Excelin Systems - The operational technology division of Excelin Web Limited.
Home/Data Processing Addendum

Data Processing Addendum

General data processing terms for client projects where Excelin Web Limited processes personal information on behalf of a client.

Contact Us
Last updated15 May 2026
CompanyExcelin Web Limited
JurisdictionNew Zealand

This page is intended as a clear public statement for website visitors and clients. It should be read together with any signed agreement, proposal, statement of work, or policy schedule that applies to a specific engagement.

1. Purpose And Application

This Data Processing Addendum, or DPA, sets out general terms that may apply when Excelin Web Limited processes personal information on behalf of a client while delivering design, development, hosting, support, automation, analytics, integration, or managed technology services.

This DPA is intended to support clear privacy and security responsibilities. It becomes binding only when incorporated into a signed agreement, proposal, statement of work, or other written arrangement between Excelin and a client. If a signed client agreement includes different data processing terms, that agreement will control for the relevant engagement.

2. Roles

The client is usually the organisation that determines why and how client personal information is processed. In that role, the client is responsible for having a lawful basis to collect and use the information, giving required notices, handling individual rights requests, and deciding what data should be supplied to the system.

Excelin usually acts as a service provider or processor for client personal information processed inside systems we build, host, maintain, or support. We process that information to provide the agreed services and according to documented client instructions, unless required by law to do otherwise.

3. Processing Instructions

Client instructions may be documented in the statement of work, system configuration, support requests, access permissions, integration settings, data migration plans, or other written communications. We may ask for clarification if an instruction is unclear, technically impractical, inconsistent with the agreed service, or likely to create legal, security, or operational risk.

We will not intentionally use client personal information for unrelated purposes. We will not sell client personal information. We will not use client operational data to train public AI models unless the client expressly agrees in writing.

4. Confidentiality And Personnel

We limit access to client personal information to personnel, contractors, and providers who need it to deliver or support the agreed services. People with access are expected to handle information confidentially and follow reasonable security practices.

Clients should also limit the personal information they provide to what is necessary for the service. Highly sensitive information, regulated data, credentials, and production exports should be shared only through agreed secure methods.

5. Security Measures

We will use reasonable technical and organisational measures appropriate to the nature of the service, the data involved, and the agreed scope. Measures may include access control, authentication, encryption in transit, provider security features, backups, logging, environment separation, vulnerability management, and least-privilege access.

Security measures are shared responsibilities. The client remains responsible for user access decisions, account hygiene, endpoint security, third-party provider accounts controlled by the client, data classification, and internal policies.

6. Subprocessors And Third-Party Providers

We may use subprocessors and third-party providers for hosting, databases, storage, email, analytics, authentication, payments, backups, project management, support, monitoring, AI assistance, or other services needed to deliver the engagement. We choose providers that we believe are appropriate for the service and data involved.

Where a client requires approval of specific subprocessors, data locations, or provider terms, those requirements should be documented in the client agreement. If the client directs us to use a provider, the client is responsible for maintaining its account and accepting that provider's terms unless otherwise agreed.

7. International Processing

Client personal information may be processed in New Zealand or by overseas providers. Where overseas processing is used, we consider provider safeguards, contractual terms, security posture, and the type of information involved.

Clients with specific data residency, transfer, or sector requirements must tell us before work begins. Some requirements may affect architecture, provider selection, cost, timeline, or whether we can accept the engagement.

8. Assistance And Rights Requests

If we receive a request from an individual about client personal information, we may refer the request to the client unless we are legally required to respond directly. The client is usually best placed to decide whether access, correction, deletion, restriction, or other action is appropriate.

Where the agreed service allows, we will provide reasonable assistance to help the client respond to privacy requests, security enquiries, audits, or regulatory communications. Additional work may be chargeable if it falls outside the agreed scope.

9. Breach Notification

If we become aware of a confirmed or suspected security incident affecting client personal information processed by us, we will take reasonable steps to assess and contain the incident and notify the client without undue delay in the circumstances.

The client is responsible for deciding whether notices to individuals, regulators, customers, insurers, or other parties are required, unless the law places a direct notification duty on Excelin. We will provide reasonable information available to us to support that assessment.

10. Return, Deletion, And Survival

At the end of a service, the client may request return or deletion of client personal information where technically feasible and legally permitted. Some information may be retained in backups, logs, financial records, dispute records, or archives for a limited period according to legal, security, or operational needs.

Confidentiality, security, liability, audit, and data handling obligations that by their nature should survive termination will continue for as long as necessary to give them practical effect.

Reference Points

These public resources informed the structure of this page. They are not incorporated as contract terms unless a written agreement says so.