"We", "Us", or "Our" refers to the Company as defined above.

"Customer" refers to any individual, business, or entity anywhere in the world that accesses, uses, or purchases our Services or Products, whether directly or through an authorised representative.

"You" or "Your" refers to the Customer as defined above.

"Supplier" refers to any third-party vendor, service provider, contractor, or licensor that provides products, services, software, or infrastructure used in or integrated with the Company’s Services or Products.

"Third Party" refers to any entity other than the Company, Customer, or their respective affiliates. This may include partners, external service providers, licensors, or users who interact with the Services but are not direct parties to these Terms.

"Personal Data" is any information relating to an identifiable individual, as defined under applicable data protection laws.

"Processor" refers to us as defined above.

"Controller" refers to you as defined above.

"Processing" is any operation performed on Personal Data, including collection, storage, modification, transfer, or deletion.

"Data Subject" is the individual whose Personal Data is being processed.

"Sub-Processor" is any third party engaged by us to process Personal Data on behalf of the Controller.

"Applicable Laws" includes the Protection of Personal Information Act (POPIA - South Africa), General Data Protection Regulation (GDPR - EU), California Consumer Privacy Act (CCPA - USA), UK GDPR (UK), Australian Privacy Act, and other relevant laws governing data protection in jurisdictions where we operate.

This agreement regulates our processing of Personal Data on behalf of the Controller in relation to the services provided.

Unless required by law, we will process Personal Data solely in accordance with the Controller’s instructions, including through our user interface (UI) and application programming interface (API).

This agreement applies to all international customers and adheres to multi-jurisdictional data protection regulations.

Process personal data exclusively for the purposes required by the Controller.

Implement appropriate technical and organisational measures to protect data from unauthorised access, loss, or damage breaches.

Ensure that staff members are authorised to manage personal data and maintain confidentiality.

Assist the Controller in complying with Data Subject requests.

Inform the Controller promptly and within 72 hours in the event of a data breach.

Ensure that all Sub-Processors adhere to equivalent data protection obligations.

Ensure that personal data is collected lawfully and, where required, with appropriate consent.

Provide accurate and legal guidance for data processing.

Inform Data Subjects about their rights and how their data is processed.

Ensure that cross-border data transfers comply with the relevant laws and regulatory frameworks.

Standard Contractual Clauses (SCCs) for EU, UK, and Swiss users.

Binding Corporate Rules (BCRs) where applicable.

Adequacy decisions by regulatory authorities.

Appropriate safeguards for non-EU transfers (e.g., US Data Privacy Framework, contractual clauses, local laws compliance).

We shall implement industry-standard security measures (e.g., encryption, access controls, firewalls, and monitoring).

A Data Breach Notification Procedure is in place to identify and report breaches within required legal timeframes.

All employees, contractors, and Sub-Processors handling Personal Data are required to follow strict confidentiality obligations.

The Processor will assist the Controller in responding to requests from Data Subjects, including:

Right to Access Personal Data.

Right to Rectification of inaccurate data.

Right to Erasure ("Right to be Forgotten"), subject to retention obligations.

Right to Data Portability where applicable.

Right to Object to Processing or restrict certain processing activities.

Requests will be handled within the legally mandated timeframe (e.g., 30 days under GDPR, 45 days under CCPA, "reasonable timeframe" under POPIA).

They comply with similar data protection obligations.

The Controller is notified of any significant changes in Sub-Processor use.

A valid Data Processing Agreement (DPA) is in place with the Sub-Processor.

We shall retain Personal Data only as long as necessary for providing services or as legally required.

Upon termination of services, all data referencing personal information will be deleted within 90 days unless:

Required for legal or regulatory compliance.

The Controller requests an extension or alternative retention period.

We shall notify the Controller within 72 hours if a data breach is detected.

The breach report will include:

Nature of the breach and affected data.

Mitigation steps taken.

Recommendations for additional security measures.

The Controller is responsible for notifying regulators and affected Data Subjects where required.