Data Processing Agreement
Gold Coast, Queensland, Australia
info@backlotlive.com.au
This Data Processing Agreement ("DPA") is entered into between Back Lot Trailers Pty Ltd (ABN 12 345 678 901) ("Data Processor") and the production company subscribing to the Backlot Live™ platform ("Data Controller").
This DPA forms part of and is incorporated into the Software Licence Agreement between the parties. In the event of any inconsistency between this DPA and the Software Licence Agreement with respect to the processing of personal data, the terms of this DPA prevail.
The purpose of this DPA is to ensure that the processing of personal data — including crew member data collected through the Backlot Live™ platform — is carried out in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").
1. Definitions
In this DPA, the following terms have the meanings set out below. Where applicable, these definitions align with the terminology used in the Australian Privacy Act 1988 (Cth) and, for international reference, the EU General Data Protection Regulation (GDPR).
- "Personal Data" means any information or opinion about an identified or reasonably identifiable individual, as defined in the Privacy Act 1988 (Cth). This includes all Crew Data as defined in the Software Licence Agreement.
- "Data Controller" means the production company that determines the purposes and means of processing Personal Data — being the production company that subscribes to the Platform and invites crew members to onboard.
- "Data Processor" means Back Lot Trailers Pty Ltd, which processes Personal Data on behalf of and under the instructions of the Data Controller.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, transmission, combination, restriction, erasure, or destruction.
- "Data Subject" means the individual to whom Personal Data relates — typically a crew member or production staff member whose data is collected through the Platform.
- "Sensitive Information" means Personal Data as defined in APP 3.3, including health information, biometric information, tax file numbers, and financial information.
- "Data Breach" means an eligible data breach as defined under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) — being unauthorised access to, disclosure of, or loss of Personal Data that is likely to result in serious harm to one or more individuals.
- "Sub-processor" means any third-party processor engaged by the Data Processor to process Personal Data on the Data Processor's behalf in connection with the Platform.
- "Instructions" means the documented directions given by the Data Controller to the Data Processor regarding the processing of Personal Data, as set out in this DPA and the Software Licence Agreement.
2. Scope and Purpose of Processing
2.1 Nature and Purpose
Back Lot Trailers Pty Ltd processes Personal Data on behalf of the Data Controller solely for the purpose of providing the Backlot Live™ platform and associated services under the Software Licence Agreement. The processing activities include:
- storing and organising crew member profile data submitted during digital onboarding;
- processing payroll-related information (TFN, bank account details, superannuation) to facilitate payroll management;
- managing digital security pass issuance and access control records;
- processing dietary and health information for catering management;
- storing emergency contact information for workplace safety purposes;
- maintaining usage logs and audit trails within the Platform.
2.2 Data Controller Responsibility
The Data Controller is responsible for:
- determining the lawful basis for collecting and processing Personal Data from crew members;
- ensuring crew members are appropriately notified about data collection and provided with a valid opportunity to consent where required;
- ensuring the accuracy and currency of Personal Data submitted to the Platform;
- responding to Data Subject access, correction, and deletion requests received by the Data Controller directly (with assistance from the Data Processor as set out in clause 3.3).
2.3 Instruction-based Processing Only
The Data Processor will process Personal Data only in accordance with the Data Controller's documented Instructions, as set out in this DPA and the Software Licence Agreement. If the Data Processor is required by law to process Personal Data beyond those Instructions, it will notify the Data Controller before doing so (unless prohibited by law).
3. Data Processor Obligations
3.1 Instruction Compliance
The Data Processor will process Personal Data only on the documented Instructions of the Data Controller. The Data Processor will immediately notify the Data Controller if, in its reasonable opinion, any Instruction infringes applicable privacy law.
3.2 Confidentiality of Personnel
The Data Processor will ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and have received appropriate privacy training. Access to Personal Data is limited to personnel who require it to perform their functions in connection with the Platform.
3.3 Assistance with Data Subject Rights
The Data Processor will provide reasonable assistance to the Data Controller in responding to Data Subject requests for access, correction, or deletion of their Personal Data. The Data Processor will, within 5 business days of receiving a request that appears to be from a Data Subject, forward that request to the Data Controller for direction.
3.4 Data Breach Notification
The Data Processor will:
- notify the Data Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Data Breach that may affect Personal Data processed under this DPA;
- provide the Data Controller with all information reasonably available about the nature of the breach, the Personal Data affected, the likely consequences, and steps taken or proposed to contain and remediate the breach;
- cooperate with the Data Controller in any notification to the Office of the Australian Information Commissioner (OAIC) and affected Data Subjects as required under the NDB scheme;
- take all reasonable steps to contain, investigate, and remediate the breach.
3.5 Privacy Impact Assessments
Upon request, the Data Processor will provide reasonable assistance to the Data Controller in conducting privacy impact assessments where the processing of Personal Data poses a high risk to Data Subjects.
4. Sub-processors
4.1 Authorisation
The Data Controller authorises the Data Processor to engage the following approved Sub-processors in connection with the Platform. The Data Processor will ensure each Sub-processor is bound by contractual obligations that are no less protective of Personal Data than the obligations in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud Infrastructure Provider (e.g. Amazon Web Services, Google Cloud Platform, or equivalent) | Hosting, storage, database, and compute infrastructure for the Platform | Australia (primary); international failover regions |
| Email / Notification Service (e.g. SendGrid, Twilio, or equivalent) | Transactional email and SMS notifications to crew members and production administrators | Australia / USA |
| Identity Verification Service (e.g. GreenID, Onfido, or equivalent) | Identity verification and KYC checks where required | Australia / international |
| Analytics and Error Monitoring (e.g. Sentry, Datadog, or equivalent) | Anonymised application performance monitoring and error tracking | USA / EU |
| AI / Document Processing Services (where applicable to Platform features) | Document scanning, data extraction, or AI-assisted features within the Platform | Australia / international |
4.2 Changes to Sub-processors
The Data Processor will notify the Data Controller of any proposed addition or replacement of a Sub-processor with at least thirty (30) days' notice. The Data Controller may object to the proposed change within that period on reasonable grounds. If the parties cannot resolve the objection, the Data Controller may terminate the Software Licence Agreement without penalty.
5. Data Retention and Deletion
5.1 Retention Period
The Data Processor will retain Personal Data for the period specified in the Privacy Policy — being the duration of the relevant production plus seven (7) years, unless the Data Controller provides Instructions to delete data earlier (subject to applicable legal obligations).
5.2 Biometric Data
Biometric face photographs are retained for no longer than thirty (30) days after the production wrap date notified by the Data Controller, after which they are permanently and securely deleted.
5.3 Deletion on Termination
Upon termination or expiry of the Software Licence Agreement, Personal Data will remain available for export by the Data Controller for a period of thirty (30) days, after which it will be permanently deleted from all active systems. Backup data may persist for an additional period of up to ninety (90) days in accordance with standard backup rotation practices, after which it too will be deleted.
5.4 Deletion Certification
Upon request, the Data Processor will provide the Data Controller with written certification that Personal Data has been deleted in accordance with this clause.
6. Security Measures
The Data Processor implements and maintains the following technical and organisational security measures to protect Personal Data against unauthorised access, loss, destruction, alteration, or disclosure:
6.1 Technical Measures
- Encryption in transit: All data transmitted between users and the Platform is encrypted using TLS 1.3 or higher.
- Encryption at rest: All stored Personal Data is encrypted at rest using AES-256 encryption.
- Access controls: Role-based access controls (RBAC) ensure that personnel can only access Personal Data necessary for their function. Multi-factor authentication (MFA) is required for all administrative access.
- Audit logging: All access to and modifications of Personal Data are logged and retained for audit purposes.
- Pseudonymisation: Where technically feasible, the Data Processor implements pseudonymisation to reduce the risk of identification in the event of a breach.
6.2 Organisational Measures
- Privacy and security training for all personnel with access to Personal Data;
- Documented data breach response procedures aligned with the NDB scheme;
- Regular security assessments and penetration testing;
- Vendor due diligence for all Sub-processors;
- Principle of minimum necessary access applied to all personnel roles.
6.3 Updates to Security Measures
The Data Processor will review and update its security measures periodically to reflect changes in technology, threats, and legal requirements. The Data Controller may request information about current security measures at any time.
7. Audit Rights
7.1 Information Requests
The Data Processor will make available to the Data Controller all information reasonably necessary to demonstrate compliance with this DPA, upon written request with reasonable notice.
7.2 Audits
The Data Controller has the right to conduct (or commission a qualified independent third party to conduct) an audit of the Data Processor's data processing activities and security practices, no more than once per calendar year and subject to:
- at least thirty (30) days' prior written notice;
- execution of a confidentiality undertaking by the auditor;
- the audit being conducted during normal business hours and in a manner that does not unreasonably disrupt the Data Processor's operations;
- the Data Controller bearing all costs of the audit unless the audit reveals a material non-compliance, in which case the Data Processor will bear reasonable audit costs.
7.3 Certifications
In lieu of an audit, the Data Processor may provide the Data Controller with current third-party security certifications (such as SOC 2 Type II or ISO 27001) or audit reports as evidence of its security posture.
8. Liability Allocation
8.1 Data Controller Liability
The Data Controller is responsible for the lawfulness of its instructions to the Data Processor. The Data Controller indemnifies the Data Processor against any liability, loss, or damage arising from the Data Processor processing Personal Data in accordance with the Data Controller's Instructions where those Instructions were unlawful or in breach of applicable privacy law.
8.2 Data Processor Liability
The Data Processor is liable for any loss or damage caused to Data Subjects or the Data Controller by its failure to comply with its obligations under this DPA, to the extent that such failure is directly attributable to the Data Processor or its Sub-processors.
8.3 Cap on Liability
The total aggregate liability of each party under this DPA is subject to the liability cap set out in the Software Licence Agreement. Neither party will be liable for indirect, consequential, or special loss or damage arising under this DPA, except to the extent required by applicable law.
8.4 Shared Liability
Where a claim arises from the actions of both the Data Controller and the Data Processor, liability will be apportioned between the parties in proportion to their respective fault, as determined by a court of competent jurisdiction or by agreement between the parties.
9. Governing Law
This DPA is governed by the laws of Queensland, Australia. The parties submit to the non-exclusive jurisdiction of the courts of Queensland and the Federal Court of Australia sitting in Queensland.
Any dispute arising under this DPA will be resolved in accordance with the dispute resolution mechanism set out in the Software Licence Agreement.
This DPA will remain in force for the duration of the Software Licence Agreement and will survive termination to the extent necessary to give effect to clauses 5 (Data Retention and Deletion) and 8 (Liability Allocation).
For any questions regarding this DPA, please contact: info@backlotlive.com.au