[LEGAL REVIEW REQUIRED] The text below is a conservative draft authored to spec §15. Specific clauses are flagged with [LEGAL REVIEW REQUIRED] in-line. Final wording must be reviewed and signed off by your legal counsel before this banner is removed (set LEGAL_DOCS_REVIEWED=true).

Neomeric Pty Ltd · NeoMind

Data Processing Addendum

Last updated:

Where you process personal information about your end users (e.g. the customers chatting with your Simon agent) through NeoMind, Neomeric Pty Ltd acts as a processor on your behalf. This Addendum (the “DPA”) governs that processing.

A signable PDF of the DPA is available for download: dpa-template.pdf. [LEGAL REVIEW REQUIRED] the PDF currently published is a placeholder; final wording must be drafted by counsel against this summary.

1. Subject-matter and duration

Neomeric processes Customer Personal Information for the duration of your NeoMind subscription, solely to provide the Service in accordance with the Terms of Service and your documented instructions.

2. Nature and purpose of processing

Processing comprises hosting, indexing for retrieval, generation of agent responses grounded in your Customer Data, transmission of those responses to your end users, and operational telemetry.

3. Categories of data subjects

Your end users (typically your customers), your authorised users of the NeoMind dashboard, and any individuals identifiable in Customer Data you upload.

4. Categories of personal information

  • Identification data (name, email, organisation);
  • Communication content (chat messages, voice transcripts and recordings where applicable);
  • Technical metadata (IP address, browser, device identifiers);
  • Any other personal information you submit as Customer Data, the scope of which is determined by you.

5. Sub-processors

Our current sub-processors are listed in the Privacy Policy. We will give you at least fourteen (14) days’ notice of any addition or replacement of a sub-processor; you may object on reasonable grounds (in which case we will work in good faith to resolve the objection or, failing that, allow you to terminate the affected Service for convenience).

6. Security measures

We implement technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, network segmentation, vulnerability management, and incident response. [LEGAL REVIEW REQUIRED] attach the detailed security schedule (Annex II equivalent) once finalised; SOC 2 / ISO 27001 references should match your actual certification state.

7. International transfers

Customer Data is stored in Australia by default. Where data is transferred internationally (for example to a sub-processor), appropriate safeguards under the Australian Privacy Principles apply.

8. Assistance with data-subject requests

We will provide reasonable assistance, taking into account the nature of the processing and the information available to us, to help you respond to access, correction, deletion, or portability requests from your end users.

9. Personal-data breach notification

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Data, with sufficient information to enable you to meet your own notification obligations. [LEGAL REVIEW REQUIRED] define the notification SLA precisely (e.g. “within 72 hours”) and align with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

10. Return or deletion of data

On termination of the Service, we will, at your election, return or delete Customer Data, subject to the retention provisions of the Privacy Policy.

11. Audits

On reasonable notice and not more than once in any twelve-month period (other than following a personal-data breach), you may request a summary of our most recent independent audit report. On-site audits may be requested for enterprise customers under terms to be agreed in good faith.