Data Security Policy – Aider International Limited

June 2020

1.1 This data security policy (Policy) relates to the access, storage, processing, disclosure, transfer and other use (Use) of data belonging to Aider International Limited (Aider, we, us or our), including any data relating to our customers, personnel and other persons (Our Data). Our Data may include personal data relating to identifiable living individuals (Our Personal Data) and non-personal data such as anonymised and aggregated statistical and analytical data (Our Analytical Data). 

1.2 It is of critical importance to Aider that Our Data is properly secure. The purpose of this data security policy (Policy) is to set out the minimum data security requirements that any business, organisation or other person (you or your) that Uses Our Data must comply with in supplying products or services (Services) to us or in connection with other business arrangements between you and us. 

1.3 Our minimum requirements are set out below. Clearly, these are only minimum, “base level” requirements and our expectation is that you will endeavour to obtain the optimum level of data security for Our Data. 


2.1 You must ensure, and must ensure that your employees, contractors and agents (Personnel), comply with the following minimum technical and operational requirements in relation to your Use of Our Data: 

(a) Encryption of Our Data that is stored and in transit via at least Transport Layer Security (TLS) v1 .2 with no TLS version, with fall-back options enabled. 

(b) Access control and multi-factor user authentication with access rights being subject to an internal audit at least quarterly. All system access is role based and follows the principle of least privilege. 

(c) Documented information security policies and procedures which are reviewed at least annually or when new threats emerge. 

(d) Vulnerability tests are performed quarterly (this may be an internal function) and external penetration tests are performed at least annually and are performed by an accredited external penetration testing company. 

(e) Backing up of Our Data. All of Our Data follows a regular back-up process and Our Data is recoverable in a timely manner following any system issues.

(f) Commercial grade anti-virus protection on all computer hardware. 


3.1 In this Policy, Data Protection Laws means all laws, regulations, legislative and regulatory requirements and codes of practice applicable to your Use of Our Personal Data, including (to the extent applicable and without limitation) the guidance, directions, determinations, codes of practice, circulars, orders, notices or demands issued by any relevant Supervisory Authority (as defined below), and any applicable national, international, regional or other data privacy laws, standards or regulations in any territory which apply to your Use of Our Personal Data or the supply of the Services; and Supervisory Authority means the competent data protection authority in a relevant country or territory. 

3.2 You must comply with, and must ensure that your Personnel comply with, all applicable Data Protection Laws in connection with your Use of Our Personal Data. 


4.1 You must only Use Our Data in accordance with our written instructions to you. 

4.2 If you need to Use Our Data other than in accordance with our written instructions to you, then you must notify us in writing of your proposed Use and provide a reasonable explanation of why you need to Use Our Data other than in accordance with our written instructions. 

4.3 If, in your reasonable opinion, any of our written instructions to you will or may cause you to infringe any Data Protection Laws, you must notify us of the infringement as soon as possible. 


5.1 You must ensure that each of your Personnel that Uses Our Data: 

(a) is properly educated, trained and fully qualified to Use Our Data; 

(b) has been the subject of an appropriate criminal check(s) and has received a satisfactory result in relation to such a check(s); 

(c) has entered into appropriate binding confidentiality obligations with You in relation to the Use of Our Data; and 

(d) receives appropriate and regular training on confidentiality, Data Protection Laws, data security and any other related matters, as they may apply from time to time to the Use of Our Data. 


6.1 In this Policy, a Data Breach means any security incident that affects the confidentiality, integrity or availability of Our Data (including where Our Data is lost, damaged, destroyed, corrupted, compromised or disclosed, if someone accesses Our Data or passes it on without proper authorisation, or if Our Data is made unavailable and this unavailability has a materially negative effect on individuals). 

6.2 You must ensure that you have appropriate policies and procedures in place to identify, assess, mitigate, address and report any Data Breach, in accordance with applicable Data Protection Laws. 

6.3 You must notify us in writing as soon as possible (and in any event within 24 hours) if you become aware of, or suspect, any actual or likely Data Breach. 

6.4 You must provide to us any relevant information relating to a Data Breach as is required to report the Data Breach to any Supervisory Authority or to communicate the Data Breach to affected individuals. Such information will include the nature of the Data Breach, the nature of Our Data that is affected, the categories and number of individuals concerned, the number of records affected, the measures taken by you to address the Data Breach and the possible consequences and adverse effects of the Data Breach. 

6.5 You must maintain an electronic record of all Data Breaches which relate to Our Data, including details of the Data Breaches, and the effects and actions taken to remedy them. 

6.6 You must, at your own cost, promptly take all appropriate measures to restore or reconstruct any of Our Data which is destroyed, lost, damaged, compromised, altered or corrupted as a result of a Data Breach, as soon as reasonably possible and as if it were your own data, and you will provide us with all reasonable assistance and information in this regard. 


7.1 You must implement and maintain appropriate measures to ensure you can provide us with timely assistance in responding to any individuals’ access requests (or other requests for the exercise of individuals’ rights) under applicable Data Protection Laws that may be received from time to time in connection with Our Data. These measures will include you recording all requests and promptly notifying them to us. 


8.1 You must notify us in writing if you wish to engage another party to Use Our Data on your behalf (Subcontractor), including if you wish to transfer or disclose any Our Data to another party. In these circumstances, you will: 

(a) request consent from us for the engagement in advance; and 

(b) enter into a written agreement with the Subcontractor, with obligations that are consistent (and no less strict) with those set out in this Policy. 

8.2 You must remain fully responsible to us for any non-compliance with this Policy by any Subcontractor. 


9.1 You must not, and must ensure that any Subcontractor does not, transfer any of Our Data to any person in any country or territory outside of New Zealand (Overseas Recipient) without obtaining our prior written consent to such transfer. 

9.2 If we consent to the transfer of Your Personal Data to an Overseas Recipient, you must ensure 

that such transfer and any onward transfer to any person after that: 

(a) is made under a written agreement with that person containing obligations relating to the security and confidentiality of Our Data that is consistent with (and no less strict than) those set out in this Policy; and 

(b) is permitted by and otherwise complies with applicable Data Protection Laws. 


10.1 Except as otherwise permitted or required by applicable law, you will only retain Our Personal Data for as long as necessary to fulfil the purposes you collected it for, as required to satisfy any legal, accounting or reporting obligations, or as required to resolve any disputes. 

10.2 Upon request, you must provide us with written details of your policy relating to the retention of Our Data, and of any changes to that policy. 


11.1 You must cease to use Our Data (or any part of it) and must either securely destroy or transfer it to us or our nominee, and must securely delete all existing copies (unless its storage is required by applicable laws, and if so you must notify us of this) in the following circumstances: 

(a) upon termination of your agreement or arrangement with us; 

(b) when you are no longer required to Use Our Data in order to provide Services to us or in connection with any other arrangements with us; or 

(c) when we send you a written notice requiring you to do so. 


12.1 You must maintain complete, accurate and up to date written records relating to the Use of Our Data containing such information as is required under applicable Data Protection Laws and this Policy, and any other information that is reasonably required (Records). 

12.2 Upon request, you must promptly make the Records available to us in order to demonstrate your compliance with your obligations under applicable Data Protection Laws and this Policy. We may disclose the Records to a relevant Supervisory Authority or any other relevant regulatory authority. 

12.3 You will permit us or our representative, at your cost, to conduct data privacy and security audits, assessments and inspections concerning your compliance with this Policy and applicable Data Protection Laws in relation to the Use of Our Data. 

12.4 You must notify us in writing of any locations where Our Data is stored, and of any changes to 

those locations. 

12.5 You must provide us with such assistance and co-operation as we may reasonably require in 

order to comply with applicable Data Protection Laws, including: 

(a) upon our written request, promptly providing us with written information regarding the technical and operational measures which you have implemented to ensure Our Data is secure; 

(b) promptly providing such information and co-operation as we may reasonably require for the purpose of assisting us to carry out a privacy impact assessment; and

(c) to the extent that you are legally permitted to do so: 

(i) notifying us, as soon as possible, of any access request for disclosure of any of Our Data by any government or other regulatory authority or by a court or other authority of competent jurisdiction; and 

(ii) not disclosing or releasing any of Our Data in response to any such request issued to you without first consulting with and obtaining our written consent for disclosure or release. 

12.6 Upon request, you (as data processor) must enter into a data processing agreement with us (as data controller) on our then standard terms, or such other terms as you and we reasonably agree, with regard to your processing of Our Data. 


13.1 You must notify us in writing before you change any Use of Our Data or adopt a new Use of Our Data (including the Use of any new technology in relation to Our Data). We may require you to consult with us before you effect the proposed change or adoption. 

13.2 At our written request, you must participate in a privacy impact assessment if you propose any new or updated Use of Our Data. 

13.3 You must provide reasonable assistance to us in consulting with any Supervisory Authorities in relation to any high-risk Use of Our Data, as may be reasonably required by us from time to time. 


14.1 You will inform us as soon as reasonably possible of any enquiry, complaint, notice or other communication from any Supervisory Authority or individual received by you (or any person on your behalf) in connection with the use of Our Data or your compliance with Data Protection Laws (Enquiry). 

14.2 You will provide all necessary assistance and information to us to enable us to promptly respond to any such Enquiry and to comply with Data Protection Laws. 

14.3 You will not respond to any Enquiry without our prior written consent.


15.1 You must only Use Our Data in accordance with this Policy and the terms of any agreement or arrangement between you and us. You must not Use Our Data for any other purpose including for your own commercial purposes. In particular you must not sell, license or otherwise exploit Our Data except with our prior written consent (and, to avoid doubt, this restriction includes Our Analytical Data, which is of commercial value to us). 

15.2 You must act with due care, skill and diligence and in accordance with good industry practice in relation to your Use of Our Data. 

15.3 Once provided to you, this Policy will be deemed to form part of, and be governed by, the agreement or arrangement between you and us. Any breach by you of this Policy will be deemed to be a breach of that agreement or arrangement. 

15.4 We may change this Policy at any time by notifying you of the change by email. Any change to this Policy will take effect from the date set out in the notice. By continuing to provide Services or having other arrangements with us, you agree to be bound by the amended Policy. You must notify us as soon as reasonably possible if you do not agree to any changes in this Policy. 

15.5 In this Policy, a reference to writing includes email. 

Last updated: June 2020