Privacy Policy

Introduction

Karo Data Management Limited (we, us, our) complies with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information. Personal information is information about an identifiable individual (a natural person). This policy sets out how we will collect, use, disclose and protect your personal information. This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.

Changes to this policy

We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.

Who do we collect your personal information from?

We collect personal information about you from:
- you, when you provide that personal information to us, including via the website and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services and products
- third parties where you have authorised this or the information is publicly available.
If possible, we will collect personal information from you directly.

How do we use your personal information?

We will use your personal information:
- to verify your identity
- to provide services and products to you
- to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose)
- to improve the services and products that we provide to you
- to undertake credit checks of you (if necessary)
- to bill you and to collect money that you owe us, including authorising and processing credit card transactions
- to respond to communications from you, including a complaint
- to conduct research and statistical analysis (on an anonymised basis)
- to protect and/or enforce our legal rights and interests, including defending any claim
- for any other purpose authorised by you or the Act.

Disclosing your personal information

We may disclose your personal information to:
- a credit reference agency for the purpose of credit checking you
- a person who can require us to supply your personal information (e.g. a regulatory authority)
- any other person authorised by the Act or another law (e.g. a law enforcement agency)
- any other person authorised by you.
A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand.

Protecting your personal information

We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.

Accessing and correcting your personal information

Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at [email protected]. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.

Internet use

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information.
We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor your use of the website. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all the features of the website.

Cookies

What are cookies?
Cookies are simple text files that are stored on your computer or mobile device by a website’s server. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier, website’s domain name, and some digits and numbers.

What types of cookies do we use?

Necessary cookies

Necessary cookies allow us to offer you the best possible experience when accessing and navigating through our website and using its features. For example, these cookies let us recognize that you have created an account and have logged into that account to access the content.

Analytical cookies

These cookies enable us and third-party services to collect aggregated data for statistical purposes on how our visitors use the website. These cookies do not contain personal information such as names and email addresses and are used to help us improve your user experience of the website.

How to delete cookies?

If you want to restrict or block the cookies that are set by our website, you can do so through your browser settings. Alternatively, you can visit www.internetcookies.org, which contains comprehensive information on how to do this on a wide variety of browsers and devices. You will find general information about cookies and details on how to delete cookies from your device.

Contacting us

If you have any questions about this cookie policy or our use of cookies, please contact us.


Security Policy

Vulnerability Disclosure Policy

Karo Data Management Limited is committed to ensuring the security of its customers, users and partners by protecting their information. Our Vulnerability Disclosure Policy (VDP) is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Karo Data Management Limited will not recommend or pursue legal action related to your research.
Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

The following test methods are NOT authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g. office access, open doors, tailgating).
- Social engineering (e.g. phishing, vishing).
- Any other non-technical vulnerability testing.

Scope

This policy applies to the following services:
- Halcyon
- Kotahi
- Monitor
- Te Pokapū
- Any Karo integrations including 3rd party and Karo microservices
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing.
Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at [email protected] before starting your research (or at the security contact for the system’s domain name listed in the domain WHOIS).
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Reporting a vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.
If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Karo Data Management Limited, we may share your report with relevant local cyber security agencies, e.g. CERT, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
We accept vulnerability reports via [email protected].
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. We do not support PGP-encrypted emails. For particularly sensitive information, submit through our HTTPS web form.

Out of Scope

The following issues are considered out of scope; do not test or report them:

  • Reports from automated tools or scans without accompanying demonstration of exploitability.
  • Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication Reporting and Conformance (DMARC) record issues.
  • Missing best practices.
  • Social engineering-based attacks (e.g., getting a user to click an attacker-controlled link) under any circumstances.
  • Any physical attempts.
  • Subdomain Takeovers.
  • Denial of Service, Rate Limiting, or Spamming issues (e.g., layer 7 DoS attacks, Slowloris, etc.).
  • Clickjacking on pages with no sensitive actions.
  • Man in the Middle (MITM) attacks.
  • Attacks requiring physical access to a user’s device.
  • Vulnerabilities that require privileged access to a victim’s device.
  • Known vulnerable libraries without a working proof of concept.
  • Comma Separated Values (CSV) injection.
  • Content spoofing or text injection (e.g., HTML or CSS injection).
  • IFRAME injection.
  • Software version disclosure without accompanying demonstration of exploitability.
  • Use of a known-vulnerable library without evidence of exploitability.
  • Open redirects.
  • Insecure SSL or TLS issues (e.g., ciphers, certificates, etc.).
  • User existence or enumeration vulnerabilities.
  • Password or account recovery policies (e.g., reset link expiration, password complexity, etc.).
  • Missing security headers (e.g., HTTP Strict-Transport-Security (HSTS), Content Security Policy (CSP), etc.) that do not lead directly to a vulnerability.
  • Presence of the “autocomplete” attribute on web forms.
  • Host header injections unless you can show how they can lead to stealing user data.
  • Insecure cookie settings for non-sensitive cookies.
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Issues related to software or protocols not under our control.
  • Issues related to descriptive or verbose error messages.
  • Vulnerabilities in third party applications that make use of our APIs.
  • GitHub leaks without demonstration of impact.

What we would like to see from you

In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible. Within 3 business days, we will acknowledge that your report has been received. To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to [email protected].
We also invite you to contact us with suggestions for improving this policy.

Consent

By using our website and services, you hereby consent to our Privacy Policy and agree to our Terms and Conditions.


Terms and Conditions

Definitions

The following definitions shall have effect in interpreting this Agreement:
“Agreement” means these Terms and Conditions and the associated Statement of Work.
“Organisation” means your entity or business named in the Agreement.
“Karo Data Management” means Karo Data Management Limited, a registered limited liability company.
“GST” means goods and services tax in terms of the Goods and Services Tax Act 1985, at the rate prevailing at the time of the agreement.
“Services” means any function performed by Karo Data Management as set out in the Agreement with the organisation.
“Statement of Work” means the written document and integral part of the Agreement setting out the scope of the Services required by the organisation.

Supply

Karo Data Management agree to supply the Services described in the Agreement, to the organisation.

Term

The Services being provided under this Agreement will commence on the date of acceptance of the agreement and shall continue indefinitely. Either party may terminate this Agreement by giving the other party three months’ notice in writing as specified under "Termination" in these terms.

Force Majeure

Neither party shall be liable for any failure to comply with or observe any provision of this Agreement during the time that such performance is prevented by reason of a Force Majeure Event.
The party unable to fulfil its obligations under this clause will:
a) notify the other party as soon as reasonably practicable after the Force Majeure Event occurs;
b) endeavour to provide the other party with information regarding the extent of their inability to perform and an estimate of the time likely to be required to overcome the Force Majeure Event; and
c) use their reasonable endeavours to remedy or mitigate the effect of the Force Majeure Event.
For the purposes of this clause, a “Force Majeure Event” means any event or circumstance beyond a party’s control.

Validity

Charges quoted in our quotes are valid for 7 days and shall become fixed once accepted by the organisation.

Time Estimates

Unless otherwise specified in the Statement of Work, the estimated hours and estimated completion date, and any other dates set out in this Agreement, represent Karo Data Management’s reasonable efforts to estimate the time required to perform the Service and are provided for general planning information only. Karo Data Management does not guarantee that the Service will be rendered within the timeframe; however:
- Karo Data Management will provide regular progress updates of actual hours and timelines against estimate.
- Karo Data Management will notify the organisation as soon as practicable if the estimated hours are likely to be exceeded.
- Karo Data Management will not exceed the estimated hours without the organisation's written consent.

Confidentiality and Security

Karo Data Management and the organisation agree that they will keep at all times as strictly confidential any confidential information that is disclosed or provided by one party to the other. Karo Data Management and the organisation shall ensure that all of their respective employees, contractors and advisors are made aware of the obligations of confidentiality prior to use of the information by these persons, which shall be on a strictly need to know basis.

Health and Safety

When visiting or carrying out the Services from your organisation’s offices, Karo Data Management shall at all times comply with your organisation’s Health and Safety Policy requirements and any other reasonable instructions given by your personnel.

Karo Data Management Obligations

Karo Data Management will use reasonable commercial efforts to perform the Services as described in the Statement of Work in accordance with the Agreement.
Karo Data Management may select qualified and reputable sub-contractors to perform the Services, as stated in the Statement of Work, and notify the organisation in writing.

Client’s Obligations

The organisation shall comply with the general obligations specified below together with any specific Client obligations described in the Statement of Work, in a timely manner. The organisation acknowledges that Karo Data Management’s ability to deliver Services is dependent upon the organisation's full and timely co-operation with Karo Data Management, as well as the accuracy and completeness of any information and data which the organisation provides to Karo Data Management. Accordingly, the organisation shall:
- Provide Karo Data Management with access to, and use of, all reasonably required information, data, documentation, and facilities, working space and office services in connection with performance of the Services.
- Appoint a representative who shall provide professional and prompt liaison with Karo Data Management, have the necessary expertise and authority to commit the organisation, and be available to meet with Karo Data Management’s representative at regular intervals to review progress and resolve any issues relating to the Services.
- Approve work within 4 weeks of completion. Where the organisation has not provided any feedback following the completion of the required work, the organisation will be billed for the services in this agreement.
The organisation shall be liable for any delays to the milestones specified in the Statement of Work caused by the organisation or resulting from the organisation's failure to fulfil any of its obligations.
Karo Data Management may, with prior notice, charge the organisation for any additional charges incurred by Karo Data Management as a result of such delays, and may adjust the affected delivery schedule accordingly.

User Acceptance Testing

The PHO is strongly advised to test inside a Patient Management System especially if the form includes:
- Pre-population from demographics, classifications, screening, and lab results
- Setting Recalls
- Writing back classifications and screening terms
- Creating an invoice
The PHO is responsible for signing off that the application is fit for purpose and that all clinical fields have been tested in a PMS by a clinically qualified tester.

Go Live

Best efforts will be made by Karo to deploy any completed work to production by the Go Live date indicated but reserves the right to withhold deployment if:
- There are last minute issues and bugs discovered in the code.
- Karo is not satisfied that thorough UAT has taken place, including confirmation that all clinical fields have been tested by a qualified tester.
- There are any unforeseen problems with Karo’s production lines.

Payment

Karo Data Management shall deliver an invoice for the Services to the organisation at the end of each month and the organisation shall pay Karo Data Management for the invoice on the twentieth day of the month following the date of the invoice.

Invoicing for Services – Time and Materials

Where the Services are charged on Time and Materials basis, Karo Data Management will invoice the organisation according to the hourly rates and billing periods set out in this Agreement for the actual hours worked in each billing period.

Invoicing for Services – Fixed Cost

Where the Services are charged on Fixed Cost basis, Karo Data Management will invoice the organisation the Fixed Cost at the billing periods set out in this Agreement.
All invoices are to include credits for payments or adjustments made in previous months.

Expenses

Unless otherwise specified in this Agreement the organisation will reimburse Karo Data Management for:
special or unusual expenses incurred at the organisation's specific request; and
travelling costs and agreed disbursements incurred in performing the Services.

Interest

Karo Data Management reserves the right to charge interest of up to 5% on any outstanding invoice amounts not paid within 10 days of the due date for payment.

Goods and Services Tax

All amounts stated in any Agreement are exclusive of GST.

Warranties

Karo Data Management shall perform the Services in accordance with generally recognised commercial practices and standards. Karo Data Management shall re-perform any Services not performed in accordance with the foregoing warranty, provided that Karo Data Management receives written notice from the organisation within 30 days after such Services were due to be performed.
The above warranties are exclusive and no other warranty, whether written or oral, is expressed or implied. Karo Data Management specifically disclaims the implied warranties of merchantability and fitness for a particular purpose.

Intellectual Property

Retained Intellectual Property: The following Intellectual Property (including any modification, enhancement or derivative work of that Intellectual Property) remains the property of the current owner, regardless of its use in the Services:
- Intellectual Property that existed prior to the date of the Agreement; and
- Intellectual Property that was developed independently of the Agreement.
Know how: To the extent not owned by the Supplier, the Client grants the Supplier a royalty-free, transferable, irrevocable and perpetual licence to use for the Supplier’s own business purposes any know how, techniques, ideas, methodologies, and similar Intellectual Property used by the Supplier in the provision of the Services.
All new Intellectual Property created or developed by the Supplier in providing the Services is owned by Karo Data Management unless otherwise specified in a written agreement with your organisation.

Limitation of Liability and Indemnity

Karo Data Management’s liability (together with their servants, agents and contractors), whether in contract, tort, under statute or otherwise, for any loss or damage to person or property, or consequential or indirect loss, or economic loss which is caused, contributed to or otherwise arises from the product or services supplied or any defect in them, or any negligent act or omission, shall be strictly limited to the value of the services supplied by Karo Data Management, whether under this Agreement or otherwise, to a total sum equal to the amount paid by the organisation to Karo Data Management under the terms of each specific engagement for which there is an approved Statement of Work or Letter of Engagement.
In particular, Karo Data Management will not be liable at all for consequential or indirect loss, or economic loss including loss of profits or savings, loss of opportunities or loss of records or data, or for losses or damages claimed by third parties, unless such loss is caused by Karo Data Management’s gross negligence or wilful misconduct.
The organisation agrees to indemnify Karo Data Management for any liabilities, claims, losses, costs and expenses (including legal expenses) incurred by Karo Data Management arising out of or in relation to the organisation’s inappropriate use of the Services.
Where programs and processes are provided by Karo Data Management Limited (Karo) based on information provided by you to Karo, you accept that Karo has no knowledge or skill to be able to confirm the validity or accuracy of the information or data provided by you.
Accordingly, neither Karo nor its employees accept any liability, including liability for negligence, for adverse effects arising from the information provided by you, to you or any third party. For clarity, ‘information’ amongst other things includes ‘business rules’ and ‘clinical’.
Karo does not guarantee that our forms will pre-populate from the PMS or write back to the PMS every time a call to the PMS is made. We do not accept any liability for the PMS.
The limitation of liability and the indemnity in any clauses survives the termination of this Agreement.
Your organisation agrees to provide user acceptance testing signoff for any forms built for your organisation prior to production. Karo Data Management will not be liable at all for any programs / forms where User Acceptance Testing has not been completed by your organisation.

Termination

Either party may terminate this agreement by giving either 3 months’ notice in writing of the intention to terminate, or payment in lieu of such notice.
After commencement of this agreement, any amendments shall be notified to and agreed upon and signed by both parties in writing at least 30 days before they take effect unless a different period of notice is agreed between both parties.

Entire Agreement

This agreement sets out the entire agreement between us, and supersedes all prior oral and written representations, understandings, arrangements or agreements.

General

The organisation shall ensure that Karo Data Management is made aware of and Karo Data Management shall comply with any special regulations applicable prior to commencement of any Services at the organisation's site.
No Joint Venture: Nothing contained in this Agreement shall be construed as creating a joint venture, partnership or employment relationship between the parties hereto, nor shall either party have the right, power or authority to create any obligation or duty, express or implied, on behalf of the other party.
No Assignment: Except with respect to Karo Data Management’s rights regarding the use of subcontractors, neither party may assign any rights or obligations under this Agreement without the prior written consent of the other party.
The laws of New Zealand govern these Terms and the parties agree to submit to the non-exclusive jurisdiction of the courts of New Zealand.
Updated: 06/06/2023
