Template notice. This DPA is provided as a structural starting point and must be reviewed by qualified privacy counsel before being signed or relied upon.
This Data Processing Addendum ("DPA") is incorporated into and forms part of the agreement between South Assistants (Pty) Ltd ("Processor") and the Customer ("Controller") for the provision of the South Assistants Service (the "Agreement"). It applies where the Processor processes Personal Data on behalf of the Controller in the course of providing the Service.
1. Definitions
Terms not defined here carry the meaning given to them in POPIA and the GDPR, as applicable. "Personal Data", "Processing", "Data Subject", "Supervisory Authority", "Standard Contractual Clauses" and related terms are interpreted accordingly.
2. Subject matter and duration
The Processor processes Personal Data for the duration of the Agreement and for the purposes described in Annex A (Description of Processing).
3. Roles
The Controller is the responsible party (under POPIA) or data controller (under the GDPR). The Processor processes Personal Data only on the Controller's documented instructions, including with regard to international transfers.
4. Processor obligations
4.1 Confidentiality of personnel and appropriate non-disclosure obligations.
4.2 Technical and organisational measures consistent with Annex B, reviewed at least annually.
4.3 Assistance to the Controller with data-subject rights, data-protection impact assessments, and regulator consultations, to the extent reasonable.
4.4 Notification of a confirmed Personal Data breach without undue delay and in any case within 72 hours of becoming aware, together with available details and mitigation actions.
5. Subprocessors
5.1 The Controller grants general authorisation for the Processor to engage subprocessors, provided the Processor maintains a current list at /legal/subprocessors and gives at least 30 days' advance notice of any new subprocessor.
5.2 The Controller may object on reasonable grounds related to data protection, in which case the parties will work in good faith to reach a resolution.
5.3 The Processor imposes on each subprocessor data-protection obligations no less protective than those set out in this DPA.
6. International transfers
Where Personal Data is transferred outside the EEA, UK, or South Africa, the transfer is protected by the applicable Standard Contractual Clauses (for GDPR), the UK International Data Transfer Addendum, and POPIA section 72 safeguards (for South African data), which are incorporated by reference.
7. Audits
On not less than 30 days' written notice and not more than once per year (except in response to a confirmed incident), the Controller may audit the Processor's compliance with this DPA, either by reviewing the Processor's SOC 2 Type II report or by engaging a mutually acceptable third-party auditor subject to reasonable confidentiality and scope limits.
8. Return or deletion
On termination of the Service, the Processor will at the Controller's choice return or irrevocably delete all Personal Data within 30 days, unless retention is required by law.
9. Liability
The liability of each party under this DPA is subject to the limitation-of-liability provisions of the Agreement.
10. Governing law
This DPA is governed by the law stated in the Agreement.
Annex A — Description of Processing
Subject matter: Personal Data processed to deliver the South Assistants Service.
Nature of processing: Hosting, storage, retrieval, analysis, transmission.
Purpose: Account administration, service delivery, billing, support, product improvement on de-identified data.
Duration: Term of the Agreement plus retention periods required by law.
Categories of Data Subject: Customer users, Assistants, candidates, meeting attendees whose communications are processed by the Service.
Categories of Personal Data: Identity and contact data, employment and assessment data, usage data, communications content.
Annex B — Technical and Organisational Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control, single sign-on, and mandatory multi-factor authentication for employee access.
- Quarterly third-party penetration testing and annual SOC 2 Type II audit.
- Documented incident-response plan with 24-hour escalation path.
- Employee data-protection training at hire and annually thereafter.
- Physical security at hosting locations provided by certified cloud providers.