This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between AgentIX (Pty) Ltd ("AgentIX" or "Operator") and the business entity entering into this Agreement ("Responsible Party"). This DPA applies where AgentIX processes personal information on behalf of the Responsible Party in the course of providing the Services, as required under section 20 and related provisions of POPIA.
1. Definitions
- "Personal Information" — Has the meaning ascribed in POPIA: information relating to an identifiable, living, natural person or an identifiable, existing juristic person.
- "Processing" — Any operation or activity on personal information, including collection, storage, modification, use, distribution, or destruction.
- "Responsible Party" — The party that determines the purpose of and means for processing personal information (your organisation).
- "Operator" — The party that processes personal information on behalf of the Responsible Party (AgentIX (Pty) Ltd).
- "Data Subject" — The individual to whom the personal information relates.
- "Security Compromise" — Unauthorised access to, or acquisition, use, disclosure, modification, or destruction of personal information.
2. Subject Matter and Duration
AgentIX will process personal information on behalf of the Responsible Party in connection with the provision of the Services. This DPA takes effect on the date the Responsible Party first uses the Services and remains in force for the duration of the Services agreement.
3. Nature and Purpose of Processing
AgentIX will process personal information solely for the purpose of providing the Services, including:
- Executing AI-powered automation tasks instructed by the Responsible Party.
- Storing and managing data submitted through the platform.
- Providing technical support and resolving service issues.
- Complying with applicable legal obligations.
AgentIX will not process personal information for any purpose other than as instructed by the Responsible Party or as required by applicable law.
4. Types of Personal Information and Data Subjects
[Complete this section to describe the types of personal information processed and the categories of data subjects, e.g., employees, customers, end-users of the Responsible Party's products]
5. Obligations of the Operator (AgentIX)
AgentIX undertakes to:
- Process personal information only on documented instructions from the Responsible Party, unless required by applicable law.
- Ensure that all personnel with access to personal information are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures to protect personal information.
- Notify the Responsible Party without undue delay upon becoming aware of a security compromise.
- Assist the Responsible Party in responding to requests from data subjects exercising their rights under POPIA.
- Delete or return all personal information upon termination of the Services, as instructed.
- Make available all information necessary to demonstrate compliance and cooperate with reasonable audits.
- Not engage sub-operators to process personal information without prior written authorisation from the Responsible Party.
6. Obligations of the Responsible Party
The Responsible Party undertakes to:
- Ensure that personal information is lawfully collected and that a valid legal basis exists for all processing instructions given to AgentIX.
- Ensure that data subjects have been notified of the processing of their personal information as required by POPIA.
- Provide AgentIX with accurate and complete processing instructions.
- Notify AgentIX of any changes to applicable legal requirements that affect the processing.
7. Security Measures
AgentIX implements security measures including, but not limited to:
- Encryption of personal information in transit (TLS/SSL) and at rest (AES-256 or equivalent).
- Access controls and role-based permissions to limit access to personal information.
- Regular security assessments and penetration testing.
- Employee security training and awareness programmes.
- Incident response procedures for security compromises.
8. Security Compromise Notification
In the event of a security compromise, AgentIX will notify the Responsible Party within 72 hours of becoming aware. The notification will include:
- A description of the nature of the compromise.
- The categories and estimated number of data subjects affected.
- A description of measures taken or proposed to address the compromise.
- Contact details of the AgentIX Information Officer.
9. Sub-Operators
AgentIX may engage sub-operators (subcontractors) to perform certain processing activities. A list of current sub-operators is available upon request. AgentIX will notify the Responsible Party of any changes and will ensure all sub-operators are bound by equivalent data protection obligations. The Responsible Party may object to new sub-operators within 30 days of notification.
10. Cross-Border Transfers
Where personal information is transferred outside South Africa, AgentIX will ensure compliance with section 72 of POPIA, including ensuring that the recipient country provides adequate protection or that appropriate contractual safeguards are in place.
11. Data Subject Rights
AgentIX will assist the Responsible Party in responding to requests from data subjects exercising their POPIA rights. The Responsible Party is responsible for determining whether and how to respond to such requests. AgentIX will provide reasonable technical assistance within agreed timelines.
12. Audit Rights
The Responsible Party may, upon at least 30 days' written notice, request an audit of AgentIX's processing activities covered by this DPA. Audits must be conducted during business hours with minimal disruption to operations. Audit costs are borne by the Responsible Party.
13. Termination and Return of Data
Upon termination of the Services, AgentIX will, at the Responsible Party's choice, securely delete or return all personal information, unless applicable law requires continued retention. Confirmation will be provided in writing.
14. Liability
Each party shall be liable for its own acts and omissions in breach of this DPA. Where a party is held liable for a breach that is wholly or partly attributable to the other party, the liability shall be reduced proportionally.
15. Governing Law
This DPA is governed by the laws of the Republic of South Africa.
16. Contact
| Information Officer | [INFORMATION OFFICER NAME] |
| Email | privacy@[YOUR-DOMAIN].com |
| Address | [REGISTERED ADDRESS], South Africa |