This Data Processing Addendum (“DPA”) forms part of the agreement between Fenko Limited, NZBN 94-29053025449 (“Processor”) and the entity engaging Fenko for services (“Controller”). It applies to all Controller Personal Information that the Controller provides to, or that the Processor accesses on behalf of, the Controller in connection with the Services.
This DPA supplements the engagement agreement and prevails in the event of any conflict regarding data protection matters.
1. Definitions
Personal Information has the meaning given in the New Zealand Privacy Act 2020.
Controller Personal Information means Personal Information processed by the Processor on behalf of the Controller in connection with the Services.
Processing means any operation performed on Controller Personal Information, including collection, storage, access, use, disclosure, return, destruction, and any other handling of that information.
Services means the services described in the engagement agreement between the parties.
Sub-processor means any third party engaged by the Processor to process Controller Personal Information on behalf of the Controller as part of the Services.
Security Incident means an actual or reasonably suspected event that compromises, or may compromise, the confidentiality, integrity, or availability of Controller Personal Information or the systems used to process it.
Data Breach means a Security Incident that results in unauthorised or accidental access to, disclosure of, alteration of, loss of, or destruction of Controller Personal Information.
Applicable Privacy Law means the New Zealand Privacy Act 2020 and any other privacy or data protection law that applies to the Processing of Controller Personal Information under the engagement agreement or due to the nature, location, or scope of the Services.
Approved Jurisdictions means New Zealand, Australia, and any other jurisdiction expressly approved in writing by the Controller for the relevant Services, or required by law.
2. Processing Obligations
The Processor shall:
- process Controller Personal Information only as necessary to perform the Services and only in accordance with the Controller’s documented instructions;
- promptly notify the Controller if, in the Processor’s reasonable opinion, an instruction appears to breach Applicable Privacy Law, unless the Processor is prohibited by law from doing so;
- ensure that personnel authorised to process Controller Personal Information are subject to appropriate confidentiality obligations and receive training appropriate to their role;
- implement and maintain the security measures described in Section 9;
- not disclose Controller Personal Information to any third party, contractor, affiliate, Sub-processor, or AI service without the Controller’s prior written consent, unless disclosure is required by law;
- assist the Controller, without undue delay, with access requests, correction requests, deletion requests, regulatory inquiries, breach-related cooperation, and other reasonable privacy-related matters connected to the Services;
- provide reasonable assistance to the Controller in responding to requests from individuals exercising rights under the Privacy Act 2020 and, where applicable, other Applicable Privacy Law;
- maintain records of the Processing activities carried out for the Controller under this DPA and make those records available to the Controller on reasonable request; and
- on termination or expiry of the Services, return or securely destroy Controller Personal Information in accordance with Section 5.
3. Data Transfers
The Processor’s default position is to keep Controller Personal Information within Approved Jurisdictions. Controller Personal Information may be processed only in Approved Jurisdictions unless the Controller gives prior written approval for another jurisdiction or the transfer is required by law.
Before transferring Controller Personal Information outside New Zealand, the Processor shall take reasonable steps to ensure that the receiving party or jurisdiction provides safeguards consistent with Applicable Privacy Law, including Information Privacy Principle 12 of the Privacy Act 2020 where relevant.
Any approved transfer must be limited to the minimum Controller Personal Information reasonably required for the relevant purpose and be subject to contractual, technical, or operational safeguards appropriate to the risk.
If the Processor becomes aware that Controller Personal Information has been, or may have been, transferred to a jurisdiction that is not an Approved Jurisdiction without the Controller’s authorisation, the Processor shall notify the Controller without undue delay and treat the matter as a Security Incident.
4. Data Breach Notification
The Processor shall notify the Controller of any confirmed or reasonably suspected Data Breach affecting Controller Personal Information within 24 hours of becoming aware of it.
The initial notice shall include the information available at the time, including, where known:
- the nature of the incident;
- the categories of Controller Personal Information affected;
- the systems, services, or environments involved;
- the likely impact on the Controller or affected individuals; and
- the immediate containment or remediation steps taken or proposed.
The initial notice may be supplemented as facts become known. The Processor shall provide follow-up updates on a timely basis until the material facts, containment status, and remediation actions are reasonably clear.
The Processor shall cooperate with the Controller in investigating, containing, remediating, and documenting the Data Breach and in meeting any notification or consultation obligations under Applicable Privacy Law.
The Processor shall preserve relevant logs, records, evidence, and system data relating to the Data Breach for a reasonable period necessary to support investigation, legal assessment, remediation, and any required notifications.
5. Retention and Destruction
Controller Personal Information shall be retained only for the period specified in the engagement agreement or otherwise required by law. If no period is specified, the default retention period is 90 days after completion of the Services.
On expiry of the retention period, termination of the Services, or the Controller’s written request, the Processor shall, at the Controller’s election, return or securely destroy the relevant Controller Personal Information unless retention is required by law.
Where return applies, the Processor shall provide the data in a structured, machine-readable format reasonably agreed with the Controller.
Where destruction applies, the Processor shall securely destroy Controller Personal Information in accordance with NIST SP 800-88 and provide written confirmation of destruction within 10 business days.
If the Processor is required by law to retain any Controller Personal Information, it shall retain only the minimum information required for that purpose, continue to protect it under this DPA, and destroy it once the legal retention requirement ends.
Controller Personal Information may remain in routine backups or archives until overwritten in the ordinary course, provided it is not restored or used except where necessary for continuity, recovery, legal compliance, or incident response, and remains subject to this DPA.
6. Audit and Assurance
The Controller may, on reasonable notice and no more than once per year, request evidence that the Processor is complying with this DPA.
The Processor may satisfy that request in the first instance by providing existing materials reasonably relevant to the Services, including audit reports, policy extracts, security summaries, control descriptions, risk summaries, incident summaries, or other assurance documentation.
If that evidence is reasonably insufficient for the Controller to assess compliance with this DPA, the Controller may make further reasonable inquiries and the Processor shall respond in good faith with additional information proportionate to the risk and scope of the Services.
If a material Security Incident affects Controller Personal Information, the Controller may make additional reasonable assurance requests outside the once-per-year cap, including requests for incident-related summaries, remediation updates, and evidence of corrective action.
Any audit or further assurance activity under this Section must be conducted in a way that protects the Processor’s system security, other customers’ confidential information, and the continuity of the Services.
7. Third Parties, Sub-processors, and AI
The Processor’s standard delivery model is to avoid granting third-party or AI access to Controller Personal Information unless that access is necessary for a specifically agreed service component and has been expressly approved in writing by the Controller.
The Processor shall not engage any Sub-processor, contractor, affiliate, or AI service in connection with Controller Personal Information without the Controller’s prior written approval, unless required by law.
Where a Sub-processor is approved:
- the Processor shall ensure the Sub-processor is bound by written obligations no less protective than this DPA in respect of the relevant Processing;
- the Processor shall remain responsible for the Sub-processor’s acts and omissions as if they were its own; and
- the Processor shall, on request, provide the Controller with a customer-specific list of approved Sub-processors relevant to the Services.
Controller Personal Information must not be used to train, fine-tune, improve, benchmark, or otherwise develop shared or general-purpose models, including LLMs, unless the Controller has separately and expressly authorised that use in writing.
Controller Personal Information must not be used for any secondary purpose unrelated to the Services, including analytics, product improvement, or model evaluation, unless expressly authorised in writing by the Controller.
8. Processing Jurisdictions
| Jurisdiction | Scope | Conditions |
|---|---|---|
| New Zealand | Primary processing, staff access, engagement records | Default location for Controller Personal Information |
| Australia | Approved hosting or backup infrastructure, where required for service delivery | Access restricted to authorised personnel and protected by safeguards consistent with this DPA |
| Other jurisdictions | None by default | Requires the Controller’s prior written authorisation unless disclosure is required by law |
9. Security Measures
The Processor maintains the following security controls for Controller Personal Information:
- Encryption at rest: strong industry-standard encryption where technically supported, with equivalent compensating controls where a platform does not support configurable encryption at rest.
- Encryption in transit: TLS 1.2 minimum (TLS 1.3 preferred)
- Access control: least-privilege access controls and role-based access management for systems handling Controller Personal Information.
- MFA: multi-factor authentication for privileged or administrative access to systems processing Controller Personal Information.
- Access reviews: quarterly access reviews for privileged access and other material access paths.
- Logging and monitoring: security-relevant access and administrative activity is logged, monitored, and retained for at least 90 days, and longer where required by law or the engagement agreement.
- Vulnerability management: periodic vulnerability identification, risk-based remediation, and documented patching practices appropriate to system criticality and exposure.
- Patching: security patches and compensating controls are applied within documented internal timeframes proportionate to the severity of the issue.
- Media disposal: secure disposal of storage media and devices used for Controller Personal Information in line with documented disposal procedures and NIST SP 800-88 where applicable.
- Incident response: a documented incident response process with defined escalation, investigation, containment, and remediation steps.
- Training and confidentiality: personnel with access to Controller Personal Information receive security awareness training and are bound by confidentiality obligations appropriate to their role.
- Assurance framework: security management practices aligned to ISO 27001 principles, without representing certification unless separately stated.
10. Liability
Liability under this DPA forms part of, and is to be read together with, the liability provisions of the engagement agreement.
Without limiting the engagement agreement, each party remains responsible for losses, liabilities, claims, and reasonable costs to the extent caused by its breach of this DPA, breach of confidentiality obligations, or failure to comply with Applicable Privacy Law in connection with the Services.
The Processor remains responsible for approved Sub-processor failures, unauthorised disclosures by its personnel, contractors, or approved third parties, and failures to comply with Sections 2 to 9 of this DPA as if those failures were the Processor’s own.
The Controller remains responsible for the lawfulness of its instructions, the data it chooses to provide to the Processor, and any failure to obtain permissions, notices, or other authorisations required from data subjects or regulators where applicable.
Nothing in this DPA should be read as excluding liability for fraud, wilful misconduct, or deliberate misuse of Controller Personal Information.
11. Term
This DPA remains in effect for the duration of the engagement agreement and for as long as the Processor retains any Controller Personal Information.
Contact
For general contractual matters, contact [email protected].
For privacy and DPA matters, contact Fenko’s Privacy Officer at [email protected].