Data Processing Agreement
Effective date: 1 April 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and Be Relevant (Pty) Ltd and governs the processing of personal information in connection with your use of RegDesk. It is entered into in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA").
1. Definitions
In this DPA:
- "Responsible Party" means the Client (you), who determines the purpose and means of processing personal information.
- "Operator" means Be Relevant (Pty) Ltd, which processes personal information on behalf of the Responsible Party.
- "Data Subject" means any natural person whose personal information is processed.
- "Personal Information" has the meaning given in POPIA and includes any information relating to an identifiable natural person.
- "Processing" means any operation performed on personal information, including collection, storage, use, disclosure, and deletion.
2. Roles and Responsibilities
The Client acts as the Responsible Party in respect of all personal information uploaded to or managed through RegDesk. Be Relevant (Pty) Ltd acts as the Operator and processes personal information solely on the documented instructions of the Client and for the purpose of providing the RegDesk service.
The Client is responsible for ensuring that it has a lawful basis for processing any personal information it provides to the platform, including obtaining any necessary consents from Data Subjects.
3. Categories of Personal Information Processed
In the course of providing the service, RegDesk may process the following categories of personal information on behalf of the Client:
- Names, identity numbers, and contact details of Key Individuals (KIs), directors, and compliance officers;
- Professional qualifications, regulatory registration details, and fitness and propriety records;
- Employment history and role information relevant to FSCA regulatory requirements;
- Document metadata and file content uploaded by the Client;
- User account information for platform access (names, email addresses, roles).
4. Operator Obligations
Be Relevant (Pty) Ltd undertakes to:
- Process personal information only on documented instructions from the Client and for no other purpose;
- Implement appropriate technical and organisational security measures to protect personal information against unauthorised access, disclosure, alteration, or destruction;
- Ensure that persons authorised to process personal information are subject to confidentiality obligations;
- Not engage any sub-processors without the Client's prior written consent, except as set out in Schedule A;
- Assist the Client in fulfilling its obligations to respond to Data Subject requests under POPIA;
- Notify the Client without undue delay upon becoming aware of a personal information breach that may affect the Client's Data Subjects;
- Delete or return all personal information to the Client upon termination of the service, at the Client's election, subject to any legal retention requirements.
5. Security Measures
Be Relevant (Pty) Ltd implements the following technical and organisational security measures:
- Encryption of data in transit using TLS 1.2 or higher;
- Encryption of data at rest using AES-256 or equivalent;
- Role-based access controls limiting access to personal information to authorised personnel only;
- Regular security assessments and vulnerability management;
- Audit logging of access to personal information;
- Secure cloud infrastructure hosted within compliant data centres.
6. Sub-processors
The Client authorises Be Relevant (Pty) Ltd to engage the following categories of sub-processors for the purpose of providing the service:
- Cloud infrastructure providers (for hosting and storage);
- Email delivery services (for transactional and notification emails);
- Authentication services (for user identity management).
A current list of specific sub-processors is available on request. We will notify the Client of any intended changes to sub-processors and provide the Client with the opportunity to object.
7. Data Subject Rights
Where a Data Subject exercises rights under POPIA (including the right to access, correct, or delete their personal information), the Client, as Responsible Party, is responsible for responding to such requests. Be Relevant (Pty) Ltd will assist the Client in responding to such requests to the extent technically feasible and within a reasonable timeframe.
8. Data Breach Notification
In the event of a personal information breach affecting data processed under this DPA, Be Relevant (Pty) Ltd will notify the Client within 72 hours of becoming aware of the breach. The notification will include, to the extent available, a description of the nature of the breach, the categories and approximate number of Data Subjects affected, and the measures taken or proposed to address the breach.
9. Retention and Deletion
Personal information processed under this DPA will be retained for the duration of the service agreement plus a period of 30 days following termination. Upon expiry of this retention period, personal information will be securely deleted or anonymised, unless a longer retention period is required by applicable law.
10. Cross-border Transfers
Personal information processed under this DPA is stored and processed within South Africa or in jurisdictions that provide an adequate level of protection as determined by applicable law. Where cross-border transfers are necessary, Be Relevant (Pty) Ltd will ensure appropriate safeguards are in place in accordance with POPIA.
11. Audit Rights
The Client may, on reasonable written notice and at its own cost, request information from Be Relevant (Pty) Ltd to verify compliance with this DPA. Be Relevant (Pty) Ltd will provide reasonable cooperation with such requests, which may include providing relevant documentation, certifications, or audit reports.
12. Contact and Complaints
For any queries relating to this DPA or the processing of personal information, please contact our Information Officer at [email protected].
Data Subjects who believe their personal information has been processed unlawfully may lodge a complaint with the Information Regulator of South Africa at www.justice.gov.za/inforeg.