Data Processing Addendum

Home
>
Data Processing Addendum

Between:
Xtreme Digital Pty Ltd (ABN 66 619 207 877)
Trading as Live Chat Agent and Call Eva
("Processor", "we", "us", "our")
and
The Client using the Live Chat Agent / Call Eva Services
("Controller", "Client", "you", "your")
Effective Date: 09/12/2025
Version: 1.0

1. Purpose and Scope

This Data Processing Addendum ("DPA") forms part of the Terms & Conditions, Services Agreement or other contract ("Agreement") between Xtreme Digital Pty Ltd and the Client. It governs the processing of Personal Information by the Processor on behalf of the Client through the Hybrid Chat AI, Voice AI, call-handling, and associated software platforms ("Services").

This DPA reflects the obligations under:

  • The Privacy Act 1988 (Cth)
  • The Australian Privacy Principles (APPs)
  • The Notifiable Data Breach Scheme
  • Any other applicable privacy or telecommunications laws

2. Definitions

For the purposes of this DPA:

"Personal Information" has the meaning given under the Privacy Act 1988 and includes any information relating to an identified or reasonably identifiable individual.

"Controller" refers to the Client, which determines the purpose and means of processing Personal Information.

"Processor" refers to Xtreme Digital Pty Ltd, which processes Personal Information on behalf of the Controller as part of delivering the Services.

"Processing" includes collecting, storing, recording, transmitting, retrieving, analysing, using, disclosing, or erasing Personal Information.

"Sub-Processor" means any third party engaged by the Processor to assist in delivering the Services.

"Services" means the Hybrid Chat AI, Voice AI, call recording, CRM/LMS integration, outbound campaigns, and all related features.

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Client acknowledges and agrees that it is solely responsible for:

  • Determining the lawful basis for collecting and processing Personal Information
  • Obtaining all necessary notices, consents and permissions from individuals
  • Ensuring callers are informed that calls may be recorded, monitored or processed by AI
  • Ensuring all data entered or submitted into the Services is lawful and authorised
  • Ensuring its own systems (CRM, LMS, email servers, API endpoints) are secure

3.2 Processor Responsibilities

The Processor agrees to:

  • Process Personal Information only in accordance with documented instructions from the Controller
  • Implement reasonable security safeguards to protect Personal Information
  • Ensure personnel handling Personal Information are bound by confidentiality obligations
  • Notify the Controller in the event of a data breach as required by law
  • Assist the Controller with privacy-related enquiries where legally required

4. Nature and Purpose of Processing

The Processor processes Personal Information solely for the purpose of providing the Services, which includes:

  • Lead capture and customer enquiry handling
  • Automated chat interactions and messaging
  • Voice AI call handling, routing, and recording
  • Transcription, intent detection, and call summarisation
  • Booking requests, service reminders and follow-up campaigns
  • CRM, LMS, and email integrations
  • API and webhook data transfers
  • Improving system performance and AI accuracy (see Section 6)

5. Categories of Data Subjects and Data Types

5.1 Data Subjects

Personal Information relates to:

  • End customers interacting with the Client’s website or Voice AI
  • Individuals participating in chats, calls or enquiries
  • Client staff or personnel (where relevant)

5.2 Data Types

This may include:

  • Names
  • Email addresses
  • Phone numbers
  • Enquiry details
  • Booking information
  • Call recordings and transcripts
  • Metadata such as IP address, session logs, timestamps, device information

6. AI, Machine Learning and LLM Training

The Client acknowledges and agrees that:

  1. Data submitted into the Services may be used to train or improve AI models, including large language models (LLMs).
  2. Training may involve chunking data into non-identifiable segments, anonymisation, or other methods.
  3. Once incorporated into a machine learning model, such data cannot be feasibly isolated or removed.
  4. AI-generated outputs may involve automated decision-making such as classification, routing or summarisation.
  5. The Client is responsible for auditing, verifying, and validating AI-generated outcomes within its business workflows.

The Processor does not sell training data or Personal Information.

7. Sub-Processors

The Controller authorises the Processor to use Sub-Processors necessary for delivering the Services, including but not limited to:

  • AI technology providers (OpenAI, Azure OpenAI, Google, Anthropic, ElevenLabs)
  • Cloud infrastructure providers (AWS, Cloudflare)
  • Offshore support and development teams (India, Philippines)
  • Telecommunication and call-routing partners
  • CRM and LMS integration tools

The Processor ensures that all Sub-Processors are subject to privacy and confidentiality obligations substantially equivalent to those in this DPA.

8. Cross-Border Data Transfers

Personal Information may be transferred to and processed in:

  • Australia
  • India
  • Philippines
  • United States
  • European Union
  • Other regions where Sub-Processors operate

The Processor takes reasonable steps to ensure overseas recipients apply privacy safeguards consistent with the Australian Privacy Principles.

9. Security Measures

The Processor will implement reasonable administrative, technical and physical measures to protect Personal Information, including:

  • Encryption at rest and in transit
  • Access controls and authentication
  • Secure data hosting
  • Logging and monitoring
  • Confidentiality agreements
  • Regular security review and updates

No data transmission system is 100% secure. The Controller is responsible for securing its own CRM, LMS, API keys, devices, and email environments.

10. Data Breaches

In accordance with the Notifiable Data Breach Scheme, the Processor will:

  1. Notify the Controller promptly upon becoming aware of a suspected or actual eligible data breach.
  2. Investigate and assess the breach.
  3. Take reasonable steps to mitigate harm.
  4. Provide required notifications to affected individuals and the OAIC, where legally required.

The Controller is responsible for breaches arising within their own systems.

11. Data Subject Rights

To the extent required by law, the Processor will assist the Controller in responding to requests relating to:

  • Access to Personal Information
  • Correction of inaccurate information
  • General privacy enquiries

Requests from individuals will be forwarded to the Controller unless otherwise required by law.

12. Retention and Deletion

The Processor will retain Personal Information only for as long as necessary to deliver the Services or comply with legal obligations.

Upon termination of the Agreement:

  • The Controller may request deletion or return of Personal Information, except for data already incorporated into AI training models, which cannot be removed.
  • Backup copies may continue to exist for a reasonable retention period.

13. Compliance and Audits

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA.

Direct audits must be mutually agreed upon and may be subject to fees.

14. Liability and Indemnity

The Controller indemnifies the Processor against any loss arising from:

  • The Controller’s failure to obtain necessary consents
  • Misuse of Personal Information by the Controller
  • Inaccurate or unlawful data submitted into the Services
  • Breaches occurring within the Controller’s CRM, LMS or systems

The Processor’s liability is limited in accordance with the underlying Agreement.

15. Term and Termination

This DPA remains in force for the duration of the Agreement between the Parties.

Termination of the Agreement automatically terminates this DPA.

Sections relating to confidentiality, data retention, security and liability survive termination.

16. Governing Law

This DPA is governed by the laws of New South Wales, Australia, and the Parties submit to the exclusive jurisdiction of its courts.

17. Contact Information

For questions regarding this DPA or data protection, contact:
Xtreme Digital Pty Ltd t/a Live Chat Agent & Call EVA
Email: support@livechatagent.com.au
Website: www.livechatagent.com.au