Data Processing Addendum
Luris Pty Ltd ("Luris", "Processor", "we", "us")
This Data Processing Addendum ("DPA") forms part of and supplements the Software Licence Agreement & Terms of Service ("Agreement") between Luris Pty Ltd (ABN [insert]) and the Customer ("Controller", "you").
This DPA applies where Luris processes Personal Information on behalf of the Customer in connection with:
- CrossExam AI
- CostGuard
- Court Filing Readiness Checker
- LimitGuard
- and any related hosted services ("Services").
If there is any inconsistency between this DPA and the Agreement, this DPA prevails to the extent of the inconsistency in relation to Personal Information processing.
1. Roles of the Parties
The parties acknowledge that:
- The Customer is the Controller (or APP Entity) determining the purpose and means of handling Personal Information.
- Luris is the Processor (or service provider) processing Personal Information solely on behalf of the Customer.
- Luris does not determine the legal purpose for which Personal Information is collected or used.
2. Definitions
- Personal Information has the meaning given in the Privacy Act 1988 (Cth).
- Sensitive Information includes health information, criminal history information, and other information defined as sensitive under the Privacy Act.
- Processing includes collection, storage, access, analysis, transmission, and deletion of Personal Information.
- Security Incident means unauthorised access, disclosure, alteration, or loss of Personal Information.
3. Scope and Purpose of Processing
Luris processes Personal Information only for the purpose of:
- providing and operating the Services
- authenticating authorised users
- maintaining system security
- performing backup and recovery
- providing support requested by the Customer
Luris will process Personal Information only in accordance with:
- this DPA
- the Agreement
- documented instructions from the Customer
- applicable Australian law
Luris will not use Personal Information for marketing, profiling, or training public artificial intelligence systems.
4. Types of Personal Information
Depending on Customer use, the Services may process:
- names and contact details
- legal practitioners' details
- client information contained in legal documents
- litigation materials
- financial or transactional information
- health or sensitive information included in case files
- system access logs and authentication records
The Customer is responsible for determining whether it is lawful to upload and process such information.
5. Data Location (Australian Data Sovereignty)
Where the hosted environment is used, Personal Information is stored and processed within Australia (Sydney region infrastructure).
Luris will not intentionally transfer Personal Information outside Australia unless:
- directed in writing by the Customer; or
- required by Australian law.
6. Security Measures
Luris will implement and maintain reasonable technical and organisational security measures, including:
- encryption of stored data (AES-256 or equivalent)
- encrypted transmission (TLS 1.2+)
- authenticated user access controls
- role-based permissions
- logical separation of each customer organisation's data
- database-level access restrictions preventing cross-organisation access
- audit logging of system access
- security patching and updates
Luris personnel access to Personal Information is limited to authorised staff who require access to provide support or maintain the Services.
7. Confidentiality
Luris will ensure that persons authorised to process Personal Information:
- are subject to confidentiality obligations
- access data only when necessary
- are trained in handling sensitive information
8. Sub-processors
Luris may use infrastructure and hosting providers to operate the Services. Luris will maintain a current list of sub-processors and provide it upon reasonable request.
Luris will:
- ensure sub-processors are bound by confidentiality and security obligations
- remain responsible for their acts and omissions relating to Personal Information
- use providers capable of meeting Australian security expectations
- notify the Customer (e.g., via email or website update) at least 30 days prior to engaging any new sub-processor
If the Customer reasonably objects to the new sub-processor on data protection grounds, the Customer may terminate the Agreement without penalty.
9. Assistance to the Customer
Taking into account the nature of processing, Luris will reasonably assist the Customer to:
- respond to access or correction requests
- investigate privacy complaints
- comply with Australian Privacy Principles
- respond to regulatory enquiries
10. Data Breach Notification
If Luris becomes aware of a Security Incident involving Personal Information, Luris will:
- notify the Customer without undue delay, and in any event within 48 hours of Luris confirming a Security Incident
- provide available details regarding the incident
- take reasonable steps to contain and remediate the incident
- cooperate with the Customer in meeting Notifiable Data Breach obligations
Luris will not notify affected individuals directly unless legally required or instructed by the Customer.
11. Access and Correction Requests
Where Luris receives a request from an individual regarding Personal Information processed on behalf of the Customer, Luris will:
- not respond directly except to acknowledge receipt
- promptly refer the request to the Customer
The Customer is responsible for handling such requests.
12. Data Retention and Deletion
Upon termination of the Agreement, or upon written request by the Customer, Luris will, within a reasonable period:
- delete Personal Information; or
- return it to the Customer (where technically practicable)
Upon written request following deletion, Luris will provide written certification to the Customer that the Personal Information has been securely destroyed.
Backup copies may remain for a limited period solely for disaster recovery and will remain protected under this DPA.
13. Audit Rights
Upon reasonable written notice, the Customer may request information demonstrating Luris' compliance with this DPA.
Luris may satisfy this obligation by:
- providing written security information
- responding to security questionnaires
- providing policy documentation
Direct audits may be refused where they would compromise other customers' confidentiality or system security.
14. Government and Sensitive Environments
The Services are capable of deployment in environments assessed under the Australian Government Information Security Registered Assessors Program (IRAP) at the PROTECTED level when implemented within approved infrastructure.
15. Liability
Each party remains liable for its own compliance with the Privacy Act 1988 (Cth). Nothing in this DPA expands Luris' liability beyond the limits set in the Agreement.
16. Term
This DPA remains in force for as long as Luris processes Personal Information on behalf of the Customer.
17. Governing Law
This DPA is governed by the laws of New South Wales, Australia.
18. Contact
Luris Pty Ltd
Address: [Insert address]
Email: [Insert privacy contact email]
All privacy and security enquiries should be directed in writing to the above contact.