Skip to main content

Data Processing Agreement

Last updated: March 2026

Contents

1. Introduction

This Data Processing Agreement (“DPA”) applies when you use Keel to process tenant personal information. It outlines the relationship and responsibilities between you (as Data Controller) and Onkeel Limited (as Data Processor) under the Privacy Act 2020.

This DPA is incorporated into our Terms of Service. By using Keel to store tenant information, you agree to this DPA.

2. Definitions

  • Data Controller: The person or entity that determines the purposes and means of processing personal information. For tenant data, you (the landlord/property manager) are the controller.
  • Data Processor: The person or entity that processes personal information on behalf of the controller. Onkeel Limited is the processor.
  • Personal Information: Any information about a natural person that is capable of identifying that person.
  • Processing: Any operation performed on personal information, including collection, storage, use, and disclosure.
  • Sub-processor: A third party engaged by Keel to process personal information on our behalf.
  • Data Breach: Unauthorized access to, loss of, or damage to personal information.

3. Role and Responsibilities

3.1 Your Responsibilities as Data Controller

As the data controller, you are responsible for:

  • Determining what tenant information is collected and processed
  • Ensuring collection and processing is lawful and transparent
  • Obtaining tenant consent where required by law
  • Informing tenants about data use, storage, and security
  • Establishing lawful bases for processing
  • Ensuring data accuracy and currency
  • Managing retention and deletion of information
  • Complying with Privacy Act 2020 Information Privacy Principles
  • Responding to tenant requests for access, correction, and deletion
  • Assessing privacy risks associated with processing
  • Ensuring compliance with applicable laws

3.2 Keel's Responsibilities as Data Processor

Keel is responsible for:

  • Processing personal information only on your documented instructions
  • Ensuring personnel are bound by confidentiality
  • Implementing appropriate technical and organizational security measures
  • Assisting you to fulfill data controller obligations
  • Notifying you of data breaches promptly
  • Deleting or returning personal information upon contract termination
  • Assisting with tenant rights requests (access, correction, deletion)
  • Not engaging sub-processors without your prior written consent
  • Demonstrating compliance with this DPA upon request

4. Processing Instructions

4.1 Permitted Processing

You instruct Keel to process tenant personal information for:

  • Lease and tenancy agreement management
  • Rent payment processing and tracking
  • Maintenance request management
  • Property correspondence and communication
  • Bond management and administration
  • Expense tracking and financial reporting
  • Document storage and access control
  • Generating tenancy reports and correspondence

4.2 Processing Limitations

Keel will not process tenant information for:

  • Marketing or promotional purposes
  • Sharing with third parties without your instruction
  • Purposes other than those outlined above
  • Automated decision-making that produces legal effects

4.3 Data Minimization

You agree to collect and process only tenant personal information that is necessary for the purposes listed above. You will not upload excessive or unnecessary personal information.

5. Data Storage and Security

5.1 Storage Location and Standard

Your data, including tenant information, is stored on:

  • Location: Supabase infrastructure in Sydney, Australia
  • Standard: We maintain security equivalent to NZ standards
  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)

This constitutes a transfer of personal information outside New Zealand. By using Keel, you consent to this transfer and acknowledge your responsibility to comply with Privacy Act 2020 requirements.

5.2 Security Measures

Keel implements the following security measures:

  • Encryption of data in transit and at rest
  • Access controls with authentication via Supabase Auth
  • Firewalls and network security
  • Regular security audits and vulnerability testing
  • Automated backups and disaster recovery
  • Physical security of data centers
  • Security incident response procedures
  • Audit logging of data access

5.3 Your Security Obligations

You are responsible for:

  • Maintaining strong, unique passwords
  • Not sharing login credentials
  • Protecting access to your account
  • Notifying us of suspected unauthorized access
  • Using Keel only on secure networks and devices
  • Ensuring your devices have updated antivirus protection

6. Sub-Processors

6.1 Authorized Sub-Processors

Keel engages the following sub-processors to assist with data processing:

Sub-ProcessorPurposeLocationPrivacy Policy
SupabaseDatabase and storageSydney, AUsupabase.com/privacy
OpenAIAI analysis and suggestionsUSAopenai.com/privacy
VercelPlatform hostingUSA/EUvercel.com/privacy
AWSInfrastructureMultiple regionsaws.amazon.com/privacy
ResendEmail servicesMultiple regionsresend.com/privacy

6.2 Sub-Processor Changes

Keel will notify you at least 30 days in advance of:

  • Adding a new sub-processor
  • Replacing an existing sub-processor
  • Changes to a sub-processor’s data processing activities

If you object to a new sub-processor on reasonable grounds, you may:

  • Suspend the processing
  • Terminate the affected feature
  • Contact Keel to discuss alternatives

6.3 Sub-Processor Data Processing

We ensure all sub-processors are bound by Data Processing Agreements that provide equivalent privacy protections.

7. Tenant Rights

7.1 Access Requests

If a tenant requests access to their personal information, you must:

  1. Forward the request to Keel (cc: sam@onkeel.co.nz)
  2. Allow Keel up to 10 business days to assist
  3. Provide the tenant with their information within 20 working days

Keel will assist by extracting the tenant’s data from the platform.

7.2 Correction Requests

If a tenant requests correction of inaccurate information:

  1. You may correct the information directly in Keel
  2. If the tenant disputes the correction, we will note the disagreement
  3. You remain responsible for data accuracy

7.3 Deletion Requests

If a tenant requests deletion of their information:

  1. You must comply with the request if there is no lawful reason to retain the data
  2. Keel will delete the information from active systems within 10 business days
  3. Backup copies may be retained for disaster recovery purposes

8. Data Breach Notification

8.1 Keel's Notification Obligations

If Keel becomes aware of a data breach affecting tenant information, we will:

  • Investigate the breach promptly and determine scope
  • Notify you within 72 hours with details including:
    • Nature of the breach
    • Personal information affected
    • Likely consequences for affected persons
    • Measures taken to mitigate harm
    • Contact details for further information
  • Cooperate with any Privacy Commissioner investigation

8.2 Your Notification Obligations

You are responsible for:

  • Notifying affected tenants where required by law
  • Notifying the Privacy Commissioner if required
  • Determining whether the breach requires notification based on privacy risk
  • Implementing remedial measures

8.3 Documentation

Both parties will maintain records of any data breaches, including:

  • Date of discovery
  • Scope and nature of the breach
  • Persons affected
  • Investigation results
  • Remedial measures taken

9. Data Deletion and Return

9.1 Upon Termination

When your account is terminated or cancelled:

  • You may export your data, including tenant information, within 30 days
  • After 30 days, all personal information will be permanently deleted
  • Backup copies will be deleted within 90 days

9.2 Deletion Procedure

Upon your request, Keel will:

  1. Delete all active copies of your data
  2. Delete accessible backup copies within 30 days
  3. Confirm deletion in writing
  4. Retain records as required by law

10. Data Subject Rights Assistance

Keel will assist you in responding to tenant requests for:

  • Access to their personal information
  • Correction or deletion of information
  • Information about processing and storage
  • Copies of this DPA or privacy documentation

Assistance will be provided at no additional cost, within reasonable timeframes.

11. Audit and Compliance

11.1 Compliance Demonstrations

Keel will:

  • Maintain records of processing activities
  • Provide compliance documentation upon request
  • Conduct regular security assessments
  • Notify you of privacy risks or concerns

11.2 Your Audit Rights

You have the right to:

  • Request confirmation of our compliance
  • Request security assessment results
  • Audit our security practices with reasonable notice
  • Verify sub-processor compliance

12. International Data Transfers

12.1 Transfer Mechanism

Your tenant information is transferred to Australia for storage with Supabase. This transfer is necessary to provide the Service. By using Keel, you acknowledge and consent to this transfer.

12.2 Equivalent Protections

We maintain security and privacy protections equivalent to New Zealand standards for offshore data storage.

13. Confidentiality

Keel employees and contractors processing tenant information are bound by strict confidentiality obligations. We will not disclose tenant information except:

  • As instructed by you
  • To authorized sub-processors
  • As required by law or valid legal process
  • In case of data breach response or security investigation

14. Term and Termination

14.1 Duration

This DPA applies from the date you first input tenant information into Keel and continues while you maintain an active account.

14.2 Termination

Upon termination of your Keel account:

  • Keel’s obligations continue regarding data already processed
  • You may export data within 30 days
  • All data will be deleted after 30 days (except backup copies, which persist for 90 days)
  • Confidentiality obligations survive termination

15. Liability

15.1 Data Processor Liability

Keel is liable for:

  • Breaches of this DPA
  • Unauthorized processing of personal information
  • Failure to implement required security measures
  • Failure to notify you of data breaches
  • Engaging sub-processors without authorization

15.2 Liability Limitations

Keel’s liability for data processing is subject to the liability limitations in our Terms of Service, except for:

  • Death or personal injury caused by negligence
  • Fraud or willful misconduct
  • Breach of confidentiality
  • Privacy breaches arising from our security failures

16. Dispute Resolution

Any disputes regarding this DPA shall be governed by the Privacy Act 2020 and NZ law. Both parties agree to attempt good faith resolution before pursuing legal action.

17. Policy Updates

Keel may update this DPA to reflect:

  • Changes in processing activities
  • New security measures
  • Sub-processor changes
  • Legal or regulatory requirements

We will notify you of significant changes at least 30 days in advance. Your continued use of Keel following notice constitutes acceptance.

18. Contact Us

For questions about this DPA or data processing: