Legal Documents

Data Processing Addendum
End User Microsoft Office JavaScript (Office.JS) API Library Terms and Conditions
Privacy Policy
Terms of Use
Website Terms and Conditions

Data Processing Addendum

This Data Processing Addendum (“DPA”) is effective as of 7 January 2026. Please contact us if you wish to access any previous versions of this DPA.

This DPA is supplementary to, and forms part of, the Main Agreement (as defined below). This DPA prevails to the extent of any inconsistency with the other terms of the Main Agreement.

However, this DPA does not apply if: (i) a signed Data Processing Agreement has been entered into between Sideline and the Customer; or (ii) no Personal Data (as defined below) is or will be processed in accordance with the Main Agreement; or (iii) the Main Agreement does not reference this DPA.

If this DPA does not meet your regulatory requirements, or you wish to enter into a signed Data Processing Agreement, please contact us.

1. Defined terms

In this DPA, terms used but not defined have the meaning given to them in the Main Agreement, and:

“Controller” means the Customer.

“Data Protection Laws” means any laws or regulations from time to time in force regulating the privacy or protection of personal data or personal information, which may include the European Union Regulation (EU) 2016/679 (“GDPR”), the Data Protection Act 2018 (UK), or the California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020 (“CPRA”).

“Personal Data” means personal data, personal information or the equivalent concept as defined in applicable Data Protection Laws, to the extent its processing in accordance with the Main Agreement: (i) is regulated under applicable Data Protection Laws; (ii) involves the Customer acting as the controller (as defined in the GDPR), the business (as defined in the CCPA and CPRA) or the equivalent role under applicable Data Protection Laws; and (iii) involves Sideline acting as the processor (as defined in the GDPR), the service provider (as defined in the CCPA and CPRA) or the equivalent role under applicable Data Protection Laws.

“Main Agreement” means the Terms of Use, SaaS Agreement or other contract between Sideline Technology Pty Ltd (Australian Business Number 21 662 534 527) and the relevant customer in relation to the use of the Sideline Outlook Add-in.

“Processor” means Sideline.

“Term” means the term of the Main Agreement.

2. Controller’s instructions

The Controller instructs the Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow the Processor to process Personal Data.

3. Processor obligations

The Processor will:

(a) only process Personal Data in accordance with this DPA and the Controller’s instructions (unless legally required to do otherwise);

(b) not sell, share, retain, disclose, combine or otherwise use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement;

(c) inform the Controller immediately if (in its opinion) any instructions infringe Data Protection Laws, or if it can no longer meet its obligations under Data Protection Laws;

(d) use the technical and organisational measures described in the Main Agreement when processing Personal Data to ensure a level of security appropriate to the risk involved;

(e) notify the Controller within the timeframe required under Data Protection Laws in the event that the security of any Personal Data is breached, and provide assistance to the Controller as required under Data Protection Laws in responding to it;

(f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations;

(g) without undue delay, provide the Controller with reasonable assistance with: (i) data protection impact assessments; (ii) responses to data subjects’ requests to exercise their rights under Data Protection Laws; and (iii) engagement with supervisory authorities, governmental agencies, courts and law enforcement;

(h) if requested, provide the Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA;

(i) allow for audits of the Processor’s compliance with obligations under Data Protection Laws and this DPA: (i) at the Controller’s reasonable request, provided that audits are limited to once a year and during standard business hours in Melbourne (Australia); or (ii) at any time following a breach of the security of any Personal Data; and

(j) return or stop processing Personal Data upon the Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.

4. Compliance with Data Protection Laws

The Parties must, and must ensure that their staff and subcontractors, comply with their applicable obligations under Data Protection Laws for the Term.

5. Sub-processors

(a) The Controller authorises the Processor to engage Microsoft Corporation (referred to in this section as the sub-processor) when processing Personal Data.

(b) The Processor will: (i) require its sub-processor to comply with equivalent terms as the Processor’s obligations in this DPA; (ii) ensure appropriate safeguards are in place before transferring Personal Data to its sub-processor; and (iii) be liable for any acts, errors or omissions of its sub-processor as if they were a party to this DPA.

(c) The Processor will not appoint any other sub-processor without the prior written consent of the Controller.

6. International transfers

The Processor will not transfer Personal Data outside the region in which that Personal Data is originally processed by the Processor, except as required by law.

7. Changes to these Terms

To the extent permitted by law, the Processor may change this DPA from time to time, by publishing an updated version of this DPA on its website. The Processor will provide the Controller with reasonable advance notice of any change to this DPA that, in the Processor’s reasonable determination, materially adversely affects the Controller’s rights or would cause it to breach its regulatory obligations. By continuing to use the Software after any revised DPA becomes effective, the Controller agrees to be bound by the new DPA.

8. General

(a) Headings used in this DPA are provided for convenience only and will not in any way affect the meaning or interpretation of this DPA.

(b) No one other than a party to this DPA has the right to enforce any of its terms.

(c) This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the Parties with respect to its subject matter. Neither Party has relied on any statement or representation of any person in entering into this DPA.

(d) Neither Party can assign this DPA to anyone else without the other Party's consent, except to any successor by way of a merger, acquisition, or change of control.

(e) If a Party fails to enforce a right under this DPA, that is not a waiver of that right at any time.

(f) This DPA is governed by the laws of England & Wales.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation and analyse site usage. View our Privacy Policy for more information.
PreferencesDenyAccept