DriftHR

Legal

Data Processing Agreement

Effective date: 28 April 2026 · Version 1.0

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Business” or “Controller”) and Loominfo Limited(NZBN 9429052682902, 17A Prictor Street, Papakura, Auckland, New Zealand — the “Processor”) for use of the DriftHR platform (the “Service”). It governs the processing of personal data carried out by the Processor on behalf of the Controller.

This DPA is required where the Controller is subject to the EU General Data Protection Regulation, the UK GDPR, the New Zealand Privacy Act 2020, or equivalent privacy laws. It applies automatically the moment you accept the Terms of Service and process personal data of EU/UK/NZ residents through the Service.

For paying customers who require a separately signed and counter-signed copy, email [email protected] with your business details and we will return an executed copy within 5 business days.

1. Definitions

Terms used here have the meanings given in Article 4 GDPR / equivalent. In particular:

  • Personal Data means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
  • Sub-processor means any third party engaged by the Processor to assist in providing the Service. The current list is at /legal/sub-processors.
  • Personal Data Breach has the meaning given in Article 4(12) GDPR.

2. Subject matter, duration, nature and purpose

  • Subject matter: the provision of the DriftHR platform to the Controller.
  • Duration: for as long as the Controller’s account remains active, plus the retention periods set out in our Privacy Policy.
  • Nature and purpose: hosting, storing, displaying, and otherwise processing personal data the Controller uploads or generates through the Service in order to provide the agreed Service to the Controller and its end users.
  • Categories of data subjects: the Controller’s end customers, staff members invited to the Controller’s account, and visitors to the Controller’s storefront.
  • Categories of personal data: contact details (name, email, phone), booking details, order details, shipping addresses, account credentials, business content, and technical data (IP, device, session). The Controller is responsible for not uploading special-category data unless required by their use case and lawful under applicable law.

3. Processor obligations (Article 28(3) GDPR)

The Processor will:

  1. Process only on documented instructions. The Processor will process Personal Data only on the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by Union, Member State, or New Zealand law to which the Processor is subject; in that case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
  2. Ensure confidentiality. The Processor ensures that personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate security measures taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Current measures are described in Privacy Policy §8 and the publicly available SECURITY.md.
  4. Engage Sub-processors only with the Controller’s prior authorisation. The Controller authorises the Processor to engage the Sub-processors listed at /legal/sub-processors. The Processor will inform the Controller of any intended changes to that list at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds. Where the Controller objects, the Processor will use reasonable efforts to make available an alternative; if no alternative is feasible, the Controller may terminate the affected portion of the Service with pro-rata refund of pre-paid fees.
  5. Assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
  6. Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor.
  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services and delete existing copies, unless Union, Member State, or New Zealand law requires storage of the Personal Data. Deletion proceeds within 30 days of account closure (longer for items required by tax or accounting law).
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits may be conducted no more than once per year except where there is reasonable suspicion of breach; reasonable cost reimbursement applies.

4. Security measures

Taking into account the state of the art, costs, and the nature of processing, the Processor implements appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.2+) for all connections.
  • Encryption at rest for credentials (bcrypt) and OAuth tokens (AES-256-GCM).
  • Encrypted database backups (AES-256 GPG symmetric).
  • Network-layer protection (AWS Shield Standard, AWS Global Accelerator).
  • Application-layer protection (nginx rate limits, fail2ban, CrowdSec).
  • Bot protection on public forms (Cloudflare Turnstile when configured).
  • Restricted SSH access to production (allowlisted IP, key-only auth).
  • Audit logging of pricing and subscription changes; operational logs retained at least 14 days.
  • Pinned dependencies with regular npm audit review.

Additional hardening is on the Processor’s pre-launch list and listed publicly in SECURITY.md. The Processor will update this DPA as new controls land.

5. Personal Data Breach notification

Where the Processor becomes aware of a Personal Data Breach affecting the Controller’s data, it will notify the Controller without undue delay and in any event within 72 hours of becoming aware. Notification will include, to the extent known:

  • The nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects and personal-data records concerned.
  • The likely consequences of the Personal Data Breach.
  • The measures taken or proposed to address the Personal Data Breach.
  • A point of contact (the Privacy Officer) for further information.

Notifying the Processor of a Breach does not relieve the Controller of its own notification obligations to supervisory authorities under Article 33 GDPR or to affected data subjects under Article 34 GDPR.

6. International transfers

The Service is hosted in AWS Asia Pacific (Mumbai). Where Personal Data is transferred outside the EU/EEA or UK, transfer is safeguarded by the European Commission’s Standard Contractual Clauses (Module 2: controller-to-processor) and the UK International Data Transfer Agreement, which are incorporated by reference into this DPA. Where required, supplementary measures (encryption in transit and at rest, restricted access) apply.

For data subjects in New Zealand, the Processor complies with Information Privacy Principle 12 of the Privacy Act 2020 by ensuring that overseas recipients are subject to comparable safeguards.

7. Sub-processors

The Controller authorises engagement of the Sub-processors at /legal/sub-processors. The Processor remains liable to the Controller for the performance of any Sub-processor.

8. Liability

The liability of each party under or in connection with this DPA is governed by the limitation of liability section in the Terms of Service. Nothing in this DPA limits liability for breach of mandatory data-protection law where such limitation is not permitted by that law.

9. Term and termination

This DPA takes effect on acceptance of the Terms of Service and continues for the term of the underlying agreement. On termination, the Processor will delete or return Personal Data per clause 3(g). Sections of this DPA which by their nature should survive termination will do so.

10. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the EU Standard Contractual Clauses (where they apply), the SCCs prevail.

11. Governing law

This DPA is governed by New Zealand law and subject to the exclusive jurisdiction of the courts of New Zealand sitting in Auckland, except that nothing in this clause limits the rights of EU/UK data subjects or supervisory authorities under their respective laws.

12. Contact

Privacy Officer: Kiran Pal Singh, [email protected]
Loominfo Limited, 17A Prictor Street, Papakura, Auckland, New Zealand
Company number: 9429052682902

Version 1.0.0-2026-04-28. To request a counter-signed PDF copy, email the Privacy Officer with your business legal name and registered address.