This Data Processing Addendum with its appendices (together, this “Addendum”) is incorporated into the Master Services Agreement (or other mutually executed written agreement) between the entity identified as the customer (“Customer”) and Leonardo Interactive Pty Ltd T/A Leonardo.Ai (ACN 662 209 485) (“Leonardo”) governing Customer’s access to and use of the Services (the “Agreement”).
In the course of providing the Services to Customer pursuant to the Agreement, Leonardo may process Customer Personal Data (as defined below) on behalf of Customer. This Addendum reflects the parties’ agreement with respect to the Processing of Customer Personal Data that is subject to Applicable Privacy Laws (as defined below). This Addendum applies where and to the extent that Leonardo is acting as a Processor or Service Provider (as applicable) of Customer Personal Data on behalf of Customer under the Agreement.
In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict.
1. Definitions and Interpretation
In this Addendum, the following terms shall have the following meanings:
(a) “Applicable Privacy Laws” means all worldwide data protection and privacy laws and regulations applicable to the Processing of Customer Personal Data in question including, where applicable: (i) European Privacy Laws; (ii) the Australian Privacy Act 1988 (Cth); and (iii) the California Consumer Privacy Act of 2018 and its regulations (the “CCPA”) and any other similar United States law governing the processing of Customer Personal Data (collectively, “U.S. State Privacy Laws”), in each case as amended, superseded or replaced from time to time.
(b) “Data Subject” means an identified or identifiable individual whose Personal Data is processed.
(c) “European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (the “Swiss DPA”); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded or replaced from time to time.
(d) “Personal Data” means any information relating to an identified or identifiable individual or any other information defined as ‘personal data’ or ‘personal information’ under Applicable Privacy Laws.
(e) “Security Incident” means a breach of Leonardo’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
(f) “Restricted Transfer” means (i) where the GDPR applies, a transfer of Customer Personal Data from the European Economic Area (the “EEA”) to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Customer Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK GDPR; and (iii) where the Swiss DPA applies, a transfer of Customer Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
(g) “SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
(h) “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.
(i) The terms “Controller”, “Processor”, “Data Subject” and “processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and “process”, “processes” and “processed” shall be interpreted accordingly) and the terms “Business” and “Service Provider” have the meanings given to them in the CCPA.
(j) Any capitalized terms used but not defined in this Addendum shall have the meanings given to them under the Agreement.
2. Processing of Personal Data
2.1 Relationship of the parties: Customer is a Controller or Business (as applicable) of the Personal Data described in Annex 1.B (the “Customer Personal Data”) and Leonardo shall process the Customer Personal Data solely as a Processor or Service Provider (as applicable) on behalf of Customer. Leonardo and Customer shall each comply with their respective obligations under Applicable Privacy Laws and further guidance from data protection authorities with respect to such processing. Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this Addendum shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.
2.2 Purpose limitation: Leonardo shall only process the Customer Personal Data as necessary to perform its obligations under the Agreement, including this Addendum, and strictly in accordance with the documented instructions of Customer as set out in the Agreement and this Addendum (the “Permitted Purpose”). Leonardo shall not retain, use, disclose or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose (including for its own commercial purpose), except where otherwise required by any law applicable to Leonardo. Leonardo shall immediately inform Customer if it becomes aware that Customer’s processing instructions infringe Applicable Privacy Laws but without obligation to actively monitor Customer’s compliance with Applicable Privacy Laws. The parties acknowledge that Customer’s transfer of Customer Personal Data to Leonardo is not a “sale” of Personal Data within the meaning of U.S. State Privacy Laws and Leonardo provides no monetary or other valuable consideration to Customer in exchange for the Customer Personal Data.
2.3 International transfers: To the extent that Leonardo transfers Customer Personal Data to a country other than the country in which the Customer Personal Data was first collected, it shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws.
2.4 Standard contractual clauses: To the extent that the transfer of Customer Personal Data from Customer to Leonardo involves a Restricted Transfer, the SCCs shall be incorporated by reference and form an integral part of this Addendum with Customer as “data exporter” and Leonardo as “data importer”. For the purposes of the SCCs: (i) the module two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted in their entirety; (ii) in Clause 9, Option 2 shall apply; (iii) in Clause 11, the optional language shall be deleted; (iv) in Clause 17, Option 1 shall apply and the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) the Annexes of the SCCs shall be populated with the information set out in the Annexes to this Addendum; and (vii) if and to the extent the SCCs conflict with any provision of the Agreement (including this Addendum), the SCCs shall prevail to the extent of such conflict.
UK transfers: In relation to Customer Personal Data that is protected by the UK GDPR, the SCCs as incorporated under Section 2.4 shall apply with the following modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this Addendum; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
Swiss transfers: In relation to Customer Personal Data that is protected by the Swiss DPA, the SCCs as incorporated under Section 2.4 shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”; (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; and (iv) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
2.5 Confidentiality of processing: Leonardo shall ensure that any person that it authorises to process the Customer Personal Data (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). Leonardo shall ensure that all Authorised Persons process the Customer Personal Data only as necessary for the Permitted Purpose.
2.6 Security: Leonardo shall implement appropriate technical and organizational measures to protect the Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Customer Personal Data as described in Annex 2 (“Technical and Organizational Measures”). Customer acknowledges that Leonardo may update or modify the Technical and Organizational Measures from time to time, provided that such updates and modifications do not result in a degradation to the overall level of security.
2.7 Subprocessing: Customer authorizes Leonardo to engage third party Processors (“Subprocessor(s)”) to process the Customer Personal Data for the Permitted Purpose provided that Leonardo:
- enters into a written agreement with each Subprocessor containing substantially the same standard of protection of Customer Personal Data provided under this Addendum, to the extent applicable to the nature of the Service provided by such Subprocessor, and
- remains liable for any breach of this Addendum caused by the acts or omissions of its Subprocessors.
Leonardo will maintain an up-to-date list of Subprocessors as described in Annex 3. Leonardo shall update the list of Subprocessors at least fourteen (14) days prior to the addition of any new and replacement Subprocessors, in order to allow Customer to raise any reasonable objections on grounds of data protection, related to the protection of Customer Personal Data. Customer shall notify Leonardo, at [email protected], describing its objection within fourteen (14) days of notification. If Leonardo, in its sole discretion, is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement Subprocessor, then Customer may terminate the applicable Order Form effective upon the date Leonardo begins use of such new or replacement Subprocessor.
2.8 Cooperation and Data Subjects’ rights: Leonardo shall provide all reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with Leonardo’s processing of the Customer Personal Data, unless prohibited by Applicable Privacy Laws. In the event that any such request, correspondence, enquiry or complaint is made directly to Leonardo, Leonardo shall promptly inform Customer providing full details of the same.
2.9 Data Protection Impact Assessment: Leonardo shall provide Customer with all such reasonable and timely assistance as Customer may require in order to comply with its obligation under Applicable Privacy Laws to conduct data protection impact assessments and, if necessary, to consult with its relevant data protection authority.
2.10 Security Incident: Upon becoming aware of a Security Incident, Leonardo shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may reasonably require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Privacy Laws. Leonardo shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident insofar as it affects the Customer Personal Data and keep Customer informed of all material developments in connection with the Security Incident. Customer will not communicate or publish any notice or admission of liability concerning any Security Incident which directly or indirectly identifies Leonardo (including in any legal proceeding or in any notification to regulatory authorities or affected Data Subjects) without Leonardo’s prior approval, unless Customer is compelled to do so under applicable law. In any event, Customer shall provide Leonardo with reasonable prior written notice of any such communication or publication.
2.11 Deletion or return of Customer Personal Data: Upon termination or expiry of the Agreement, Leonardo shall (at Customer’s election) destroy all Customer Personal Data (including all copies of the Customer Personal Data) in its possession or control. This requirement shall not apply to the extent that Leonardo is required by any law to retain some or all of the Customer Personal Data, in which event Leonardo shall isolate and protect the Customer Personal Data from any further processing except to the extent required by such law until deletion is possible.
2.12 Audit: Upon request, Leonardo shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement. Leonardo shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year. Customer agrees that Customer shall exercise its rights under Clause 8.9 of the SCCs by instructing Leonardo to comply with the audit measures described in this Section 2.12.
Annex 1.A. LIST OF PARTIES
Data exporter(s):
Name: As provided in the Agreement
Address: As provided in the Agreement
Contact person’s name, position and contact details: As provided in the Agreement
Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer and utilizes the data importer’s Services on Leonardo.Ai to create visual content.
Role (controller/processor): Controller
Data importer(s):
Name: Leonardo.Ai
Address: Suite 1007 120 High St, North Sydney NSW 2060, Australia
Contact person’s name, position and contact details: Chris Gillis, Director & COO, [email protected]
Representative contact details: (EEA) European Data Protection Office (EDPO), Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland; (UK) European Data Protection Office UK (EDPO UK), 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.
Activities relevant to the data transferred under these Clauses: The data importer operates an online content creation platform used to create visual content.
Role (controller/processor): Processor
Annex 1.B. DESCRIPTION OF TRANSFER
Categories of data subjects:
- Users of the Service pursuant to the Agreement between Leonardo and Customer.
- Third party individuals whose information is included in Content in the Service.
Categories of personal data: The categories of personal data are determined and controlled by Customer in its sole discretion and may include:
- Access credentials of Authorized Users;
- Contact details of Authorized Users (e.g. name, email address, phone number); and
- any other personal data that Customer or Authorized Users include in Content in the Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards:
Any sensitive data included by Customer in the Service, the extent of which is determined and controlled by Customer in its sole discretion. See Annex 2 for applied restrictions and safeguards.
Frequency of the transfer: Continuous
Nature of the processing: Leonardo will Process Customer Personal Data in the course of providing the Services pursuant to the terms of the Agreement.
Purpose(s) of the data transfer and further processing: Provision of the Service pursuant to the Agreement.
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data will be retained until termination or expiry of the Agreement, in accordance with Section 2.11 of this Addendum.
Annex 1.C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of the EEA Member State in which Customer is established or, if Customer is not established in the EEA, the EEA Member State in which Customer’s representative is established or in which Customer is predominantly located.
ANNEX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
This describes the minimum security standards that Leonardo applies to Personal Data received under the Services under the Agreement.
Measures of pseudonymization and encryption of personal data
Leonardo encrypts Personal Data transmitted between customers and the Leonardo application over public networks using TLS 1.2 or higher. Customer Personal Data stored on Leonardo’s servers is encrypted at rest using AES 256 or stronger.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Leonardo has personnel responsible for oversight of security and privacy. It has an appointed Chief Technology Officer and Head of Engineering who are responsible for the security and privacy across the platform.
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
In order to support availability of the service, Leonardo utilizes Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24×7 application support rosters.
Leonardo maintains backups of the data stores, including Customer Personal Data, that support the core functionalities of the Leonardo application. Backups are stored in a location geographically-separated from the primary data storage location.
Leonardo maintains a security incident response capability that includes a documented Incident Response Plan for security incidents involving Data. This defines how Leonardo contains, responds to, assesses and communicates incidents, as well as the roles and responsibilities of Leonardo personnel and a requirement for post-incident reviews.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Leonardo engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Leonardo also employs a third-party application vulnerability scanning service.
Measures for user identification and authorization
Where a Customer’s account contains a password for authentication, the password is salted and hashed using an industry-standard password hashing function. Leonardo supports social login through OAuth 2.0 + OpenID Connect.
Measures for the protection of data during transmission
As per item 1, Leonardo encrypts Data transmitted over public networks between customers and the Leonardo application using TLS 1.2 or higher.
Measures for the protection of data during storage
As per item 1, Customer Personal Data stored on Leonardo’s servers is encrypted using AES 256 or stronger.
Measures for ensuring physical security of locations at which personal data are processed
The service is hosted and Data is stored within data centres provided by Amazon Web Services (AWS). As such, Leonardo relies on the physical, environmental and infrastructure controls of AWS.
Measures for ensuring events logging
Leonardo maintains application and infrastructure security audit logs. Audit logs are analyzed to detect anomalous activity.
Measures for ensuring system configuration, including default configuration
Leonardo applies security patches to its servers in accordance with its Vulnerability Management Policy.
Measures for internal IT and IT security governance and management
Leonardo staff access to Customer Personal Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Personal Data to be able to discharge their responsibilities effectively. Remote network access to Leonardo systems requires encrypted communication via secured protocols and use of multi-factor authentication. Leonardo has established and will maintain procedures for password management for its personnel, designed to ensure accounts are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
- cryptographically protecting passwords when stored in computer systems or in transit over the network;
- education on good password practices.
Staff access to production infrastructure requires multi-factor authentication (MFA).
Leonardo staff are subject to confidentiality obligations. Leonardo requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter.
Measures for certification/assurance of processes and products
Leonardo will maintain a SOC2 certification, undergoing periodic external surveillance and recertification audits to ensure that our processes and practices meet the requirements of this standard.
Measures for ensuring data minimization
Leonardo minimizes the Data it requires from Customers to only what is necessary to provide the service requested.
Measures for ensuring data quality
Leonardo ensures the quality of its data through verification of the email addresses used to sign up to the platform. Leonardo also allows users to update the information in their accounts themselves or via requests to the Customer Support Team.
Measures for ensuring limited data retention
Leonardo maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Leonardo and the purposes of collection.
Measures for allowing data portability and ensuring erasure
Leonardo has an automated process for deleting Customer Personal Data on request within 30 days and enables the download of Customer Personal Data if requested.
ANNEX 3 – LEONARDO.AI SUBPROCESSORS
Last reviewed April 2025
| Name | Description of Processing | Entity Country |
|---|---|---|
| Amazon Web Services, Inc. | Platform Hosting and Infrastructure | United States |
| Black Forest Labs Inc. | Inference Services | Germany |
| Braze, Inc. | User Engagement and Communication | United States |
| Cloudflare, Inc. | Inference Services | United States |
| Google LLC | Gemini via Vertex AI | United States |
| Groq, Inc. | Enhancement and Editing of User Prompts | United States |
| Hasura, Inc. | API Gateway for Backend Services | United States |
| Intercom, Inc. | Customer Support | United States |
| OpenAI, LLC | Enhancement and Editing of User Prompts | United States |