TAHUA - DATA PROCESSING AGREEMENT
This Data Processing Agreement ("Agreement") is entered into between:
(1) The entity identified as the "Customer" (also referred to as "Subscriber") in the Terms of Use, which acts as the Data Controller under applicable Data Protection Laws ("Controller"); and
(2) Tahua Solutions Limited, a New Zealand limited liability company ("Processor").
This Agreement supplements and forms part of the Tahua Terms of Use (the "Principal Agreement") under which Processor provides its Services to the Controller.
Capitalised terms not defined in this Agreement have the meaning given to them in the Principal Agreement. In addition:
- "Data Controller" or "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Data Processor" or "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Data Protection Laws" means the data protection and privacy laws applicable to the Processing of Personal Data, including:
  - the Privacy Act 2020 (New Zealand),
  - the Privacy Act 1988 (Cth, Australia), and
  - where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Personal Data" means any information relating to a Data Subject.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.
- "Subprocessor" means a third party engaged by the Processor to process Personal Data on its behalf.
This Agreement governs the Processor’s Processing of Personal Data on behalf of the Controller in connection with the Services provided under the Principal Agreement. This Agreement remains in effect for as long as the Principal Agreement is in force, unless terminated earlier in accordance with its terms.
The Processor will process Personal Data only as necessary to provide the Services, which include grant application and management services, and any associated services described in the Principal Agreement.
- Types of Personal Data: names, contact information, demographic data, user account details, grant application content, and any other data input into the Services by the Controller or End Users.
- Categories of Data Subjects: grant applicants, reviewers, administrators, Authorised Users, and other individuals whose data is submitted via the Services.
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller;
- Ensure that persons authorised to process Personal Data are subject to confidentiality obligations;
- Implement appropriate technical and organisational measures to protect Personal Data;
- Assist the Controller in meeting its obligations under Data Protection Laws, including in relation to data security, breach notification, and data protection impact assessments;
- Delete or return Personal Data at the end of the Services, unless retention is required by law;
- Make available all information necessary to demonstrate compliance with this Agreement and permit audits, subject to confidentiality obligations.
- The Controller authorises the Processor to engage Subprocessors to support the provision of Services.
- A current list of Subprocessors is available in the Privacy Policy.
- The Processor will inform the Controller of any intended changes to the list of Subprocessors, providing the Controller with an opportunity to object.
- The Processor will ensure all Subprocessors are subject to obligations equivalent to those in this Agreement.
- The Processor is based in New Zealand, which is recognised by the European Commission as providing an adequate level of data protection.
- Where Personal Data is transferred internationally, such transfers will comply with applicable Data Protection Laws, including GDPR Chapter V where relevant.
The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, objection, and data portability.
The Processor will implement and maintain appropriate security measures, including encryption, access controls, regular testing, and incident response procedures. The Processor will notify the Controller without undue delay upon becoming aware of a Personal Data Breach.
Each party’s liability under this Agreement is subject to the limitations of liability set out in the Principal Agreement. The Processor shall be liable only for Processing that is non-compliant with this Agreement or performed outside the lawful instructions of the Controller.
This Agreement is governed by the laws of New Zealand, unless otherwise required under applicable Data Protection Laws. Any disputes shall be subject to the exclusive jurisdiction of the competent courts of New Zealand or as agreed in the Principal Agreement.