1. Purpose and roles
1.1 These Data Processing Terms apply where SignalTo Processes Personal Information contained in Customer Data on behalf of the Customer in order to provide the Services.
1.2 As between the parties, the Customer is responsible for the Personal Information in the Customer Data and the purposes for which it is Processed. SignalTo Processes that Personal Information only on the Customer’s documented instructions, which include these terms, the Terms of Service, and the Customer’s use and configuration of the Services. If SignalTo believes an instruction breaches the Privacy Act 2020 or other applicable privacy law, it will tell the Customer.
1.3 Each party will comply with its own obligations under the Privacy Act 2020 and any other privacy law that applies to it.
2. SignalTo’s obligations
SignalTo will:
(a) Process Customer Personal Information only as needed to provide the Services and as instructed by the Customer, and not for its own independent purposes;
(b) take reasonable security safeguards appropriate to the nature of the Personal Information to protect it against loss and against unauthorised access, use, modification, or disclosure;
(c) ensure that personnel authorised to Process the Personal Information are subject to appropriate confidentiality obligations;
(d) assist the Customer, taking into account the nature of the Processing and the information available to SignalTo, to respond to requests from individuals exercising their rights under the Privacy Act 2020, and to meet the Customer’s own privacy obligations including security and breach notification; and
(e) make available the information reasonably necessary to demonstrate compliance with these terms.
3. Subprocessors
3.1 The Customer authorises SignalTo to engage the Subprocessors listed in the Subprocessor list to Process Customer Personal Information.
3.2 SignalTo will impose data protection obligations on each Subprocessor that are materially consistent with these terms, and remains responsible to the Customer for each Subprocessor’s performance of those obligations.
3.3 SignalTo will keep the Subprocessor list current. Where it intends to add or replace a Subprocessor in a way that materially changes the Processing, it will update the list. A Customer who reasonably objects to a new Subprocessor on legitimate data protection grounds may raise that objection with SignalTo, and the parties will work in good faith to address it; if it cannot be resolved, the Customer may terminate the affected Services.
4. Overseas Processing
The Customer acknowledges that some Subprocessors are located outside New Zealand and that Customer Personal Information may be Processed overseas. SignalTo will take reasonable steps, consistent with Information Privacy Principle 12, to ensure that Personal Information disclosed overseas is subject to comparable safeguards to those required under the Privacy Act 2020.
5. Security incidents and breaches
5.1 SignalTo will notify the Customer without undue delay after becoming aware of a privacy breach affecting Customer Personal Information.
5.2 The notification will describe, to the extent known, the nature of the breach, the information affected, the likely consequences, and the measures taken or proposed in response, and SignalTo will provide reasonable further information as it becomes available.
5.3 SignalTo will take reasonable steps to contain and remediate the breach. Where the Customer is the agency required to assess and notify a notifiable privacy breach under the Privacy Act 2020, SignalTo will provide reasonable cooperation to support that assessment and any notification.
6. Assistance and audit
6.1 On reasonable written request, and no more than once in any twelve-month period unless required by a regulator or following a breach, SignalTo will provide the Customer with information reasonably necessary to confirm SignalTo’s compliance with these terms.
6.2 Where documentation is not sufficient to address a specific, reasonable concern, the Customer may request a limited audit, conducted on reasonable notice, during business hours, in a way that does not disrupt SignalTo’s operations or compromise the confidentiality or security of other customers’ data, and at the Customer’s cost.
7. Return and deletion
On termination of the Services, or on the Customer’s written request, SignalTo will delete or return the Customer Personal Information it Processes on the Customer’s behalf, except to the extent it is required to retain a copy by law or holds it in routine backups that are deleted in the ordinary course. Anonymised and aggregated information that no longer identifies an individual is not subject to this clause.
8. Overseas privacy law
If a Customer is subject to a privacy law outside New Zealand that requires specific processor terms (such as the EU or UK General Data Protection Regulation), the parties will, on request, enter into a reasonable addendum reflecting the required terms, and these terms will be read to give effect to that intent in the meantime.
9. Order of precedence
If these Data Processing Terms conflict with the Terms of Service on the handling of Personal Information, these terms prevail to the extent of the conflict.