Data Processing Agreement

Aplas Pty Ltd | ABN 17 625 144 461

Version 1.0 — February 2026

1. Introduction

This Data Processing Agreement ("DPA") is entered into between Aplas Pty Ltd (ABN 17 625 144 461) ("Processor", "Company", "we", "us", "our") and the Customer ("Controller", "you", "your") and forms part of the Agreement between the parties.

This DPA sets out the terms under which the Processor will process Personal Data on behalf of the Controller in connection with the provision of the Aplas platform and related services.

This DPA supplements and is subject to the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data protection matters.

2. Definitions

Terms used in this DPA that are defined in the Terms of Service have the same meaning. In addition:

Data Protection Laws has the meaning given in the Terms of Service.
Personal Data has the meaning given in the Terms of Service.
Personal Data Breach has the meaning given in the Terms of Service.
Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Sub-processor has the meaning given in the Terms of Service.

3. Scope and Purpose of Processing

3.1

The Processor will process Personal Data only to the extent necessary to provide the Aplas platform and related services to the Controller, as described in the Terms of Service and any applicable Commercial Terms.

3.2

The categories of Personal Data processed, the categories of data subjects, and the nature and purpose of processing are set out in Schedule 1 to this DPA.

3.3

The Processor will not process Personal Data for any purpose other than as instructed by the Controller, unless required to do so by applicable law (in which case, the Processor will inform the Controller of that legal requirement before processing, unless prohibited by law from doing so).

4. Obligations of the Processor

The Processor will:

process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the jurisdiction in which it was collected;
ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Terms of Service and the Security Policy;
comply with the conditions for engaging Sub-processors set out in clause 6;
taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to data subject requests;
assist the Controller in ensuring compliance with its obligations under the Data Protection Laws with respect to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities;
at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data; and
make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits in accordance with clause 7.

5. Obligations of the Controller

The Controller will:

ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf;
provide documented processing instructions to the Processor; and
comply with its obligations under the applicable Data Protection Laws.

6. Sub-processors

6.1

The Controller provides general authorisation for the Processor to engage Sub-processors to process Personal Data on behalf of the Controller.

6.2

The Processor maintains a current list of Sub-processors at the Site. The Processor will provide the Controller with at least 30 days' prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor.

6.3

The Controller may object to a new Sub-processor by notifying the Processor in writing within 14 days of receiving notice. If the parties are unable to resolve the objection within a reasonable period, either party may terminate the affected services upon 30 days' written notice.

6.4

The Processor will impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA.

7. Audit Rights

7.1

The Processor will make available to the Controller, on reasonable request and subject to reasonable confidentiality obligations, such information as is reasonably necessary to demonstrate compliance with this DPA.

7.2

The Processor will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, provided that:

the Controller provides at least 30 days' advance written notice;
audits are conducted during normal business hours and do not unreasonably disrupt the Processor's operations; and
audits are conducted no more than once per calendar year unless required by a supervisory authority or following a Personal Data Breach.

8. Personal Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include the information set out in clause 6.3 of the Terms of Service.

9. International Data Transfers

Where Personal Data is transferred outside the jurisdiction in which it was collected, the Processor will ensure that appropriate safeguards are in place in accordance with the applicable Data Protection Laws, as described in clause 6.6 of the Terms of Service.

10. Term and Termination

This DPA will remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Agreement, the provisions of clause 13.5 of the Terms of Service apply to the return and deletion of Personal Data.

11. Governing Law

This DPA is governed by the same governing law as the Terms of Service, unless otherwise required by applicable Data Protection Laws.

12. Changes to This Agreement

The Company may update this DPA from time to time to reflect changes in applicable Data Protection Laws or our processing activities. Material changes will be notified in accordance with the Terms of Service.

13. Contact Us

If you have any questions about this Data Processing Agreement, please contact us at:

Aplas Pty Ltd

Level 17, 31 Queen Street, Melbourne VIC 3000, Australia

Email: dpo@aplas.com

Website: https://aplas.com

Schedule 1 — Details of Processing

Categories of Data Subjects

Customer employees and authorised users of the Aplas platform
Individuals whose personal data is contained within Customer Data uploaded to Aplas

Categories of Personal Data

Name and contact information (email address, job title)
Account credentials and authentication data
Usage data and activity logs within the Aplas platform
Any personal data contained within Customer Data uploaded to or created within Aplas

Nature and Purpose of Processing

Providing and maintaining the Aplas platform and related services
User authentication and access management
Customer support and communication
Platform analytics and performance monitoring (using aggregated and anonymised data)
Compliance with applicable laws and regulations

Duration of Processing

For the duration of the Agreement, plus the data retention period set out in the Terms of Service

Version History

Version	Date	Changes
V1.00	February 2026	Initial release