AWS AUSTRALIAN NOTIFIABLE DATA BREACH ADDENDUM

THIS AWS AUSTRALIAN NOTIFIABLE DATA BREACH ADDENDUM (this “Addendum”) is an agreement between the
applicable Amazon Web Services contracting party under the Agreement (“AWS”) and you or the entity you represent
(“you” or “your”), and is an addendum to the AWS Customer Agreement available at
http://aws.amazon.com/agreement (as updated from time to time) by and between you and AWS, or other
agreement between you and AWS governing your use of the Services (the “Agreement”). This Addendum takes effect
with respect to the ANDB Account (as defined below) on the date when you click an “Accept AWS Australian
Notifiable Data Breach Addendum for this Account” button (or other electronic means made available by AWS for
such purpose) presented with this Addendum (the “Addendum Effective Date”). You represent to AWS that you are
lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Addendum for an entity,
such as the company you work for, you represent to AWS that you have legal authority to bind that entity.
The parties hereby agree as follows:
1. Applicability and Definitions. This Addendum applies only (a) to the ANDB Account, (b) when you are subject
to the Privacy Act 1988 (Cth) (the “Privacy Law”), and (c) to “personal information” (as defined in the Privacy Law)
in AWS’s possession or control (the “Customer Data”). The “ANDB Account” means the AWS account under the
Agreement that you used to log in to AWS Artifact (or any successor Service offered by AWS) to accept this
Addendum. You acknowledge and agree that this Addendum does not apply to any other AWS accounts you may
have now or in the future, and that if you have any other AWS accounts they must either have a separate AWS
Australian Notifiable Data Breach Addendum or be joined as member accounts in an organization using AWS
Organizations (or any successor service offered by AWS) for which there is an applicable AWS Organizations
Australian Notifiable Data Breach Addendum in effect. Unless otherwise expressly defined in this Addendum, all
capitalized terms in this Addendum will have the meanings set forth in the Agreement.
2. Security Breach Notification.
2.1. If AWS becomes aware of either (a) any unlawful access to any Customer Data stored on AWS equipment or in
AWS facilities, or (b) any unauthorized access to such equipment or facilities, where in either case such access results
in loss, disclosure, or alteration of Customer Data (each a “Security Event”), AWS will promptly (i) notify you of the
Security Event, and (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the
Security Event.
2.2. You agree that:
(a) an unsuccessful Security Event will not be subject to this Section. An unsuccessful Security Event is
one that results in no unauthorized access to, or disclosure of, Customer Data or to any of AWS’s
equipment or facilities storing Customer Data, and may include, without limitation, pings and other
broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of
service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in
access beyond IP addresses or headers) or similar incidents; and
(b) AWS’s obligation to report or respond to a Security Event under this Section is not and will not be
construed as an acknowledgement by AWS of any fault or liability of AWS with respect to the
Security Event.
2.3. Notification(s) of Security Events, if any, will be delivered to one or more of your administrators by any means
AWS selects, including via email. It is your sole responsibility to ensure your administrators maintain accurate
contact information on the AWS management console at all times.
2.4. Following notification by AWS to you of a Security Event under Section 2.1, you must (a) determine if the
Security Event has resulted, or is likely to result, in serious harm to any person within the meaning of the Privacy
Law, including by carrying out your own internal assessment to make that determination, and (b) fulfill all notice
requirements, and take any other action in relation to the Security Event as required by the Privacy Law. You
acknowledge that the parties together intend that you will fulfill all notice obligations under the Privacy Law in
relation to a Security Event.

AWS Australian Notifiable Data Breach Addendum Page 1 of 3

AMAZON CONFIDENTIAL
2.5. If you have additional AWS accounts that need to be covered under an AWS Australian Notifiable Data
Breach Addendum, you must either (a) log in to AWS Artifact (or any successor Service offered by AWS) under each
of those other AWS accounts and accept a separate AWS Australian Notifiable Data Breach Addendum, or (b) join
such AWS accounts as member accounts in an organization using AWS Organizations (or any successor service
offered by AWS) for which there is an applicable AWS Organizations Australian Notifiable Data Breach Addendum
(“AWS Organizations ANDB Addendum”) in effect. You affirm that the only AWS account(s) that includes
Customer Data that is subject to the Privacy Law are the AWS account(s) for which you have taken the steps
described in Section 2.5(a) or (b), and no other AWS account(s) of yours includes Customer Data that is subject to
the Privacy Law.
3. Term and Termination
3.1. Term. The term of this Addendum will commence on the Addendum Effective Date and will remain in effect
with respect to the ANDB Account until the earlier of (a) the termination of the Agreement, (b) termination of this
Addendum by you as set forth in Section 3.2 below, or (c) termination of this Addendum by AWS on notice to you
if AWS includes security breach notification terms in the Service Terms to help you comply with the Privacy Law. A
material breach of this Addendum will be treated as a material breach of the Agreement.
3.2. Termination. You have the right to terminate this Addendum for any reason upon notice to AWS by logging
in to AWS Artifact (or any successor Service offered by AWS) under the ANDB Account and clicking a “Terminate
the AWS Australian Notifiable Data Breach Addendum for this Account” button (or other electronic means made
available by AWS for such purpose).
4. Notice. AWS may provide notice to you under this Addendum by (a) facsimile transmission, (b) by personal
delivery, overnight courier or registered or certified mail, (c) sending a message to an email address then
associated with the ANDB Account, or (d) posting a notice on the AWS Site. Notices provided by personal delivery
will be effective immediately. Notices provided by facsimile transmission or overnight courier will be effective one
business day after they are sent. Notices provided by registered or certified mail will be effective three business
days after they are sent. Any notices provided by posting on the AWS Site will be effective upon posting and
notices provided by email will be effective when AWS sends the email.
5. No Agency Relationship. As set forth in the Agreement, nothing in this Addendum is intended to make either
party an agent of the other. Nothing in this Addendum is intended to confer upon you the right or authority to
control AWS’s conduct in the course of AWS complying with the Agreement and Addendum.
6. Nondisclosure. You agree that the terms of this Addendum are not publicly known and constitute AWS
Confidential Information under the Agreement.
7. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and
effect. This Addendum, together with the Agreement as amended by this Addendum (a) is intended by the parties
as a final, complete and exclusive expression of the terms of their agreement, and (b) supersedes all prior
agreements and understandings (whether oral or written) between the parties with respect to the subject matter
hereof, except that if the ANDB Account is joined as a member account in an organization using AWS Organizations
(or any successor service offered by AWS) for which there is an applicable AWS Organizations ANDB Addendum in
place, then this Addendum will not supersede such AWS Organizations ANDB Addendum. While an AWS
Organizations ANDB Addendum is in effect with respect to the ANDB Account, it will apply to the ANDB Account
instead of this Addendum. If there is a conflict between the Agreement, this Addendum, or any other amendment
or addendum to the Agreement or this Addendum, the document later in time will prevail, except that while an
AWS Organizations ANDB Addendum is in effect with respect to the ANDB Account, it will control over this
Addendum. AWS will not be bound by, and specifically objects to, any term, condition or other provision which is
different from or in addition to the provisions of this Addendum (whether or not it would materially alter this
Addendum) and which is submitted by you in any order, receipt, acceptance, confirmation, correspondence or
other document.
8. Modification. From time to time, AWS may modify the terms of the AWS Australian Notifiable Data Breach
Addendum that it offers to its customers, but no modification or amendment of any portion of this Addendum will

AWS Australian Notifiable Data Breach Addendum Page 2 of 3

AMAZON CONFIDENTIAL
be effective unless in writing and accepted by you and by AWS, which acceptance may be made electronically
through AWS Artifact (or any successor Service offered by AWS) or through other electronic means made available
by AWS for such purpose.

[Remainder of Page Intentionally Left Blank]

AWS Australian Notifiable Data Breach Addendum Page 3 of 3

AMAZON CONFIDENTIAL