Skill Readiness

Legal

Data Processing Addendum

This addendum sets out how Skill Readiness handles customer personal data when we act as a processor or service provider for a customer organisation.

Effective Date

April 25, 2026

Last Updated

April 25, 2026

WAHLU LABS PTY LTD

ACN 696 304 140 · ABN 99 696 304 140 · Governing law: New South Wales, Australia

This Data Processing Addendum forms part of a customer's agreement with WAHLU LABS PTY LTD where it is incorporated by reference, attached to an order, or otherwise agreed in writing. It is designed for standard Skill Readiness customer use and may be supplemented by a signed customer-specific data processing agreement.

1. Roles

For customer personal data submitted to Skill Readiness, the customer organisation is typically the controller or business, and we act as processor or service provider on the customer's behalf. For account, billing, security, and business relationship information, we may act as an independent controller where applicable law allows.

2. Processing instructions

We will process customer personal data only to:

  • provide, secure, maintain, and support Skill Readiness;
  • operate assessment, reporting, workspace, invite, and growth-plan workflows;
  • comply with documented customer instructions and the customer agreement;
  • meet legal obligations and protect the service from misuse or security threats.

3. Customer responsibilities

Customers are responsible for deciding what personal data is submitted to the platform, ensuring they have a lawful basis to collect and use it, providing required notices to participants and staff, and configuring access permissions appropriately.

4. Subject matter and data categories

Processing covers operation of the Skill Readiness platform and related support. Customer personal data may include business contact details, workspace membership and role data, participant invite details, assessment responses, reviewer notes, scores, reports, growth plan outputs, audit history, usage records, and support information.

5. Security measures

We maintain reasonable technical and organisational measures designed to protect customer personal data, including access controls, passwordless authentication, role-based workspace permissions, managed cloud infrastructure, encrypted transport, audit logging for key product events, secret management, backup practices, and operational monitoring. More detail is available on our Security and Data page.

6. Personnel and confidentiality

We limit access to customer personal data to personnel and service providers who need access to deliver, secure, or support the service. Personnel with access to customer data are expected to handle it confidentially and only for authorised business purposes.

7. Subprocessors

We may use subprocessors to provide hosting, database, storage, email, payment, analytics, security, and support services. We remain responsible for our subprocessors' performance of the processing obligations we delegate to them. A current summary is published on our Subprocessors page.

8. International transfers

Customer personal data may be processed in countries outside the country where it was collected. Where required, we rely on contractual protections, provider safeguards, or other lawful transfer mechanisms appropriate to the relevant processing.

9. Personal data breach notice

If we become aware of a confirmed personal data breach affecting customer personal data, we will notify the affected customer without undue delay and provide information reasonably available to us to help the customer meet its own legal obligations. We may provide updates as our investigation progresses.

10. Assistance with requests

Taking into account the nature of the service and information available to us, we will provide reasonable assistance for privacy rights requests, regulator enquiries, impact assessments, and security information requests. We may direct individual requests to the relevant customer organisation where that organisation controls the data.

11. Return and deletion

On termination, expiry, or written customer request, we will take reasonable steps to export, return, or delete customer personal data in accordance with the customer agreement and applicable law. Some backup, audit, billing, or security records may remain for a limited period where deletion is not technically immediate or retention is legally or operationally necessary.

12. Evidence and audits

We can provide reasonable security and privacy information to customers under appropriate confidentiality conditions. Unless a signed agreement says otherwise, we do not commit to broad onsite audits, but we will cooperate in good faith with proportionate customer diligence requests.

13. Conflicts

If this addendum conflicts with a signed customer-specific data processing agreement, the signed customer-specific agreement will prevail to the extent of the inconsistency.