Data Processing Addendum
DPA — ShearCore Ltd / The Shearing Board™
Parties
This Data Processing Addendum (DPA) forms part of the agreement between:
- ShearCore Ltd (Processor); and
- [Customer legal name] (Controller)
and supplements the Trial Agreement, Terms of Use, or other agreement between the parties governing Customer's use of The Shearing Board™ (Platform) (the Principal Agreement).
Terms defined in the Principal Agreement have the same meaning in this DPA unless otherwise stated.
1. Definitions
- Customer Data means all data (including Personal Information) submitted to the Platform by or on behalf of Controller or its users.
- Personal Information has the meaning given in the Privacy Act 2020 (NZ).
- Sensitive Information means Personal Information that, by its nature, requires additional care, including health and medical information, financial identifiers (IRD numbers, bank account details), and anonymous reports relating to workplace conduct or wellbeing.
- Aggregated Data means data derived from Customer Data that has been combined with other data and is de-identified so that it does not identify, and is not reasonably likely to identify, any individual or Controller.
- Sub-processor means any third party engaged by Processor to process Customer Data on Processor's behalf.
2. Scope and Purpose of Processing
Processor processes Customer Data solely for the following purposes:
- Employment management and payroll administration
- Job scheduling and team allocation
- Health & safety compliance and incident reporting
- Animal welfare compliance and reporting
- Employee induction and onboarding
- Internal communications and document acknowledgement tracking
- Operating, maintaining, securing, and improving the Platform
Processor will not process Customer Data for any purpose other than as set out in this DPA or as otherwise instructed in writing by Controller.
3. Categories of Data Subjects
- Employees and contractors (shearers, woolhandlers, pressers, AWOs, team leaders, cooks, and other staff)
- Farmers and clients
- Third parties mentioned in reports (e.g. witnesses, injured persons)
4. Categories of Personal Data Processed
4.1 Staff Personal Data
- Full name, preferred name, email address, phone number
- Date of birth, home address
- Emergency contact details
4.2 Staff Employment Data
- Job title, employment type, pay rate, hours
- Employment history, training records, certifications and licences
4.3 Sensitive / Financial Data
Requires additional safeguards
- IRD number, bank account details, tax code, KiwiSaver details, benefit status
- ACC claims, medical appointments, injury details, body parts affected
- Anonymous reports (workplace conduct, wellbeing)
4.4 Farmer / Client Data
- Name, email, phone, billing address, company name
4.5 Operational Data
- GPS / location coordinates for farms and job sites
- Tally logs, job schedules, team assignments
- Health & safety reports, animal welfare reports
- Communications and messages within the Platform
5. Controller Obligations
Controller warrants that it:
- has all necessary rights, authorities, and consents to provide Customer Data (including Personal Information and Sensitive Information) to Processor
- has provided appropriate privacy notices to data subjects
- is responsible for the accuracy and legality of Customer Data
- will manage user access (including promptly removing access for departing staff/contractors)
- will keep login credentials secure and ensure no shared logins
- will comply with all applicable privacy and employment laws
6. Processor Obligations
Processor will:
- process Customer Data only in accordance with Controller's documented instructions and the purposes set out in this DPA
- maintain reasonable technical and organisational safeguards designed to protect Customer Data against loss, unauthorised access, use, modification, or disclosure
- ensure that persons authorised to process Customer Data are subject to appropriate confidentiality obligations
- assist Controller (at Controller's cost) in responding to data subject access or correction requests, to the extent reasonably practicable
- not process Sensitive Information for any purpose beyond what is strictly necessary to provide and support the Platform
7. Sub-processors
7.1 Controller authorises Processor to engage sub-processors to assist in providing the Platform, provided Processor:
- imposes data protection obligations on each sub-processor that are no less protective than those in this DPA
- remains responsible for the acts and omissions of its sub-processors to the extent required by law
7.2 Processor will maintain a list of current sub-processors and make it available on request.
7.3 Processor will give Controller reasonable notice of any new sub-processor. If Controller objects on reasonable data protection grounds, the parties will discuss in good faith.
8. Security Measures
Processor will implement and maintain reasonable technical and organisational measures to protect Customer Data, including:
- Role-based access controls (least-privilege)
- Encryption of data in transit
- Regular backups
- Logging and monitoring of access to Customer Data
- Incident response procedures
9. Data Breach Notification
9.1 If Processor becomes aware of a suspected or confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data, Processor will:
- notify Controller without undue delay (and in any event within 72 hours of becoming aware)
- provide reasonable information about the nature and scope of the breach
- take reasonable steps to contain and remediate the breach
- cooperate with Controller in any investigation or notification obligations
10. International Transfers
Customer Data may be stored or processed outside New Zealand (including the United States) using the Platform's hosting infrastructure. Processor will take reasonable steps to ensure that overseas service providers handle Customer Data in a way that is consistent with this DPA and the Privacy Act 2020 (NZ).
11. Aggregated and De-identified Data
11.1 Processor may create Aggregated Data from Customer Data for benchmarking, trend analysis, and industry reporting purposes.
11.2 Processor will take reasonable steps to ensure Aggregated Data is de-identified and presented at a level of aggregation intended to prevent re-identification.
11.3 Controller may opt out of external sharing of Aggregated Data at any time by written notice to Processor.
11.4 For further detail on aggregated reporting safeguards, see the Privacy Policy (section 7).
12. Retention and Deletion
12.1 On expiry or termination of the Principal Agreement, Controller may request an export of Customer Data within 14 days.
12.2 Following expiry or termination, Processor may delete Customer Data in accordance with its normal retention and deletion processes, subject to any legal requirement to retain it (including backups).
12.3 Processor will confirm deletion to Controller on request.
13. Audit
Processor will make available to Controller, on reasonable request, information reasonably necessary to demonstrate compliance with this DPA. Any audit or inspection must be conducted at Controller's cost, on reasonable notice, and must not unreasonably interfere with Processor's operations.
14. Term and Survival
14.1 This DPA applies for the duration of the Principal Agreement and continues until all Customer Data has been deleted or returned.
14.2 Clauses that by their nature should survive termination (including confidentiality, liability, and data deletion) will survive.
15. Governing Law
This DPA is governed by the laws of New Zealand. The parties submit to the exclusive jurisdiction of the courts of New Zealand.
16. Contact
For questions about this DPA, contact: [email protected]

