Data Processing Addendum

Last updated: 2026-04-15

Version 1.1 – [30/01/2026]

This Data Processing Addendum ("DPA") forms part of (and is incorporated by reference into) the SAAS First Terms of Use and Privacy Policy or any other written or click-through agreement that governs Customer's use of the SAAS First Service (hereinafter collectively: "Principal Agreement"). It applies if and to the extent Southern Vector Limited (NZBN 9429052764448), 26 Applefield Road, Northwood, Christchurch, 8051, New Zealand ("SAAS First", "Processor", "we", "us", "our") processes Personal Information on behalf of the legal entity that accepted the Principal Agreement ("Customer", "Controller", "you", "your").

By accepting the terms and conditions defined in the Principal Agreement, or using the Services provided, you as a Customer also accept the terms and conditions specified below. If you as a Customer cannot comply or do not agree to be bound by the Principal Agreement and this DPA, or do not have the authority, then please do not provide Personal Information/Personal Data to us or do not use the Services.    

This DPA forms an inseparable part of the Principal Agreement.

1. DEFINITIONS

"Applicable Privacy Laws" means, to the extent applicable to either party or the processing activities:

-  (i) New Zealand Privacy Act 2020 ("NZ Privacy Act") and the Privacy Regulations 2020;

-  (ii) EU General Data Protection Regulation 2016/679 ("EU GDPR");

-  (iii) UK GDPR and Data Protection Act 2018;

-  (iv) California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA");

-  (v) any substantially similar privacy or data-protection laws in force in the jurisdiction(s) of either party or of any Data Subject whose Personal Information is processed.

"AI Processing" means the use of artificial intelligence systems, including but not limited to chatbots, machine learning models, and automated decision-making tools, to process Personal Information.

"Breach" means a privacy breach or "personal data breach" as defined in NZ Privacy Act 2020 s.73 or GDPR Art 4(12).

"Customer Data" has the meaning in the Principal Agreement and includes Personal Information.

"Data Subject" means an identified or identifiable natural person.

"Personal Information" / "Personal Data" has the meaning given in the NZ Privacy Act or GDPR (as applicable).

"SCCs" means the EU standard contractual clauses for international transfers adopted by Commission Decision (EU) 2021/914, and the UK International Data Transfer Addendum where relevant.

"Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

"Sub-processor" means any third party engaged by SAAS First to process Personal Information for the purposes of the Service.

In order to avoid unnecessary duplication of the specific normative text, we do not separately define basic concepts other than those mentioned above. The concepts and designations used in this DPA correspond to those defined in the GDPR, the NZ Privacy Act and the CCPA.

2. SCOPE AND APPLICATION

2.1 Scope. This DPA applies to all Personal Information/Personal Data processed by SAAS First on behalf of Customer in connection with the Service.

2.2 Hierarchy. In case of conflict between the Principal Agreement and this DPA regarding data protection matters, this DPA prevails.

2.3 Legal Basis and Lawfulness. Customer remains responsible for determining and communicating the lawful basis for processing under Applicable Privacy Laws (see Section 5).

3. ROLES AND RESPONSIBILITIES

3.1 Controller-Processor Relationship.

-  For Customer End-User/Contact data: Customer is the Controller; SAAS First is the Processor

-  For SAAS First's own business data: SAAS First is the Controller (governed by SAAS First's Privacy Policy)

3.2 Customer acknowledges that no joint controller relationship exists or will arise between SAAS First and Customer under this DPA or the Principal Agreement. SAAS First acts solely as a Processor when processing Personal Information/Personal Data in connection with the Services provided under the Terms of Use. Customer retains full and exclusive control over processing purposes, legal basis determination, and essential processing decisions.

3.3 Independent Controllers. Each party acts as an independent controller for its own business operations and employee data.

4. PROCESSING INSTRUCTIONS AND PURPOSE LIMITATION

4.1 Authorized Processing. SAAS First will process Personal Information/Personal Data solely:

-  (a) to provide the Service as documented in the Principal Agreement;

-  (b) as specified in Annex A (Description of Processing);

-  (c) on Customer's written instructions via Service configuration, this DPA, or separate written instructions.

4.2 Purpose Limitation. SAAS First will not process Personal Information for any purpose other than those specified in Section 4.1.

4.3 Instruction Changes. Controller may modify processing instructions through the Service interface or by written notice. SAAS First, as Processor, will implement reasonable instruction changes within 30 days.

4.4 Unlawful Instructions. If SAAS First believes Customer's instructions violate Applicable Privacy Laws, SAAS First will promptly notify Customer and may suspend the unlawful processing pending resolution.

4.5 AI Processing Instructions. For AI Processing activities:

-  Processing is limited to knowledge base articles flagged by Customer and recent conversation context

-  No Personal Information is used for AI model training or improvement

-  Customer may disable AI Processing at any time through Service configuration

5. CONTROLLER OBLIGATIONS

5.1 Lawfulness. Customer is responsible for:

-  (i) ensuring lawfulness of all Personal Information/Personal Data provided to SAAS First;

-  (ii) providing required privacy notices to Data Subjects;

-  (iii) obtaining necessary consents and maintaining consent records;

-  (iv) ensuring processing instructions comply with Applicable Privacy Laws.

5.2 Data Categories. Customer represents that Personal Information provided will be limited to the categories described in Annex B.

5.3 Prohibited Data. Customer will not provide or instruct processing of:

-  Special Category or Sensitive Data (unless explicitly agreed in writing and lawful basis confirmed)

-  Payment card primary account numbers

-  Government-issued identifiers

-  Personal Information of children under 16 (unless parental consent obtained and processing explicitly authorized)

5.4 Data Subject Rights. Customer remains responsible for responding to Data Subject requests, with SAAS First's assistance as specified in Section 7.

5.5 Impact Assessments. Customer will conduct Data Protection Impact Assessments where required by Applicable Privacy Laws and may request SAAS First's assistance per Section 7.3.

6. PROCESSOR OBLIGATIONS

6.1 Processing Limitations. SAAS First will:

-  Process Personal Information/Personal Data only as instructed by Customer, where such instructions are within the terms of the Principal Agreement and this DPA, including with regard to the manner in which the Processing shall be performed,

-  Not disclose Personal Information/Personal Data to third parties except as authorized herein,

-  Not use Personal Information/Personal Data in any way for SAAS First's own purposes

6.2 Personnel Security. SAAS First ensures:

-  All personnel authorized to process Personal Information/Personal Data are bound by confidentiality obligations,

-  Appropriate background checks and security training for relevant personnel,

-  Access controls limiting personnel access to Personal Information/Personal Data based on job requirements

6.3 Technical and Organizational Measures. SAAS First implements and maintains security measures described in Annex C, including:

-  Encryption of Personal Information in transit and at rest

-  Multi-factor authentication for system access

-  Regular security assessments and penetration testing

-  Incident response procedures

6.4 Sub-processors. Subject to Section 9 (Sub-processors).

6.5 International Transfers. Subject to Section 10 (International Transfers).

6.6 Records Maintenance. SAAS First maintains records of processing activities as required by Applicable Privacy Laws.

7. COOPERATION AND ASSISTANCE

7.1 Data Subject Rights Assistance. SAAS First will assist Customer in responding to Data Subject requests by:

-  Providing technical capabilities to search, access, rectify, or delete Personal Information/Personal Data

-  Responding to Customer's assistance requests within 48 hours,

-  Forwarding any direct Data Subject requests to Customer within 24 hours.

7.2 Data Subject Rights Procedures.

-  Access Requests: SAAS First will provide data export functionality

-  Rectification: Customer can correct data through Service interface; SAAS First will assist with bulk corrections

-  Erasure: SAAS First will delete Personal Information/Personal Data within 30 days of Customer request and if required by Applicable Privacy Laws.

-  Portability: SAAS First will provide data in structured, commonly-used format

-  Objection/Restriction: SAAS First will implement processing restrictions as instructed

7.3 Regulatory Assistance. SAAS First will provide reasonable assistance for:

-  Data Protection Impact Assessments by providing processing information and risk assessments

-  Consultations with supervisory authorities by providing necessary documentation

-  Regulatory investigations by cooperating with reasonable information requests

8. CONFIDENTIALITY AND DATA SECURITY

8.1 Confidentiality Obligations. SAAS First will:

-  Treat all Personal Information/Personal Data as strictly confidential

-  Not disclose Personal Information/Personal Data except as authorized by this DPA or required by law

-  Limit access to authorized personnel with legitimate need-to-know

8.2 Personnel Confidentiality. All SAAS First personnel with access to Personal Information/Personal Data must execute confidentiality agreements extending beyond employment termination.

8.3 Third-Party Disclosures. SAAS First may disclose Personal Information/Personal Data only:

-  To authorized Sub-processors per Section 9 (Sub-processors)

-  When legally compelled (with prior notice to Customer where legally permissible)

-  With Customer's written consent

8.4 Security Standards. SAAS First maintains security measures meeting or exceeding:

-  ISO 27001 standards for information security management

-  Industry-standard encryption (AES-256 for data at rest, TLS 1.3 for data in transit)

-  Regular vulnerability assessments and penetration testing

8.5 Security Incident Response. Detailed procedures in Annex C and Section 11.

9. SUB-PROCESSORS

9.1 General Authorization. Customer provides general written authorization for SAAS First to engage Sub-processors listed in Annex D.

9.2 Sub-processor Requirements. SAAS First ensures each Sub-processor:

-  Executes data processing agreement with equivalent obligations to this DPA

-  Implements appropriate technical and organizational security measures

-  Provides necessary assurances regarding international transfer safeguards

9.4 AI Sub-processors. Current AI service providers (OpenAI, Anthropic, Google) are subject to additional restrictions:

-  No Personal Information/Personal Data stored beyond inference session

-  No use of Personal Information/Personal Data for model training

-  Processing limited to real-time service provision

10. INTERNATIONAL TRANSFERS

10.1 Transfer Restrictions. SAAS First will ensure that Personal Data remains within the relevant jurisdiction of collection (specifically the EEA for European data subjects and New Zealand for NZ data subjects), unless the transfer is conducted in full compliance with applicable data protection laws (such as the GDPR or the NZ Privacy Act) through the use of adequate safeguards (e.g., Standard Contractual Clauses or Adequacy Decisions).

10.2 Adequacy Decisions. Transfers to jurisdictions with adequacy decisions are permitted.

10.3 Standard Contractual Clauses. Where Customer is subject to the EU or UK GDPR:

-  SCC Module 2 (Controller-to-Processor) automatically applies

-  Parties select Option 2 (general authorization for Sub-processors)

-  Annexes completed using Annex A, B, and C of this DPA

10.4 Additional Safeguards. For transfers without adequacy decisions, SAAS First implements:

-  Encryption of Personal Information/Personal Data during transfer and processing

-  Contractual restrictions on data access by foreign governments

-  Regular assessment of legal environment in destination countries

10.5 Transfer Impact Assessments. SAAS First conducts transfer impact assessments for high-risk jurisdictions and shares summaries with Customer upon request.

11. INCIDENT RESPONSE AND BREACH NOTIFICATION

11.1 Incident Detection. SAAS First maintains continuous monitoring systems to detect potential security incidents and data breaches.

11.2 Breach Notification Timeline.

-  Customer notification: Within 72 hours of SAAS First becoming aware of breach

-  Preliminary notice: Within 24 hours for high-severity incidents

-  Follow-up reports: Within 30 days with full investigation results

11.3 Notification Contents. Breach notifications include:

-  Nature and scope of the breach

-  Categories and approximate number of affected Data Subjects and records

-  Likely consequences of the breach

-  Measures taken or proposed to address the breach

-  Contact information for further details

11.4 Incident Response Cooperation. SAAS First will:

-  Investigate and contain the incident promptly

-  Preserve evidence for regulatory investigations

-  Cooperate with Customer's breach response activities

-  Assist with regulatory notifications as reasonably requested

11.5 Incident Response Plan. Detailed incident response procedures are maintained in GBD's BCP and Incident Response Tabletop Exercise Report.

12. RECORDS AND DOCUMENTATION

12.1 Processing Records. SAAS First maintains records including:

-  Categories of processing activities

-  Purposes of processing and legal basis

-  Categories of Data Subjects and Personal Information/Personal Data

-  Sub-processor information and transfer details

-  Security measures and breach incidents

12.2 Documentation Requirements. SAAS First provides Customer with:

-  Updated Sub-processor lists

-  Security measure descriptions

12.3 Record Retention. Processing records maintained for minimum years after relationship termination or as required by applicable law.

13. AUDITS AND MONITORING

13.1 Audit Rights. Customer may audit SAAS First's compliance through:

-  Review of documentation and reports per Section 13.2

-  On-site audits per Section 13.3

-  Third-party audit reports per Section 13.2

13.2 Documentation and Reports. SAAS First provides upon reasonable request:

-  Annual compliance self-assessment reports

-  Third-party security audit reports (ISO 27001, SOC 2)

-  Penetration testing executive summaries

-  Sub-processor compliance confirmations

13.3 On-Site Audits.

-  Maximum frequency: Once every 24 months (unless breach or regulatory requirement)

-  Written notice: 30 days minimum

-  Confidentiality agreements executed by audit team

-  Reasonable time and materials fees at standard rates

-  No access to other customers' data or proprietary systems

13.4 Audit Remediation. SAAS First will address audit findings within agreed timeframes and provide remediation evidence.

14. TRAINING AND PERSONNEL

14.1 Security Training. SAAS First provides regular data protection and security training to all personnel with access to Personal Information/Personal Data.

14.2 Access Management. SAAS First implements:

-  Role-based access controls

-  Regular access reviews and updates

-  Immediate access revocation upon personnel changes

14.3 Background Checks. Appropriate background verification for personnel with access to Personal Information.

15. LIABILITY AND INDEMNIFICATION

15.1 Liability Limitation. Each party's aggregate liability under this DPA is subject to the limitation-of-liability clause in the Principal Agreement, except for:

-  Regulatory fines and penalties (each party liable for its own violations)

-  Gross negligence or willful misconduct

-  Breaches of confidentiality obligations

15.2 Customer Indemnification. Customer indemnifies SAAS First against claims arising from:

-  Customer's breach of Section 5 (Controller Obligations)

-  Unlawful processing instructions from Customer

-  Customer's failure to obtain required consents

15.3 Processor Indemnification. SAAS First indemnifies Customer against claims arising from:

-  SAAS First's material breach of this DPA

-  Unauthorized processing by SAAS First

-  Sub-processor violations (subject to SAAS First's liability limitations)

16. DURATION AND TERMINATION

16.1 Term. This DPA becomes effective on the earlier of:

-  the Principal Agreement effective date;

-  the first transfer of Personal Information to SAAS First;

and continues until SAAS First no longer processes Personal Information on Customer's behalf.

16.2 Data Return/Deletion. Upon termination or Customer request:

-  Customer may export Personal Information within 30 days

-  SAAS First deletes Personal Information within 30 days after export period

-  Encrypted backups auto-deleted within 15 days

-  Minimal logs retained only for legal compliance (maximum 7 years)

16.3 Survival. The following sections survive termination: 8 (Confidentiality), 11 (Incident Response), 13 (Audits), 15 (Liability), 16 (Termination), and 17 (Governing Law).

17. DISPUTE RESOLUTION

17.1 Good Faith Resolution. Parties will attempt good faith resolution of disputes through direct negotiation.

17.2 Mediation. Unresolved disputes are subject to mediation via the Resolution Institute of New Zealand before litigation.

17.3 Regulatory Cooperation. Nothing herein limits either party's cooperation with data protection authorities.

18. GOVERNING LAW AND JURISDICTION

18.1 Governing Law. Unless otherwise required by Applicable Privacy Laws or SCCs:

-  This DPA is governed by New Zealand law

-  Disputes subject to exclusive jurisdiction of New Zealand courts

18.2 Regulatory Jurisdiction. Each party submits to jurisdiction of relevant data protection authorities for their respective obligations.

19. FINAL PROVISIONS

19.1 Amendment. This DPA may be amended only by written agreement, except for updates to Annexes with 30 days' notice.

19.2 Severability. Invalid provisions are severed without affecting the remainder of this DPA.

19.3 Language. English language version controls in case of translation conflicts.

19.4 Counterparts. This DPA may be executed in counterparts, including electronic signatures.

ANNEXES

Annex 1: End User Data
Annex 2: Description of Processing
Annex 3: Technical and Organizational Security Measures
Annex 4: List of Sub-processors (ask for the complete data processors list: [email protected])


This DPA incorporates by reference the Standard Contractual Clauses adopted by Commission Decision (EU) 2021/914 where applicable to the processing relationship.