Partner Legal

Data Processing Agreement

Effective date: 03 February 2026

Last updated: 03 February 2026

Provider: Netallion Limited (NZBN 9429051598730), Auckland, New Zealand ("Data Processor", "Netallion")
Privacy contact: [email protected]

1. Scope and purpose

This Data Processing Agreement ("DPA") supplements the Partner Terms of Service and governs the processing of personal data by Netallion on behalf of the partner ("Data Controller") when providing security scanning, monitoring, and reporting services through the Netallion Partner Program.

This DPA applies to all personal data processed in connection with customer onboarding, domain verification, vulnerability scanning, report generation, and related Partner Program activities.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, and domain ownership records
  • Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
  • Sub-processor: a third party engaged by Netallion to process Personal Data on behalf of the Data Controller
  • Data Subject: the individual to whom Personal Data relates

3. Data processing details

3.1 Categories of data subjects

  • Partner employees and authorised users
  • Partner customers' designated contacts
  • Domain registrants and DNS administrators

3.2 Types of personal data processed

  • Names and business email addresses
  • IP addresses and domain names
  • DNS records and domain ownership verification data
  • Security scan results and vulnerability data
  • Access logs and audit trails

3.3 Purpose of processing

  • Customer onboarding and identity verification
  • Domain ownership verification via DNS challenges
  • Security scanning and vulnerability assessment
  • Report generation and delivery
  • Audit logging and compliance

4. Obligations of Netallion (Data Processor)

Netallion shall:

  • process Personal Data only on documented instructions from the Data Controller, unless required by applicable law
  • ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest
  • assist the Data Controller in responding to Data Subject requests (access, rectification, erasure, portability)
  • notify the Data Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach
  • delete or return all Personal Data upon termination of the partnership, unless retention is required by law
  • make available to the Data Controller all information necessary to demonstrate compliance with this DPA

5. Sub-processors

The Data Controller provides general authorisation for Netallion to engage sub-processors. Netallion shall:

  • maintain a list of current sub-processors, available upon request
  • notify the Data Controller of any intended changes to sub-processors with at least 30 days' notice
  • ensure sub-processors are bound by data protection obligations no less protective than those in this DPA
  • remain liable for the acts and omissions of its sub-processors

5.1 Current sub-processors

  • Google Cloud Platform (GCP): Infrastructure hosting, Cloud Run, Cloud SQL, Cloud Storage (Region: australia-southeast1)
  • Keycloak (self-hosted on GCP): Identity and access management
  • ZeptoMail: Transactional email delivery

6. International data transfers

Netallion primarily processes data within the Australia/New Zealand region. Where data is transferred outside this region, Netallion ensures appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms recognised under applicable data protection law.

7. Data retention

Personal Data is retained in accordance with Netallion's Data Retention Policy. Upon termination of the partnership, Netallion will delete partner and customer data within 90 days, unless a longer retention period is required by law or agreed in writing.

8. Security measures

Netallion implements the following security measures:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Multi-tenant data isolation with partner-scoped access controls
  • httpOnly, Secure, SameSite cookie-based authentication
  • Comprehensive audit logging of all privileged operations
  • Regular security assessments and vulnerability scanning
  • Role-based access control (RBAC) with principle of least privilege

9. Data subject rights

The Data Controller is responsible for responding to Data Subject requests. Netallion will assist the Data Controller by:

  • providing tools and APIs to export or delete Personal Data
  • responding to Data Controller instructions within 10 business days
  • redirecting any direct Data Subject requests to the Data Controller

10. Audit rights

The Data Controller may audit Netallion's compliance with this DPA, subject to reasonable notice (at least 30 days), during business hours, and no more than once per calendar year. Netallion may provide independent third-party audit reports as an alternative to on-site audits.

11. Governing law

This DPA is governed by the laws of New Zealand. For partners subject to the EU General Data Protection Regulation (GDPR), the provisions of the GDPR shall prevail in the event of conflict.

12. Contact

Privacy: [email protected]
Partner Program: [email protected]

Partner Data Processing Agreement | Netallion