How VETos processes personal information on your behalf, with AU/NZ/UK annexes.
Version: 1.0 · Last updated: 13 June 2026
This Data Processing Addendum (DPA) forms part of the VETos Master Subscription Agreement and applies wherever Supplier processes personal data, personal information or learner data within Customer Data.
1.1 The Customer is the controller (or the agency, in New Zealand terms) of personal data within Customer Data. Supplier is the processor, acting on the Customer's documented instructions.
1.2 The subject matter, nature, purpose and duration of processing, the categories of data subjects (including students and learners, staff and assessors) and the categories of personal data are described in Annex 1.
Supplier will:
2.1 process personal data only on the Customer's documented instructions, including in respect of international transfers, unless required by law to do otherwise (in which case Supplier will inform the Customer before processing, unless prohibited);
2.2 ensure persons authorised to process the data are bound by confidentiality obligations;
2.3 implement appropriate technical and organisational security measures, as described in Annex 2, including encryption in transit and at rest, access controls, logging, and secure development practices;
2.4 not engage a sub-processor without the general authorisation in clause 4, and flow down obligations no less protective than this DPA;
2.5 taking into account the nature of the processing, assist the Customer in responding to requests from individuals exercising their rights (access, correction, deletion and equivalents);
2.6 assist the Customer in meeting its security, breach notification and impact assessment obligations;
2.7 notify the Customer without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting Customer Data, providing the information the Customer reasonably needs to meet its own notification obligations;
2.8 at the Customer's election on termination, return or delete personal data within Customer Data (subject to legal retention requirements), and certify deletion on request; and
2.9 make available information reasonably necessary to demonstrate compliance with this DPA, and allow and contribute to audits, including by providing current third-party certifications and reports, and where those are insufficient, permitting an audit on reasonable notice, no more than once per year, at the Customer's cost.
3.1 Supplier will not use personal data within Customer Data, including AI inputs and Outputs, to train or improve any foundation or general-purpose AI model.
3.2 Sub-processing by third-party AI model providers is on a no-training, no-retention basis (or limited retention solely for abuse monitoring) as described in the sub-processor list.
4.1 The Customer gives general authorisation for the sub-processors named in the sub-processor list. Supplier will give at least 30 days' notice of any addition or replacement. The Customer may object on reasonable data protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Order Form and receive a pro-rata refund of prepaid, unused fees.
5.1 Supplier processes Customer Data in the hosting region(s) stated in the Order Form or Annex 1.
5.2 Transfers from the United Kingdom to New Zealand rely on the UK adequacy regulations for New Zealand. Transfers to any country without an applicable adequacy decision will be made only under an appropriate transfer mechanism (for the UK, an IDTA or the UK Addendum to the EU SCCs, with a transfer risk assessment where required).
A.1 Supplier will comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles in respect of personal information within Customer Data, and will not do anything that would cause the Customer to breach the APPs.
A.2 Supplier will notify the Customer in accordance with clause 2.7 of any eligible data breach or suspected eligible data breach under the notifiable data breaches scheme, and will reasonably assist the Customer's assessment and any OAIC and individual notifications.
A.3 Overseas disclosure of personal information will only occur in accordance with APP 8 and the transfer terms of this DPA.
B.1 Supplier will comply with the Privacy Act 2020 and the Information Privacy Principles in respect of personal information within Customer Data held as the Customer's agent.
B.2 Supplier will notify the Customer in accordance with clause 2.7 of any privacy breach that is or may be a notifiable privacy breach, and will reasonably assist the Customer's notifications to the Privacy Commissioner and affected individuals.
C.1 Part A of this DPA constitutes the contract terms required by Article 28(3) UK GDPR. Supplier will additionally comply with the Data Protection Act 2018 in respect of personal data within Customer Data.
C.2 If the UK adequacy regulations for New Zealand cease to apply, the parties agree that the IDTA template (available on request) automatically takes effect for affected transfers, populated with the details in Annex 1, pending any replacement mechanism.
| Item | Description |
|---|---|
| Subject matter | Provision of VETos and onboarding services |
| Duration | The Subscription Term plus the export and deletion window |
| Nature and purpose | Hosting, storage, content generation, compliance mapping, support |
| Data subjects | Students and learners, staff, assessors, Customer contacts |
| Categories of data | Names, contact details, enrolment and assessment records, learner progress data, identifiers such as the Unique Student Identifier (USI, Australia) and National Student Number (NSN, New Zealand), support communications |
| Special categories | VETos is not designed to process special-category or sensitive personal information. To the extent the Customer chooses to input any, it is handled as Customer Data under this Addendum; any known special-category data is identified in the applicable Order Form. |
| Hosting regions | Australia — Amazon Web Services, Sydney (ap-southeast-2) — with backups held within Australia. Cross-border processing applies only to AI inference where no regional endpoint is available for a required model (see the Sub-processors page). |
- Encryption of Customer Data in transit (TLS 1.2+) and at rest (AES-256, with keys managed in AWS Key Management Service);
- role-based, least-privilege access control with multi-factor authentication enforced for administrative access;
- logical separation of development, staging and production environments, with no production data used in non-production environments;
- centralised, tamper-resistant logging and monitoring, with audit logs retained for at least 12 months;
- vulnerability management and patching (critical patches within 48 hours), independent annual penetration testing, and continuous dependency and image scanning;
- multi-zone backups with point-in-time recovery and regular restoration testing;
- personnel vetting (including criminal-history checks for privileged roles), confidentiality obligations and annual security training; and
- a secure development lifecycle aligned to the OWASP Top 10 with peer review and automated testing.
Supahuman is not currently certified to ISO 27001 or SOC 2. Its information security management system is designed against ISO 27001 controls and the New Zealand Information Security Manual (NZISM), and is independently penetration-tested each year. The underlying hosting provider (Amazon Web Services, Sydney) holds ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS and IRAP (PROTECTED) certifications, which are inherited where applicable.
© Supahuman Limited (NZBN 9429050314928). All rights reserved.