Data Processing Agreement

For GDPR-Subject Customers

Effective Date: May 1, 2026
Version: 1.0
Last Updated: April 13, 2026

Introduction

This Data Processing Agreement (DPA) applies when Equerra Limited processes personal data on your behalf that is subject to the General Data Protection Regulation (GDPR), UK GDPR, or Swiss Federal Data Protection Act.

Who This Applies To:

  • Customers in the European Economic Area
  • Customers in the United Kingdom
  • Customers in Switzerland
  • Customers processing data of individuals in these regions

Relationship to Other Documents: This DPA supplements our Terms and Conditions and Privacy Policy. For data protection matters, this DPA takes precedence.

Part 1: Roles and Processing Details

1.1 Your Role (Data Controller)

You determine the purposes and means of processing personal data in the Software. You are the data controller.

Your Responsibilities:

  • Ensuring lawful collection and processing
  • Obtaining necessary consents
  • Providing privacy notices to individuals
  • Enabling individuals to exercise their rights
  • Complying with data protection laws

1.2 Our Role (Data Processor)

We process personal data on your behalf solely to provide the Software. We are the data processor.

Our Responsibilities:

  • Processing only on your instructions
  • Implementing security measures
  • Assisting with individual rights requests
  • Notifying you of data breaches
  • Deleting or returning data after termination

1.3 What Data We Process

Categories of Personal Data:

  • Contact information (names, emails, phone numbers)
  • Employment information (job titles, company)
  • User account data (usernames, credentials)
  • Transaction data entered into the Software
  • Usage data and logs

Categories of Individuals:

  • Your employees and contractors
  • Your customers and vendors
  • End users of your services

Purpose: Providing cloud-based business management software via Microsoft Dynamics 365 Business Central

Duration: Your subscription term plus retention periods (30 days retrieval, 90 days backup)

Part 2: Processing Instructions and Obligations

2.1 Processing on Instructions

We process personal data only on your documented instructions:

  • These Terms and this DPA
  • Your use and configuration of Software features
  • Additional written instructions we agree to follow

If we believe an instruction violates GDPR, we'll inform you immediately and may suspend processing.

2.2 Personnel Confidentiality

All personnel with access to personal data:

  • Are bound by confidentiality obligations
  • Receive data protection training
  • Have access only on a need-to-know basis

2.3 Security Measures

We implement appropriate technical and organizational measures:

  • Encryption (TLS 1.2+ in transit, AES-256 at rest)
  • Access controls and multi-factor authentication
  • Network security and monitoring
  • Regular security assessments
  • Incident response procedures

Full Details: Security Measures

Part 3: Sub-Processors

3.1 Authorization

You authorize us to engage sub-processors listed on our Sub-Processor List.

Current Sub-Processors:

  • Microsoft Corporation (Azure hosting)
  • Microsoft Azure OpenAI (optional AI features when enabled)

3.2 Sub-Processor Requirements

Each sub-processor must:

  • Agree to equivalent data protection obligations
  • Implement appropriate security measures
  • Process data only as instructed

We remain fully liable for sub-processor performance.

3.3 Change Notification

We'll give you at least 30 days' notice before adding or replacing sub-processors.

Your Rights:

  • Object within 15 days stating reasonable grounds
  • If we can't accommodate your objection, you may terminate without penalty

Notification Method: Email to the account administrator and updates at www.equerra.com/sub-processors

Part 4: Individual Rights Assistance

4.1 Requests from Individuals

If we receive a request from an individual to exercise their rights, we'll forward it to you unless prohibited by law.

4.2 Our Assistance

We'll assist you in responding to requests for:

Access: Helping retrieve the individual's data

Rectification: Correcting inaccurate data

Erasure: Deleting data when required

Restriction: Limiting processing

Portability: Exporting data in machine-readable format

Objection: Stopping certain processing

How We Assist: Providing technical capabilities and reasonable cooperation given the nature of processing.

Additional Support: Available at reasonable fees for assistance beyond normal support.

Part 5: Data Breach Notification

5.1 Our Notification to You

If we become aware of a personal data breach, we'll notify you within 24 hours (where feasible).

What We'll Include:

  • Description of the breach
  • Categories and approximate numbers affected
  • Likely consequences
  • Measures taken or proposed
  • Contact point for information

5.2 Your Notification Obligations

You're responsible for:

  • Determining whether to notify supervisory authorities (within 72 hours of becoming aware)
  • Determining whether to notify affected individuals
  • Complying with your breach notification obligations

We'll provide reasonable assistance.

5.3 Our Regulatory Notifications

We'll also comply with our own notification obligations:

  • GDPR: Supervisory authority within 72 hours
  • UK GDPR: ICO within 72 hours
  • Swiss DPA: Federal Data Protection Commissioner as required

Part 6: Data Protection Impact Assessments

Upon request, we'll provide information needed for:

  • Data Protection Impact Assessments (DPIAs)
  • Prior consultations with supervisory authorities

We'll provide this taking into account the nature of processing and information available to us.

Fees: We may charge reasonable fees for assistance beyond normal support obligations.

Part 7: Audits and Inspections

7.1 Audit Rights

You may audit our compliance through:

Option A: Third-party reports (security certifications, audit summaries)

Option B: Questionnaires (standard data protection questionnaires)

Option C: On-site or remote audits subject to:

  • At least 30 days' advance notice
  • During business hours (9 AM - 5 PM NZST, Monday-Friday)
  • By you or independent auditor acceptable to both parties
  • Auditor signs our NDA
  • At your expense (unless material non-compliance found)
  • Maximum once per 12 months (unless required by regulators)

7.2 Audit Cooperation

We'll provide:

  • Reasonable access to relevant information
  • Cooperation and assistance
  • Response to audit findings

Part 8: International Data Transfers

8.1 Transfer Mechanism

Standard Contractual Clauses: We use EU Commission-approved Standard Contractual Clauses (Decision 2021/914) for transfers outside the EEA/UK/Switzerland.

Modules Used:

  • Module Two: Controller to Processor
  • Module Three: Processor to Sub-Processor

8.2 SCC Details

Governing Law: Ireland

Jurisdiction: Irish courts

Competent Authority: As determined by GDPR Article 13

SCC Annexes:

8.3 Transfer Impact Assessment

We conduct transfer impact assessments for data sent to countries without adequacy decisions.

Supplementary Measures:

  • Encryption in transit and at rest
  • Strict access controls
  • Contractual protections with sub-processors
  • Transparency about data flows
  • Data minimization

8.4 Government Access Requests

No Disclosure Without Notice: If we receive a legally binding request from government authorities for access to personal data:

  • We'll notify you promptly (unless prohibited)
  • We'll challenge overly broad requests
  • We'll seek the narrowest scope possible
  • We won't voluntarily disclose more than required

Legal Protections: Transfer destinations (New Zealand, United States) have legal protections limiting government access.

8.5 Suspension Rights

If we cannot comply with transfer requirements due to legal changes or inability to implement safeguards, we'll notify you. You may suspend transfers or terminate without penalty.

Part 9: Data Retention and Deletion

9.1 During Subscription

Data is retained only as necessary to provide services.

9.2 After Termination

Your Choice:

  • Return all data in common electronic format, or
  • Delete all data from our systems

Timeline:

  • 30-day retrieval period
  • Deletion from production after 30 days
  • Deletion from backups within 90 days

Exception: We may retain data if required by EU or Member State law (we'll inform you).

9.3 Deletion Certification

Upon request (after backup retention expires), we'll certify deletion in writing.

Part 10: General Legal Provisions

10.1 Duration

This DPA remains in effect for as long as we process personal data on your behalf, even after termination of the main Terms.

10.2 Liability

General Liability: Subject to limitations in Terms and Conditions Section 5

SCC Liability: Liability for breach of SCCs governed by the SCCs themselves

Cannot Be Limited:

  • Gross negligence or willful misconduct
  • Liabilities that cannot be limited under GDPR

10.3 Conflict Resolution

Order of Precedence:

  1. Standard Contractual Clauses
  2. This DPA
  3. Main Terms (for non-data protection matters)

10.4 Amendments

Material changes to this DPA require mutual written agreement.

If GDPR, SCCs, or regulatory requirements change requiring DPA updates, we'll notify you and work together in good faith to amend.

10.5 Severability

Invalid provisions will be modified to be valid or severed. Remaining provisions continue in effect.

Part 11: Standard Contractual Clauses

11.1 Incorporation

The Standard Contractual Clauses (Commission Decision 2021/914) are incorporated by reference.

Full SCC Text: Available at European Commission website

11.2 Completion Details

Clause 7 (Docking): Optional, not used

Clause 9 (Sub-processors): Option 2 - General authorization with notification (30 days' notice, 15-day objection)

Clause 11 (Redress): Optional language not included

Clause 17 (Governing Law): Ireland

Clause 18 (Forum): Irish courts

11.3 SCC Updates

If the EU Commission adopts new SCCs:

  • We'll notify you within 30 days
  • We'll implement within 6 months (or sooner if required)
  • You may request updated documentation

Contact Information

Data Protection Inquiries:

Privacy Officer
Equerra Limited
2nd Level
40 Lady Elizabeth Lane
Wellington Central
New Zealand 6011

Email: privacy@equerra.com

Phone: +64 4 4626852

For Legal Notices: legal@equerra.com

Document Control

Version: 1.0

Effective: May 1, 2026

Last Updated: April 13, 2026

Review Frequency: Annually or when regulations change

Equerra Limited
Strategic Solutions for Modern Business

© 2026 Equerra Limited. All rights reserved.