Legal
Data Processing Agreement
Last updated: 15 May 2026
About this DPA
This Data Processing Agreement ("DPA") applies where you ("Customer", "Controller") use the Kapsule Cloud Services to process personal information about other individuals ("Data Subjects"). It forms part of the Terms of Service between you and Kapsule Group Limited ("Kapsule Cloud", "we", "us", "Processor").
This DPA reflects the requirements of the New Zealand Privacy Act 2020. Where you are subject to other applicable privacy laws (for example, the EU General Data Protection Regulation, UK GDPR, or Australian Privacy Act 1988), the relevant provisions of this DPA, read together with our Privacy Policy and Sub-processors List, are intended to provide protection comparable to those laws. Where additional contractual measures are required to support your compliance with a foreign law, we will consider these on request.
If you are using the Services solely to process your own personal information (and not personal information about other individuals), this DPA does not apply; the Privacy Policy alone applies.
1. Definitions
In this DPA:
"Applicable Privacy Laws" means the Privacy Act 2020 and any other privacy or data protection law applicable to the Customer's processing of personal information using the Services.
"Controller" means the natural or legal person who determines the purposes and means of processing personal information.
"Customer Personal Information" means personal information processed by us on your behalf using the Services in respect of Data Subjects.
"Data Subject" means an identified or identifiable natural person to whom Customer Personal Information relates.
"Notifiable Privacy Breach" has the meaning given in section 112 of the Privacy Act 2020 (a privacy breach that has caused, or is likely to cause, serious harm).
"Personal Information" has the meaning given in the Privacy Act 2020.
"Processor" means a person who processes personal information on behalf of the Controller.
"Processing" means any operation or set of operations performed on personal information, whether or not by automated means.
"Sub-processor" means a third party we engage to process Customer Personal Information on our behalf.
"Standard Contractual Clauses" means the standard data protection clauses adopted by a recognised data protection authority (for example, the European Commission's EU Standard Contractual Clauses) for transfers of personal data from a jurisdiction with restrictive cross-border data transfer rules.
Other capitalised terms have the meanings given in the Terms of Service.
2. Roles, scope, and instructions
2.1 Roles. In relation to Customer Personal Information, you are the Controller and we are the Processor. You are responsible for the lawfulness of your collection and processing of Customer Personal Information, including for providing all required privacy notices, obtaining all required consents, and complying with all Applicable Privacy Laws in your dealings with Data Subjects.
2.2 Documented instructions. We will process Customer Personal Information only: (a) as needed to provide the Services in accordance with the Terms of Service; (b) in accordance with your reasonable, documented instructions (the Terms of Service, the configuration choices you make in KPanel, and any further written instructions you give us are deemed to be your documented instructions); and (c) as required by law applicable to us, in which case we will inform you of the legal requirement before processing, unless prohibited by that law on important grounds of public interest.
2.3 Inconsistent instructions. We will inform you if, in our reasonable opinion, an instruction from you infringes an Applicable Privacy Law. We may decline to process Customer Personal Information where doing so would put us in breach of an Applicable Privacy Law.
3. Confidentiality
3.1 We will ensure that any person authorised to process Customer Personal Information on our behalf is bound by confidentiality obligations, whether through contract or law, and is informed of the confidential nature of the information.
3.2 Access to Customer Personal Information is limited on a need-to-know basis and is protected by access controls, mandatory two-factor authentication, and audit logging.
4. Security
4.1 We will implement and maintain appropriate technical and organisational measures to protect Customer Personal Information against unauthorised or unlawful processing, accidental loss, destruction, or damage. Current measures are summarised in Annex B to this DPA and at kapsulecloud.com/legal/security.
4.2 We will regularly review and update our security measures to account for the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to the rights and freedoms of Data Subjects.
4.3 We will not materially reduce overall protection without notice to you.
5. Sub-processors
5.1 Authorisation. You authorise us to engage the Sub-processors listed at kapsulecloud.com/legal/sub-processors to process Customer Personal Information.
5.2 Sub-processor terms. We will enter into a written contract with each Sub-processor that imposes data protection obligations no less protective than those in this DPA, including obligations of confidentiality, security, and limited processing.
5.3 Notification of new Sub-processors. We will notify you of any new Sub-processor that will process Customer Personal Information at least thirty (30) days before that Sub-processor begins processing. Notification will be by email and posting to the Sub-processors page.
5.4 Objection. You may object on reasonable grounds (for example, a documented concern about the proposed Sub-processor's security, compliance, or jurisdiction) by emailing [email protected] within the 30-day window. If we cannot reasonably accommodate your objection (for example, by switching Sub-processors or modifying the configuration), you may terminate the affected Service and receive a pro rata refund of any prepaid Fees for the unused portion of the relevant billing cycle.
5.5 Liability for Sub-processors. We remain liable to you for the acts and omissions of our Sub-processors in respect of Customer Personal Information as if they were our own.
6. Data Subject rights
6.1 We will, taking into account the nature of the processing, provide reasonable assistance to help you respond to requests from Data Subjects to exercise their rights under Applicable Privacy Laws, including rights of access, correction, deletion, restriction, and portability.
6.2 If we receive a request from a Data Subject that relates to your use of the Services, we will: (a) refer the Data Subject to you (the Controller); and (b) unless legally prohibited, notify you of the request without undue delay.
6.3 Assistance is provided through the access, export, and deletion features of KPanel where these are sufficient, and through manual support where the technical features cannot meet the request.
6.4 We may charge a reasonable fee for manual assistance that is materially in excess of routine support, where the request is manifestly unfounded or excessive.
7. Personal information breaches
7.1 Notification. We will notify you of any confirmed Notifiable Privacy Breach affecting Customer Personal Information without undue delay, and in any event within seventy-two (72) hours of becoming aware of it.
7.2 Content of notification. The notification will include, to the extent known and reasonably available at the time: (a) the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects; and (d) the contact point for further information.
7.3 Subsequent updates. Where some of the information is not available at the time of the initial notification, we will provide it in further updates as soon as practicable.
7.4 Cooperation. We will cooperate reasonably with you in any required investigation, notification to authorities, notification to affected Data Subjects, and remediation.
7.5 Customer's responsibility. You remain responsible for assessing whether a breach is a Notifiable Privacy Breach under your applicable law and for making the necessary notifications to the Office of the Privacy Commissioner, affected Data Subjects, or other regulators. We will provide the information you reasonably need to do so.
8. Audits
8.1 Information. We will make available to you the information necessary to demonstrate compliance with this DPA, including the Security Statement at kapsulecloud.com/legal/security, the Sub-processors list, and any third-party audit reports or certifications we hold (if any).
8.2 On-site audit. Where the information in clause 8.1 is not sufficient to demonstrate compliance with respect to a particular issue you have raised in writing, you may conduct an audit of our compliance with this DPA on the following conditions: (a) audits are conducted at your cost (including our reasonable costs of assisting); (b) you give us at least thirty (30) days' written notice; (c) audits take place during our normal business hours; (d) audits are conducted no more than once in any twelve (12) month period, except after a confirmed Notifiable Privacy Breach affecting you, in which case an additional audit may be conducted on reasonable notice; (e) the audit does not unreasonably interfere with our operations or compromise the confidentiality of other customers' information; (f) the auditor must be qualified, independent of our competitors, and bound by confidentiality obligations on terms acceptable to us; (g) we may, at our option, satisfy our audit obligations by providing copies of third-party audit reports or certifications (where available) or by responding to a security questionnaire.
8.3 You will provide us with a copy of any audit report and any findings, and we will use reasonable efforts to address material findings within an agreed period.
9. International transfers
9.1 You acknowledge that some of our Sub-processors are located outside New Zealand. The current locations are set out at kapsulecloud.com/legal/sub-processors.
9.2 Where Customer Personal Information is transferred outside New Zealand, we will ensure that comparable safeguards apply, including: (a) ensuring the Sub-processor is subject to a privacy law that, in our view, provides comparable protections to the Privacy Act 2020; or (b) entering into contractual safeguards with the Sub-processor that require comparable protections (for example, by reference to Standard Contractual Clauses where appropriate); or (c) obtaining your express authorisation for the transfer.
9.3 By entering this DPA, you authorise the transfers described in clause 7 of the Privacy Policy and clause 5 of this DPA, on the basis of the safeguards in clause 9.2.
10. Return and deletion of Customer Personal Information
10.1 During the term of the Services, you can export Customer Personal Information via KPanel using our standard export tools (CSV, JSON, archive download, or database dump, depending on the data type).
10.2 On termination of the Services and at your option, we will: (a) make Customer Personal Information available for export for thirty (30) days after termination (the "Grace Period"); and (b) thereafter, permanently delete Customer Personal Information from live systems.
10.3 Encrypted backup copies will be purged on the next scheduled rotation cycle, no later than thirty (30) days after deletion from live systems.
10.4 We may retain Customer Personal Information after termination where required by law (for example, billing and tax records under the Tax Administration Act 1994, or to defend a legal claim). Any such retention will be limited to the minimum necessary, and the information will remain subject to the confidentiality and security obligations in this DPA.
11. Liability
11.1 The liability provisions in the Terms of Service (including the limitation of liability in clause 16) apply to this DPA.
11.2 Without prejudice to clause 11.1, nothing in this DPA limits a party's liability for fraud, fraudulent misrepresentation, wilful misconduct, or any liability that cannot lawfully be limited under Applicable Privacy Laws.
11.3 Where we incur a regulatory penalty as a result of, or in connection with, your failure to comply with your obligations under this DPA or Applicable Privacy Laws, the amount of that penalty will be treated as a loss recoverable from you, subject to the limits in the Terms of Service.
11.4 The service credits under the SLA are not credits under this DPA.
12. Term and amendments
12.1 This DPA takes effect when you first use the Services (or 15 May 2026, whichever is later) and continues until the Services are terminated and our deletion obligations under clause 10 are complete.
12.2 We may update this DPA from time to time to reflect changes in law or in our operations. Material changes will be notified at least thirty (30) days in advance.
13. Order of precedence
13.1 If there is a conflict between this DPA and the Terms of Service or Privacy Policy in respect of the processing of Customer Personal Information, this DPA prevails.
13.2 If there is a conflict between this DPA and an applicable mandatory provision of an Applicable Privacy Law, the mandatory provision prevails to the extent of the conflict.
Annex A: Description of processing
A.1 Subject matter. Provision of cloud hosting, domain registration, email hosting, and related services as described in the Terms of Service.
A.2 Duration. For the term of the Services, plus the Grace Period and any retention required by law as set out in clause 10.
A.3 Nature and purpose. Storage, transmission, backup, security, replication, indexing, format conversion (for technical compatibility), abuse prevention, billing, and other processing necessary to operate the Services.
A.4 Categories of Customer Personal Information. As determined and uploaded by you. May include: names, contact details (email, phone, address), account credentials, identity verification information, payment information, transactional data, IP addresses, device identifiers, photos and other images, content of websites and applications, content of email, message metadata, customer relationship management records, support communications, and any other personal information you choose to process via the Services.
A.5 Categories of Data Subjects. As determined by you. May include: your employees, contractors, agents, customers, prospective customers, suppliers, members, end-users, donors, and other individuals whose personal information you choose to process via the Services.
A.6 Special categories. You must not upload to the Services any special-category or sensitive personal information (such as health information, biometric information, criminal records, religious beliefs, sexual orientation, or trade union membership) without our prior written agreement about appropriate additional safeguards. If you upload such information without our agreement, you are responsible for the lawfulness of doing so and indemnify us in respect of any related claims.
A.7 Frequency and duration of processing. Continuous, for the duration of the Services.
Annex B: Technical and organisational measures
We implement the following technical and organisational measures, which we may update from time to time to maintain or improve overall protection:
B.1 Information security policies and governance. Documented information security and privacy policies, reviewed at least annually. Designated Privacy Officer responsible for compliance. Personnel privacy and security training on induction and annually thereafter. Background checks on personnel with access to production systems, where lawful.
B.2 Access controls. Strict role-based access controls based on least-privilege principles. Mandatory two-factor authentication for all personnel with access to production systems. Periodic access reviews and prompt revocation on role change or departure. Separation of production and non-production environments. Privileged access logging.
B.3 Encryption and data protection. TLS encryption (at least TLS 1.2) for all data in transit. Encryption at rest for off-site backups (restic) and for sensitive data stores. Restic-encrypted off-site backups stored in Cloudflare R2 (Oceania region). Secure key management with off-line copies of master recovery keys.
B.4 Network and system security. Network segmentation between customer environments. Web application firewall and DDoS protection via Cloudflare. Regular security patching of operating systems, runtimes, and applications. Vulnerability scanning of internet-facing infrastructure. Periodic penetration testing.
B.5 Logging, monitoring, and incident response. Centralised logging of access, changes, and security events. 24x7 monitoring of platform health and security signals. Documented incident response plan with defined severities and escalation paths. Notifiable Privacy Breach notification procedure aligned with the Privacy Act 2020 and clause 7 of this DPA.
B.6 Backup, business continuity, and disaster recovery. Daily encrypted off-site backups of customer site data and email data. Off-site backup retention of at least thirty (30) days, with longer retention on higher Plans. Documented disaster-recovery procedures and runbooks. Regular restore testing.
B.7 Personnel and sub-processors. Confidentiality undertakings for all personnel. Written contracts with all Sub-processors imposing protections no less protective than this DPA. Annual review of Sub-processors for continued suitability.
B.8 Physical security. Production servers operated in Tier III or equivalent data centres with controlled physical access, 24x7 security, environmental controls, and fire suppression.
B.9 Application security. Secure software development lifecycle, including code review, dependency scanning, and pre-release testing. Use of secrets management (no secrets in source code). Mandatory code review for production changes.
B.10 Data segregation and deletion. Logical segregation of customer data. Documented data deletion procedures aligned with clause 10 of this DPA. Documented procedures for handling Data Subject access, correction, and deletion requests.
A more detailed version of these measures is published at kapsulecloud.com/legal/security and is updated from time to time.