POPIA Agreement

This Data Processing Agreement (“DPA”) is entered into by and between Hulisa (“Data Processor”) and Netcash and Sage One Accounting (“Data Controller”), collectively referred to as the “Parties,” in accordance with the Protection of Personal Information Act (POPIA).

1. Definitions

1.1 “Data Controller” refers to the entity that determines the purposes and means of the processing of personal data.
1.2 “Data Processor” refers to the entity that processes personal data on behalf of the Data Controller.
1.3 “Personal Data” means any information relating to an identified or identifiable natural person.
1.4 “Processing” means any operation or set of operations which is performed on personal data.

2. Purpose

2.1 The Data Processor agrees to process personal data on behalf of the Data Controller for the purpose of generating debit orders and billing for services subscribed to or signed up for by the Data Controller’s clients, such as bookkeeping services.

3. Obligations of the Data Processor

3.1 The Data Processor shall process personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law.
3.2 The Data Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to encryption of personal data, pseudonymization, and regular testing and evaluation of the effectiveness of such measures.

4. Subprocessing

4.1 The Data Processor shall not engage another processor (“Subprocessor”) without prior specific or general written authorization of the Data Controller. In the case of general written authorization, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Data Controller the opportunity to object to such changes.

5. Security Breach

5.1 In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach. The notification shall include all relevant information known to the Data Processor, including the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences of the breach.

6. Data Subject Rights

6.1 The Data Processor shall assist the Data Controller in responding to requests from data subjects exercising their rights under POPIA, including but not limited to requests for access, rectification, erasure, and data portability.

7. Data Protection Impact Assessment (DPIA)

7.1 The Data Processor shall assist the Data Controller in carrying out a Data Protection Impact Assessment where required under POPIA.

8. Duration and Termination

8.1 This DPA shall remain in force for the duration of the agreement between the Parties and shall terminate upon the termination of such agreement.
8.2 Upon termination of this DPA, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data to the Data Controller and delete existing copies unless required by law to retain such data.

9. Governing Law

9.1 This DPA shall be governed by and construed per the laws of South Africa.

10. Miscellaneous

10.1 Any amendments or modifications to this DPA shall be made in writing and signed by both Parties.
10.2 This DPA constitutes the entire agreement between the Parties concerning the subject matter hereof and supersedes all prior and contemporaneous agreements and understandings, whether written or oral, relating to such subject matter.

In witness whereof, the Parties have executed this DPA as of the Effective Date.

By: Hulisa (Data Processor)

Date: 05 May 2024

By: Netcash & Sage One Accounting (Data Controller)

Date: 05 May 2024