Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Client") and Lumero for use of the Lumero platform. It sits alongside the Terms of Service and Privacy Policy and sets out how Lumero handles survey data on your behalf.

If there is any conflict between this DPA and the Terms of Service on a privacy or data processing matter, this DPA takes precedence.

This DPA is governed by the New Zealand Privacy Act 2020. Clients whose organisations are based in Australia, or whose employees are located in Australia, should also read Schedule A at the end of this document, which sets out additional terms that apply under the Australian Privacy Act 1988 (Cth).

"Client" means the organisation that has entered into an agreement with Lumero to use the platform.

"Personal Information" has the meaning given in the New Zealand Privacy Act 2020 – broadly, any information about an identifiable individual. For Australian Clients, it also includes "personal information" as defined in the Australian Privacy Act 1988 (Cth).

"Survey Data" means the survey response data processed by Lumero on the Client's behalf for reporting purposes – including, in BYO mode, data the Client provides to Lumero, and, in managed-service mode, data collected from the Client's employees through a third-party survey tool engaged by Lumero under the Client's instruction. Survey Data may include survey responses, demographic data, and open-ended comments.

"Processing" means any operation performed on Survey Data – including storing, organising, analysing, displaying, or deleting it.

"Controller" means the party that determines the purposes and means of processing Personal Information. The Client is the Controller of Survey Data.

"Processor" means the party that processes Personal Information on behalf of the Controller. Lumero is the Processor of Survey Data.

"Sub-processor" means a third-party service that Lumero uses to help deliver the Lumero platform, and which may process Personal Information in doing so.

"Survey Collection Sub-processor" means a third-party survey tool engaged by Lumero, on the Client's instruction, to collect survey responses in managed-service mode.

"Australian Client" means a Client whose organisation is incorporated or ordinarily resident in Australia, or whose employees or survey respondents are located in Australia such that the Australian Privacy Act 1988 (Cth) applies to the Client's handling of Survey Data.

Lumero processes Survey Data solely for the purpose of providing the reporting and analysis services described in the Terms of Service.

Lumero will only process Survey Data in accordance with the Client's documented instructions – which, for the purposes of this DPA, are the instructions given by the Client regarding what data to collect or import, how reporting should be configured, and which features to activate. In BYO mode the Client provides Survey Data to Lumero for import. In managed-service mode the Client instructs Lumero to arrange collection through a Survey Collection Sub-processor; Lumero then imports the collected data into the platform for reporting. Lumero will not process Survey Data for any other purpose, including for its own commercial benefit or to train AI models.

If Lumero is ever required by law to process Survey Data in a way inconsistent with the Client's instructions, Lumero will notify the Client in advance unless prohibited from doing so by law.

What data Lumero processes on your behalf

Confidentiality

Lumero will keep Survey Data confidential. Staff or contractors who access Survey Data are bound by confidentiality obligations. Lumero will not disclose Survey Data to any third party except as permitted under this DPA or required by law.

Client-authorised access

Where the Client authorises a third party – such as a Consulting Partner the Client has engaged – to access their Survey Data, that authorisation is a documented instruction under this DPA. Lumero provides that access on the Client's instruction and removes it promptly when the Client withdraws the authorisation in writing. An authorised third party of this kind is not a Sub-processor: they access Survey Data for the Client's own purposes, not to help Lumero deliver the platform.

Security

Lumero will maintain appropriate technical and organisational measures to protect Survey Data. These are described in Section 6.

Sub-processors

Lumero will only share Survey Data with approved sub-processors (listed in Section 5) and will ensure those sub-processors are bound by equivalent data protection obligations.

Assistance with rights requests

If the Client receives a request from an individual to access (IPP 6 of the NZ Privacy Act 2020) or correct (IPP 7) their personal information, Lumero will provide reasonable assistance to help the Client respond. This may include making Survey Data available for review or enabling re-import of corrected data. Australian Clients should also refer to Schedule A for the equivalent obligations under APP 12 and APP 13.

Breach notification

If Lumero becomes aware of a security incident that affects Survey Data, Lumero will notify the Client as soon as practicable. The notification will include what happened, what data was affected, and what steps Lumero is taking in response. Australian Clients should also refer to Schedule A for the notification obligations that apply under the Australian Privacy Act 1988 (Cth) Notifiable Data Breaches scheme.

Deletion

Survey Data is retained for the period set out in the Terms of Service and Privacy Policy – 18 months from the date the Client's contract begins, with Lumero contacting the Client before expiry to confirm renewal. On expiry, termination, or earlier request, Lumero will delete Survey Data in accordance with that retention policy. The Client may request deletion at any time by contacting legal@lumero.works.

Data portability (managed-service mode)

Where Lumero has arranged collection through a Survey Collection Sub-processor, Lumero will provide the Client with a copy of the raw survey response file from that sub-processor once the survey closes, and at any reasonable point on request.

Notification of unlawful instructions

If Lumero believes any instruction from the Client would breach the NZ Privacy Act 2020, the Australian Privacy Act 1988 (Cth), or any other applicable law, Lumero will notify the Client before acting on that instruction.

As the Controller of Survey Data, the Client is responsible for:

• Lawful collection. Ensuring that survey responses were collected from employees in accordance with applicable law, including the NZ Privacy Act 2020 and, for Australian Clients, the Australian Privacy Act 1988 (Cth).
• Employee notification. Making appropriate disclosures to employees about how their survey data will be used, including that it will be processed by a third-party reporting platform. For surveys run on or after 1 May 2026, Clients must also comply with IPP 3A of the NZ Privacy Act 2020, which requires that individuals be notified when personal information is collected from a source other than the individual themselves. This applies in both BYO mode (where the Client's own survey tool collected the data) and managed-service mode (where a Survey Collection Sub-processor collected the data on the Client's instruction).
• Data minimisation. Providing only the data necessary for the reporting purposes intended – not including sensitive personal information that isn't needed for employee survey reporting.
• Access management. Configuring report access levels appropriately so that individual respondents cannot be identified and data is only visible to those who need it.
• Responding to rights requests. Handling any requests from employees to access, correct, or delete their personal information. Lumero will assist where it can, but the obligation to respond rests with the Client.
• Accuracy. Ensuring that data provided to Lumero for import is accurate, as Lumero reports on data as received.
• Survey content (managed-service mode). Where Lumero arranges collection on the Client's behalf, the Client is responsible for authorising the survey content, audience, and respondent communications, and confirming that disclosures provided to employees through the Survey Collection Sub-processor reflect how their data will be used. For surveys run on or after 1 May 2026, the Client must ensure those disclosures also satisfy IPP 3A of the NZ Privacy Act 2020.

Lumero uses approved sub-processors to deliver the platform. The current list – naming each provider, what they do, what data they handle, their location, and which mode or feature they apply to – is maintained at our sub-processors page.

By entering into this DPA, the Client authorises Lumero to use the sub-processors listed on that page. Lumero ensures each sub-processor is bound by data protection obligations equivalent to those in this DPA.

Changes to the sub-processor list

Lumero will update the public sub-processor list before any new sub-processor begins processing Survey Data, and will notify active Clients by email when a new sub-processor is added. If a Client reasonably objects to a new sub-processor on the basis that it represents a material change to their data processing arrangement, the Client should notify Lumero in writing within 30 days of the change being notified; Lumero will work with the Client to find a suitable resolution. If Lumero and the Client cannot agree on a suitable resolution within 30 days of the Client's written objection, the Client may terminate this DPA and their agreement with Lumero on written notice, without incurring any further charges or penalties, and may request deletion of their Survey Data at that time.

Survey Collection Sub-processors (managed-service mode only)

Where the Client engages Lumero's managed service, a Survey Collection Sub-processor (a third-party survey tool) will also process Survey Data for the collection step. The specific provider varies by client and will be named in writing before the survey runs. Survey Collection Sub-processors may store data outside Australia or New Zealand; Lumero will identify the provider's data location at the time of engagement. The 30-day notice rule above does not apply to Survey Collection Sub-processors because they are selected per engagement on the Client's instruction.

Lumero maintains the following technical and organisational security measures:

• Tenant isolation – all client data is strictly separated at both the application layer and the database layer. It is not possible for one client's data to be accessed by another.
• Layered authorisation – access to data passes through multiple independent controls before any data is accessible.
• Encryption in transit – all data transmitted between users and the Lumero platform is encrypted using TLS.
• Encryption at rest – data stored in the Lumero database is encrypted at rest.
• Access logging – administrative access to client data for support and configuration purposes is logged.
• Confidentiality thresholds – no results, including individual comments, are displayed for any group with fewer than the minimum number of respondents (default: 5, configurable). This applies across all report views.
• Incident response – Lumero will notify affected clients of any security breach within 72 hours where practicable.

Lumero will review and update these measures from time to time to maintain an appropriate level of protection.

Lumero's primary infrastructure – application hosting, the production database, and authentication – is located in Australia.

Some sub-processors operate from other regions, and some features (such as opt-in AI-assisted features) involve processing outside New Zealand and Australia. The current location of each sub-processor, and the mode or feature it applies to, is shown on the public sub-processors page.

Where Survey Data or related personal information is processed outside New Zealand, that transfer is made in accordance with IPP 12 of the NZ Privacy Act 2020. Lumero has assessed each sub-processor as having adequate privacy and security protections in place, and each is bound by its own privacy commitments and the obligations set out in Section 5.

For Australian Clients, Lumero also takes reasonable steps to ensure that each overseas sub-processor handles personal information in a manner consistent with the Australian Privacy Principles, so that the Client can rely on those steps for the purposes of APP 8 of the Australian Privacy Act 1988 (Cth). Details of each sub-processor's location and applicable safeguards are published on the sub-processors page.

In managed-service mode, the Survey Collection Sub-processor may also process Survey Data outside Australia or New Zealand. Lumero will tell the Client the provider's data location at the time of engagement so the Client can assess any cross-border transfer against IPP 12 of the NZ Privacy Act 2020 and, for Australian Clients, APP 8 of the Australian Privacy Act 1988 (Cth), before authorising the survey.

Where AI-assisted features are activated, Survey Data is processed by Anthropic (United States). Lumero relies on Anthropic's data processing commitments as the basis for this transfer under IPP 12 and, for Australian Clients, APP 8. Details are on the sub-processors page.

Lumero operates as a one-to-many platform and does not offer direct client-led audits or on-site inspections of its production environment as a standard service.

In place of a direct audit, the Client may request any of the following and Lumero will respond within a reasonable timeframe:

• Written compliance confirmation – a written statement confirming Lumero's compliance with this DPA, the NZ Privacy Act 2020, and, for Australian Clients, the applicable obligations under the Australian Privacy Act 1988 (Cth).
• Security information – Lumero may, at its discretion and subject to appropriate confidentiality arrangements, share internal security documentation to support the Client's own risk assessment.
• Provider certifications – Lumero can direct the Client to security certifications and compliance documentation published by its core infrastructure providers (such as SOC 2 reports or ISO 27001 certificates, where available from the provider). These cover the physical and infrastructure layers where client data is stored and processed. The current list of those providers is at our sub-processors page.

Where a Client has a contractual or regulatory obligation that requires a more specific assurance arrangement not covered above, the Client should raise this with Lumero before entering into an agreement so that an appropriate arrangement can be discussed.

This DPA takes effect when the Client enters into an agreement with Lumero and remains in force for the duration of that agreement.

On expiry or termination of the agreement, Lumero will delete Survey Data in accordance with the retention policy described in the Terms of Service. Obligations of confidentiality and security survive termination.

This DPA is governed by the laws of New Zealand and supplements the Lumero Terms of Service. In the event of a conflict between this DPA and the Terms of Service on any matter relating to data processing or privacy, this DPA takes precedence.

For Australian Clients, Schedule A forms part of this DPA and, to the extent of any inconsistency, takes precedence over the main body of this DPA on matters governed by the Australian Privacy Act 1988 (Cth).

Questions about this DPA:

By using Lumero you agree to this Data Processing Agreement. If your organisation requires a signed copy of this DPA, email legal@lumero.works.

This Schedule applies where the Client is an Australian Client as defined in Section 1. It sets out additional obligations under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). Where this Schedule is inconsistent with the main body of this DPA, this Schedule takes precedence on matters governed by Australian law.

Application of this Schedule

The Australian Privacy Act 1988 (Cth) applies to Lumero's handling of Survey Data for Australian Clients. This Schedule sets out how Lumero meets its obligations under that Act and supports Australian Clients in meeting their own obligations as APP entities. It does not replace the Client's own obligations under Australian law.

Use and disclosure of Survey Data (APP 6)

Lumero will only use or disclose Survey Data for the purpose the Client collected or authorised its collection – employee survey reporting and analysis. This is consistent with Section 2 of this DPA.

Cross-border disclosure (APP 8)

Before sharing Survey Data with an overseas sub-processor, Lumero takes reasonable steps to ensure that sub-processor handles personal information consistently with the APPs – by contractually binding them to equivalent standards and assessing their practices before engagement. Australian Clients may rely on these steps for the purposes of their own APP 8 obligations. The current list of overseas sub-processors and their data locations is maintained on the sub-processors page. In managed-service mode, Lumero will identify the Survey Collection Sub-processor's data location before the survey runs.

Security (APP 11)

The security measures in Section 6 of this DPA are intended to meet the APP 11 requirement to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. On termination or expiry of the agreement, Lumero will destroy or de-identify Survey Data in accordance with its retention policy, unless retention is required by law.

Access and correction (APP 12 and APP 13)

The assistance obligations in Section 3 of this DPA apply equally to access and correction requests under APP 12 and APP 13. Where Lumero receives a direct access or correction request from an individual, Lumero will refer it promptly to the Client and let the individual know it has been referred.

Notifiable Data Breaches

The breach notification obligations in Section 3 of this DPA also apply under the Australian Notifiable Data Breaches scheme. Where Lumero becomes aware of a security incident that may be an eligible data breach under Australian law – unauthorised access to or disclosure of personal information likely to result in serious harm, where remedial action has not prevented that harm – Lumero will notify the Client as soon as practicable, including what happened, what data was affected, and what steps Lumero is taking. If Lumero suspects but cannot confirm an eligible data breach, Lumero will notify the Client promptly so the Client can conduct its own assessment within the timeframes required by Australian law.

The obligation to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals rests with the Client as the APP entity. Lumero will provide reasonable assistance. The relevant regulator for Australian Clients is the OAIC (oaic.gov.au), not the NZ Office of the Privacy Commissioner. The Client should be aware that the Australian Privacy Act provides for significant civil penalties for serious or repeated privacy interferences, and that a statutory tort for serious invasions of privacy has applied in Australia since June 2025.

Client's own obligations

This Schedule does not replace the Client's own obligations as an APP entity, which include notifying employees about how their personal information will be used and processed (APP 5), maintaining an accurate and current privacy policy (APP 1), and ensuring data provided to Lumero is accurate (APP 10). The Australian Privacy Act small-business exemption currently applies to organisations with annual turnover under AUD 3 million, but is under active government review and may narrow – clients near this threshold should seek their own legal advice.