Uber Health Data Processing Addendum - Australia
The company identified within this sign-up page (“Company”) hereby accepts and agrees to this Uber Health Data Processing Addendum (“DPA”) to the Uber Health Product Addendum to the Uber for Business General Terms and Conditions (“Product Addendum”) which is an addendum to the Uber for Business General Terms and Conditions (“General Terms”) and constitutes a legally binding agreement by and between Company and Uber Pacific Pty Ltd, an Australian company registered in New South Wales (ABN 96 622 366 116), registered at PKF Lawler, Level 8, 1 O’Connell Street, Sydney NSW 2000, Australia (“Uber”). Capitalised terms used but not otherwise defined herein shall have the meaning ascribed to such terms in the General Terms and the Product Addendum. In the event of any conflict between the terms of the Agreement and this DPA, the terms of this DPA shall govern. This DPA describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Company Assigned Data (as defined below). Company’s use of Uber Health is subject to this DPA as applicable and as may be modified or updated by Uber as set forth in the General Terms.
1. Definitions.
“Company Assigned Data” means Personal Data provided by Company to Uber through the use and/or access of a Health Product, excluding Uber Health User Data or any other Personal Data which Uber in its sole discretion deems related to Company’s use of the Uber Services. Company Assigned Data may include, for example, gender, payer name, and payer ID.
“Controller” means the party or parties to the Agreement that determine(s) the purposes and means of the Processing of Personal Data for purposes of the Product Addendum.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Product Addendum, including, as applicable, the Australian Privacy Act, as amended from time to time.
“Data Subject” means an identified or identifiable natural person.
“Data Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Assigned Data on systems managed by or otherwise controlled by Uber.
“Personal Data” shall mean “personal data,” “personal information,” or equivalents as defined in applicable Data Protection Laws. In the absence of applicable Data Protection Laws, “Personal Data” shall mean any information relating, directly or indirectly, to an identified or identifiable natural person.
“Process, Processes, Processing, or Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, accessing, releasing, disclosing, making available, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise, aligning or combining, restricting, erasing or destroying.
“Subprocessor” means a third party authorised as another processor under this DPA to process Company Assigned Data in order to provide Company access to applicable Health Products.
2. Roles of Parties and Compliance.
2.1. The parties agree that when Uber is Processing Company Assigned Data on behalf of Company pursuant to an applicable Product Addendum, Uber is a Processor and Company is a Controller of Company Assigned Data. For the avoidance of doubt, Uber acts as an independent Controller with regard to all other data it processes, excluding Company Assigned Data.
2.2. Uber will only process Company Assigned Data pursuant to the Product Addendum and only in accordance with Company's documented instructions except where and to the extent otherwise required by applicable law. The parties agree that the Product Addendum together with this DPA constitute Company's documented instructions. Company may issue additional or alternate instructions as reasonably required to ensure compliance with applicable Data Protection Law, provided that such instructions are agreed in writing between Company and Uber.
2.3. Company represents and warrants that Company has a valid legal basis for processing Company Assigned Data and that its instructions to Uber will not result in Uber’s violation of any applicable law, regulation or rule, including, without limitation, Data Protection Laws.
2.4. Each party agrees it will comply with its obligations under applicable Data Protection Laws relating to any Company Assigned Data it processes under or in relation to the Product Addendum. Uber will promptly inform the Company if Uber is of the opinion that Company’s instruction infringes on applicable Data Protection Law.
3. Data Deletion.
Uber will delete Company Assigned Data processed pursuant to the Product Addendum when it is no longer needed to fulfill the obligations under the Product Addendum, or upon Company’s reasonable advance request. Company also retains the right to delete Company Assigned Data directly. In addition, unless Company provides different instructions, Uber will automatically delete Company Assigned Data after 90 days following the cessation of Processing activities. Uber will comply with Company’s data deletion instruction as soon as reasonably practicable, unless applicable law requires storage.
4. Data Security and Incidents.
4.1. Uber will implement and maintain technical, organisational, and physical measures as described in Appendix 1 (Security Measures) (the “Security Measures”) to help provide a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Company Assigned Data; and prevent a Data Security Incident.
4.2. Uber may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the services pursuant to the Terms.
4.3. Uber will notify Company within 48 hours after becoming aware of a Data Security Incident and promptly take reasonable steps to minimise harm and secure Company Assigned Data.
4.4. Uber’s notice will describe, to the extent known to Uber, the nature of the Data Security Incident; the categories and approximate number of data subjects concerned; the measures Uber has taken, or plans to take, to address the Data Security Incident and mitigate its potential risk; the measures, if any, Uber recommends that Company take to address the Data Security Incident; and other information required by applicable Data Protection Laws, as soon as such information can be collected or otherwise becomes available.
4.5. Uber will require that any person that it authorises to process Company Assigned Data (including its staff, agents, and subcontractors) be subject to a duty of confidentiality (whether in accordance with Uber's confidentiality obligations in the General Terms or a statutory duty).
4.6. Each party will provide reasonable information and assistance to the other party to the extent necessary to help the other party to meet its obligations to data subjects and regulators. Except as required by law, the parties shall refrain from disclosing information as relates to the other party or the other parties’ personal information, without the other party’s prior written consent.
5. Subprocessors. Uber will impose legally binding terms on each Subprocessor that are as restrictive as those contained in this DPA to the extent applicable to the nature of the services provided by such Subprocessors. Uber will remain responsible for any acts or omissions of Subprocessor that cause Uber to breach any of its obligations under this DPA.
6. Miscellaneous.
6.1. Unless the above explicitly states otherwise, the terms and conditions of the Agreement shall apply to this DPA. In case of any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA prevail with regard to data processing activities.
6.2. Any claims brought under this DPA will be subject to the terms of the Agreement (including its exclusions and limitations).
6.3. The governing law and forum that apply to the Agreement also apply to this DPA.
APPENDIX 1: SECURITY MEASURES
Uber will implement and maintain security standards at least as protective as those set out below (as applicable).
1. Organisational/Administrative Security Measures: Uber has implemented, and will maintain and update as appropriate throughout its Processing of Company Assigned Data:
1.1. A written and comprehensive information security program in compliance with applicable data protection laws.
1.2. Business continuity and disaster recovery plans that are documented and tested on a regular basis to ensure operational continuity (to the extent necessary for its operations).
1.3. Policies and procedures to limit access to Company Assigned Data to those who require such access to perform their roles and responsibilities in connection with the Agreement, including regular updates to such access based on changes to data importer’s personnel, policies or procedures.
1.4. Procedures to verify access rights through effective authentication methods.
1.5. Policies and procedures, trained personnel, and record-keeping, to assess government data requests and limit responses to when required by law or when there is imminent serious risk to individuals.
2. Physical Security Measures. Uber has implemented, and will maintain and update as appropriate throughout its Processing of Company Assigned Data, appropriate physical security measures for any facility used to Process Company Assigned Data and continually monitor any changes to the physical infrastructure, business, and known threats.
3. Technical Security Measures: Uber shall throughout its Processing of Company Assigned Data:
3.1. Perform vulnerability scanning and assessments on applications and infrastructure used to Process Company Assigned Data.
3.2. Secure its computer networks using multiple layers of access controls to protect against unauthorised access.
3.3. Restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
3.4. Identify computer systems and applications that warrant security event monitoring and logging and reasonably maintain and analyze log files.
3.5. Use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that Process Company Assigned Data.
3.6. Encrypt Company Assigned Data in transit outside Uber networks.
3.7. Encrypt Company Assigned Data at rest, where possible.