Data Processing Agreement
Effective date: 03 February 2026
Last updated: 03 February 2026
Provider: Netallion Limited (NZBN 9429051598730), Auckland, New Zealand ("Data Processor", "Netallion")
Privacy contact: [email protected]
1. Scope and purpose
This Data Processing Agreement ("DPA") supplements the Partner Terms of Service and governs the processing of personal data by Netallion on behalf of the partner ("Data Controller") when providing security scanning, monitoring, and reporting services through the Netallion Partner Program.
This DPA applies to all personal data processed in connection with customer onboarding, domain verification, vulnerability scanning, report generation, and related Partner Program activities.
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, and domain ownership records
- Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
- Sub-processor: a third party engaged by Netallion to process Personal Data on behalf of the Data Controller
- Data Subject: the individual to whom Personal Data relates
3. Data processing details
3.1 Categories of data subjects
- Partner employees and authorised users
- Partner customers' designated contacts
- Domain registrants and DNS administrators
3.2 Types of personal data processed
- Names and business email addresses
- IP addresses and domain names
- DNS records and domain ownership verification data
- Security scan results and vulnerability data
- Access logs and audit trails
3.3 Purpose of processing
- Customer onboarding and identity verification
- Domain ownership verification via DNS challenges
- Security scanning and vulnerability assessment
- Report generation and delivery
- Audit logging and compliance
4. Obligations of Netallion (Data Processor)
Netallion shall:
- process Personal Data only on documented instructions from the Data Controller, unless required by applicable law
- ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest
- assist the Data Controller in responding to Data Subject requests (access, rectification, erasure, portability)
- notify the Data Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach
- delete or return all Personal Data upon termination of the partnership, unless retention is required by law
- make available to the Data Controller all information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Data Controller provides general authorisation for Netallion to engage sub-processors. Netallion shall:
- maintain a list of current sub-processors, available upon request
- notify the Data Controller of any intended changes to sub-processors with at least 30 days' notice
- ensure sub-processors are bound by data protection obligations no less protective than those in this DPA
- remain liable for the acts and omissions of its sub-processors
5.1 Current sub-processors
- Google Cloud Platform (GCP): Infrastructure hosting, Cloud Run, Cloud SQL, Cloud Storage (Region: australia-southeast1)
- Keycloak (self-hosted on GCP): Identity and access management
- ZeptoMail: Transactional email delivery
6. International data transfers
Netallion primarily processes data within the Australia/New Zealand region. Where data is transferred outside this region, Netallion ensures appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms recognised under applicable data protection law.
7. Data retention
Personal Data is retained in accordance with Netallion's Data Retention Policy. Upon termination of the partnership, Netallion will delete partner and customer data within 90 days, unless a longer retention period is required by law or agreed in writing.
8. Security measures
Netallion implements the following security measures:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Multi-tenant data isolation with partner-scoped access controls
- httpOnly, Secure, SameSite cookie-based authentication
- Comprehensive audit logging of all privileged operations
- Regular security assessments and vulnerability scanning
- Role-based access control (RBAC) with principle of least privilege
9. Data subject rights
The Data Controller is responsible for responding to Data Subject requests. Netallion will assist the Data Controller by:
- providing tools and APIs to export or delete Personal Data
- responding to Data Controller instructions within 10 business days
- redirecting any direct Data Subject requests to the Data Controller
10. Audit rights
The Data Controller may audit Netallion's compliance with this DPA, subject to reasonable notice (at least 30 days), during business hours, and no more than once per calendar year. Netallion may provide independent third-party audit reports as an alternative to on-site audits.
11. Governing law
This DPA is governed by the laws of New Zealand. For partners subject to the EU General Data Protection Regulation (GDPR), the provisions of the GDPR shall prevail in the event of conflict.
12. Contact
Privacy: [email protected]
Partner Program: [email protected]
Related partner agreements: