API Terms of Use

Version: 1, September 17, 2025

Agreement

Crisisworks is a software platform by Datalink that exposes an API allowing authorised API Users to manage their system, including accessing and manipulating sensitive data.

These API Terms of Use (“Terms”) govern access to and use of the Crisisworks Application Programming Interfaces (“API”). By using the API, you agree to these Terms on behalf of yourself or the entity you represent. If you do not agree, you must not use the API.

1. Introduction and Purpose

The API provides controlled access to data within the Crisisworks platform. Customers and Datalink may jointly authorise third parties to use the API on their behalf. These Terms exist to protect the confidentiality, integrity, and availability of customer data, much of which includes personally identifiable information (PII).

We align these Terms with recognised information security standards, including ISO 27001.

2. Definitions

  • Customer: The organisation or individual who owns the data within their tenancy of the Crisisworks platform.

  • API User: Any person or entity that uses the API, whether the Customer or a third party authorised by the Customer.

  • Third Party: An API User invited by a Customer to access data.

  • Data: Any information, including PII, which is stored within the Customer's Crisisworks tenancy and accessible through the API.

  • API Credentials: Credentials issued by Datalink that enable access to the API.

3. Shared Security

Crisisworks is provided under a Shared Responsibility Model for information security, in which the following responsibilities apply:

Customer responsibilities: Deciding which users and third parties may access their Data, managing authorisation and access of API Users to the Data including the assignment of API Users to Crisisworks positions and events, and monitoring the API User's actions.

API User responsibilities: Securely handling Data, ensuring lawful use, and protecting extracted Data.

Datalink responsibilities: Providing the API securely and maintaining system availability to reasonable standards.

4. Access and Authorisation

  • API Users must be approved by both the Customer and Datalink before using the system.

  • API access is granted for specific purposes and must be kept secure.

  • API Users must not share API Credentials, must protect them from unauthorised use, and must rotate them in accordance with industry best practice or as directed by Datalink.

  • API access may be suspended or revoked by Datalink or the Customer at any time, with or without notice, including in response to suspected misuse or security risk.

5. Acceptable Use

API Users must:

  • Access only the data they are explicitly authorised to access.

  • Use the API only for the intended business purpose approved by Datalink and the Customer.

  • Not circumvent or attempt to circumvent technical controls, rate limits, or security features.

  • Not engage in unreasonable usage, such as denial of service, excessive scraping, or activities that degrade the service.

  • Not use Crisisworks and Datalink trademarks, branding, or references in marketing or public materials without prior written permission.

Customers must:

  • Ensure all API access granted to their Crisisworks instance is carefully vetted, approved and monitored.

  • Ensure the API Users are aware of their obligations under these Terms of Use.

6. Information Security

6.1 Maintain Information Security

  • API Users must implement and maintain information security controls consistent with industry standards (e.g. ISO 27001, NIST CSF, or equivalent).

  • All PII and sensitive data must be securely stored, transmitted, and disposed of in accordance with applicable laws and standards.

  • Data must not be shared, sold, or used for unrelated purposes without explicit authorisation by both Datalink and the Customer.

  • Re-identification of anonymised data is strictly prohibited.

6.2 Bulk Data Extraction

  • Bulk exports may only be performed where expressly permitted by the Customer.

  • Extracted data remains subject to these Terms.

  • API Users are fully responsible for the storage, protection, and lawful use of extracted data.

6.3 Breach Notification and Incident Response

  • API Users must notify Datalink and the relevant Customer within 72 hours of any actual or suspected security incident, data breach, or unauthorised disclosure of Data.

  • API Users must co-operate fully in investigations and remediation.

6.4 Sub-processors

  • If an API User engages sub-processors or service providers to handle Data, they must disclose this to the Customer and ensure equivalent security standards are applied contractually.

  • The Customer is responsible for ensuring contractual compliance of their users, including their API Users and any sub-processors.

6.5 Testing Restrictions

  • Penetration testing, fuzzing, or automated scanning of the API is prohibited without prior written consent from Datalink.

6.6 Audit rights

  • Datalink reserves the right to audit API usage and request evidence of an API User’s security practices to verify compliance with these Terms.

6.6 Rate Limiting and Availability

  • API usage is subject to rate limiting, quotas, and throttling as determined by Datalink.

  • Datalink may suspend or modify these limits at any time to maintain service stability or security.

7. Termination of Access

  • Datalink may suspend or terminate API access immediately for breach of these Terms, suspected misuse, or any reason at its sole discretion.

  • Upon termination, all API access must cease and all Data previously retrieved must be securely deleted unless retention is required by law.

  • API Users must comply with all applicable privacy, data protection, and cybersecurity laws (including but not limited to the Australian Privacy Act, the Victorian Privacy Principles and other applicable data protection laws).

  • Customers must ensure API Users comply with their applicable contractual terms concerning data security, data sovereignty and information security.

  • API Users must not transfer Data outside of the region of service provision unless legally permitted.

8.2 Liability and Indemnity

  • API Users are liable for any misuse, breach, or failure to protect Data accessed via the API.

  • API Users indemnify and hold harmless Datalink and the Customer from any claims, losses, or damages arising from their use of the API.

8.3 Changes to Terms

  • Datalink may update these Terms from time to time.

  • Continued use of the API after changes are published constitutes acceptance of the updated Terms.

  • Customers are responsible for ensuring their invited users are informed of updates.

8.4 Miscellaneous

  • These Terms are governed by the laws of Victoria, Australia.

  • If any provision is held invalid, the remainder will remain in effect.

Further information

Security and compliance queries may be directed to [email protected].

Approved by CISO

17 September 2025

Next review before

17 September 2026
