Data Processing Addendum

2.1 Roles

You are the Data Controller with respect to personal data you provide to us. We are the Data Processor acting only on your documented instructions. For the purposes of the Privacy Act 2020, we act as your agent in respect of any Personal Data processed through the Services, meaning you (as principal) are treated as holding that information.

2.2 Processing Instructions

We will process personal data only as necessary to provide the Services in accordance with your instructions as set out in the Terms of Use and this DPA.

2.3 Compliance

Each party will comply with its respective obligations under the Privacy Act 2020 and any other applicable data protection laws.

2.4 Financial Advisers Operating Under Another FAP

If you are a financial adviser operating under another FAP's licence (your Engaging FAP), you acknowledge that:

• Your Engaging FAP may be the Data Controller for client data under privacy law
• You are responsible for ensuring your use of our Services complies with your Engaging FAP's data handling policies
• We process data on your instructions, but this does not determine who is the Data Controller under privacy law
• We may provide information to your Engaging FAP to the extent required for their regulatory oversight obligations, as described in Section 4.5 of our Terms of Use

3.1 Categories of Data Subjects

• Your clients receiving KiwiSaver advice
• Prospective clients completing questionnaires
• Your employees and advisers using the platform

3.2 Types of Personal Data

• Names and contact information (email addresses, phone numbers)
• Date of birth
• Financial information and risk profiles
• KiwiSaver account details
• Questionnaire responses
• Advice documentation

3.3 Processing Activities

• Storing client information securely
• Processing questionnaire responses
• Generating advice recommendations
• Creating Statements of Advice
• Providing client portal access
• Enabling communication between FAP and clients

3.4 Processing Duration

We process personal data for the duration of your subscription and as specified in Section 8 (Data Retention and Deletion).

5.1 Use of Sub-processors

We engage third-party sub-processors to assist in providing our Services. These sub-processors may include cloud hosting providers, email delivery services, and data integration services.

5.2 Sub-processor Requirements

We ensure that any sub-processor we engage:

• Is bound by data protection obligations no less protective than those in this DPA
• Only processes personal data on our documented instructions
• Implements appropriate technical and organisational security measures
• Is located in jurisdictions that provide adequate data protection

5.3 Sub-processor Changes

We may update our sub-processors from time to time. Material changes that may significantly impact the security or processing of personal data will be notified to you via email or through our platform. Continued use of our Services after notification constitutes acceptance of new sub-processors.

5.4 Objection to Sub-processors

If you have reasonable grounds to object to a new sub-processor, you may terminate your subscription in accordance with our Terms of Use.

8.1 During Subscription

We retain personal data for as long as necessary to provide the Services and as instructed by you.

8.2 After Termination

Upon termination of your subscription:

• You have 30 days to request a copy of your data or request deletion
• We will provide a copy of your data upon request (reasonable costs may apply)
• We will use reasonable efforts to delete your data upon request
• Some data may be retained if required by law

8.3 Your Obligations

You are responsible for determining appropriate retention periods based on your regulatory obligations (such as the 7-year requirement for financial advice records) and ensuring you export necessary data before termination.