
Integration Glue Data Processing Agreement (DPA)

This Agreement governs the specific requirements of Data Protection Laws for the use of Integration Glue Services

 

Last modified: April 16th, 2025

This Data Processing Agreement ("Agreement") forms part of the Contract for Services under Integration Glue Terms and Conditions (the "Principal Agreement") between Integration Glue Limited, 14 Jervois road, Auckland, New Zealand, Company identification number NZBN-9429050781836 (referred to as the "Processor") and the Company using Integration Glue's services (referred to as the "Company").

This Agreement governs the specific requirements of Data Protection Laws to the extent that Company’s use of Integration Glue Services implies the processing of Personal Data subject to Data Protection Laws.

This Agreement is complementary to our Privacy Policy and forms an integral part of the main service agreement, which serves as the primary reference for our data protection practices and measures.

The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.


WHEREAS

A) The Company acts as a Data Controller (the "Controller").

B) The Company wishes to subcontract certain Services (as defined below), which imply the processing of Personal Data, to Integration Glue, acting as a Data Processor (the "Processor").

C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and other applicable data protection laws.

D) The Parties wish to lay down their rights and obligations.


IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1) "Agreement" means this Data Processing Agreement and all Schedules;

1.2) "Company Personal Data" means any Personal Data related to the Company or Company’s customers, prospects or employees Processed in connection with the Principal Agreement;

1.3) "Contracted Processor" means a Subprocessor;

1.4) "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.5) "EEA" means the European Economic Area;

1.6) "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.7) "GDPR" means EU General Data Protection Regulation 2016/679;

1.8) "Data Transfer" means:

  • 1.8.1) a transfer of Company Personal Data from Controller to the Processor or a Contracted Processor; or
  • 1.8.2) an onward transfer of Company Personal Data from the Processor to a Subprocessor, or between two establishments of a Subprocessor;

1.9) "Services" means online secure services provided by the Processor, such as apps, integrations, migrations and other services as developed by the Processor. The details and pricing of the Services can be found on the Processor’s website.

1.10) "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of Controller in connection with the Agreement.

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR or other applicable Data Protection Law, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

Processor shall:

2.1) comply with all applicable Data Protection Laws in the Processing of Company Personal Data;

2.2) process Company Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law or other applicable law to which the Processor is subject. The Controller's documented instructions include:
    a) The terms of this Agreement and the Principal Agreement;
    b) The Controller's configuration and use of the Services; and
    c) Any other written instructions provided by the Controller that are consistent with the terms of this Agreement and the Principal Agreement.

Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

Where Processor is required by applicable law to process Company Personal Data outside the documented instructions of the Controller, Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Processor clarifies that while Company Personal Data is processed by the Services as instructed by the Controller, no Company Personal Data is permanently stored or retained by the Processor beyond the extent necessary for the configuration of any integrations and the transient processing required to facilitate the integration and data transfer between the Company's platforms.

The Processor's role is to transmit and facilitate the flow of data according to the Company's configuration and use of the Services, and it does not maintain a persistent repository of this data once the processing is complete for the specific integration task.

Data retention and storage remain the responsibility of the integrated platforms as determined by the Company (Controller).

Controller instructs Processor to process Company Personal Data to:

2.3) provide the Services and related technical support;

2.4) fulfil legal obligations or resolve disputes;

2.5) exercise any internal task aimed to optimise the security, privacy, confidentiality and functionalities of the Services;

2.6) exercise internal reporting, financial reporting and other similar internal tasks.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and/or to comply with Data Protection Laws and other relevant legislation in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

The Processor will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Company Personal Data against unauthorized or accidental access, loss, alteration, disclosure, or destruction, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with Article 32(1) of the GDPR, with the aim of ensuring the security, confidentiality, integrity, and availability of Company Personal Data.

The Processor shall also assess the risks associated with processing activities and apply measures that are consistent with the requirements set forth in Article 32(1) GDPR, ensuring the security of Company Personal Data at all times.

5. Subprocessing

Subject to this Agreement, the Company grants general authorization to the Processor to engage Subprocessors and disclose or transfer Company Personal Data to them. The Company acknowledges and approves the list of Subprocessors outlined in the Processor’s Privacy Policy, understanding that this list may be updated by the Processor regularly, in which case the Company shall be informed by the Processor according to the Privacy Policy notification process. Furthermore, the Company authorizes the Processor to disclose and transfer Personal Data to any company within its corporate group.

Processor ensures that Subprocessors are subject to an agreement with Processor no less restrictive and protective than the present Agreement with respect to the protection of Company Personal Data to the extent applicable to the nature of the services provided by the Subprocessor.

6. Data Subject Rights

Taking into account the nature of the processing, Processor shall reasonably assist Company in the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller for the fulfilment of the Controller's obligations to respond to requests from Data Subjects to exercise their rights under Data Protection Laws.

Processor shall:

6.1) promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2) ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws. This may include, insofar as possible and taking into account the nature of the processing, implementing appropriate technical and organizational measures to assist the Controller in responding to requests for access, rectification, erasure, restriction of processing, data portability, and to object.

7. Personal Data Breach

The Processor shall manage any Personal Data Breach in compliance with applicable Data Protection Laws and its internal Personal Data Breach procedures.

The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data. The notification shall provide the Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under applicable Data Protection Laws.

The Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach. This notification will include, at a minimum, a description of the nature of the breach (including categories and approximate number of Data Subjects and data records concerned, where possible), the likely consequences, and the measures taken or proposed to be taken to address the breach.

Each party shall bear the costs of the investigation, remediation, mitigation, and other related costs to the extent a Data Breach is caused by such party.

Each party shall bear the costs of any fines, penalties, damages, or other related amounts imposed by an authorized regulatory body, governmental agency, or court of competent jurisdiction to the extent arising from such party’s breach of its obligations under this Agreement.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Company Personal Data

In case of cessation of any Service involving the Processing of Company Personal Data, the Processor shall delete all Company Personal Data to the extent permitted by applicable laws and in accordance with Processor’s Terms and Conditions and Privacy Policy. Should the Company require a copy of their data, they must request it before the deletion of their account; requests made after the account has been deleted can no longer be considered.

10. Audit rights

Subject to this section 10, Processor shall make available to Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of the Company Personal Data by the Contracted Processors. Company shall not exercise its audit rights more than once per calendar year except following a Personal Data Breach or an instruction by a regulatory authority. Company shall give Processor at least sixty (60) days’ prior written notice of its intention to audit Processor pursuant to this Agreement. The audit shall be conducted during Processor’s business hours, shall not disrupt Processor’s operations and shall ensure the protection of the Company’s, Processor’s and other Data Subjects’ Personal Data. Processor and Company shall mutually agree in advance on the date, scope, duration and security and confidentiality controls applicable to the audit. Company acknowledges that the signing of a non-disclosure agreement may be required by the Controller prior to the conduct of the audit.

Information and audit rights of Company only arise under section 10 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1. To the extent possible, the Processor shall primarily process and store Data within New Zealand, the European Union (EU), the European Economic Area (EEA), or countries subject to an adequacy decision by the European Commission under Article 45 GDPR or recognized as adequate under the New Zealand Privacy Act 2020 (collectively, "Permitted Jurisdictions").

11.2. If Personal Data processed under this Agreement is transferred from a Permitted Jurisdiction to a country outside this scope (a "Third Country"), the Parties shall ensure that the Personal Data remains adequately protected in accordance with Data Protection Laws.

11.3. To achieve adequate protection for such transfers to Third Countries, the Parties shall rely on appropriate safeguards recognised under Data Protection Laws, which include, where applicable: (a) the EU-approved Standard Contractual Clauses (SCCs), potentially supplemented by the UK's International Data Transfer Addendum or equivalent clauses applicable under relevant Data Protection Laws; (b) for transfers to certified organizations in the United States, the EU-US Data Privacy Framework; or (c) other valid transfer mechanisms or derogations recognised under applicable Data Protection Laws.

11.4. Processor is authorized to perform transfers of Personal Data to Subprocessors located in Third Countries provided that one of the adequate safeguards mentioned in clause 11.3 (or an equivalent safeguard recognised under applicable Data Protection Laws) is implemented between the Processor and the Subprocessor concerning the relevant transfer.

12. General Terms

Compliance with Applicable Laws. Processor will process Company Personal Data in accordance with this Agreement and Data Protection Laws applicable to its role under this Agreement. Processor is not responsible nor liable for complying with Data Protection Laws solely applicable to Company by virtue of its business or industry.

Confidentiality. Each party must keep any information it receives about the other party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other party except to the extent that:

(a) disclosure is required by law;

(b) the relevant information is already in the public domain through no fault of the Parties.

Notices. All notices and communications given under this Agreement must be in writing and will be sent by email. Controller shall be notified by email sent to the address related to its use of the Services under the Principal Agreement. Processor shall be notified by email sent to the address: security@integrationglue.com

Governing Law and Jurisdiction. This Agreement shall be governed by New Zealand law, without regard to the choice or conflicts of law provisions of any jurisdiction to the contrary, and disputes, actions, claims or causes of action arising out of or in connection with this Agreement, an order form, any document incorporated by reference, Integration Glue, or the Services shall be subject to the exclusive jurisdiction of Auckland, New Zealand.

In case of discrepancy between the English version of these Terms and any translated version, the English version shall prevail.

Annex 1: Details of Processing

A. Processing Activities

  • Subject matter of the processing: Data will be processed by Integration Glue to facilitate data integration and workflow automation between the Company's connected platforms, as described in the Principal Agreement and the Services. This involves the temporary transit and transformation of data between these platforms.
  • Nature and purpose of the processing: The processing activities performed by Integration Glue include:
    • Data Extraction: Retrieving data from the Company's source platforms as instructed by the Company.
    • Data Transformation: Modifying the format, structure, or content of the data to ensure compatibility between the connected platforms.
    • Data Routing: Transferring the transformed data to the Company's designated destination platforms.
    • Monitoring and Logging: Generating logs for the purposes of tracking data integration processes and troubleshooting.
    • Orchestration of Automated Workflows: Executing automated tasks and data flows defined by the Company within the Integration Glue service.
    • Temporary Buffering: Short-term storage of data in transit as necessary to complete the processing and transfer between systems. It is understood that this is transient and data is not persistently stored within Integration Glue's own platform.
  • Duration of the processing: For the duration of the Principal Agreement between the Company and Integration Glue. Specific processing instances will occur as triggered by the Company's configurations and use of the Services.
  • Categories of data subjects: The personal data processed relates to the categories of data subjects as determined and controlled by the Company within its connected platforms. This may include, but is not limited to, the Company’s:
    • End users (including customers, prospects, and contractors).
    • Employees.
    • Other individuals whose personal data resides in and is processed between the Company's connected platforms.
  • Categories of personal data processed: The categories of personal data processed are determined at the discretion of the Company and depend on the data exchanged between the connected platforms using the Integration Glue Services. This may include, but is not limited to:
    • Personal details and contact information: Name, address, email address, title, position, contact information, phone numbers.
    • Technical data: IP address, unique user IDs (such as cookie IDs), user identifiers, API Key, Access Token, API Logs, Browser Footprint, MAC Address.
    • Behavioral data: Product usage (page views, clicks, browsing behavior).
    • Documents and Content: Documents, images, and content transferred between platforms which may contain any type of Personal Data.
    • Integration Configuration Data: Includes the necessary keys, authorisation and settings to establish and maintain connections between the Company's platforms, enabling the potential transfer and processing of data (which may include Personal Data) as instructed by the Company.
  • Sensitive categories of personal data processed (if applicable): Integration Glue acknowledges that the Company is responsible for ensuring that no sensitive or special categories of personal data (as defined under Data Protection Laws) are processed through the Services unless explicitly agreed upon and with appropriate safeguards in place. Given the nature of the Services as an integration platform, the potential for processing sensitive data depends entirely on the Company's connected systems and configurations, but Integration Glue itself does not seek to capture or retain such data within its own platform. If sensitive data is processed, the Company is responsible for ensuring appropriate legal bases and security measures are in place within their own systems.

Annex 2: International Data Transfer Safeguards

Personal Data will primarily be processed and stored within Permitted Jurisdictions.

For any transfers of Personal Data to Third Countries (outside Permitted Jurisdictions), the Parties will ensure adequate protection in accordance with Data Protection Laws.

Such safeguards may include EU-approved Standard Contractual Clauses (SCCs), potentially supplemented by the UK's International Data Transfer Addendum, or, for transfers to certified organizations in the United States, the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US DPF, or other valid transfer mechanisms recognized under applicable Data Protection Laws.