Data Processing Addendum (DPA)
Typed By Hand (TBH) Data Processing Addendum (DPA)
Last Updated: 2nd April, 2026
This Data Processing Addendum (“DPA”) is entered into between Typed By Hand (TBH) (“Processor”) and the User (defined as an "Educational Agency," "Corporation," or "Individual") and is incorporated by reference into the Main Agreement. This DPA ensures global compliance with Australian Privacy Laws and US State requirements, including New York, Illinois, and California.
1. DEFINITIONS:
• "Personal Information" means any information relating to an identified or identifiable individual, including Student Data (as defined by FERPA and NYS Ed Law 2-d) and Professional/Corporate User Data (as defined by the Australian Privacy Act 1988).
• "Controller" means the entity or individual that determines the purpose of processing. In this DPA, the Controller is the User.
• "Sub-processor" means any third party (e.g., cloud providers or development partners) engaged by TBH to process Personal Information.
• "Breach" means any unauthorised access, acquisition, or disclosure of data as defined by the NY SHIELD Act and the Australian Notifiable Data Breaches (NDB) scheme.
2. SCOPE AND ROLE
• Roles: TBH acts as the Processor for the User. The User remains the Controller of their data.
• Purpose: Data is processed solely for the "Authentically Human" verification service and associated account management.
• AI Integrity: TBH warrants that it shall not use Personal Information or writing samples for any commercial purpose, targeted advertising, or to train global AI models/LLMs.
• Jurisdiction: This DPA covers all processing globally, specifically satisfying Australian Privacy Principles (APPs) and the requirements of NYS Education Law § 2-d.
3. DATA SECURITY
• Security Frameworks: TBH maintains a comprehensive cybersecurity programme aligned with NIST CSF 2.0 (US requirement) and the ASD Essential Eight (Australian requirement) at a Maturity Level 2 baseline.
• Encryption: All data is encrypted using AES-256 at rest and TLS 1.2+ in transit.
• Breach Notification: TBH shall notify the User within 48 hours of confirming an "Eligible Data Breach" or "Unauthorised Release". This satisfies the NY SHIELD Act and the Australian Privacy Act notification windows.
4. SUB-PROCESSORS
• Authorised Entities: The User provides general authorisation for TBH to engage:
• Infrastructure: Google Cloud Platform (GCP) / AWS (US-based regions).
• Engineering: Wyvern Innovations (Philippines).
• Control Standards: TBH maintains a legally binding agreement with Wyvern Innovations. All offshore access to production environments is via Zero Trust Network Access (ZTNA) and Multi-Factor Authentication (MFA). No Personal Information is stored locally in the Philippines.
5. DATA SUBJECT RIGHTS
• Access & Erasure: TBH provides tools for all Users to access, correct, or request the deletion of their Personal Information, complying with APP 12/13 and California’s CCPA/CPRA.
• Automated Decision-Making: In compliance with the Australian 2026 Transparency Reforms, TBH provides clear disclosure on how the "Authentically Human" AI logic functions.
• Retention: Data is retained only as long as necessary. Personal/Corporate Users can trigger account deletion at any time; Educational Data is purged within 30 days of contract termination.
6. LEGAL SPECIFICS (US & AUSTRALIA)
• NY Education Law § 2-d: TBH acts as a "Third-Party Contractor." This DPA, alongside the Supplemental Information exhibit, satisfies all NY security standards.
• Australian Privacy Act: TBH warrants that any cross-border transfer of data (e.g., to US cloud servers) is protected under APP 8 standards.
• Corporate Usage: Where a corporation is the User, TBH acknowledges its obligations to protect "Personal Information" under the Privacy Act 1988 (Cth) and relevant state-based privacy legislation.