Parallo Privacy Policy

Parallo Limited Privacy and Data Policy

1. What this policy covers

This policy explains how Parallo Limited (Parallo a Crayon Company, or our, us or we) collects, holds and processes personal information and other data. We only provide services to our business customers and not directly to individuals, but we recognise that in doing so we will be dealing with our customers’ data which may include personal information of their customers, clients employees, users or others to whom they provide their services.

While we are not currently bound by the European Union’s General Data Protection Regulation (GDPR), as a company strongly committed to privacy and security, we have adopted a policy that is consistent with the principles of the GDPR since we regard that as an appropriately high standard. References to “process” or “processing” in this policy are therefore used as defined in the GDPR. They include collection, storage, and all of the ways we use personal information when we provide our services.

Despite adhering to GDPR principles, this policy is governed by New Zealand law and particularly the New Zealand Privacy Act 1993. Personal information is therefore defined as “information about an identifiable individual”. This is consistent with the definition of “personal data” under the GDPR.

2. Processing attributes of each of our services

We do not collect personal information directly from individuals other than under our contracted services provided to our business customers. We rely on our customers having appropriate authorisation to allow us to process their customers’, users’, clients’, employees’; or other third parties’ data, including personal information. Where a customer does not have that authority, it will indemnify us fully should the lack of that authority cause us any loss, damage or cost (including our full legal costs).

Each customer decides what data (including personal information) is introduced to the systems that we manage or maintain and is therefore the “controller” of that data as that term is defined in the GDPR. Our Terms of Service and the specific contract under which a customer orders services, informed by this policy, set out the contractual terms under which we process data for our customers.

Generally, we do not have the level of access that would enable us to see content in human-readable form, and therefore we do not know what, if any, personal information we process. All service processing activities are undertaken as per our contracted service descriptions and instructions from customers. To explain this in more detail, we have set out below each service we provide and its data processing attributes:

Service 1 – Hybrid and other cloud platform management services

Nature of Service

Cloud storage or cloud management services where data is stored on hardware owned, maintained and managed by third parties with whom we have hosting contracts – read the Parallo Cloud Platform Management service description

Our processing activities

Access to content: We do not have access to the content layer and so cannot see, or enable anyone else to see, data files in a human readable form. Each customer controls who can and cannot see or read any data.

Deletion and disabling access: We are able to delete data or disable access at a platform level, or disable access at a virtual machine level through our maintenance of access and control systems, but not with any degree of granularity. Generally, deletion or disabling access will occur in relation to all data held for a customer.

Retention: Data is retained in a variety of formats depending on customer selection. Once service ceases, Parallo's access to the customer's data will cease.

Data portability: Data can be exported in a variety of formats. The export of data is executed only on the express requirement of the customer who will define the format and destination for the data. Exported data remains the property and responsibility of the Customer.

Service 2 – Parallo IaaS

Nature of Service

A cloud IaaS (Infrastructure as a Service) platform where customer data is stored on hardware owned, maintained and managed by us, located in a secure third-party data centre in Auckland, New Zealand

Our processing activities

Access to content: We do not have access to the content layer and so cannot see, or enable anyone else to see, data files in a human readable form. Each customer controls who can and cannot see or read their data.

Deletion and disabling access: We are able to delete data or disable access to it at a hardware level, or disable access at a virtual machine level through our maintenance of access and control systems, but not with any degree of granularity. Generally, deletion or disabling access will occur in relation to all data held for a customer.

Retention: Data is retained as VMDK files on VMFS data stores and retained as long as we are contracted to provide the service to a customer. Once service ceases, a customer’s VMDK files are deleted and will be rapidly overwritten by other data and effectively become inaccessible due to the technology utilised to provide the Storage Subsystem.

Data portability: Data can be exported by the customer in a variety of formats. Exported data remains the property and responsibility of the Customer.

Service 3 – Data Protection Service (DPS)

Nature of Service

A service where we manage security and backup of customer data stored by us using our Parallo IaaS service or on-premise customer hardware. Backups are regularly written to disk and then backed up on a revolving schedule to physical tape drives which are stored with a third-party secure storage facility in Auckland, New Zealand – read the full Parallo Data Protection Service description

Our processing activities

Access to content: We have access at data file level in order to make and check backups so are able to see data files in a human readable form. Access is only provided to DPS personnel by way of specific individually keyed password and multifactor authentication measures.

Deletion and disabling access: We are able to delete data files by overwriting or disabling access to data files through our maintenance of access and control systems. We are also able to delete backups by overwriting or by the destruction of physical media.

Data is stored on backup storage and backup tapes. In most cases the backup tapes are the property of the customer and are returned on cancellation of service.

Data on Backup storage is deleted and will be rapidly overwritten by other data and effectively become inaccessible due to the technology utilised to provide the Storage Subsystem.

Retention: Files and backups are retained so long as we are contracted to provide the service to a customer. Once service ceases, customer files will be overwritten by other data and effectively become inaccessible. Backup information on tape is securely transported to and from the datacentre to a secure specialist data storage facility. Only authorised personnel may have access to the backup tapes. Backup tapes are tracked and their location is always known.

Data portability: Data portability is controlled by the customer on its own system. Where requested, we can provide copies of backup tapes during the term. All back up tapes are returned on cancellation of service.

3. How we may share data

We do NOT share, sell, rent or trade data, including personal information, with third parties other than as set out in this policy.

Each customer controls whether and how data, including personal information, is shared or used. We act on proper instructions from customers to provide processing activities.

We may however share data, including personal information, with or without customer instructions or consent, in the following circumstances:

Legal purposes. Where it is legally required by a third party or law enforcement authority in any jurisdiction (in which case we will always require a production order or similar court order). Where we are to make any disclosure of customer data, we will provide our relevant customers with as much advance notice as is reasonable in the circumstances, provided we are not prevented by law from doing so.
To enforce our rights and prevent fraud. To protect and defend our rights, property or safety, or that of third parties, to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the safety or health of any person.

4. Access and other rights

To the extent our services enable us to do so, we will assist customers in complying with their obligations to individuals in respect of those individuals’ personal information rights.

5. How long do we keep data?

We will retain data, including any personal information, for as long as we are contracted to provide service to a customer. Once our services are discontinued we will only keep data if it is necessary or required to meet legal or regulatory requirements, resolve disputes, or to prevent fraud or abuse.

6. International transfer of data

We are based in New Zealand. As noted above, our Parallo IaaS service is provided via our systems located in Auckland, New Zealand and our other hybrid and managed cloud services are hosted by Microsoft Azure based in New Zealand and Australia. The European Commission has determined that New Zealand provides an adequate level of data protection for GDPR purposes.

In order to validly safeguard personal information in Australia, we have entered into the Model Contract Clauses for the transfer of personal information which has been approved by the European Commission, with our hosting services provider, Microsoft Azure.

Read more about Microsoft’s privacy and security practices.

7. Security

We take all reasonable steps to ensure the personal information we collect is protected against loss, unauthorised access and disclosure or any other misuse. Examples of such steps include:

utilisation of multi-factor authentication and unique usernames;
application of least privilege user access principles;
a SaaS password service logs all passwords checked out for both customer and internal systems; and
data centre access is restricted to authorised staff upon request basis, approved by management.

8. Data breaches

A data breach occurs when data is lost or subjected to unauthorised access, use, modification or disclosure or other misuse or interference.

If we learn of a data breach involving any of our services we will notify the customer(s) concerned as soon as is reasonably practicable and assist the customer(s) to assess whether or not:

there is a risk of serious harm to any individual or business, particularly where sensitive personal information (such as health records) is involved;
notification to individuals or businesses is advisable or necessary;
there is a requirement to notify any agency, authority or regulator or it is advantageous to do so. For example, we would generally recommend notification to the New Zealand Privacy Commissioner in serious cases. If we consider it reasonably necessary to do so, we may provide such notification to an agency, authority or regulator ourselves without a customer’s consent but we will provide our relevant customers with as much advance notice as is reasonable in the circumstances, provided we are not prevented by law from doing so.

We may also post a notice on our website and otherwise communicate with third parties where we are legally required to do so. We may also pass details of any data breach on to our insurers.

9. Changes to this Policy

We may revise, modify or update this policy. We will notify customers about significant changes in the way we treat data and personal information by sending a notice to the primary email address specified in a customer’s particular Parallo account or by placing a prominent notice on our website prior to the change becoming effective.

This policy was last updated on 11 April 2023.

10. NZ Law

This policy is governed by the laws of New Zealand and we and our customers submit to the jurisdiction of the New Zealand courts.

11. Contacting us

For information about our information security or data protection strategy and approach, please contact dpo@crayon.com.

For urgent security or data protection matters, please contact the Crayon 24/7 Hotline +47 2289 1001