Data Privacy Agreement

Effective Date: March 21, 2025
Website: www.initforce.com

Definitions

For this Agreement:

  • EU: Refers to the European Union as defined at https://europa.eu/european-union, and the Authority refers to the relevant data protection authority (e.g., the ICO in the UK).
  • Personal Data, Special Categories of Data, Processing, Controller, Processor, Data Subject, and Supervisory Authority have the meanings defined in Regulation (EU) 2016/679 (GDPR) and its UK counterpart.
  • Data Exporter: The Initforce entity transferring personal data outside the EU/UK.
  • Data Importer: The Initforce entity or partner receiving and processing personal data outside the EU/UK under these clauses.
  • Clauses: This agreement, treated as a standalone document for the transfer and protection of personal data.

Details of any specific transfers are described in Annex B of this agreement.

1. Obligations of the Data Exporter (Initforce)

The Data Exporter warrants that:

  • Personal data is collected and transferred in accordance with applicable law.
  • It has ensured the Data Importer can comply with its obligations under this agreement.
  • It will provide information about local data protection laws upon request (where available and not legal advice).
  • It will respond to inquiries from Data Subjects or Authorities unless agreed otherwise.
  • It will provide a copy of these clauses to Data Subjects or Authorities, excluding confidential details where needed.

2. Obligations of the Data Importer (Recipient)

The Data Importer agrees to:

  • Implement appropriate technical and organisational measures to secure personal data.
  • Ensure third parties (e.g. contractors) respect confidentiality and only process data under instruction.
  • Notify the Data Exporter if local laws prevent compliance.
  • Process data only for the purposes listed in Annex B.
  • Provide a designated contact for data inquiries and cooperate in good faith.
  • Allow audits (with notice and within working hours) to verify compliance.
  • Not transfer data onward unless:
    • To an approved jurisdiction (adequacy decision),
    • Under equivalent contractual safeguards,
    • With Data Subject’s informed consent, or
    • If legally required and compliant with GDPR.

3. Liability and Third-Party Rights

  • Each party is responsible for damages it causes by breaching these terms.
  • Data Subjects may enforce specific rights under these clauses, particularly regarding their personal data.
  • If the Data Exporter fails to act on behalf of a Data Subject, that person may pursue the Data Importer directly.

4. Applicable Law

These clauses are governed by the laws of the country where the Data Exporter is based (e.g., New Zealand for Initforce), except where overridden by GDPR obligations.

5. Dispute Resolution

  • Both parties will cooperate to resolve complaints from Data Subjects or Authorities.
  • Parties agree to participate in mediation or alternative dispute mechanisms where applicable.
  • Final decisions from competent courts or data protection authorities will be respected.

6. Termination

The Data Exporter may suspend or terminate this agreement if the Data Importer:

  • Is in breach for more than one month,
  • Is prevented by local law from complying,
  • Repeatedly violates obligations,
  • Is dissolved, or enters insolvency.

Termination does not release either party from obligations related to previously transferred data.

7. Modifications

These clauses may be updated by mutual agreement. Updates to Annex B must be reported to authorities if required by law.

8. Description of Transfers (Annex B)

Data Subjects

  • Initforce staff, contractors, clients, partners, and third-party collaborators.

Purpose of Transfers

  • Delivering Salesforce consulting services.
  • Business operations, support, and project delivery.

Categories of Data

  • Names, emails, phone numbers, job titles.
  • Project-related data, credentials for platforms/tools.
  • (For employees only) limited HR/payroll or health-related data where required.

Recipients

  • Initforce staff and approved third-party partners or suppliers.

Sensitive Data

  • Only collected for Initforce employees or where legally required, e.g.:
    • Medical and health & safety info
    • Union affiliation (if applicable)

Annex A — Data Processing Principles

Initforce and its partners commit to:

  1. Purpose Limitation – Data is used only for defined purposes.
  2. Data Minimization – We collect only what’s necessary.
  3. Transparency – Clear communication about data processing.
  4. Security – Appropriate security measures in place.
  5. Rights of Individuals – Respect rights to access, correct, delete, or object to data use.
  6. Sensitive Data – Extra protections are applied.
  7. Marketing Data – Users may opt-out at any time.
  8. Automated Decisions – None are made without human oversight, unless permitted by law.

Questions?

If you have any questions or concerns about how we handle personal data under this agreement, please contact:

📧 privacy@initforce.com
🌐 initforce.com/contact