Data Processing Addendum
Effective Date: 8 July 2026 · Rubberdesk Pty Ltd · ABN: 18 163 716 247
1. Introduction and Application
bolta.space is a product operated by Rubberdesk Pty Ltd (ABN 18 163 716 247), an Australian proprietary limited company. In this DPA, references to “we”, “us”, “our”, or “Rubberdesk” are references to Rubberdesk Pty Ltd.
1.1 Relationship to the Terms
This Data Processing Addendum (“DPA”) supplements the Terms and Conditions of Service (the “Terms”) between Rubberdesk Pty Ltd (ABN 18 163 716 247) (“Rubberdesk”, “we”, “us”, or “our”) and the Subscriber identified in the relevant subscription or Order Form (the “Subscriber”, “you”, or “your”).
Capitalised terms used but not defined in this DPA have the meanings given to them in the Terms. To the extent of any inconsistency between this DPA and the Terms in relation to the processing of Personal Information, this DPA prevails.
1.2 Scope and Purpose
This DPA applies to the extent that Rubberdesk processes Personal Information on behalf of the Subscriber in connection with the Subscriber’s use of the bolta.space platform (the “Platform”).
This DPA is intended to satisfy the requirements of:
- The Privacy Act 1988 (Cth), including the Australian Privacy Principles (“APPs”);
- The Privacy and Other Legislation Amendment Act 2024 (Cth);
- The UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (UK), where applicable;
- The Privacy and Electronic Communications Regulations 2003 (UK), where applicable; and
- Any other data protection law applicable to the processing (collectively, the “Data Protection Laws”).
2. Definitions
In this DPA, the following terms have the following meanings. Other capitalised terms have the meanings given to them in the Terms.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Special Categories of Personal Data” have the meanings given to them in the UK GDPR, or where the UK GDPR does not apply, the corresponding meanings under the Privacy Act 1988 (Cth) (for example, “Personal Information” corresponds to “Personal Data”).
“Data Subject Request” means a request made by a Data Subject to exercise any right under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, objection, or withdrawal of consent.
“IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner’s Office, or the International Data Transfer Addendum to the EU Standard Contractual Clauses, as applicable.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA. In Australia, this corresponds to an “eligible data breach” under Part IIIC of the Privacy Act 1988 (Cth).
“SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to UK GDPR or any equivalent contractual mechanism approved by a competent supervisory authority.
“Subscriber Personal Data” means any Personal Data that Rubberdesk processes as a Processor on behalf of the Subscriber in the course of providing the Platform.
“Sub-processor” means any third party engaged by Rubberdesk to process Subscriber Personal Data on Rubberdesk’s behalf in connection with the Platform.
“Supervisory Authority” means the Office of the Australian Information Commissioner (“OAIC”), the UK Information Commissioner’s Office (“ICO”), or any other independent public authority with jurisdiction over data protection matters relevant to the processing under this DPA.
3. Roles of the Parties
3.1 Controller and Processor
With respect to Subscriber Personal Data processed under this DPA, the parties agree that:
- The Subscriber is the Controller (or, where the Subscriber is itself acting as a Processor on behalf of a third party, the Controller acting in that capacity);
- Rubberdesk is the Processor; and
- Sub-processors engaged by Rubberdesk in accordance with this DPA are sub-processors of the Subscriber.
3.2 Rubberdesk’s Independent Processing
In relation to Personal Data that Rubberdesk processes for its own business purposes (including account management, billing, security, fraud prevention, Platform improvement, and other purposes set out in the Privacy Policy), Rubberdesk acts as an independent Controller. This DPA does not apply to that processing, which is governed by the Privacy Policy.
3.3 Subscriber Responsibilities
The Subscriber:
- Is solely responsible for determining the lawful basis for processing Subscriber Personal Data and for ensuring that such processing is lawful, fair, and transparent;
- Warrants that it has provided all necessary notices and obtained all necessary consents and authorisations from Data Subjects under Data Protection Laws to enable Rubberdesk to process Subscriber Personal Data as contemplated by the Terms and this DPA;
- Is responsible for the accuracy, quality, and legality of Subscriber Personal Data and the means by which the Subscriber acquired it;
- Will not instruct Rubberdesk to process Subscriber Personal Data in a manner that would cause either party to breach any Data Protection Law; and
- Will indemnify Rubberdesk against any claim, fine, penalty, or liability arising from the Subscriber’s breach of this clause 3.3.
4. Processing of Subscriber Personal Data
4.1 Documented Instructions
Rubberdesk will process Subscriber Personal Data only on the documented instructions of the Subscriber, which instructions are set out in the Terms, this DPA, Schedule 1 to this DPA (Description of Processing), and any further written instructions given by the Subscriber from time to time that are consistent with the Terms.
4.2 Permitted Processing
Rubberdesk may process Subscriber Personal Data for the following purposes only:
- Providing, operating, maintaining, and supporting the Platform;
- Performing Rubberdesk’s obligations under the Terms;
- Complying with the Subscriber’s documented instructions;
- Detecting, investigating, and preventing security incidents, abuse, and breaches of the Terms;
- Complying with applicable laws and lawful directions of Supervisory Authorities or courts of competent jurisdiction (in which case Rubberdesk will, unless prohibited by law, notify the Subscriber before complying); and
- Generating aggregated and anonymised data that does not identify any Data Subject, for the purposes set out in the Terms and the Privacy Policy.
4.3 Notification of Unlawful Instructions
If Rubberdesk considers (acting reasonably) that an instruction from the Subscriber would breach a Data Protection Law, Rubberdesk will promptly inform the Subscriber and may suspend performance of the relevant processing until the instruction is amended or confirmed in writing.
4.4 Restriction on Other Use
Rubberdesk will not sell, rent, lease, or otherwise commercially exploit Subscriber Personal Data, and will not use Subscriber Personal Data for any purpose other than as set out in this DPA.
5. Confidentiality and Personnel
Rubberdesk will:
- Ensure that all personnel who have access to Subscriber Personal Data are subject to written confidentiality obligations (or are under appropriate statutory duties of confidentiality) that survive the termination of their engagement with Rubberdesk;
- Limit access to Subscriber Personal Data to those personnel who require such access to perform their duties in connection with the Platform;
- Provide regular and appropriate training to personnel on data protection, information security, and confidentiality; and
- Maintain records of personnel who have, or have had, access to Subscriber Personal Data.
6. Security Measures
6.1 Technical and Organisational Measures
Rubberdesk will implement and maintain appropriate technical and organisational measures (“TOMs”) to protect Subscriber Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The TOMs are set out in Schedule 2 to this DPA, and include:
- Encryption of Subscriber Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- Role-based access controls and the principle of least privilege;
- Multi-factor authentication for administrative and privileged access to systems hosting Subscriber Personal Data;
- Network segmentation, firewalls, intrusion detection, and continuous monitoring;
- Regular security testing, including vulnerability scanning and penetration testing;
- Secure software development practices, including code review and dependency management;
- Backup, disaster recovery, and business continuity arrangements; and
- Physical security controls at all data centres and facilities.
6.2 Risk-Based Approach
In implementing the TOMs, Rubberdesk takes into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity to the rights and freedoms of Data Subjects.
6.3 Subscriber Security Responsibilities
The Subscriber is responsible for the security of: (a) its own credentials and Account access; (b) any data the Subscriber chooses to export, download, or store outside the Platform; (c) any data the Subscriber uploads in violation of clause 5.7 of the Terms; and (d) any client systems, devices, or networks used to access the Platform.
7. Sub-processors
7.1 General Authorisation
The Subscriber grants Rubberdesk general written authorisation to engage Sub-processors to process Subscriber Personal Data, subject to the conditions in this clause 7. Rubberdesk maintains a current list of authorised Sub-processors at bolta.space/subprocessors (or such other URL as Rubberdesk may notify from time to time).
7.2 Notification of New Sub-processors
Rubberdesk will provide the Subscriber with at least thirty (30) days’ prior written notice of the engagement of any new Sub-processor (such notice may be given by email, by updating the published Sub-processor list, or by such other reasonable means as Rubberdesk determines).
7.3 Right to Object
The Subscriber may object to the engagement of a new Sub-processor on reasonable data protection grounds within fifteen (15) days of receiving notice under clause 7.2, by sending written notice to privacy@bolta.space specifying the basis of the objection.
If the Subscriber objects in good faith and Rubberdesk is unable, after using reasonable efforts, to address the objection (whether by proposing an alternative arrangement or by declining to engage the proposed Sub-processor in respect of the Subscriber’s data), the Subscriber’s sole and exclusive remedy is to terminate the affected subscription on written notice, and Rubberdesk will refund any pre-paid Fees on a pro-rata basis for the unused portion of the Subscription Term. Continued use of the Platform after the new Sub-processor is engaged constitutes acceptance.
7.4 Sub-processor Obligations
Rubberdesk will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA, including obligations relating to confidentiality, security, breach notification, sub-processing, international transfers, and audit. Rubberdesk remains fully liable to the Subscriber for the acts and omissions of its Sub-processors in relation to Subscriber Personal Data as if they were Rubberdesk’s own acts and omissions.
8. Data Subject Rights
8.1 Assistance to the Subscriber
Taking into account the nature of the processing, Rubberdesk will provide reasonable assistance to the Subscriber (by appropriate technical and organisational measures, insofar as this is possible) for the fulfilment of the Subscriber’s obligations to respond to Data Subject Requests, including requests for:
- Access to Personal Data (APP 12 / UK GDPR Article 15);
- Correction or rectification of Personal Data (APP 13 / UK GDPR Article 16);
- Erasure of Personal Data (UK GDPR Article 17);
- Restriction of processing (UK GDPR Article 18);
- Data portability (UK GDPR Article 20);
- Objection to processing (UK GDPR Article 21); and
- Rights related to automated decision-making and profiling (UK GDPR Article 22).
8.2 Direct Requests to Rubberdesk
If Rubberdesk receives a Data Subject Request directly from a Data Subject in respect of Subscriber Personal Data, Rubberdesk will promptly notify the Subscriber and, unless legally required to respond directly, will direct the Data Subject to the Subscriber. Rubberdesk will not respond to the Data Subject Request without the Subscriber’s prior written instruction, except as required by applicable law.
8.3 Cost of Assistance
Rubberdesk’s standard assistance with Data Subject Requests is included in the Fees. Where a Data Subject Request requires assistance that is materially beyond the scope of standard support (for example, complex bulk exports, custom searches, or extensive legal coordination), Rubberdesk may charge for such assistance at its then-current rates, having given the Subscriber prior notice of the estimated cost.
9. Personal Data Breach Notification
9.1 Notification to the Subscriber
Rubberdesk will notify the Subscriber without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Subscriber Personal Data. Notification will be made by email to the Subscriber’s designated privacy or security contact (or, in the absence of such designation, to the billing or administrative contact for the Account).
9.2 Content of Notification
The notification will include, to the extent then known or reasonably available:
- A description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of the Rubberdesk Privacy Officer or other contact point from whom more information can be obtained;
- A description of the likely consequences of the Personal Data Breach; and
- A description of the measures taken or proposed to be taken by Rubberdesk to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 Updates
Where it is not possible to provide all the information in clause 9.2 at the same time, the information may be provided in phases without further undue delay.
9.4 Cooperation
Rubberdesk will reasonably cooperate with the Subscriber, and provide reasonable assistance, in the Subscriber’s investigation, response, mitigation, and notification of the Personal Data Breach to Data Subjects, Supervisory Authorities, and other relevant parties, taking into account the nature of the processing and the information available to Rubberdesk.
9.5 Subscriber Responsibility for Notifications
Unless required by Data Protection Laws applicable to Rubberdesk as Processor, Rubberdesk will not notify any Data Subject, Supervisory Authority, or third party of the Personal Data Breach without the Subscriber’s prior written instruction. The Subscriber is responsible for assessing whether the Personal Data Breach is notifiable under applicable Data Protection Laws (including the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) and Articles 33 and 34 of the UK GDPR) and for making any required notifications to Supervisory Authorities and Data Subjects.
9.6 Rubberdesk Independent Obligations
Nothing in this clause 9 limits or modifies Rubberdesk’s own independent obligations as a Controller (in respect of Personal Data for which it is the Controller) or as Processor in respect of breaches that are notifiable directly by Rubberdesk under applicable law.
10. Audits and Inspections
10.1 Subscriber Audit Rights
The Subscriber has the right, on at least thirty (30) days’ prior written notice and not more than once per calendar year (except in the case of a Personal Data Breach affecting Subscriber Personal Data, or where required by a Supervisory Authority), to audit Rubberdesk’s compliance with this DPA.
10.2 Audit Conduct
Audits must be:
- Conducted during normal business hours and in a manner that minimises disruption to Rubberdesk’s operations;
- Conducted by the Subscriber, by Subscriber personnel, or by an independent auditor appointed by the Subscriber who is bound by appropriate confidentiality obligations (and who is not a competitor of Rubberdesk);
- Limited to information, systems, and personnel reasonably relevant to verifying Rubberdesk’s compliance with this DPA;
- Subject to Rubberdesk’s reasonable confidentiality, security, and access policies; and
- Conducted at the Subscriber’s cost, except where the audit reveals a material breach by Rubberdesk of this DPA, in which case Rubberdesk will reimburse the Subscriber’s reasonable audit costs.
10.3 Third-Party Audit Reports
To the extent reasonably possible, Rubberdesk may satisfy its audit obligations under this clause 10 by providing the Subscriber with the results of recent independent third-party audits (including SOC 2 Type II reports, ISO 27001 certifications, or equivalent) covering the Platform and its underlying infrastructure. Where such reports adequately address the Subscriber’s reasonable audit requirements, the Subscriber agrees to rely on those reports in lieu of a direct audit.
10.4 Audit Findings
The Subscriber will share audit findings with Rubberdesk and the parties will reasonably cooperate to address any material non-compliance identified.
11. International Data Transfers
11.1 Transfer Locations
Subscriber Personal Data may be processed in Australia, the United Kingdom, the European Economic Area, the United States, and other jurisdictions where Rubberdesk or its Sub-processors maintain facilities. The locations of Sub-processor processing are identified in the Sub-processor list referred to in clause 7.1.
11.2 Transfers from Australia
Rubberdesk takes reasonable steps under APP 8 of the Australian Privacy Principles to ensure that any overseas recipient of Subscriber Personal Data does not breach the APPs in relation to that data. Where Rubberdesk transfers Subscriber Personal Data outside Australia, Rubberdesk will implement appropriate safeguards, including contractual obligations on the overseas recipient consistent with the APPs.
11.3 Transfers from the United Kingdom
Where Subscriber Personal Data subject to the UK GDPR is transferred outside the United Kingdom to a country not subject to an adequacy decision, the parties agree that the transfer will be subject to:
- The IDTA (or, where applicable, the International Data Transfer Addendum to the EU Standard Contractual Clauses), which is incorporated into this DPA by reference and which the parties are deemed to have entered into in respect of any such transfer;
- Any other appropriate safeguard recognised under the UK GDPR; or
- An applicable derogation under Article 49 of the UK GDPR.
11.4 Transfer Impact Assessment
Rubberdesk will, on reasonable request and where required by Data Protection Laws, provide the Subscriber with information reasonably necessary to enable the Subscriber to conduct a transfer impact assessment in respect of transfers of Subscriber Personal Data to countries outside the UK or Australia.
11.5 Onward Transfers
Sub-processors must not make onward transfers of Subscriber Personal Data to third countries without appropriate safeguards equivalent to those in this clause 11.
12. Deletion and Return on Termination
12.1 Deletion or Return
On termination or expiry of these Terms (for any reason), at the Subscriber’s written election (made within thirty (30) days of termination), Rubberdesk will:
- Make Subscriber Personal Data available for export by the Subscriber in a structured, commonly used, and machine-readable format; or
- Delete Subscriber Personal Data.
12.2 Default Behaviour
If the Subscriber does not make an election within thirty (30) days of termination, Rubberdesk may delete Subscriber Personal Data in accordance with its data retention policies and the Privacy Policy.
12.3 Backups and Archived Data
Rubberdesk may retain Subscriber Personal Data in encrypted backups and archived systems for so long as is required by its standard backup retention cycle (typically up to ninety (90) days), after which such data will be deleted or overwritten in the ordinary course of operations. Retained backup data will not be used for any purpose other than disaster recovery and legal compliance, and will remain subject to the confidentiality and security obligations of this DPA.
12.4 Retention Required by Law
Rubberdesk may retain Subscriber Personal Data to the extent required by applicable law, regulation, court order, or for the establishment, exercise, or defence of legal claims. Such retained data will remain subject to the obligations of this DPA for as long as it is retained.
12.5 Certification
On the Subscriber’s written request following deletion, Rubberdesk will provide written certification that deletion has been completed in accordance with this clause 12 (subject to the exceptions in clauses 12.3 and 12.4).
13. Liability
13.1 Liability under the Terms
Each party’s liability arising under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms (including clauses 10, 11, and 12 of the Terms). For the avoidance of doubt, the parties’ aggregate liability under this DPA and the Terms together is subject to the cap in clause 11.2 of the Terms.
13.2 Indemnification
Without limiting the indemnities in the Terms, the Subscriber indemnifies Rubberdesk against any claim, fine, penalty, or liability imposed on or incurred by Rubberdesk under any Data Protection Law arising from:
- The Subscriber’s breach of this DPA;
- The Subscriber’s instructions to Rubberdesk being unlawful;
- The Subscriber’s failure to obtain necessary consents or provide necessary notices to Data Subjects; or
- The Subscriber’s breach of the Terms in respect of the processing of Personal Data.
14. Term and Variation
14.1 Term
This DPA takes effect on the Effective Date set out above (or, if later, the date the Subscriber first accesses the Platform) and continues for as long as Rubberdesk processes Subscriber Personal Data on behalf of the Subscriber, and thereafter for so long as is necessary to give effect to the parties’ ongoing rights and obligations under it.
14.2 Variation
Rubberdesk may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or Platform functionality. Material changes will be notified to the Subscriber at least thirty (30) days before taking effect, by email or by updating the URL at which this DPA is published. The Subscriber’s continued use of the Platform after the effective date of any change constitutes acceptance of the updated DPA.
14.3 Conflicts
In the event of any inconsistency between this DPA and the Terms in relation to the processing of Personal Data, this DPA prevails. In all other respects, the Terms prevail.
15. General
15.1 Governing Law
This DPA is governed by the law applicable to the Terms (being the laws of New South Wales, Australia, as set out in the Terms).
15.2 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, that provision will be modified to the minimum extent necessary to make it valid and enforceable, and the remaining provisions will continue in full force and effect.
15.3 Counterparts
This DPA may be executed in counterparts. An electronic copy of a signed counterpart is as effective as an original.
15.4 Notices
Notices under this DPA must be given in accordance with the notice provisions of the Terms. Notices to Rubberdesk relating to data protection matters should be sent to privacy@bolta.space.
Schedule 1 — Description of Processing
This Schedule sets out the particulars of processing of Subscriber Personal Data by Rubberdesk on behalf of the Subscriber, as required by Article 28(3) of the UK GDPR and APP 8.
Subject Matter of Processing
The provision of the bolta.space commercial property platform and related services to the Subscriber.
Duration of Processing
The duration of the Subscriber’s subscription to the Platform, plus any further period required by clause 12 of this DPA and applicable law.
Nature of Processing
Collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction of Subscriber Personal Data, as necessary to provide the Platform.
Purpose of Processing
Provision of the Platform, including:
- Account management and authentication
- Creation, distribution, and management of property deals
- Submission and management of property listings
- Generation and sharing of property shortlists
- Communication between Users
- AI-assisted property matching, shortlisting, and analytics
- Reporting and audit functionality
- Customer and technical support
- Security, fraud prevention, and dispute resolution
Categories of Data Subjects
- Subscriber’s employees, contractors, and Authorised Users
- Subscriber’s clients (tenants and prospective tenants)
- Subscriber’s business contacts
- Leasing Agents, property owners, and their representatives
- Other third parties named in property deals, listings, or communications
Categories of Personal Data
- Identification data (names, job titles, employers)
- Contact data (email addresses, phone numbers, business addresses)
- Professional data (industry, role, business activities, licensing details)
- Property requirement data (space needs, budgets, timing, preferences)
- Communication content (messages, notes, attachments)
- Technical data (IP addresses, device information, log data, usage data)
- Account credentials (in hashed or encrypted form)
Special Categories of Personal Data
Rubberdesk does not require, and does not intend to process, Special Categories of Personal Data (as defined in the UK GDPR) or Sensitive Information (as defined in the Privacy Act 1988 (Cth)) on behalf of the Subscriber. The Subscriber agrees not to upload, submit, or otherwise cause Rubberdesk to process any such data, except where strictly necessary and expressly agreed in writing in advance.
Schedule 2 — Technical and Organisational Measures
This Schedule sets out the technical and organisational measures (“TOMs”) implemented by Rubberdesk to protect Subscriber Personal Data, as required by Article 32 of the UK GDPR and APP 11.
Information Security Governance
- Documented information security policies, reviewed at least annually
- Designated security and privacy officers
- Risk assessment and management processes
- Incident response and breach management procedures
- Vendor and Sub-processor risk management
Access Control and Authentication
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) for administrative and privileged access
- Strong password policies for user accounts
- Session management with appropriate timeouts
- Regular access reviews and revocation on personnel changes
Encryption
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Encryption of database backups
- Encrypted storage of passwords using strong hashing algorithms (Argon2id or equivalent)
Network and Infrastructure Security
- Firewalls and network segmentation
- Intrusion detection and prevention systems
- DDoS protection
- Hardened operating systems and infrastructure baselines
- Regular patching and vulnerability management
- Production environments isolated from development and testing
Application Security
- Secure software development lifecycle (SDLC)
- Code review and static analysis
- Dependency vulnerability scanning
- Input validation and output encoding to prevent injection attacks
- CSRF protection on state-changing requests
- Rate limiting and abuse detection
Monitoring and Logging
- Centralised logging of security-relevant events
- Continuous monitoring of system and application logs
- Application-level audit logging that records create, update, delete, and view actions on Subscriber Personal Data, including the identity of the actor, the affected record, the changes made, and the time of the action
- Server-side visitor logging that records IP address, browser, and access time for each signed-in session, to support security investigation
- Retention of audit and security logs in accordance with applicable law and the retention periods set out in the Privacy Policy
Business Continuity and Disaster Recovery
- Regular automated backups of Subscriber Personal Data
- Geographically diverse backup storage
- Documented disaster recovery and business continuity plans
- Periodic testing of recovery procedures
Physical Security
- Use of reputable cloud infrastructure providers (such as Amazon Web Services) with appropriate physical security certifications (including ISO 27001 and SOC 2)
- No primary processing of Subscriber Personal Data in Rubberdesk offices
- Physical access controls and surveillance at corporate facilities
Personnel
- Background checks for personnel with access to Subscriber Personal Data, where lawful
- Written confidentiality and data protection obligations in all employment and contractor agreements
- Mandatory data protection and security awareness training, refreshed at least annually
- Defined onboarding and offboarding procedures, including prompt revocation of access on termination
Testing and Assessment
- Regular vulnerability scanning
- Periodic third-party penetration testing
- Independent third-party security and privacy audits, as appropriate (with reports made available to enterprise Subscribers under appropriate confidentiality terms)
Data Minimisation and Pseudonymisation
- Collection of Personal Data limited to what is necessary for the purposes of processing
- Pseudonymisation and anonymisation techniques applied where appropriate
- Aggregated and anonymised analytics that do not identify individuals
Rubberdesk reviews and updates these TOMs from time to time to reflect changes in the state of the art, the nature of the processing, and the evolving threat landscape. The current version of this Schedule will be made available to the Subscriber on reasonable request.
Schedule 3 — Sub-processors
Rubberdesk maintains a current list of authorised Sub-processors at bolta.space/subprocessors. This Schedule sets out the categories of Sub-processors engaged at the Effective Date of this DPA. The published list is the authoritative reference and may be updated from time to time in accordance with clause 7 of this DPA.
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting and infrastructure | Hosting of the Platform, databases, and application infrastructure | Australia, United States |
| Email delivery | Sending transactional and notification emails | United States, European Union |
| SMS and authentication | Phone verification and authentication services | United States |
| Payment processing | Subscription billing and payment processing | United States, Australia |
| AI and machine learning | AI-assisted analysis, extraction, and recommendations | United States |
| Analytics and monitoring | Platform performance monitoring and analytics | United States, European Union |
| Customer support tools | Helpdesk and customer support communication | United States, Australia |
The specific Sub-processors engaged within each category, together with their full names, processing locations, and applicable transfer mechanisms, are published at bolta.space/subprocessors.
Contact
For any matter relating to this DPA, please contact:
Privacy Officer
Rubberdesk Pty Ltd
Email: privacy@bolta.space
Australia: 9 Castlereagh Street, Sydney NSW 2000, Australia
United Kingdom: 10 Bloomsbury Way, London WC1A 2SL, United Kingdom