Data processing agreement
Effective date: 2026-05-29
Operator: Navrix Solutions (Pty) Ltd (registration number [Navrix Solutions registration number]), trading as Khanyitas.
Responsible party: the Customer that has subscribed to the Service.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Khanyitas and the Customer. It governs how Khanyitas processes the personal information about *your data subjects* (your customers, employees, suppliers, prospective customers) that you submit to the Service. For that processing, you are the responsible party and Khanyitas is the operator under POPIA s20 and s21.
A separate Privacy Policy at /legal/privacy-policy describes how Khanyitas processes personal information about *you and your staff* in your role as our customer. That processing is on our own behalf, not on yours.
1. Definitions
Terms in this DPA have the meaning given in POPIA unless otherwise stated. In particular:
- Personal information has the meaning in POPIA s1.
- Operator has the meaning in POPIA s1 — a person processing personal information on behalf of a responsible party.
- Responsible party has the meaning in POPIA s1 — the person determining the purpose and means of processing.
- Customer Content is the personal information you submit to the Service (data-register entries, DSAR records, breach incidents, training-assignment records, customer profile, and similar).
- Sub-operator is an operator that Khanyitas engages to assist with processing under this DPA.
2. Subject matter
2.1 What we process for you
Khanyitas processes Customer Content only to provide the Service to you: storing entries, generating documents, running workflows you trigger, surfacing reminders, computing scores, and producing exports. We do not analyse Customer Content for our own purposes.
2.2 Categories of personal information
Customer Content typically includes — depending on which Service modules you use — categories of personal information about your data subjects: contact details, identity details, demographic details, employment information, financial information, health information (only where you record it for a lawful purpose), and biometric or criminal information (only where you record it for a lawful purpose).
2.3 Categories of data subjects
Typically: your customers, your employees, your prospective customers, your suppliers, and your visitors.
2.4 Duration
We process Customer Content for as long as your subscription is active, plus a 30-day export window after termination, after which we delete Customer Content securely (subject to any legal retention obligation).
3. Your instructions (POPIA s20)
Khanyitas processes Customer Content only with your knowledge or authorisation and only as necessary to provide the Service, unless required by law to do otherwise. You give us those instructions by configuring the Service, submitting Customer Content, and using the workflows we provide. We will not process Customer Content for any other purpose.
4. Confidentiality
We require every person we authorise to process Customer Content to be bound by a duty of confidentiality, either by contract or by statute.
5. Security safeguards (POPIA s19 and s21(1))
We maintain appropriate technical and organisational measures to secure the integrity and confidentiality of Customer Content. Our current measures include:
- Encryption in transit (TLS 1.2 or later, HTTPS everywhere) and at rest (Supabase Postgres and AWS-managed storage)
- Row-Level Security on every customer-scoped table, gated by the signed-in customer's authentication
- Multi-factor authentication on all administrative accounts
- Access logging, periodic access review, and least-privilege role assignments
- Vendor due diligence on every sub-operator
- A documented incident-response procedure with named escalation paths
- Secure software-development practices, dependency scanning, and patching
We update these measures from time to time to keep pace with reasonable industry practice; we do not weaken them.
6. Sub-operators (POPIA s21)
We engage the following sub-operators to assist with processing Customer Content:
| Sub-operator | Purpose | Processing region |
|---|---|---|
| Supabase | Database, authentication, storage | Ireland (EU) |
| AWS | Cloud infrastructure (Supabase + Vercel sub-operator) | af-south-1 (Cape Town) or Ireland depending on service |
| Vercel | Application hosting and edge delivery | United States |
| Resend | Email delivery (account, notifications) | United States |
| Paystack | Subscription billing (your contact + billing details, not Customer Content) | South Africa (with sub-processors in Nigeria and Ireland for the underlying Paystack platform) |
Each sub-operator is bound by a written contract that imposes the same data-protection obligations set out in this DPA, including the security and breach-notification requirements. We remain responsible to you for each sub-operator's compliance.
Adding or replacing a sub-operator. We will notify you at least 30 days before adding or replacing a sub-operator that will process Customer Content. If you have a reasonable objection grounded in data-protection risk, you may terminate the Service for that reason and we will refund the unused portion of any paid Fees.
7. Cross-border processing (POPIA s72)
Some sub-operators process Customer Content on servers outside the Republic of South Africa. We rely on:
- s72(1)(a) — the sub-operator is bound by a written contract that gives effect to principles for the lawful processing of personal information substantially similar to POPIA, including provisions on onward transfer; and
- s72(1)(c) — the transfer is necessary for the performance of the contract between you and us.
We do not authorise any sub-operator to transfer Customer Content onward to a third party in a third country except on the same basis.
8. Personal-information breach notification (POPIA s21(3))
If there are reasonable grounds to believe that Customer Content has been accessed or acquired by an unauthorised person, we will notify you without undue delay, and in any case within 72 hours of confirming the compromise. The notification will include, to the extent we can determine it at the time:
- The nature of the compromise, the systems affected, and the categories of personal information involved
- The approximate number of data subjects affected
- Likely consequences and any containment steps already taken
- A point of contact for further information
We will assist you with the s22 notification obligations you owe to the Information Regulator and to affected data subjects.
9. Assisting you with data-subject requests
The Service is designed to help you respond to data-subject requests (access, correction, deletion, objection, withdrawal of consent) inside the Khanyitas dashboard. If, despite this, your data subject sends a request directly to Khanyitas, we will forward it to you within five business days without responding to the request substantively ourselves (subject to identity-verification gating).
10. Records (POPIA s17)
We keep records of the categories of Customer Content we process on your behalf and the recipients (the sub-operators in section 6 plus any disclosure permitted by you or required by law). You can request a current copy at any time.
11. Return and deletion on termination
When the Service terminates — for any reason — you may export all Customer Content for 30 days from the dashboard. After 30 days we securely delete Customer Content from our active systems and instruct sub-operators to do the same, except where:
- A specific law requires us to retain it (we will tell you which and for how long); or
- It is held in routine backups that cycle out within 90 days, during which we will not restore Customer Content into active processing.
On request after deletion, we will provide written confirmation.
12. Audit and assurance
We make available the information reasonably necessary to demonstrate our compliance with this DPA, including:
- A summary of our security measures (this DPA section 5)
- Sub-operator details (section 6)
- Completed security questionnaires from regulated customers within a reasonable time
- The verifiable compliance trail feature at /verification, which produces a privacy-safe SHA-256 attestation of your compliance activity
Where you have a regulator-mandated audit right, you may exercise it on reasonable notice during normal business hours, at your cost, subject to confidentiality undertakings and not more than once a year unless a regulator requires more frequent audits.
13. Liability
This DPA is part of the Terms of Service. The aggregate liability cap and the excluded-loss provisions in the Terms of Service (section 9 of those terms) apply to this DPA, subject to the same Consumer Protection Act carve-outs.
14. Order of precedence
If anything in the Terms of Service conflicts with this DPA on the processing of Customer Content, this DPA prevails for that processing.
15. Changes to this DPA
We may update this DPA from time to time to reflect changes to our sub-operator list, technical measures, or applicable law. For material changes we will give you at least 30 days' notice by email. If you have a reasonable data-protection objection you may terminate the Service for that reason.
16. Effective date
This DPA is effective from 2026-05-29.
Contact
Questions about this DPA: info-officer@khanyitas.co.za.