NEO GLOBAL PTY LTD
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the agreement between NEO Global Pty Ltd (“NEO”) and the counterparty identified in the Principal Agreement (“Counterparty”), being one of the following:
(a) Customer Master Services Agreement (“Customer MSA”);
(b) Channel Partner Agreement (“CPA”); or
(c) Marketplace Participation Agreement (“MPA”).
(the applicable agreement, the “Principal Agreement”)
This DPA sets out the terms under which Personal Data will be processed in connection with the Principal Agreement. The applicable Schedule to this DPA (determined by the Principal Agreement type) specifies the data processing details for that relationship.
1. Definitions
In this DPA, unless the context otherwise requires:
“Applicable Data Protection Law” means all laws and regulations relating to privacy and data protection applicable to the processing of Personal Data under the Principal Agreement, including (as applicable): the EU General Data Protection Regulation (EU 2016/679) (“GDPR”); the UK GDPR; the Australian Privacy Act 1988 (Cth); and any other relevant local laws in jurisdictions where Resources are employed or Services are provided.
“Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“Joint Controllers” means two or more Controllers that jointly determine the purposes and means of Processing.
“Marketplace Partner” means an independent third-party EOR or workforce service provider delivering Partner Services through the NEO Platform.
“Personal Data” means any information relating to an identified or identifiable natural person processed in connection with the Principal Agreement.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
“Platform Data” means Personal Data processed by NEO for the purpose of operating the Platform, including user credentials, usage logs, transaction records, and communication metadata.
“Processing” means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, and erasure.
“Processor” means an entity that Processes Personal Data on behalf of, and under the instructions of, a Controller.
“Resource” means any individual employed by a Marketplace Partner or Channel Partner EOR Entity to perform services for a Customer.
“Resource Data” means Personal Data relating to Resources, including identification data, employment records, payroll data, tax information, benefits data, and performance information.
“Standard Contractual Clauses (SCCs)” means the standard contractual clauses approved by the European Commission for international transfers of Personal Data, as applicable.
“Sub-processor” means any entity engaged by a Processor to Process Personal Data on behalf of a Controller.
2. NEO’s Role in the Data Processing Ecosystem
2.1 Platform Operator
NEO operates a marketplace platform that connects Customers with Marketplace Partners for workforce services. NEO is not the employer of any Resource and does not control the employment relationship.
2.2 NEO’s Processing Activities
NEO Processes Personal Data solely for the following purposes:
(a) Operating and maintaining the Platform;
(b) Facilitating payment orchestration between parties;
(c) Coordinating communications between Customers, Channel Partners, and Marketplace Partners;
(d) Providing account management and operational support;
(e) Complying with legal and regulatory obligations; and
(f) Performing analytics to improve Platform services (using aggregated or anonymised data where possible).
2.3 Data Controller Status
NEO acts as:
(a) An independent Controller for Platform Data (user accounts, usage logs, transaction records);
(b) A Processor or Joint Controller for Resource Data, as specified in the applicable Schedule; and
(c) A Processor for any Customer or Channel Partner data processed solely on their instructions.
3. Data Flows and Controller Relationships
3.1 Multi-Party Data Flows
The parties acknowledge that Personal Data flows through multiple entities in connection with the Services:
| Data Flow | Data Types | Controller(s) |
|---|---|---|
| Customer → NEO | Work Orders, Resource requirements, payment instructions | Customer (Controller); NEO (Processor) |
| NEO → Marketplace Partner | Resource onboarding data, employment terms, payment amounts | Customer (Controller); NEO (Processor); Partner (Processor/Controller) |
| Marketplace Partner → Resource | Employment contracts, payroll, statutory filings | Marketplace Partner (Controller) |
| Resource → NEO Platform | Platform credentials, document uploads, self-service data | NEO (Controller for Platform Data); Partner (Controller for Resource Data) |
3.2 Joint Controller Arrangements
Where NEO and another party act as Joint Controllers (as specified in the applicable Schedule), the parties agree that:
(a) Each party is responsible for compliance with Applicable Data Protection Law in respect of its own Processing activities;
(b) The party with the direct relationship with the Data Subject is responsible for providing privacy notices and responding to Data Subject requests, unless otherwise agreed;
(c) Each party shall implement appropriate technical and organisational measures for its own Processing; and
(d) The parties shall cooperate in good faith to address any data protection issues that arise.
3.3 Marketplace Partner Data Processing
NEO requires each Marketplace Partner to comply with data protection obligations under the Marketplace Participation Agreement and Standard EOR Terms, including:
(a) Compliance with Applicable Data Protection Law in Processing Resource Data;
(b) Implementation of appropriate security measures;
(c) Notification of Personal Data Breaches within 72 hours; and
(d) Cooperation with Data Subject requests.
NEO does not assume liability for the data protection practices of Marketplace Partners. Counterparty’s remedies for Marketplace Partner data protection failures are as set out in the Principal Agreement.
4. Processor Obligations
Where NEO acts as Processor on behalf of the Counterparty as Controller, NEO shall:
(a) Process Personal Data only on documented instructions from the Controller, unless required by law to Process otherwise (in which case NEO shall notify the Controller before Processing, unless prohibited by law);
(b) Ensure that persons authorised to Process Personal Data are subject to confidentiality obligations;
(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6;
(d) Assist the Controller in responding to Data Subject requests, as described in Section 7;
(e) Assist the Controller in ensuring compliance with its obligations under Applicable Data Protection Law, including in relation to security, breach notification, and data protection impact assessments;
(f) Notify the Controller of any Personal Data Breach in accordance with Section 8;
(g) At the Controller’s choice, delete or return all Personal Data after the end of Processing, unless retention is required by Applicable Law; and
(h) Make available information necessary to demonstrate compliance with this DPA and allow for audits in accordance with Section 9.
5. Sub-processors
5.1 Authorisation
The Controller provides general authorisation for NEO to engage Sub-processors to Process Personal Data, subject to the requirements of this Section 5.
5.2 Current Sub-processors
NEO’s current Sub-processors are listed in Annex 2. NEO shall maintain an up-to-date list of Sub-processors and make it available to the Controller upon request.
5.3 New Sub-processors
NEO shall notify the Controller of any intended changes to Sub-processors at least 14 days before engaging a new Sub-processor. The Controller may object to the new Sub-processor on reasonable data protection grounds within that period. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Services without penalty.
5.4 Sub-processor Obligations
NEO shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA. NEO remains liable to the Controller for the performance of its Sub-processors.
6. Security Measures
6.1 Technical and Organisational Measures
NEO shall implement and maintain appropriate technical and organisational measures to protect Personal Data, including:
(a) Encryption of Personal Data in transit and at rest;
(b) Access controls and authentication mechanisms;
(c) Regular security assessments and penetration testing;
(d) Incident detection and response procedures;
(e) Business continuity and disaster recovery measures;
(f) Employee training on data protection and security; and
(g) Physical security controls for data processing facilities.
6.2 Security Standards
NEO shall maintain security measures consistent with industry standards for platforms processing similar categories of Personal Data. NEO’s current security measures are described in Annex 3.
7. Data Subject Rights
7.1 Assistance with Requests
NEO shall, taking into account the nature of the Processing, assist the Controller in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
7.2 Notification
If NEO receives a request from a Data Subject directly, NEO shall promptly notify the Controller (unless prohibited by law) and shall not respond to the request except on the Controller’s documented instructions, unless required by law.
7.3 Marketplace Partner Requests
Where a Data Subject request relates to Resource Data held by a Marketplace Partner, NEO shall use reasonable efforts to facilitate the request through the Marketplace Partner, but NEO does not guarantee the Marketplace Partner’s response.
8. Personal Data Breach Notification
8.1 Notification to Controller
NEO shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller.
8.2 Breach Information
The notification shall include, to the extent known:
(a) A description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records affected;
(b) The name and contact details of NEO’s data protection contact;
(c) A description of the likely consequences of the breach; and
(d) A description of measures taken or proposed to address the breach and mitigate its effects.
8.3 Cooperation
NEO shall cooperate with the Controller in investigating and remediating any Personal Data Breach and in meeting the Controller’s own notification obligations under Applicable Data Protection Law.
8.4 Marketplace Partner Breaches
If NEO becomes aware of a Personal Data Breach by a Marketplace Partner, NEO shall promptly notify the affected Controller and use reasonable efforts to ensure the Marketplace Partner complies with its breach notification obligations under the Standard EOR Terms.
9. Audit Rights
9.1 Audit Right
The Controller may audit NEO’s compliance with this DPA, subject to the following conditions:
(a) No more than one audit per 12-month period, unless a Personal Data Breach has occurred or a Supervisory Authority requires an audit;
(b) At least 30 days’ prior written notice;
(c) During normal business hours;
(d) In a manner that minimises disruption to NEO’s operations; and
(e) At the Controller’s expense, unless the audit reveals a material breach by NEO.
9.2 Third-Party Audits and Certifications
NEO may satisfy the audit requirement by providing the Controller with:
(a) A summary of the results of a third-party audit or certification (such as SOC 2 or ISO 27001); or
(b) Responses to a reasonable security questionnaire.
9.3 Confidentiality
Any information obtained through an audit is Confidential Information of NEO and subject to the confidentiality provisions of the Principal Agreement.
10. International Data Transfers
10.1 Transfer Restrictions
NEO shall not transfer Personal Data to a country outside the country of origin (or outside the EU/EEA, for EU Personal Data) unless:
(a) The transfer is to a country with an adequacy decision under Applicable Data Protection Law;
(b) Appropriate safeguards are in place, such as Standard Contractual Clauses or Binding Corporate Rules; or
(c) The transfer is otherwise permitted under Applicable Data Protection Law.
10.2 Standard Contractual Clauses
Where required for transfers of Personal Data from the EU/EEA or UK, the parties agree that the applicable Standard Contractual Clauses are incorporated by reference:
(a) For EU transfers: the SCCs approved by European Commission Decision 2021/914;
(b) For UK transfers: the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
The details required by the SCCs are set out in Annex 4.
10.3 Transfer Impact Assessments
Where required by Applicable Data Protection Law, NEO shall cooperate with the Controller in conducting transfer impact assessments and implementing supplementary measures.
11. Liability
11.1 Liability Cap
Each party’s liability under this DPA is subject to the limitations and exclusions set forth in the Principal Agreement, except that liability for Personal Data Breaches caused by a party’s gross negligence or wilful misconduct is not subject to limitation.
11.2 Indemnification
Each party shall indemnify the other for losses arising from the indemnifying party’s breach of this DPA or Applicable Data Protection Law, subject to the indemnification procedures and limitations in the Principal Agreement.
11.3 Marketplace Partner Liability
NEO is not liable for the data protection practices of Marketplace Partners. Counterparty’s remedies for Marketplace Partner data protection failures are limited to the claims facilitation process and direct enforcement rights set out in the Principal Agreement and Standard EOR Terms.
12. Term and Termination
12.1 Term
This DPA shall remain in force for as long as NEO Processes Personal Data on behalf of the Counterparty under the Principal Agreement.
12.2 Effect of Termination
Upon termination of the Principal Agreement, NEO shall, at the Controller’s choice:
(a) Return all Personal Data to the Controller in a commonly used format; or
(b) Delete all Personal Data and certify such deletion in writing.
NEO may retain Personal Data to the extent required by Applicable Law, subject to continued compliance with this DPA.
13. General Provisions
13.1 Governing Law
This DPA is governed by the laws specified in the Principal Agreement. For matters relating to EU/EEA Personal Data, the GDPR shall apply regardless of the governing law of the Principal Agreement.
13.2 Conflict
In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
13.3 Amendments
NEO may update this DPA to reflect changes in Applicable Data Protection Law or NEO’s Processing activities, provided that such updates do not materially reduce the protections afforded to Personal Data. NEO shall notify the Counterparty of material updates.
Schedule A: Channel Partner Agreement Data Processing Details
This Schedule applies where the Principal Agreement is a Channel Partner Agreement.
1. Parties and Roles
| Party | Role(s) |
|---|---|
| Channel Partner | Joint Controller with NEO (for EOR Services Resource Data); Controller (for End Client data) |
| NEO | Joint Controller with Channel Partner (for EOR Services); Processor (for Payroll Services); Controller (for Platform Data) |
| Marketplace Partner | Controller (for employment and payroll Processing in EOR Services) |
2. Joint Controller Arrangements (EOR Services)
For EOR Services, NEO and Channel Partner act as Joint Controllers with the following responsibilities:
| NEO Responsibilities | Channel Partner Responsibilities |
|---|---|
| Platform security and access controls | Privacy notices to End Clients and Resources |
| Sub-processor management | Obtaining consents where required |
| International transfer safeguards (Platform) | Responding to Data Subject requests (first point of contact) |
| Breach notification to Channel Partner | Breach notification to authorities and Data Subjects |
3. Processor Role (Payroll Services)
For Payroll Services where Channel Partner remains the employer, NEO acts as Processor and Channel Partner acts as Controller. The processing is limited to payroll calculations, report generation, and related administrative functions as instructed by Channel Partner.
4. Self-Service EOR
NEO disclaims all Controller obligations for employment-related Processing under the Self-Service EOR model. Channel Partner shall not represent to any Data Subject or supervisory authority that NEO is a Controller for such Processing.
Annex 1: NEO Contact Details
| Contact | Details |
|---|---|
| Data Protection Contact | privacy@neohr.io |
| Address | 39 Martin Place, Sydney NSW 2000, Australia |
| Breach Notifications | security@neohr.io |
Annex 2: Approved Sub-processors
(to be provided on request)
- Cloud infrastructure providers
- Payment processing providers
- Customer support tools
- Analytics providers (where Personal Data is processed)
Annex 3: Security Measures
(to be provided on request)
- Encryption standards (in transit and at rest)
- Access control mechanisms
- Incident response procedures
- Business continuity measures
- Certifications held (SOC 2, ISO 27001, etc.)
Annex 4: Standard Contractual Clauses Details
(to be provided on request)
- Module(s) applicable (Controller-to-Controller, Controller-to-Processor, etc.)
- Optional clauses selected
- Annexes to the SCCs (categories of data, technical measures, etc.)
- UK Addendum details (where applicable)