiliate of the Customer that is permitted to use the Service under the Agreement but that has not entered into a separate agreement with Seeka. 

"CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 and any subsequent amendments or implementing regulations. 

"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where Applicable Data Protection Laws use a different term for the same role (such as "Business" under the CCPA), that term has equivalent meaning. 

"Customer Personal Data" means Personal Data Processed by Seeka on behalf of the Customer in the course of providing the Service, including data relating to End Users. 

"Data Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. 

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates; where Applicable Data Protection Laws use a different term for the same concept (such as "Consumer" under the CCPA), that term has equivalent meaning. 

"EEA" means the European Economic Area, comprising the European Union Member States together with Iceland, Liechtenstein and Norway. 

"End User" means any natural person whose Personal Data is collected by, or transmitted to, the Service in the course of the Customer's use of the Service, including visitors to, and customers of, the Customer's digital properties, and visitors to, and customers of, the digital properties of the Customer's authorised end-customers (where applicable). 

"EU SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR, approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. 

"FADP" means the Swiss Federal Act on Data Protection of 25 September 2020 (Revised FADP), as amended from time to time. 

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. 

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in the relevant Applicable Data Protection Laws. Where Applicable Data Protection Laws use a different term for the same concept (such as "Personal Information" under the CCPA), that term has equivalent meaning. 

"Personnel" means directors, officers, employees, agents and contractors of a Party. 

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; "Process" and "Processed" have corresponding meanings. 

"Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller; where Applicable Data Protection Laws use a different term for the same role (such as "Service Provider" under the CCPA), that term has equivalent meaning. 

"Sensitive Data" means Personal Data that requires heightened protection under Applicable Data Protection Laws, including: (a) special categories of personal data under Articles 9 and 10 of the GDPR; (b) sensitive personal information under the CCPA; (c) sensitive information under the Australian Privacy Act 1988 (Cth); and (d) account passwords and credentials in unhashed form. 

"Service" means the Seeka platform and related services provided to the Customer under the Agreement, including session-based attribution and tracking, mitigation of tracking-prevention technologies, and transmission of event data to third-party destinations as instructed by the Customer. 

"Sub-processor" means any third party engaged by Seeka to Process Customer Personal Data, including Seeka's Affiliates engaged for that purpose. 

"Supervisory Authority" means a regulatory authority responsible for the enforcement of Applicable Data Protection Laws. 

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018, version B1.0 in force as of 21 March 2022. 

"UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended from time to time. 

2. Scope and Roles of the Parties 

2.1 Scope. This DPA applies to the Processing of Customer Personal Data by Seeka on behalf of the Customer in the course of providing the Service. It does not apply to Personal Data that Seeka collects directly and Processes for its own purposes (such as Personal Data of the Customer's billing contacts or website visitors to seeka.co), which is governed by Seeka's Privacy Policy at seeka.co/privacy.

2.2 Roles. With respect to Customer Personal Data, the Parties acknowledge and agree that:

(a) the Customer is the Controller (or, where applicable, the Business under the CCPA, or the entity equivalent under other Applicable Data Protection Laws); and 

(b) Seeka is the Processor (or, where applicable, the Service Provider under the CCPA, or the entity equivalent under other Applicable Data Protection Laws). 

2.3 Multi-tier arrangements. Where the Customer makes the Service available to its own end-customers (for example, an event-ticketing platform making the Service available to event hosts), the Customer remains the Controller as between itself and Seeka, and remains responsible under this DPA for the acts and omissions of those end-customers in their use of the Service. The Parties may, where required, accede further parties to the EU SCCs by way of the docking clause (Clause 7 of the EU SCCs). 

2.4 No joint controllership. Nothing in this DPA or the Agreement creates a joint controllership relationship between the Parties within the meaning of Article 26 of the GDPR or any equivalent provision of other Applicable Data Protection Laws. 

3. Customer Obligations 

3.1 Lawful basis. The Customer represents and warrants that it has, and will maintain throughout the term of the Agreement, all rights, consents and lawful bases required under Applicable Data Protection Laws to collect, Process and authorise Seeka to Process Customer Personal Data in accordance with this DPA and the Agreement, including for the purpose of transmitting Customer Personal Data to the third-party destinations instructed by the Customer. 

3.2 Notices and transparency. The Customer is responsible for providing all required notices to End Users (including notices required under Articles 13 and 14 of the GDPR, the CCPA notice at collection requirements, and equivalent provisions of other Applicable Data Protection Laws) and for obtaining and maintaining all consents required under Applicable Data Protection Laws in respect of the deployment of the Service on the Customer's digital properties. 

3.3 Configuration. The Customer is responsible for configuring the Service appropriately for its use case and jurisdiction, including selecting the Data Control Mode (implicit / explicit consent) and the third-party destinations to which Customer Personal Data is transmitted. 

3.4 Compliance with Applicable Data Protection Laws. The Customer's instructions to Seeka, and the Customer's use of the Service, must comply with Applicable Data Protection Laws. Seeka is not responsible for determining whether the Customer's use of the Service complies with Applicable Data Protection Laws applicable to the Customer. 

4. Seeka's Processing of Personal Data 

4.1 Documented instructions. Seeka will Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of Customer Personal Data to a third country, except where required to do so by Applicable Data Protection Laws to which Seeka is subject. The Customer's documented instructions are constituted by: 

(a) the Agreement and this DPA; 

(b) the configuration choices made by the Customer through the Service (including selection of destinations, retention settings, consent modes and other configurable parameters); and 

(c) any further written instructions given by the Customer that are consistent with the Agreement and this DPA, provided that Seeka may charge a reasonable fee for complying with further instructions that go beyond the standard functionality of the Service. 

4.2 Permitted processing purposes. Within the scope of clause 4.1, Seeka will Process Customer Personal Data only for the following purposes: 

(a) to provide the Service to the Customer in accordance with the Agreement and this DPA;

(b) to comply with the Customer's documented instructions;

(c) to comply with Applicable Data Protection Laws and other applicable law, including any court order or binding instruction of a Supervisory Authority or other competent authority; 

(d) for the establishment, exercise or defence of legal claims; and 

(e) to render Customer Personal Data fully anonymous in accordance with clause 4.5. 

4.3 Infringing instructions. If Seeka, acting reasonably, considers that an instruction from the Customer infringes Applicable Data Protection Laws, Seeka will inform the Customer without undue delay. Seeka may, without liability to the Customer, suspend Processing of the affected Customer Personal Data (other than securely storing it) pending resolution. If the Parties cannot agree on a resolution within a reasonable period, either Party may terminate the Agreement with respect to the affected Processing.

4.4 Restrictions on Seeka. Seeka will not (and will procure that its Sub-processors do not), in respect of Customer Personal Data: 

(a) Process Customer Personal Data for any purpose other than the Permitted Processing Purposes in clause 4.2; 

(b) Sell or Share Customer Personal Data within the meaning of the CCPA, or transfer Customer Personal Data to any third party other than a Sub-processor authorised under clause 6 or as expressly instructed by the Customer; 

(c) combine Customer Personal Data with Personal Data of any other Customer of the Service, or with any other Personal Data Seeka holds, except for the purpose of providing the Service to the relevant Customer and except where the combination has been instructed by that Customer or arises from the operation of the Service for that Customer (for example, session stitching across the Customer's own properties); 

(d) use Customer Personal Data outside of the direct business relationship between the Parties; or 

(e) retain, use or disclose Customer Personal Data for any "commercial purpose" (as defined in the CCPA) other than the Permitted Processing Purposes. 

4.5 Anonymised and aggregated data. Seeka may use aggregated and de-identified statistical information derived from Customer Personal Data (for example, total events processed, conversion rates by industry vertical, system performance metrics) for its internal research, analytical, product development and reporting purposes. For these purposes, Seeka will ensure that the information is processed in such a way that it cannot, by any reasonably available means, be used to identify any individual either alone or in combination with other information held by Seeka. Such information is not Personal Data for the purposes of this DPA. These rights survive termination of the Agreement. 

4.6 What Seeka does NOT do. For the avoidance of doubt, and in support of Seeka's status as a Processor: 

(a) Seeka does not acquire, purchase, license or receive Personal Data from third-party data brokers, list providers or other external sources to enrich Customer Personal Data; 

(b) Seeka does not build, maintain or operate a cross-customer identity graph. Customer Personal Data Processed for one Customer is logically siloed and is not combined with, or used to enrich, Personal Data Processed for any other Customer; 

(c) Seeka does not Sell Personal Data within the meaning of the CCPA or equivalent terms under other Applicable Data Protection Laws; 

(d) Seeka does not use Customer Personal Data for any controller-side or own-purpose Processing, other than to derive aggregated and de-identified statistical information in accordance with clause 4.5; and 

(e) Seeka does not use Customer Personal Data to train, develop or fine-tune any generative artificial intelligence model or large language model, whether operated by Seeka or by any third party. 

5. Sensitive Data 

5.1 The Service is not designed, and must not be used by the Customer, to Process Sensitive Data. The Customer must not configure the Service to capture or transmit Sensitive Data, and represents and warrants that it will not do so. 

5.2 If the Customer wishes to use the Service for Processing of Sensitive Data, it must first obtain Seeka's express prior written consent and the Parties must agree any additional terms required by Seeka.  

6. Sub-processors 

6.1 General authorisation. The Customer grants Seeka a general written authorisation to engage Sub-processors for the Processing of Customer Personal Data, subject to the requirements of this clause 6. The current list of Sub-processors is set out in Schedule 2 and is also published at seeka.co/sub-processors (the "Sub-processor List"). The Customer is deemed to have authorised the Sub-processors on the Sub-processor List as at the date of first use of the Service. 

6.2 Notification of new Sub-processors. Seeka will notify the Customer of any intended addition of a new Sub-processor, or replacement of an existing Sub-processor, at least thirty (30) days before the new Sub-processor commences Processing of Customer Personal Data. Notification will be by email to the Customer's notified administrative or privacy contact, and by update to the Sub-processor List. 

6.3 Right to object. The Customer may, within thirty (30) days of notification, object in writing to the addition of a new Sub-processor on reasonable grounds relating to the protection of Customer Personal Data. The Parties will discuss the objection in good faith. If the Parties are unable to resolve the objection within a further thirty (30) days, the Customer may, as its sole remedy in respect of the objection, terminate the Agreement (or the affected portion of the Service) on written notice. 

6.4 Sub-processor agreements. Seeka will enter into a written agreement with each Sub-processor imposing on the Sub-processor data protection obligations substantially equivalent to those imposed on Seeka under this DPA, in particular obligations to implement appropriate technical and organisational measures. 

6.5 Sub-processor liability. Where a Sub-processor fails to fulfil its data protection obligations in respect of Customer Personal Data, Seeka remains liable to the Customer for the performance of that Sub-processor's obligations, on the same basis as Seeka's own performance under this DPA. 

6.6 Cross-border Sub-processors. Where a Sub-processor is located outside the EEA, the United Kingdom or Switzerland, Seeka will ensure that an appropriate transfer mechanism is in place (including, where required, the EU SCCs or UK Addendum), and will identify the transfer mechanism in the Sub-processor List. 

7. Security 

7.1 Technical and organisational measures. Seeka will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. Those measures are described in Schedule 3, Annex II (Technical and Organisational Measures), and in Seeka's Security Documentation published at seeka.co/security (or such other URL as Seeka may notify), as updated from time to time.   

7.2 Updates to security measures. Seeka may update its technical and organisational measures and Security Documentation from time to time, provided that any update does not materially diminish the protection afforded to Customer Personal Data. 

7.3 Confidentiality of Personnel. Seeka will ensure that its Personnel authorised to Process Customer Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training in the protection of Personal Data. 

8. Audits and Inspections 

8.1 Information rights. Seeka will, on the Customer's reasonable written request, make available to the Customer information necessary to demonstrate compliance with this DPA, including: (a) the most recent version of Seeka's Security Documentation; (b) copies of any current independent third-party audit reports or certifications held by Seeka in respect of the Service (such as SOC 2 or ISO/IEC 27001 reports); and (c) responses to a reasonable security questionnaire. 

8.2 On-site audit. Where the information provided under clause 8.1 is not sufficient to demonstrate compliance and the Customer is required by Applicable Data Protection Laws to conduct an on-site audit, the Customer may, no more than once in any 12-month period and on at least thirty (30) days' prior written notice, audit Seeka's compliance with this DPA, subject to the following: 

(a) the audit must be conducted by the Customer or by an independent, reputable, third-party auditor that is not a competitor of Seeka, in either case bound by appropriate confidentiality obligations; 

(b) the audit must be conducted during normal business hours and in a manner that does not unreasonably interfere with Seeka's business operations; 

(c) the scope of the audit, and the duration, location and timing, must be agreed in advance in writing; 

(d) the Customer will bear its own costs and Seeka's reasonable costs of cooperating with the audit; 

(e) the audit must not extend to commercially sensitive information of Seeka, information of other customers of Seeka, or information protected by legal privilege; and 

(f) the Customer will provide Seeka with a copy of any audit report on request and will keep all information obtained in the audit confidential and use it solely for the purpose of demonstrating compliance with Applicable Data Protection Laws. 

8.3 Regulator audits. Nothing in this clause 8 limits the audit and inspection rights of any Supervisory Authority under Applicable Data Protection Laws. 

9. Data Incidents 

9.1 Notification to the Customer. Seeka will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Incident. The notification will include, to the extent then known to Seeka:   

(a) a description of the nature of the Data Incident, including (where possible) the categories and approximate number of Data Subjects and records concerned; 

(b) the likely consequences of the Data Incident; 

(c) the measures taken or proposed to be taken to address the Data Incident, including measures to mitigate its possible adverse effects; and 

(d) the contact point at Seeka for further information. 

9.2 Information not yet known. Where any of the information in clause 9.1 is not available at the time of initial notification, Seeka will provide that information to the Customer in phases as it becomes available, without further undue delay. 

9.3 Remediation. Seeka will take reasonable steps to identify the cause of any Data Incident, take steps to mitigate the effects and to minimise damage, and (where appropriate) restore Customer Personal Data, all at Seeka's cost (except where the Data Incident was caused by the Customer or by a person acting on the Customer's behalf, or by the Customer's misuse of the Service). 

9.4 Coordinated disclosure. The Parties will reasonably cooperate in respect of any public disclosure or regulator notification arising from a Data Incident, including timing, content and recipients of communications. Subject to the Customer's obligations under Applicable Data Protection Laws, the Customer will provide Seeka with reasonable prior notice and an opportunity to comment on any communication that identifies Seeka by name. 

10. Data Subject Requests 

10.1 Referral. Where Seeka receives a request from a Data Subject under Applicable Data Protection Laws (including a request for access, rectification, erasure, restriction of Processing, portability, objection, or any right to opt out of Sale or Sharing under the CCPA — a "Data Subject Request"), Seeka will, unless otherwise required by Applicable Data Protection Laws, refer the Data Subject to the Customer. 

10.2 Assistance to the Customer. Taking into account the nature of the Processing, Seeka will provide reasonable assistance to the Customer, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the Customer's obligation to respond to Data Subject Requests. Seeka may charge a reasonable fee for assistance that requires significant work beyond standard Service functionality. 

10.3 Deletion and redaction tools. The Service provides functionality (the "Data Redaction Tool") that allows the Customer to fulfil End User erasure and redaction requests. The Customer is responsible for initiating and tracking such requests through the Data Redaction Tool or by written request to privacy@seeka.co.

11. Data Protection Impact Assessments and Consultations 

11.1 On the Customer's reasonable written request, Seeka will provide reasonable assistance to the Customer with any data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority, that the Customer is required to carry out under Applicable Data Protection Laws in respect of the Customer's use of the Service, to the extent that the Customer does not otherwise have access to the relevant information and to the extent the information is available to Seeka. Seeka may charge a reasonable fee for assistance that requires significant work. 

12. Return and Deletion of Customer Personal Data 

12.1 On termination. On termination or expiry of the Agreement, Seeka will, at the Customer's election (notified to Seeka within thirty (30) days of termination or expiry), either return Customer Personal Data to the Customer in a commonly used machine-readable format, or delete Customer Personal Data. If the Customer makes no election, Seeka will delete Customer Personal Data. 

12.2 Time period. Seeka will complete the return or deletion within ninety (90) days of termination or expiry of the Agreement, except to the extent that retention is required by Applicable Data Protection Laws, in which case the retention will be limited to the minimum necessary period and the data will continue to be Processed in accordance with this DPA. 

12.3 Backups. Customer Personal Data contained in routine backups will be deleted in accordance with Seeka's standard backup rotation schedule, and until deletion will continue to be protected by the measures described in this DPA and Schedule 3, Annex II. 

12.4 Default retention during the term. During the term of the Agreement, raw event-level Customer Personal Data is retained for a default rolling period of two (2) years from the date of collection, unless the Customer configures a different retention period through the Service or otherwise agrees a different period with Seeka in writing. 

12.5 Certification. On the Customer's written request following completion of return or deletion, Seeka will provide written confirmation of completion. 

13. Cross-Border Transfers 

13.1 Australia. Seeka is established in Australia. Australia has not been the subject of an adequacy decision by the European Commission under Article 45 of the GDPR or by the UK Secretary of State under the UK GDPR. The Parties acknowledge that, accordingly, an appropriate transfer mechanism is required for transfers of Customer Personal Data from the EEA, the United Kingdom or Switzerland to Seeka in Australia. 

13.2 EEA transfers. For transfers of Customer Personal Data from the EEA to Seeka, the Parties enter into and are bound by the EU SCCs, which are incorporated into this DPA by reference, with the following selections: 

(a) Module Two (Controller-to-Processor) applies;  

(b) Clause 7 (Docking Clause) applies; 

(c) Clause 9 (Use of sub-processors): Option 2 (General Written Authorisation) applies, with the notice period and procedure set out in clause 6 of this DPA; 

(d) Clause 11 (Redress): the optional language does not apply; 

(e) Clause 17 (Governing law): Option 1 applies; the EU SCCs are governed by the law of the Republic of Ireland; 

(f) Clause 18 (Choice of forum and jurisdiction): the courts of the Republic of Ireland have jurisdiction; and 

(g) the Annexes I.A, I.B, I.C, II and III to the EU SCCs are set out in Schedule 3 to this DPA. 

13.3 UK transfers. For transfers of Customer Personal Data from the United Kingdom to Seeka, the Parties enter into and are bound by the UK Addendum, which is incorporated into this DPA by reference. The Tables required by the UK Addendum are set out in Schedule 4. 

13.4 Swiss transfers. For transfers of Customer Personal Data from Switzerland to Seeka, the Parties enter into and are bound by the EU SCCs as adapted in accordance with this clause 13.4. References to the GDPR in the EU SCCs are read as references to the FADP for the purposes of transfers subject exclusively to the FADP. The competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner. References to "Union", "EU" and "EU Member State" do not exclude Data Subjects in Switzerland from exercising their rights in Switzerland in accordance with Clause 18(c) of the EU SCCs. 

13.5 Additional safeguards. Seeka will, in respect of Customer Personal Data transferred under this clause 13: 

(a) implement and maintain appropriate technical safeguards to protect Customer Personal Data against unauthorised access, including encryption in transit and at rest; 

(b) use reasonable efforts to resist, subject to applicable law, any request by a government authority for bulk surveillance access to Customer Personal Data, including under section 702 of the United States Foreign Intelligence Surveillance Act; 

(c) where Seeka becomes aware that a government authority wishes to obtain access to Customer Personal Data on a voluntary or mandatory basis, and unless legally prohibited from doing so, (i) notify the Customer immediately, (ii) inform the relevant government authority that Seeka is a Processor and that requests should be served on the Controller, and (iii) use commercially reasonable legal mechanisms to challenge the request; and 

(d) once in every 12-month period, on the Customer's written request, provide aggregate information on the types of binding legal demands for Personal Data that Seeka has received during that period. 

13.6 Onward transfers to Sub-processors. Where Seeka transfers Customer Personal Data to a Sub-processor outside the EEA, the United Kingdom or Switzerland, Seeka will ensure that an appropriate transfer mechanism is in place between Seeka and the Sub-processor, including (where required) the EU SCCs or UK Addendum, in accordance with clause 6.6.  

13.7 Conflict. In the event of any conflict between this DPA and the EU SCCs or UK Addendum, the EU SCCs or UK Addendum (as applicable) prevail. 

14. Authorised Affiliates 

14.1 Coverage. By entering into this DPA, the Customer enters into it on behalf of itself and, as applicable, on behalf of its Authorised Affiliates. Each Authorised Affiliate agrees to be bound by the obligations of the Customer under this DPA in respect of Processing carried out for that Authorised Affiliate. 

14.2 Communications. The Customer is responsible for all communications with Seeka under this DPA, and may make and receive all communications on behalf of its Authorised Affiliates. Any breach by an Authorised Affiliate of this DPA is deemed a breach by the Customer. 

15. CCPA-Specific Terms 

15.1 Application. This clause 15 applies to the extent that (a) the Customer is a Business under the CCPA, and (b) Seeka Processes Personal Information (as defined under the CCPA) on behalf of the Customer that is subject to the CCPA. 

15.2 Service Provider status. The Customer appoints Seeka as a Service Provider under the CCPA for the purposes of Processing Personal Information on the Customer's behalf in the course of providing the Service. Seeka will Process Personal Information in accordance with the applicable provisions of the CCPA and will provide the same level of privacy protection as is required of Businesses by the CCPA. 

15.3 Permitted business purposes. Seeka will Process Personal Information solely for the business purposes specified in the Agreement and this DPA (the "Permitted Business Purposes"), which include providing the Service to the Customer. Seeka will not: 

(a) Sell or Share Personal Information; 

(b) retain, use or disclose Personal Information for any purpose other than the Permitted Business Purposes, including for any commercial purpose other than providing the Service; 

(c) retain, use or disclose Personal Information outside of the direct business relationship between the Parties; or 

(d) combine Personal Information that Seeka receives from or on behalf of the Customer with Personal Information that Seeka receives from or on behalf of any other person, or collects from any other interaction with the relevant Consumer, except where permitted by the CCPA for Service Providers. 

15.4 Certification. Seeka certifies that it understands the restrictions in clause 15.3 and will comply with them. Seeka does not receive Personal Information as consideration for any services provided to the Customer. 

15.5 Deidentified data. Where the Customer makes Deidentified data (as defined by the CCPA) available to Seeka, Seeka will (a) take reasonable measures to ensure that the data cannot be associated with a Consumer or household, (b) not attempt to re-identify the data, and (c) contractually obligate any recipient of the data to comply with the same restrictions. 

15.6 Notification. Seeka will notify the Customer if Seeka makes a determination that it can no longer meet its obligations under the CCPA in respect of the Processing of Personal Information. 

16. Liability 

16.1 Aggregate cap. The liability of each Party under or in connection with this DPA is subject to the aggregate limitation of liability set out in the Agreement. The Parties intend that this DPA does not increase or reduce the aggregate liability cap in the Agreement, and any claim under this DPA is part of, and not in addition to, that aggregate cap. 

16.2 Allocation between Customer and Authorised Affiliates. Any liability owed to a Customer's Authorised Affiliate is treated as liability owed to the Customer and is subject to the Agreement's aggregate cap as a single cap shared between the Customer and its Authorised Affiliates. 

17. Modifications to this DPA 

17.1 Either Party may, by giving at least forty-five (45) days' prior written notice, propose modifications to this DPA where required as a result of a change in, or decision of a competent authority under, Applicable Data Protection Laws, to allow Processing to continue without breach of those laws. 

17.2 The Parties will discuss the proposed modifications in good faith. If the Parties are unable to agree within thirty (30) days, either Party may terminate the Agreement (or the affected portion of the Service) on written notice. 

17.3 Seeka may update the Sub-processor List in accordance with clause 6, and may update its Security Documentation in accordance with clause 7, without requiring an amendment to this DPA. 

18. General Provisions 

18.1 Order of precedence. In the event of any conflict between this DPA and any other part of the Agreement, this DPA prevails, except that the EU SCCs and UK Addendum prevail over this DPA in respect of the matters they govern. 

18.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remainder of this DPA continues in full force and effect. 

18.3 Governing law. This DPA is governed by, and construed in accordance with, the law specified in the Agreement, except that (a) the EU SCCs are governed by the law of the Republic of Ireland in accordance with clause 13.2(e), and (b) the UK Addendum is governed by the law of England and Wales.  

18.4 Counterparts and execution. This DPA may be executed in counterparts, including by electronic means. Acceptance by clicking "I accept" or equivalent, or by continued use of the Service after notification of this DPA, constitutes execution by the Customer. 

18.5 Notices. Notices under this DPA must be sent in writing to the addresses notified by the Parties, with notices to Seeka sent to privacy@seeka.co and copied to the Seeka entity's registered office. 

18.6 Entire agreement. This DPA, together with the Agreement, constitutes the entire agreement between the Parties in respect of the Processing of Customer Personal Data and supersedes all prior or contemporaneous communications and proposals on that subject. 

Schedule 1 - Details of Processing 

A. Nature and Purpose of the Processing 

Seeka Processes Customer Personal Data on behalf of the Customer for the purpose of providing the Service. The Service is a session-based attribution, tracking and conversion-measurement platform that mitigates the impact of common tracking-prevention technologies (such as Intelligent Tracking Prevention, App Tracking Transparency and browser cookie restrictions). The nature of the Processing includes: 

We will Process Personal Data as necessary to provide the Service in accordance with the Terms, as further specified in our online documentation relating to the Service, and as further instructed by you and your Personnel and other end users you allow to use the Service through the use of the Service.

Duration of Processing

Subject to clause 11 of this Addendum, we will Process Personal Data for the duration of the Terms, unless otherwise agreed upon in writing.

B. Categories of Data Subjects 

End Users, including visitors, ticket buyers, registrants, customers, leads and other individuals who interact with the Customer's digital properties or with properties operated by the Customer's authorised end-customers (where the Service is deployed). 

C. Categories of Customer Personal Data 

The Customer determines and controls the Personal Data submitted to the Service. The categories may include: 

• online identifiers (IP address, device identifiers, user-agent strings, first-party cookie or local-storage identifiers, advertising platform click identifiers such as fbclid, gclid, rdt_cid, ttclid); 

• event and behavioural data (pages viewed, actions taken, timestamps, referrer information, conversion events); 

• hashed identifiers passed to destinations as instructed by the Customer (for example, hashed email addresses or hashed phone numbers used for enhanced matching by third-party advertising platforms - Seeka does not generate or collect plaintext email or phone for End Users from sources other than the Customer's own data flow); 

• transactional data submitted by the Customer or their authorised end-customer (for example, transaction values, currencies, product or ticket identifiers). 

Seeka does not Process special categories of Personal Data under Articles 9 and 10 of the GDPR. The Customer must not configure the Service to capture or transmit such data. 

D. Sensitive Personal Data 

None. See clause 5 of this DPA. 

E. Frequency of Processing 

Continuous, for the duration of the Agreement. 

F. Duration of Processing 

For the duration of the Customer's subscription to the Service, plus any retention period required under clause 12 of this DPA or by Applicable Data Protection Laws. 

G. What Seeka does NOT do 

For the avoidance of doubt, and in support of Seeka's status as a Processor: 

• Seeka does not acquire, purchase, license or receive Personal Data from third-party data brokers, list providers or other external sources to enrich the data Processed under the Service; 

• Seeka does not build, maintain or operate a cross-customer identity graph. Customer Personal Data Processed for one Customer is logically siloed and is not combined with, or used to enrich, Customer Personal Data Processed for any other Customer; 

• Seeka does not Sell Personal Data and does not use Customer Personal Data for any controller-side purpose of its own, other than to derive aggregated and de-identified statistical information as set out in clause 4.5 of this DPA; and 

• Seeka does not use Customer Personal Data to train, develop or fine-tune any generative artificial-intelligence model or large language model. 

Schedule 2 - Sub-Processors 

The following Sub-processors are authorised by the Customer in accordance with clause 6 of this DPA as at the date of this DPA. 

List of Sub-Processors

Sub-processor: Microsoft Azure
Purpose: Cloud infrastructure, hosting, and database services for the Service.
Location: Australia, United States
Transfer mechanism: EU SCCs Module 2 between Seeka and Microsoft for non-EEA processing; primary processing in Microsoft Azure Australia East.

Sub-processor: Google Workspace
Purpose: Internal collaboration and cloud productivity tools used in administering the Service.
Location: United States
Transfer mechanism: EU SCCs Module 2 between Google and Seeka.

Sub-processor: Stripe
Purpose: Payment processing in connection with the Customer's subscription fees. Does not Process End User Personal Data under this DPA.
Location: United States
Transfer mechanism: EU SCCs Module 2 between Stripe and Seeka.

Sub-processor: Claude, ChatGPT, Google Gemini
Purpose: Hosted large-language-model inference services used in connection with Seeka Proactive features, where instructed by the Customer.
Location: United States
Transfer mechanism: EU SCCs Module 2 between Seeka and the AI provider; no data used for model training.

Updates to this Schedule are published at seeka.co/sub-processors and notified to Customers in accordance with clause 6 of this DPA. 

Schedule 3 - EU SCC Annexes 

This Schedule sets out the Annexes to the EU SCCs (Module 2 - Controller-to-Processor) as incorporated by reference under clause 13.2 of this DPA. 

Annex I.A - List of Parties 

Data Exporter: 

Name:

Address:

Contact details:

Activities relevant to data transferred: Operation of digital properties on which the Service is deployed. Determination of the means and purposes of Processing End User Personal Data collected via the Service.

Role: Controller

Data Importer: 

Name: SEEKA HQ Pty Ltd (ACN 637 982 944)

Address: 194 Varsity Parade, Varsity Lakes QLD 4227

Contact details: privacy@seeka.co / +61 7 5578 8211

Activities relevant to data transferred: Provision of the Seeka platform: session-based attribution and tracking, mitigation of tracking-prevention technologies, transmission of event data to Customer-instructed third-party destinations.

Role: Processor

Annex I.B - Description of the Transfer 

Categories of data subjects, categories of Personal Data, sensitive data, frequency, nature and purpose of the Processing, retention period and Sub-processors are as set out in Schedule 1 (Details of Processing) and Schedule 2 (Sub-Processors) of this DPA. 

Annex I.C - Competent Supervisory Authority 

The competent Supervisory Authority is determined in accordance with Clause 13 of the EU SCCs by reference to the location of the Data Exporter: 

• where the Data Exporter is established in an EU/EEA Member State, the supervisory authority of that Member State; 

• where the Data Exporter is not established in an EU/EEA Member State but Chapter V of the GDPR applies, the supervisory authority of the Member State in which the Data Exporter's representative under Article 27 GDPR is established; 

• where neither of the above applies, the Irish Data Protection Commission.

Annex II - Technical and Organisational Measures

Seeka implements and maintains the technical and organisational measures set out in this Annex II to ensure an appropriate level of security for Customer Personal Data, taking into account the nature, scope, context and purposes of Processing and the risks for the rights and freedoms of natural persons. 

Where any measure is updated or supplemented, the updated version is published in Seeka's Security Documentation at seeka.co/security. The Customer may access the current version on request. 

1. Pseudonymisation and encryption of Personal Data 

• All Customer Personal Data in transit between End User devices, the Service, and Sub-processor destinations is encrypted using TLS 1.2 or higher. 

• Customer Personal Data at rest is encrypted using AES-256 encryption within Microsoft Azure services. 

• Identifiers passed to advertising destinations for enhanced matching purposes (such as email or phone) are hashed using SHA-256 in accordance with each destination's published specification. 

[ENG: Confirm specific Azure encryption configurations (e.g. customer-managed keys vs Azure-managed; encryption scope per service).] 

2. Confidentiality, integrity, availability and resilience 

• Production systems are hosted on Microsoft Azure with redundancy across availability zones. 

• Role-based access controls applied on a least-privilege basis. 

• Continuous monitoring and alerting of system health and security events.

• Regular security testing including vulnerability scanning and periodic penetration testing.

3. Restoration of availability and access 

• Automated backups of production databases retained in accordance with Seeka's backup policy. 

• Documented disaster recovery and business continuity plan, tested periodically.

4. Testing, assessment and evaluation 

• Internal six-monthly security and compliance review. 

• Engagement with Deloitte as security partner for periodic review of security posture.

5. User identification and authorisation

• Customer access to the Service via authenticated user accounts with password and multi-factor authentication. 

• Internal access by Seeka Personnel requires individual named accounts, MFA, and is restricted on a need-to-know basis. 

• Audit logging of administrative access and privileged actions. 

6. Data transmission 

• TLS 1.2 or higher for all data in transit. HTTPS-only enforcement on customer-facing endpoints. 

• Server-side transmission to advertising destinations using each platform's documented secure API (Meta Conversions API, Google Ads API, etc.). 

7. Data storage 

• Customer Personal Data is logically siloed by organisation. Cross-customer access is prohibited and not technically supported. 

• Encryption at rest as described in item 1 above. 

8. Physical security 

• Customer Personal Data is Processed in cloud infrastructure (Microsoft Azure) at data centre facilities that hold ISO/IEC 27001 and other relevant physical-security certifications. 

• Seeka does not operate self-hosted infrastructure for production Processing of Customer Personal Data. 

9. Events logging 

• Production systems generate access and event logs for security monitoring and incident investigation, retained in accordance with Seeka's log-retention policy. 

• Acceptance of this DPA (including click-through acceptance) is logged with user ID, organisation ID, acceptance timestamp, source IP, DPA version, and the scope snapshot at the time of acceptance. 

10. System configuration and defaults 

• New customer organisations are provisioned with privacy-conservative defaults where applicable. 

• Default retention for raw event-level data is two (2) years unless otherwise configured by the Customer. 

11. IT and security governance 

• Documented information security policy, reviewed annually. 

• Personnel complete security-awareness training on onboarding and annually thereafter. 

12. Certification and assurance 

• Engagement with Deloitte as security partner. 

13. Data minimisation 

• Destination integrations are enabled on a per-Customer basis. Customer Personal Data is only transmitted to destinations the Customer has actively connected. 

• The Service offers Data Control Modes (Implicit / Explicit) allowing Customers to gate data collection on consent in jurisdictions requiring opt-in. 

14. Data quality 

• The Service provides a Data Redaction Tool in the customer dashboard supporting GDPR Right to Erasure and CCPA deletion requests. 

15. Data retention 

• Default retention is two (2) years for raw event-level data, configurable per Customer.

• Retention on termination as set out in clause 12 of the DPA.

16. Accountability 

• Designated privacy contact: privacy@seeka.co. 

• Internal six-monthly security and compliance review. 

• Sub-processor change notification process per clause 6 of the DPA. 

17. Data portability and erasure 

• Customer dashboard supports export of Customer data on termination per clause 12 of the DPA. 

• Data Redaction Tool supports End User data-subject erasure requests forwarded by the Customer. 

Measures for transfers to Sub-processors 

Where Sub-processors are located outside the EEA, the UK or Switzerland, Seeka enters into the EU SCCs (or equivalent transfer mechanism) with each Sub-processor in respect of the relevant transfer. The Sub-processor List in Schedule 2 identifies each Sub-processor, its location and the transfer mechanism applicable. 

Annex III - List of Sub-processors 

The Sub-processors authorised by the Customer are listed in Schedule 2 of this DPA (and at seeka.co/sub-processors), which is incorporated into this Annex III by reference. 

Schedule 4 - UK Addendum Tables 

This Schedule sets out the Tables required by the UK Addendum, incorporated into this DPA by reference under clause 13.3. 

Table 1 - Parties 

As set out in Schedule 3, Annex I.A. 

Table 2 - Selected SCCs, Modules and Selected Clauses 

The EU SCCs (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), with the docking clause (Clause 7) selected, and the further selections set out in clause 13.2 of this DPA. 

Table 3 - Appendix Information 

As set out in Schedule 3, Annexes I.A, I.B, I.C, II and III. 

Table 4 - Ending the Addendum when the Approved Addendum Changes

Neither Party may end the UK Addendum as set out in Section 19 of the UK Addendum.

Execution 

This DPA is executed by the Parties as set out below. 

For and on behalf of the CUSTOMER: 

Signature: ___________________________________ 

Name: ___________________________________ 

Title: ___________________________________ 

Date: ___________________________________ 

For and on behalf of SEEKA HQ PTY LTD: 

Signature: ___________________________________ 

Name: ___________________________________ 

Title: ___________________________________ 

Date: ___________________________________ 


© 2025 Seeka HQ Pty Ltd. All rights reserved.