Plain-language version for GDPR-aligned data processing. This Addendum forms part of the QuarryLink SaaS Subscription Agreement between the Customer and QuarryLink.
1. Introduction
This Data Processing Addendum ("DPA") sets out how Socoro Pty Ltd ACN 612 824 905 trading as QuarryLink ("QuarryLink", "we", "us") handles Personal Data that is subject to:
- the EU General Data Protection Regulation (GDPR);
- the UK GDPR;
- any equivalent European data-protection laws.
This DPA forms part of, and is incorporated into, the QuarryLink SaaS Subscription Agreement ("Agreement") between QuarryLink and the Customer ("Controller", "you", "your").
If there is a conflict between this DPA and the Agreement, the DPA prevails to the extent required to comply with GDPR.
2. Roles of the parties
2.1 Customer as controller
The Customer acts as the Data Controller. The Controller determines what Personal Data is submitted to the Platform and how it is used.
2.2 QuarryLink as processor
QuarryLink acts as the Data Processor, processing Personal Data only:
- on documented instructions from the Customer;
- as required to operate the Platform and provide Support Services;
- as required by applicable law.
QuarryLink does not determine the purpose of personal data processing.
3. Types of Personal Data processed
QuarryLink processes the following categories of Personal Data on behalf of the Customer:
- names, job titles and contact information;
- driver names and licence details (where provided);
- vehicle identifiers (e.g. registration numbers);
- weighbridge and dispatch-related identifiers;
- user login information;
- audit logs;
- operational history related to quarry, fleet and logistics workflows.
QuarryLink does not require or process sensitive personal data (special categories under GDPR).
Customer must not upload such data to the Platform.
4. Nature and purpose of processing
QuarryLink processes Personal Data only for:
- providing access to and operation of the QuarryLink Platform;
- authentication and account management;
- dispatch, logistics and weighbridge workflows;
- customer support and technical assistance;
- API integrations authorised by the Customer;
- analytics, diagnostics and platform improvement (using de-identified or aggregated data);
- security, fraud detection and incident prevention;
- legal compliance.
5. Sub-processors
QuarryLink may use carefully selected sub-processors to provide hosting, infrastructure, analytics or support functionality.
5.1 Requirements for sub-processors
All sub-processors must:
- operate under written data-processing agreements;
- implement appropriate technical and organisational security measures;
- only process Personal Data to deliver the services required.
5.2 Approved sub-processors
A list of sub-processors (e.g. hosting, support tools) is available upon request or published on our website.
5.3 Objection rights
The Customer may reasonably object to a new sub-processor on privacy or security grounds. If so, QuarryLink will work with the Customer in good faith to find a resolution.
6. International transfers
6.1 Data location
All User Data is hosted in Australia unless otherwise agreed in writing.
6.2 Transfers outside the EU/UK
Where Personal Data is transferred outside the EU/UK, QuarryLink will ensure:
- compliance with Chapter V of the GDPR;
- appropriate safeguards are applied (e.g. Standard Contractual Clauses (SCCs));
- the level of protection is essentially equivalent to GDPR requirements.
6.3 EU Standard Contractual Clauses (SCCs)
Where required, the EU SCCs are incorporated into this DPA by reference and apply to Customer Personal Data transferred outside the EEA or UK.
7. Security measures
QuarryLink maintains industry-standard security measures, including:
- encryption in transit (TLS) and at rest;
- secure Australian hosting environments;
- access controls and role-based permissions;
- audit logging;
- MFA capability;
- intrusion detection and monitoring;
- data backups and disaster recovery;
- secure software development practices;
- regular vulnerability scanning and patching.
Details are outlined in the QuarryLink Security Overview.
8. Breach notification
If QuarryLink becomes aware of a Personal Data Breach, we will:
- notify the Customer without undue delay (typically within 72 hours);
- provide details about: nature of the breach, categories and volume of data affected, likely consequences, and remedial actions taken or proposed;
- cooperate with Customer investigations and regulatory obligations.
The Customer is responsible for notifying supervisory authorities or affected individuals unless otherwise agreed.
9. Data subject rights
Where a Data Subject exercises rights under GDPR (e.g. access, deletion, correction, objection), QuarryLink will:
- assist the Customer as required;
- provide tools or information needed to fulfil the request;
- process only on documented instructions.
QuarryLink does not respond directly to Data Subjects unless instructed by the Customer or required by law.
10. Data retention, return and deletion
Upon termination or expiry of the Agreement:
- QuarryLink will retain archived User Data for the period set out in the Agreement;
- upon Customer request, QuarryLink will export User Data in a standard industry format;
- after retention periods expire, Personal Data will be securely deleted or anonymised.
Additional extraction or migration services may be available as professional services.
11. Customer responsibilities
The Customer is responsible for:
- determining the lawful basis for processing;
- ensuring Personal Data submitted to the Platform complies with GDPR;
- obtaining appropriate consent (if applicable);
- ensuring accuracy and lawfulness of Personal Data;
- configuring user access permissions appropriately;
- not uploading special categories of data.
12. Confidentiality
QuarryLink ensures all personnel authorised to process Personal Data:
- are bound by confidentiality obligations;
- receive security and privacy training;
- access data only as required for their role.
13. Audits
Upon reasonable notice, QuarryLink will:
- provide documentation required to demonstrate compliance;
- discuss security controls with the Customer or auditors;
- cooperate with assessments required under GDPR.
Formal onsite audits by the Customer may require separate agreement and additional cost.
14. Term, termination and survival
This DPA:
- remains in effect for as long as QuarryLink processes Personal Data on behalf of the Customer;
- terminates automatically with the Agreement;
- continues to apply to data retained during the retention period.
Certain obligations (e.g. confidentiality, security, deletion) survive termination.
15. Governing law
For EU Data Subjects, this DPA is governed by EU/EEA law as required by the GDPR SCCs.
For all other matters, this DPA is subject to the governing law of the underlying Agreement: New South Wales, Australia.
16. Contact information
For privacy and data protection enquiries:
privacy@quarrylink.com.au
Socoro Pty Ltd ACN 612 824 905 trading as QuarryLink
Suite 1102, 132 Arthur Street, North Sydney NSW 2060, Australia