Privacy Policy
Zaita is committed to protecting the privacy of individuals whose personal information is processed through the platform. This policy outlines how personal information is collected, used, stored, and disclosed in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs) it establishes.
Scope
This policy applies to all personal information collected and processed by the Zaita platform, including information provided by account holders, users within customer organisations, and individuals whose details may be associated with certificate lifecycle operations. It covers both the multi-tenant SaaS deployment and single-tenant dedicated deployments.
Information We Collect
Zaita collects only the personal information that is necessary to provide and operate the platform. The categories of personal information collected include:
| Category | Examples | Purpose |
|---|---|---|
| Account information | Name, email address, organisation affiliation | User authentication, account management, and communication |
| Authentication data | SSO tokens, session identifiers, federated identity claims | Secure platform access and identity verification |
| Audit and activity records | Login events, certificate operations, administrative actions | Security monitoring, compliance, and incident response |
| Certificate metadata | Subject names, email addresses, and other subject attributes embedded in certificate requests | Certificate generation and lifecycle management |
| Technical identifiers | IP addresses, browser user agent strings, API client identifiers | Platform security, access control enforcement, and troubleshooting |
Zaita does not collect personal information that is unrelated to the operation of the platform, and does not collect sensitive personal information unless it is explicitly provided by a customer as part of certificate subject attributes.
Purpose of Collection
Personal information is collected and used for the following purposes:
- Platform operation — Authenticating users, managing accounts, and delivering certificate lifecycle management services
- Security and integrity — Maintaining audit trails, detecting unauthorised access, and supporting incident investigation
- Compliance — Meeting regulatory obligations and enabling customers to satisfy their own audit and compliance requirements
- Communication — Notifying users of platform events, service changes, or security-relevant information related to their accounts
Personal information is not used for marketing, profiling, or any purpose unrelated to the delivery and security of the platform.
Collection from Authorised Sources
Where personal information is not collected directly from the individual concerned, it is obtained from authorised sources — typically the customer organisation that manages the individual's account. Customer administrators are responsible for ensuring that individuals within their organisation are aware that their information is being provided to the Zaita platform and for what purposes.
Storage and Security
All personal information is stored within the Zaita platform's encrypted data stores. The platform employs multiple layers of encryption, tenant-specific key isolation, and architectural separation between control planes to protect personal information from unauthorised access. For a detailed description of these security measures, refer to the Security page.
Personal information is not stored in locations or systems outside the platform's secured infrastructure, except where explicitly configured by the customer (for example, audit log export to an external SIEM platform).
Access and Correction
Individuals have the right to request access to their personal information held by the platform and to request correction of any information that is inaccurate, incomplete, or misleading. These requests should be directed to the customer organisation that administers the individual's account in the first instance.
Where Zaita holds personal information directly (for example, for primary account holders), access and correction requests can be submitted to Zaita's privacy contact. Requests will be responded to within 20 working days, consistent with the timeframes established by the Privacy Act 2020.
Disclosure
Zaita does not sell, trade, or otherwise disclose personal information to third parties for commercial purposes. Personal information may be disclosed only in the following circumstances:
- To the customer organisation — Account and activity information is accessible to authorised administrators within the customer's own tenancy
- To service providers — Where third-party infrastructure providers are used to host platform components, appropriate data processing agreements and security controls are in place
- As required by law — Where disclosure is required or authorised by New Zealand law, including in response to lawful requests from regulatory or law enforcement authorities
Cross-Border Data Processing
Where personal information is processed or stored in infrastructure located outside New Zealand, Zaita ensures that the receiving jurisdiction provides comparable privacy protections, or that appropriate contractual safeguards are in place, consistent with the requirements of the Privacy Act 2020 for cross-border disclosure of personal information (IPP 12).
Customers requiring data residency within New Zealand or a specific jurisdiction should refer to the available Hosting Options for single-tenant deployments.
Retention
Personal information is retained for the duration necessary to fulfil the purposes for which it was collected and to meet the platform's security, audit, and compliance obligations. For full details on data retention periods, refer to the Data Retention policy.
Complaints
Individuals who believe their privacy has been breached may raise a complaint with Zaita's privacy contact. Zaita will investigate all complaints and respond within 20 working days. If the matter cannot be resolved, individuals have the right to lodge a complaint with the Office of the Privacy Commissioner of New Zealand.
Changes to This Policy
This policy may be updated from time to time to reflect changes in platform functionality, legal requirements, or operational practices. Material changes will be communicated to customers through the platform or by direct notification.
Contact
For privacy-related enquiries, access requests, or complaints, contact Zaita at [email protected].