Data Processing Agreement
1. Nature of this document
1.1 This Data Processing Agreement (“DPA”) governs Millwater’s processing of Personal Information on behalf of a client in the course of providing the Services. It is incorporated into, and forms part of, the Services Framework Agreement (“SFA”) between Millwater Consulting Limited (“Millwater”) and the client (“Client”) by the incorporation clause of that SFA.
1.2 Where this DPA conflicts with the SFA on any matter concerning the processing of Personal Information, this DPA prevails. On all other matters the SFA prevails. A Statement of Work prevails over both only where it expressly says so.
2. Definitions
2.1 “Personal Information” means information about an identifiable individual, as defined in the Privacy Act 2020 (NZ). Where the Client or any data originates from a jurisdiction whose law uses the term “personal data” (including the EU/UK GDPR), “Personal Information” is read to include “personal data”, and references to the Privacy Act 2020 are read to include that applicable law. “Personal Information” has the same meaning as “Personal Data” where that term is used in the SFA.
2.2 “Agent” has the meaning given in section 11 of the Privacy Act 2020. Millwater processes Personal Information solely as the Client’s Agent. Where GDPR-style terminology applies, the Client is the “controller” and Millwater the “processor”.
2.3 “Processing” means any operation performed on Personal Information, including collecting, holding, storing, using, disclosing, transferring, and destroying.
2.4 “Sub-processor” means any third party engaged by Millwater to process Personal Information in the course of delivering the Services.
2.5 “Privacy Breach” has the meaning given in the Privacy Act 2020 — unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, Personal Information, or an action that prevents the Client from accessing it.
2.6 “Notifiable Privacy Breach” means a Privacy Breach that it is reasonable to believe has caused, or is likely to cause, serious harm — the threshold for notification to the Office of the Privacy Commissioner (“OPC”) and affected individuals under Part 6 of the Privacy Act 2020.
2.7 Terms not defined here have the meaning given in the SFA.
3. Roles and scope
3.1 The Client determines the purposes and means of processing. Millwater processes Personal Information only as the Client’s Agent and only to deliver the Services. Information held by Millwater solely as Agent is treated as held by the Client (s11 Privacy Act 2020), and Millwater does not use it for its own purposes.
3.2 The subject matter, duration, nature, and purpose of the processing, the types of Personal Information, and the categories of individuals are determined by the Services as described in the SFA and each SOW.
3.3 Millwater processes Personal Information only on the Client’s documented instructions (including those in the SFA, an SOW, or a written change request), unless required to do otherwise by law — in which case Millwater notifies the Client before processing, where lawful to do so.
3.4 If Millwater considers an instruction breaches the Privacy Act 2020 or other applicable privacy law, it will inform the Client; Millwater is not obliged to act on an instruction it reasonably believes is unlawful.
4. Client obligations and warranties
4.1 The Client warrants that it has the lawful authority to provide the Personal Information to Millwater for processing, and that it has obtained all authorisations, consents, and notices required under applicable privacy law — including, where the Client acts as a reseller or intermediary, the necessary authority from any End Client and from the individuals whose information is processed.
4.2 The Client’s instructions to Millwater comply with applicable privacy law. The Client is responsible for the accuracy, quality, and legality of the Personal Information and the means by which it was obtained.
4.3 The Client indemnifies Millwater against any claim, loss, fine, or liability arising from a breach of the warranties in clauses 4.1–4.2, including any claim by an End Client, an individual, or a regulator that Personal Information was processed without proper authority. This indemnity is not subject to the limitation of liability cap in the SFA. (This mirrors and is additional to the Client privacy-authority warranty in the SFA data-protection clause.)
5. Millwater obligations
5.1 Confidentiality. Millwater ensures that personnel authorised to process the Personal Information are bound by confidentiality obligations and process it only as needed to deliver the Services.
5.2 Security. Millwater implements appropriate technical and organisational measures to protect Personal Information against a Privacy Breach, commensurate with the sensitivity of the data and the state of the art, including: access control on a least-privilege basis; encryption in transit and at rest where appropriate; secrets held in a managed secret store, not in code or environment variables; audit logging; and segregation of each client’s data.
5.3 Assistance — individual rights. Taking into account the nature of the processing, Millwater assists the Client (by appropriate technical and organisational measures, so far as practicable) to respond to requests by individuals to access or correct their Personal Information (IPP 6 and IPP 7), and to meet the Client’s other obligations under the Privacy Act 2020.
5.4 Assistance — compliance. Millwater provides the Client, on reasonable request, with the information necessary to demonstrate compliance with this DPA, and assists the Client with privacy impact assessments and consultation with the OPC where the processing is likely to result in serious risk.
5.5 Records. Millwater maintains records of the categories of processing carried out on the Client’s behalf sufficient to meet its obligations under this DPA.
6. Sub-processors
6.1 The Client gives general authorisation for Millwater to engage Sub-processors to deliver the Services. The current categories and named Sub-processors are listed in Annex A and on the Millwater website. The Client authorises those listed at the Effective Date.
6.2 Millwater gives the Client at least 10 business days’ notice (by updating the website list and, on request, by email) before adding or replacing a Sub-processor that processes Personal Information. The Client may object on reasonable, privacy-related grounds within that period; if the parties cannot resolve the objection, the Client may terminate the affected Services without penalty for the unaffected work.
6.3 Millwater imposes on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to the Client for each Sub-processor’s acts and omissions in processing Personal Information as if they were Millwater’s own.
7. Cross-border processing (IPP 12)
7.1 The Client acknowledges and authorises that the Services may involve processing Personal Information outside New Zealand — including by cloud infrastructure and AI Sub-processors hosted overseas, and by Millwater personnel located overseas (see Annex A).
7.2 Where Personal Information is processed outside New Zealand, Millwater ensures, consistent with IPP 12 of the Privacy Act 2020, that the overseas recipient is required to protect the information with safeguards comparable to those under the Privacy Act 2020 — through the contractual obligations imposed under clause 6.3, the recipient’s own compliance with comparable privacy law, or both.
7.3 The Client remains responsible, as the agency disclosing the information, for ensuring any onward authority it requires (including from End Clients) extends to overseas processing.
8. Privacy breach
8.1 Millwater notifies the Client without undue delay, and in any event within 72 hours, of becoming aware of a Privacy Breach affecting Personal Information it processes for the Client.
8.2 The notification includes, so far as known: the nature of the breach, the categories and approximate volume of Personal Information and individuals affected, the likely consequences, and the measures taken or proposed to address it and mitigate harm.
8.3 Millwater assists the Client in assessing whether the breach is a Notifiable Privacy Breach and in meeting the Client’s notification obligations to the OPC and affected individuals under Part 6 of the Privacy Act 2020. As between the parties, the Client is responsible for deciding whether and how to notify regulators and individuals, unless the parties agree otherwise.
9. Return and deletion
9.1 On termination or expiry of the Services, or on the Client’s earlier written request, Millwater returns or securely deletes the Personal Information it processes for the Client (at the Client’s election), and deletes existing copies, unless retention is required by law.
9.2 Millwater may retain Personal Information to the extent and for the period required by law or by its routine backup cycle, during which it remains subject to this DPA and is processed only for the purpose of, and to the extent of, that requirement.
10. Audit
10.1 Millwater makes available, on reasonable written request and no more than once a year (or following a Privacy Breach), the information reasonably necessary to demonstrate compliance with this DPA. Any audit is at the Client’s cost, on reasonable notice, during business hours, subject to confidentiality, and must not unreasonably disrupt Millwater’s operations or compromise other clients’ data.
11. Liability, term, governing law
11.1 Liability under this DPA is subject to the limitation of liability in the SFA, except for the Client indemnity in clause 4.3, which is not subject to the cap.
11.2 This DPA takes effect when the SFA is signed and continues for as long as Millwater processes Personal Information for the Client.
11.3 This DPA is governed by the laws of New Zealand and is subject to the dispute resolution and jurisdiction clauses of the SFA.
Annex A — Sub-processors (current)
Maintained current at millwater.consulting/data-processing-agreement.
| Category | Sub-processor(s) | Purpose | Region / Location |
|---|---|---|---|
| Cloud infrastructure & hosting | Google LLC; Amazon Web Services; Microsoft Azure | Hosting, compute, storage, data warehousing | Global; configurable per customer request where possible |
| Content delivery & edge security | Google; Cloudflare; Akamai | CDN, DDoS protection, edge security | Global; configurable per customer request where possible |
| AI / model processing | Anthropic, PBC; OpenAI; Google LLC | LLM / generative-AI processing | Global; configurable per customer request where possible |
| Data integration | Scoped per engagement | Source-system data integration | As defined in the applicable MSA, SFA, or SOW |
| Millwater personnel | Millwater team members | Delivery of the Services | United States; Australia; New Zealand; India; Singapore; South Africa |
No single processing region is fixed by this Annex. Where a customer requires data residency in a particular region, Millwater will configure the relevant sub-processor(s) to that region where the sub-processor and the Services support it, as agreed in the applicable MSA, SFA, or SOW.



