Data Processing Addendum

This DPA governs how we process personal data on behalf of Financial Advice Providers

Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Use between Nuvano Limited ("Nuvano", "we", "us" or "our") and you ("Customer" or "FAP") and applies whenever Nuvano processes personal data on your behalf.

This DPA automatically applies to all FAPs using our Services and does not require separate signature. In case of any conflict between this DPA and the Terms of Use, this DPA will prevail for data processing matters.

Last updated: December 12, 2025


1. Definitions

Key terms used in this agreement

In this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person, including client names, contact details, financial information, KiwiSaver details, and questionnaire responses.

"Data Controller" means the FAP who determines the purposes and means of processing personal data.

"Data Processor" means Nuvano, who processes personal data on behalf of the Data Controller.

"Data Subject" means the individual to whom the personal data relates (typically your clients).

"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

"Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.


2. Relationship of the Parties

Our respective roles in data processing

2.1 Roles

You are the Data Controller with respect to personal data you provide to us. We are the Data Processor acting only on your documented instructions.

2.2 Processing Instructions

We will process personal data only as necessary to provide the Services in accordance with your instructions as set out in the Terms of Use and this DPA.

2.3 Compliance

Each party will comply with its respective obligations under the Privacy Act 2020 and any other applicable data protection laws.


3. Data Processing Details

What data we process and why

3.1 Categories of Data Subjects

  • Your clients receiving KiwiSaver advice
  • Prospective clients completing questionnaires
  • Your employees and advisers using the platform

3.2 Types of Personal Data

  • Names and contact information (email addresses, phone numbers)
  • Date of birth
  • Financial information and risk profiles
  • KiwiSaver account details
  • Questionnaire responses
  • Advice documentation

3.3 Processing Activities

  • Storing client information securely
  • Processing questionnaire responses
  • Generating advice recommendations
  • Creating Statements of Advice
  • Providing client portal access
  • Enabling communication between FAP and clients

3.4 Processing Duration

We process personal data for the duration of your subscription and as specified in Section 8 (Data Retention and Deletion).


4. Security Measures

How we protect personal data

We maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures are designed to provide a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing.

We may update our security measures from time to time as we consider necessary in light of evolving industry practices and emerging threats. Any such updates will not diminish the overall security of our processing.

You acknowledge that you are also responsible for maintaining appropriate security measures for the data you process and for protecting your access credentials to our platform.


5. Sub-processors

Third parties we use to help provide services

5.1 Use of Sub-processors

We engage third-party sub-processors to assist in providing our Services. These sub-processors may include cloud hosting providers, email delivery services, and data integration services.

5.2 Sub-processor Requirements

We ensure that any sub-processor we engage:

  • Is bound by data protection obligations no less protective than those in this DPA
  • Only processes personal data on our documented instructions
  • Implements appropriate technical and organisational security measures
  • Is located in jurisdictions that provide adequate data protection

5.3 Sub-processor Changes

We may update our sub-processors from time to time. Material changes that may significantly impact the security or processing of personal data will be notified to you via email or through our platform. Continued use of our Services after notification constitutes acceptance of new sub-processors.

5.4 Objection to Sub-processors

If you have reasonable grounds to object to a new sub-processor, you may terminate your subscription in accordance with our Terms of Use.


6. Security Incidents

What happens if there's a data breach

If we become aware of a Security Incident, we will inform you without undue delay and will provide reasonable information and cooperation so that you can fulfil any data breach reporting obligations you may have.

We will take reasonably necessary measures to remedy or mitigate the effects of the Security Incident and keep you informed of material developments.

Any notification or response to a Security Incident by us shall not be deemed an acknowledgement of any fault or liability regarding the incident.


7. Data Subject Rights

Helping you respond to client requests

We will assist you in fulfilling your obligations to respond to data subject requests, including:

  • Access: Providing copies of personal data we hold
  • Correction: Updating or correcting personal data
  • Deletion: Deleting personal data where required
  • Portability: Exporting data in a structured format
  • Restriction: Limiting processing where requested

We will respond to your requests for assistance within a reasonable time and provide the support necessary for you to meet your legal obligations.


8. Data Retention and Deletion

How long we keep data and what happens when you leave

8.1 During Subscription

We retain personal data for as long as necessary to provide the Services and as instructed by you.

8.2 After Termination

Upon termination of your subscription:

  • You have 30 days to export all data
  • We retain data for a total of 90 days to allow for reactivation
  • After 90 days, we securely delete all personal data
  • Some data may be retained if required by law

8.3 Your Obligations

You are responsible for determining appropriate retention periods based on your regulatory obligations (such as the 7-year requirement for financial advice records) and ensuring you export necessary data before termination.


9. International Data Transfers

When data goes overseas

We will not make any international transfer of personal data unless we have first ensured appropriate safeguards are in place as required by applicable data protection laws.

If international transfers become necessary, we will notify you and ensure appropriate mechanisms are in place, such as standard contractual clauses or adequacy decisions.


10. Your Obligations

What you need to do as the Data Controller

As the Data Controller, you must:

  • Ensure you have a lawful basis for processing personal data
  • Obtain necessary consents from data subjects
  • Provide privacy notices to your clients
  • Ensure the accuracy of data you provide to us
  • Comply with all applicable data protection laws
  • Only provide us with personal data necessary for the Services

You warrant that you have complied with all applicable laws in collecting and providing personal data to us.


11. Liability

Responsibility and limitations

Each party's liability under this DPA is subject to the limitations set out in the Terms of Use.

You acknowledge that we are reliant on you for direction as to the extent we are entitled to use and process personal data. Consequently, we will not be liable for any claim brought by a data subject arising from any action or omission by us, to the extent that such action or omission resulted from your instructions.


12. Changes to this DPA

How we update this agreement

We may update this DPA from time to time to reflect changes in law or our practices. We will notify you of any material changes at least 30 days before they take effect.

Continued use of our Services after changes means you accept the updated DPA.


13. Contact Information

How to reach us about data protection

For any questions about this DPA or our data processing activities, please contact us:

Nuvano Limited

Level 4, 125 Queen Street
Auckland Central 1010
New Zealand

Email: info@nuvano.co.nz
Phone: +64 9 242 4767