Data Processing Agreement

Parties

This Data Processing Agreement ("DPA") forms part of and is subject to the IntelliDesk Terms of Service, and is entered into by and between:

• i60, a South African business operating the IntelliDesk helpdesk and project-management platform at intellidesk.co (the "Operator"); and
• The customer identified in the signature block below, or (if this DPA is accepted by click-wrap as part of the Terms of Service) the entity on behalf of which the Terms of Service have been accepted (the "Responsible Party").

The Operator and the Responsible Party are each a "Party" and together the "Parties".

Recitals

WHEREAS the Responsible Party and the Operator have entered into or will enter into an agreement under which the Operator provides the IntelliDesk service to the Responsible Party (the "Service Agreement");

WHEREAS in the course of providing the Service, the Operator processes Personal Information on behalf of the Responsible Party;

WHEREAS the Responsible Party is responsible under the Protection of Personal Information Act, 2013 ("POPIA") for ensuring that its processing of Personal Information is lawful, and the Parties wish to record their respective obligations with respect to the processing of Personal Information by the Operator;

NOW THEREFORE the Parties agree as follows:

1. Definitions

Capitalised terms used in this DPA but not defined in this Section or elsewhere in this DPA have the meanings given to them in POPIA or the Service Agreement. The following additional definitions apply:

• "Applicable Data Protection Laws" means POPIA and any other law concerning the processing or protection of Personal Information that applies to the Parties.
• "Customer Data" means Personal Information that the Responsible Party (and its authorised users) submits to or has processed by the Service.
• "Data Subject", "Operator", "Personal Information", "Processing", "Responsible Party", and "Security Compromise" have the meanings given in POPIA.
• "Sub-operator" means any third party engaged by the Operator to process Customer Data in connection with the Service.

2. Scope and role of the parties

2.1 The Operator will process Customer Data as an Operator on behalf of the Responsible Party in connection with the Service. The Responsible Party is and remains the Responsible Party for all Customer Data it submits to the Service.

2.2 The subject-matter and duration of the processing, the nature and purpose of the processing, the types of Personal Information, and the categories of Data Subjects are set out in Schedule A to this DPA.

2.3 The Responsible Party confirms that it has a lawful basis under POPIA for collecting, using, and submitting to the Service the Customer Data that it submits, and that it has complied with its POPIA obligations (including Sections 13 and 14) in respect of such Customer Data.

3. Operator's obligations — processing on instructions

3.1 In accordance with Section 20(b) of POPIA, the Operator will process Customer Data only on the documented instructions of the Responsible Party. The Service Agreement, this DPA, and the Responsible Party's ordinary use of the Service constitute the Responsible Party's documented instructions.

3.2 If the Operator believes that an instruction from the Responsible Party violates POPIA or other Applicable Data Protection Laws, the Operator will inform the Responsible Party without delay.

3.3 The Operator will not process Customer Data for any purpose other than to provide the Service, to comply with the Responsible Party's instructions, or as required by law.

4. Confidentiality

4.1 In accordance with Section 20(a) of POPIA, the Operator will treat all Customer Data as confidential. The Operator will ensure that any personnel authorised to process Customer Data are bound by written confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.

5. Security measures

5.1 In accordance with Section 19 of POPIA, the Operator will implement appropriate, reasonable technical and organisational measures to secure Customer Data against loss, damage, unauthorised destruction, and unlawful access or processing. These measures include:

• Encryption of Customer Data in transit using TLS/HTTPS
• Encryption at rest of sensitive credentials such as API keys, OAuth refresh tokens, and IMAP passwords (AES-256-GCM)
• Tenant-level isolation in the database layer so that one customer's data cannot be accessed by another
• Role-based access controls within the Service so that an authorised user can only access data within helpdesks they are members of
• Multi-factor authentication options via the identity provider (Clerk)
• Audit logging of administrative and data-deletion actions
• Regular review of dependencies and security patching of the code base

5.2 The Operator will, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, update these measures from time to time as appropriate.

6. Sub-operators

6.1 The Responsible Party authorises the Operator to engage Sub-operators to process Customer Data in connection with the Service. The current list of Sub-operators is maintained on the Operator's public compliance page at intellidesk.co/popia#subprocessors.

6.2 Before engaging any new Sub-operator that will process Customer Data, the Operator will:

• Give the Responsible Party at least 30 days' prior written notice (which may be by email or by updating the published Sub-operators list and notifying customers of the change); and
• Ensure that the Sub-operator is bound by a written agreement that imposes obligations on the Sub-operator that are substantially similar to the obligations imposed on the Operator under this DPA.

6.3 If the Responsible Party reasonably objects to the appointment of a new Sub-operator on the basis of a data-protection concern, the Parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Responsible Party may terminate the Service Agreement in respect of the affected service on reasonable notice without penalty.

6.4 The Operator remains liable to the Responsible Party for the acts and omissions of its Sub-operators in relation to the processing of Customer Data to the same extent as if the Operator had performed those acts and omissions itself, subject to the limitation of liability provisions in the Service Agreement.

7. Cross-border transfers

7.1 The Responsible Party acknowledges and authorises that the Operator and its Sub-operators may transfer and process Customer Data outside of South Africa in connection with the Service.

7.2 Where Customer Data is transferred out of South Africa, the Operator will ensure that at least one of the conditions in Section 72 of POPIA is satisfied — ordinarily, that the recipient of the data is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection substantially similar to POPIA and that includes provisions substantially similar to Section 72(1) regarding onward transfer.

8. Assistance to the responsible party

8.1 Taking into account the nature of the processing, the Operator will assist the Responsible Party by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Responsible Party's obligations to respond to requests by Data Subjects exercising their rights under POPIA.

8.2 If the Operator receives a request directly from a Data Subject who identifies themself as an end-user of a Responsible Party (e.g. a support requester for the Responsible Party's customers), the Operator will not respond to that request directly (or will respond only to confirm that the Data Subject should contact the Responsible Party) and will forward the request to the Responsible Party without undue delay.

8.3 The Operator will assist the Responsible Party in ensuring compliance with its security obligations under Section 19 of POPIA, its breach-notification obligations under Section 22, and (if applicable) its obligation to conduct a prior-authorisation assessment in respect of Customer Data.

9. Security compromise notification

9.1 The Operator will notify the Responsible Party without undue delay after becoming aware of a Security Compromise that affects the Customer Data of the Responsible Party. The notification will contain, to the extent known at the time:

• A description of the nature of the Security Compromise
• The categories and approximate number of Data Subjects affected
• The categories and approximate number of Personal Information records affected
• The likely consequences of the Security Compromise
• The measures taken or proposed to be taken to address the Security Compromise and to mitigate its possible adverse effects
• The name and contact details of the Information Officer or other contact point from whom more information can be obtained

9.2 The Parties agree that the Responsible Party remains responsible for complying with its own notification obligations under Section 22 of POPIA (to the Information Regulator and to affected Data Subjects). The Operator will cooperate reasonably with the Responsible Party's compliance with those obligations.

10. Return or deletion of customer data

10.1 On termination of the Service Agreement, or on earlier written request by the Responsible Party, the Operator will within a commercially reasonable timeframe either return all Customer Data to the Responsible Party in a commonly used machine-readable format or delete and cease processing all Customer Data, at the Responsible Party's choice.

10.2 The Operator may retain copies of Customer Data to the extent required by applicable law, or as contained in routine backups that are rotated and over-written on a regular cycle, provided that any retained Customer Data remains subject to the obligations in this DPA.

11. Audit rights

11.1 The Operator will make available to the Responsible Party all information reasonably necessary to demonstrate compliance with this DPA and with the Operator's obligations under Section 19 to 21 of POPIA.

11.2 On the Responsible Party's written request, and no more than once per calendar year (unless a reasonable data-protection concern requires otherwise, or audit is required by a competent regulator), the Operator will permit and contribute to an audit of its processing of Customer Data. The audit may take the form of the Operator providing a completed data-protection questionnaire, sharing a summary of its most recent third-party security assessment, or permitting an on-site or remote audit by the Responsible Party (or a reputable independent auditor the Responsible Party engages).

11.3 Each Party bears its own costs associated with an audit, unless the audit reveals a material non-compliance by the Operator, in which case the Operator will bear the reasonable costs of the audit.

12. Liability

12.1 Each Party's liability arising out of or related to this DPA, whether in contract, delict, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Service Agreement. For the avoidance of doubt, any reference in the Service Agreement to the liability of one Party to the other Party means the aggregate liability of that Party under the Service Agreement and this DPA, taken together.

13. Term and termination

13.1 This DPA is effective from the date on which the Service Agreement becomes effective between the Parties, and will remain in force for as long as the Operator processes Customer Data on behalf of the Responsible Party.

13.2 Termination of this DPA does not release the Operator from its confidentiality obligations, which survive termination.

14. Governing law and disputes

14.1 This DPA is governed by and construed in accordance with the laws of the Republic of South Africa.

14.2 Any dispute arising from or in connection with this DPA shall be resolved in accordance with the dispute-resolution provisions of the Service Agreement.

15. Order of precedence

15.1 In the event of a conflict between this DPA and the Service Agreement with respect to the processing of Personal Information, this DPA will prevail. In all other respects, the Service Agreement remains in full force and effect.

Schedule A — Details of the processing

Subject-matter of the processing: The Operator's provision of the IntelliDesk helpdesk and project-management service to the Responsible Party.

Duration of the processing: For as long as the Service Agreement is in effect, and thereafter only as described in Section 10 of this DPA.

Nature and purpose of the processing:

• Ingesting inbound email from connected Gmail, Outlook, or IMAP mailboxes and converting it into support tickets
• Storing, routing, displaying, and responding to support tickets submitted by the Responsible Party's end-users
• Storing contact and company records for the Responsible Party's customers
• Creating and managing project cards, attachments, comments, checklists, and activity history
• Sending outbound email replies on behalf of the Responsible Party
• Generating internal analytics and reporting within the Service

Types of Personal Information:

• Names, email addresses, phone numbers, and other contact details of the Responsible Party's end-users, contacts, and companies
• The content of email messages, ticket messages, internal notes, attachments, and any Personal Information embedded therein
• Names, email addresses, and role assignments of the Responsible Party's own agents and administrators
• Authentication identifiers and session data for authorised users

Categories of Data Subjects:

• Agents, administrators, and other authorised users of the Responsible Party
• End-users and customers of the Responsible Party who submit support requests or are otherwise the subject of contact records
• Third parties whose Personal Information appears in the content of inbound email or other submissions by end-users

Signature blocks

This DPA is accepted by the Responsible Party on the date on which it agrees to the Service Agreement, whether by click-wrap acceptance or by execution of a separate ordering document that incorporates the Service Agreement. For customers that require a countersigned copy:

To countersign: print this page (Ctrl/Cmd-P in your browser), complete both signature blocks, and email the signed copy to privacy@intellidesk.co. We will countersign and return a copy for your records.