GIWAHS — trading as Whaitiri Black Limited Whaitiri Black Limited · Review draft
/ GIWAHS Founder Vault · Review draft

GIWAHS Data Processing Addendum (DPA)

Document: 29 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified data-protection counsel (NZ, EU/UK, US, AU) before being countersigned with any Customer or attached to Founding Partner / Enterprise contracts. Effective Date: To be inserted on countersignature. Last Updated: To be inserted on publication. Cross-references: Docs 24 (Privacy Policy), 25 (Terms of Service), 26 (FP Terms), 28 (Cookie Policy), 30 (Security & IR Policy), 31 (Subprocessor Register).

This DPA forms part of the Agreement between Customer and GIWAHS. It governs the Processing of Personal Data carried out by GIWAHS as a Processor on behalf of Customer as Controller. Where Customer is acting as a Processor for an underlying Controller, this DPA applies on a back-to-back basis.


1. Definitions

In this DPA, capitalised terms have the meanings set out in the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, and the NZ Privacy Act 2020 (as applicable), and the following:

2. Roles and Scope

3. Customer Obligations

Customer warrants that: - it has obtained and will maintain all necessary lawful bases (including consents where required) for the Processing; - it has the right to transfer Customer Personal Data to GIWAHS; - its instructions to GIWAHS comply with Data Protection Laws; - it will not provide Personal Data to GIWAHS that is not strictly required for the purposes in Annex A; - it will respond, as Controller, to data-subject requests and supervisory-authority inquiries, with GIWAHS’s reasonable assistance under Section 8.

4. GIWAHS Obligations

GIWAHS will: - Process Customer Personal Data only on Customer’s documented instructions, except as required by applicable law (in which case GIWAHS will notify Customer in advance unless legally prohibited); - ensure that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations; - implement and maintain the technical and organisational measures described in Doc 30 (Security & Incident Response Policy) and Annex B of this DPA; - assist Customer, by appropriate technical and organisational measures, in fulfilling Customer’s obligations to respond to data-subject requests (Section 8); - assist Customer in ensuring compliance with the obligations under Articles 32–36 GDPR / UK GDPR (security, breach notification, DPIAs, prior consultation) taking into account the nature of Processing and information available to GIWAHS; - at Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services relating to Processing, and delete existing copies, unless storage is required by applicable law (Section 11); - make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, in accordance with Section 12.

5. Confidentiality

GIWAHS will keep Customer Personal Data confidential, treating it with the same standard of care it applies to its own confidential information of similar importance (and no less than a reasonable standard of care).

6. Subprocessors

6.1 General authorisation

Customer grants GIWAHS general authorisation to engage Subprocessors to Process Customer Personal Data, subject to this Section 6.

6.2 Current Subprocessors

The current list of Subprocessors is set out in Doc 31 (Subprocessor Register) and includes Stripe, Supabase, Resend, Cloudflare, Google Workspace, and OpenAI (where AI features are enabled per D-009 / D-010 — currently disabled at Platform level).

6.3 Changes

GIWAHS will give Customer at least 30 days’ prior notice (by email and/or in-app banner referencing the Subprocessor Register) of any intended addition or replacement of a Subprocessor. During that period, Customer may object on reasonable, documented data-protection grounds. If the parties cannot agree on a resolution within 30 days, Customer may terminate the affected portion of the Agreement, and GIWAHS will refund pre-paid, unused fees for the affected services.

6.4 Subprocessor obligations

GIWAHS will impose on each Subprocessor data-protection obligations no less protective than those in this DPA via written agreement, including the appropriate transfer mechanism (Section 7) where applicable.

6.5 Liability for Subprocessors

GIWAHS remains liable to Customer for Subprocessors’ performance of data-protection obligations to the same extent as if GIWAHS had Processed the Personal Data directly.

7. International Transfers

7.1 Mechanisms

Where Customer Personal Data is transferred to a country not deemed adequate by the European Commission, the UK Information Commissioner, the Swiss FDPIC, or the equivalent NZ authority, the parties will rely on, in this order of preference: 1. an adequacy decision for the destination country; 2. the EU Standard Contractual Clauses (Module 2 Controller-to-Processor or Module 3 Processor-to-Processor, as applicable), with Annex I (data exporter / importer), Annex II (technical and organisational measures — see Annex B and Doc 30), and Annex III (Subprocessors — see Doc 31) of the SCCs deemed completed by this DPA and its Annexes; the optional docking clause is included; the governing-law and forum options are Ireland; 3. the UK International Data Transfer Addendum for transfers from the UK, applied to the EU SCCs; 4. the Swiss addendum for transfers from Switzerland, with adjustments per FDPIC guidance.

7.2 NZ transfers

Where Customer Personal Data originating from New Zealand is transferred offshore, GIWAHS will rely on Information Privacy Principle 12 protections (foreign country with comparable safeguards or contractual safeguards equivalent to NZ Privacy Act 2020).

7.3 Supplementary measures

GIWAHS implements the supplementary technical and organisational measures described in Doc 30 (encryption in transit, encryption at rest, key management, access controls, audit logging, breach notification) to address risks identified in the EDPB Recommendations 01/2020.

8. Data-Subject Rights and Cooperation

GIWAHS will, taking into account the nature of Processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligations to respond to requests by data subjects to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection, automated-decision-making).

If GIWAHS receives a request directly from a data subject relating to Customer Personal Data, GIWAHS will, without undue delay, redirect the data subject to Customer and notify Customer.

9. Personal Data Breach Notification

9.1 Notification

GIWAHS will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. Notification will be made to the security or privacy contact on file for Customer.

9.2 Content

The notification will include, to the extent then known: - nature of the breach, categories and approximate number of data subjects and records concerned; - likely consequences; - measures taken or proposed to address the breach and mitigate adverse effects; - contact point for further information.

Where information is not available at notification time, GIWAHS will provide it in phases as soon as practicable.

9.3 Cooperation

GIWAHS will cooperate with Customer in meeting Customer’s notification obligations to supervisory authorities and data subjects.

9.4 No determination

GIWAHS’s notification of a Personal Data Breach is not an admission of fault or liability.

10. Data Protection Impact Assessments (DPIAs) and Prior Consultation

Taking into account the nature of Processing and information available to GIWAHS, GIWAHS will provide reasonable assistance to Customer with DPIAs and prior consultations with supervisory authorities under Articles 35 and 36 GDPR / UK GDPR, at Customer’s cost where the request exceeds standard cooperation.

11. Deletion and Return

11.1 On termination

On termination or expiry of the Agreement, GIWAHS will, at Customer’s election: - return Customer Personal Data in a structured, commonly used, machine-readable format; or - delete Customer Personal Data and all existing copies (including from active databases, backups, and Subprocessor systems).

11.2 Timing

Customer must make its election within 30 days of termination. Absent an election, GIWAHS will delete Customer Personal Data within 90 days of termination, subject to Section 11.3.

11.3 Retention exceptions

GIWAHS may retain Customer Personal Data: - in encrypted backups, until the relevant backup is rotated out per Doc 30 (typically within 35 days); - where required to comply with applicable law (e.g., 7-year tax/accounting retention for billing records); - where required to defend, exercise, or establish legal claims; - where retained as aggregated or de-identified data that no longer constitutes Personal Data.

Retained Personal Data remains subject to the obligations of this DPA.

12. Audits

12.1 Standard audits

GIWAHS makes available, on request, the following to demonstrate compliance with this DPA: - the most recent SOC 2 Type II or ISO 27001 reports (or equivalent independent assurance) for GIWAHS and material Subprocessors, once obtained; - penetration-testing summaries (current and historical); - the policies and procedures referenced in Doc 30; - a written response to Customer’s reasonable data-protection due-diligence questionnaires (annually).

12.2 On-site audits

Where the above information does not reasonably satisfy a legal audit obligation under Article 28(3)(h) GDPR / UK GDPR, Customer may, on 30 days’ written notice and not more than once per 12-month period, conduct an on-site audit at Customer’s cost, subject to: (a) reasonable scope; (b) Customer’s auditor signing customary confidentiality obligations; (c) no disruption of GIWAHS’s other customers; (d) coverage of GIWAHS facilities only (Subprocessor audits via Subprocessor’s own audit programme).

12.3 Regulatory audits

On request of a supervisory authority, GIWAHS will cooperate with audits required by that authority under applicable law.

13. Liability

The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement (Doc 25 §15), including the aggregate liability cap. Each party remains separately liable to data subjects under Article 82 GDPR / UK GDPR where applicable.

14. Term and Termination

This DPA takes effect on the Effective Date and continues for the duration of the Agreement, after which it terminates automatically, except that Sections 5, 9, 11, 12, 13, and 15 survive.

15. Order of Precedence; Conflicts

In the event of conflict between this DPA and any other part of the Agreement, this DPA prevails in matters of data protection. Where SCCs are applicable, the SCCs prevail over this DPA.

16. Governing Law and Jurisdiction

This DPA is governed by the law of New Zealand, except where mandatory EU/UK/Swiss law or the SCCs require otherwise. Jurisdiction follows the Agreement (Doc 25 §17).

17. Signatures

This DPA is countersigned by:

By executing the Agreement, Customer is deemed to have countersigned this DPA on behalf of itself and its affiliates with Whaitiri Black Limited as Processor.


Annex A — Description of Processing

Item Detail
Subject matter Provision of the GIWAHS Platform — fashion, product, and factory intelligence services.
Duration For the term of the Agreement, plus retention period in Section 11.3.
Nature and purpose Hosting Customer accounts; matching buyers and suppliers via RFQs and supplier profiles; processing membership subscriptions; transmitting transactional emails; supplier verification; analytics for service improvement (aggregated/de-identified); customer support.
Categories of data subjects Customer employees and authorised users; buyer organisation contacts; supplier organisation contacts; visitors who voluntarily submit data via forms.
Categories of Personal Data Identifiers (name, business email, account credentials hashed); contact info; organisation affiliation; role/title; billing metadata (no full card numbers); RFQ content and attachments; supplier verification documents; communications; usage and device data (Doc 24 §3).
Special categories Not intended. Customer is instructed not to upload special-category data. Any such data uploaded inadvertently is treated under Section 11.3.
Frequency of transfer Continuous, in real time, for the duration of the Agreement.
Retention Per Doc 24 §7 and Section 11.3 of this DPA.

Annex B — Technical and Organisational Measures (Summary)

The full technical and organisational measures are described in Doc 30 (Security & Incident Response Policy). The summary below is incorporated by reference into the SCCs Annex II.

Domain Measure
Pseudonymisation & encryption TLS 1.2+ in transit; AES-256 at rest; managed keys; tokenisation of sensitive identifiers where feasible.
Confidentiality Role-based access control; least-privilege principle; MFA on production systems; background checks for production engineers.
Integrity Row-level security in the database; audit logging of administrative actions; change-management with code review and CI checks.
Availability & resilience Daily encrypted backups (≥35-day retention); multi-AZ deployment; documented recovery procedures; uptime monitoring.
Testing and evaluation Regular dependency scanning, vulnerability scanning; penetration tests once independent assurance is in place; tabletop incident-response exercises annually.
Breach handling Incident response runbook; 72-hour customer notification commitment (Section 9).
Data minimisation Collect only what is required for the purposes in Annex A.
Data portability and erasure Self-service export and deletion through Customer’s account; service-role assisted deletion on request (Section 11).
Subprocessor management Listed in Doc 31; due-diligence intake; back-to-back data-protection terms.

Annex C — Subprocessors

See Doc 31 (Subprocessor Register).


End of Document 29.