Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between PurposeTech and our customers for the provision of volunteer management services.

Last updated: 1 April 2025

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data (typically, our customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (PurposeTech).
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Subject" means the individual whose Personal Data is being processed.
  • "Sub-processor" means any third party engaged by PurposeTech to process Personal Data.
  • "Applicable Data Protection Laws" means the New Zealand Privacy Act 2020, the EU General Data Protection Regulation (GDPR), and any other applicable data protection legislation.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by PurposeTech on behalf of the Customer in connection with the provision of our volunteer management services.

The nature and purpose of processing includes:

  • Managing volunteer registrations and profiles
  • Coordinating volunteer shifts and assignments
  • Communicating with volunteers on behalf of the Customer
  • Generating reports and analytics on volunteer activities
  • Processing any other data as instructed by the Customer

3. Obligations of PurposeTech as Processor

PurposeTech agrees to:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Only engage Sub-processors with the Customer's prior authorisation and under a written contract
  • Assist the Customer in responding to Data Subject requests
  • Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return all Personal Data at the end of the service relationship, at the Customer's choice
  • Make available all information necessary to demonstrate compliance with this DPA

4. Sub-processors

The Customer authorises PurposeTech to engage the Sub-processors listed on our Subprocessors page.

PurposeTech will:

  • Notify the Customer of any intended changes to Sub-processors
  • Give the Customer the opportunity to object to such changes
  • Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
  • Remain liable for the acts and omissions of its Sub-processors

5. International Data Transfers

PurposeTech may transfer Personal Data to countries outside New Zealand and the European Economic Area. When doing so, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries with adequate data protection laws
  • Other legally approved transfer mechanisms

6. Security Measures

PurposeTech implements appropriate technical and organisational measures including:

  • Encryption of Personal Data in transit and in some cases at rest
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Incident response and business continuity procedures
  • Staff training on data protection and security

For more details, please see our Security & Trust page.

7. Data Breach Notification

In the event of a Personal Data breach, PurposeTech will:

  • Notify the Customer without undue delay (and in any event within 72 hours where feasible)
  • Provide information about the nature of the breach, categories of data affected, and likely consequences
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Customer in investigating and mitigating the breach

8. Audits and Inspections

PurposeTech will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits and inspections conducted by the Customer or an appointed auditor, subject to reasonable notice and confidentiality obligations.

9. Term and Termination

This DPA remains in effect for the duration of our service agreement with the Customer. Upon termination, PurposeTech will, at the Customer's choice, delete or return all Personal Data and certify that it has done so, unless retention is required by law.

Request a Signed DPA

If you require a signed copy of this DPA for your records, please contact our Privacy Officer.

Questions about our Data Processing Agreement?

If you have any questions about this DPA, please contact us at privacy@purposetech.io