1. Parties and Background

This Data Processing Agreement ("DPA") forms part of the agreement between PropSign (Pty) Ltd ("Operator") and the subscribing agency ("Responsible Party") for the provision of document signing services.

This DPA is entered into to ensure compliance with the Protection of Personal Information Act, 2013 ("POPIA") and establishes the terms under which the Operator processes personal information on behalf of the Responsible Party.

2. Definitions

In this DPA:

• "Data Subject" means the individual whose personal information is processed
• "Personal Information" has the meaning given in POPIA
• "Processing" includes collection, storage, use, and disclosure
• "Security Compromise" means any breach of security leading to unauthorized access

3. Scope of Processing

3.1 Categories of Data Subjects

• Property buyers and sellers
• Tenants and landlords
• Agency employees and agents
• Other parties to real estate transactions

3.2 Types of Personal Information

• Identity information (name, ID number, passport)
• Contact information (address, email, phone)
• Financial information (where required for transactions)
• Document content and signatures
• Audit trail data

3.3 Processing Activities

• Document creation and storage
• Electronic signature capture
• Communication delivery (email, WhatsApp)
• Compliance record keeping
• Backup and disaster recovery

4. Operator Obligations

The Operator shall:

• Process personal information only on documented instructions from the Responsible Party
• Ensure persons authorized to process have committed to confidentiality
• Implement appropriate security measures as required by POPIA
• Engage sub-processors only with prior authorization and appropriate contracts
• Assist the Responsible Party with data subject requests
• Delete or return personal information upon termination
• Provide information necessary to demonstrate compliance

5. Security Measures

The Operator implements the following security measures:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments and penetration testing
• Employee training and confidentiality agreements
• Incident response procedures
• Business continuity and disaster recovery

6. Sub-Processors

The Operator maintains an up-to-date list of sub-processors. The Responsible Party may object to new sub-processors. A current list is available at getpropsign.co.za/legal/sub-processors.

7. Security Compromise Notification

In the event of a security compromise affecting personal information, the Operator shall:

• Notify the Responsible Party without undue delay
• Provide details of the nature and scope of the compromise
• Describe measures taken to address the compromise
• Assist with notifications to the Information Regulator and data subjects

8. International Transfers

Where personal information is transferred outside South Africa, the Operator ensures appropriate safeguards are in place in accordance with POPIA section 72.

9. Data Subject Rights

The Operator shall assist the Responsible Party in responding to requests from data subjects exercising their rights under POPIA, including rights of access, correction, and deletion.

10. Audit Rights

The Responsible Party may audit the Operator's compliance with this DPA upon reasonable notice, subject to confidentiality obligations.

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Operator shall delete or return all personal information unless retention is required by law.

12. Governing Law

This DPA is governed by the laws of the Republic of South Africa.