Data Processing Agreement

The Processor processes personal information on behalf of the Controller for the purpose of providing and operating the AnchorOS platform, including:

• Authenticating and managing user accounts
• Storing and retrieving governance, programme, RAID, and decision data entered by the Controller and its users
• Generating reports, exports, and dashboards from Controller data
• Providing AI-assisted features where enabled by the Controller
• Maintaining an immutable audit trail of all data mutations
• Delivering transactional notifications and support communications

The categories of personal information processed under this DPA include:

• Name, job title, and work email address of organisation users
• Organisational role and access permissions
• Authentication credentials (stored in hashed form)
• Names and contact details of individuals associated with governance records, decisions, programmes, risks, and activities
• Usage activity and audit logs
• Any other personal information submitted by the Controller or its users within their AnchorOS tenant

The Processor processes personal information for the duration of the Principal Agreement, and thereafter in accordance with section 9 of this DPA (Data Return and Deletion).

The Processor processes personal information only on the documented instructions of the Controller, as set out in this DPA and the Principal Agreement, except where required by law. If the Processor is required by law to process personal information in a way not covered by the Controller's instructions, the Processor will notify the Controller before doing so unless prohibited by law from doing so.

The Processor ensures that persons authorised to process personal information are subject to a duty of confidentiality. Access to Controller data is restricted to personnel who need it to perform their role. The Processor does not disclose Controller data to any person except as permitted under this DPA or required by law.

The Processor implements and maintains appropriate technical and organisational measures to protect personal information against unauthorised access, loss, alteration, or disclosure. These measures include, at a minimum:

• Encrypted data transmission (TLS 1.2 or higher)
• Encrypted storage at rest (AES-256)
• One-way cryptographic hashing of passwords
• Zero-trust, multi-tenant architecture with row-level security enforced at the database layer
• Server-side role-based access controls and per-user, per-module permission overrides
• Session token rotation on every request
• Immutable, field-level audit trail of every data mutation
• Rate limiting and server-side file upload validation
• Regular security review

Full details of the security architecture are set out in the AnchorOS Technical and Security Summary, available on request from privacy@anchorand.co.

The Controller authorises the Processor to engage the sub-processors listed in the AnchorOS Privacy Policy. The Processor requires sub-processors to comply with equivalent data protection obligations as set out in this DPA. The Processor remains responsible for the acts and omissions of sub-processors to the same extent as if it were performing the processing directly.

The Processor will notify the Controller of any intended addition or replacement of a sub-processor. If the Controller has reasonable grounds to object to the change, it may raise those grounds with the Processor in writing within 14 days of notification. The parties will seek in good faith to resolve the objection.

The Processor provides reasonable assistance to the Controller to fulfil requests from individuals exercising their rights under the Privacy Act 2020, including requests for access, correction, and complaint. Where a data subject contacts the Processor directly, the Processor will direct the request to the Controller.

If the Processor becomes aware of a security incident affecting Controller data, it will:

• Notify the Controller without undue delay and in accordance with the response commitments in the AnchorOS Technical and Security Summary (within 24 hours of confirmation for a P1 critical incident, within 48 hours for a P2 high incident affecting data)
• Provide sufficient information for the Controller to assess the incident and meet its obligations under the Privacy Act 2020, including whether to notify the Office of the Privacy Commissioner
• Take reasonable steps to contain the incident and prevent further harm

The Processor provides such reasonable assistance to the Controller as the Controller may reasonably request in connection with any privacy impact assessment the Controller is required or chooses to carry out in connection with its use of the platform.

Where the Controller has enabled AI features, the Processor processes operational context (user prompts and excerpts from records the user is authorised to view) via its AI provider, Anthropic. Processing by Anthropic is governed by a Data Processing Agreement between the Processor and Anthropic. Anthropic does not use this data to train AI models. AI feature data is subject to the retention limits in the AnchorOS Privacy Policy. The Controller may disable AI features at any time.

This DPA is governed by the laws of New Zealand. Any dispute arising under this DPA is subject to the non-exclusive jurisdiction of the New Zealand courts.

In the event of a conflict between this DPA and the Principal Agreement on a matter of data protection or personal information handling, this DPA prevails.

This DPA, together with the AnchorOS Privacy Policy, constitutes the complete agreement between the parties on the processing of personal information in connection with the AnchorOS platform.

Privacy enquiries and requests to execute a signed DPA: privacy@anchorand.co

Security incidents: security@anchorand.co