Reg No. 2020/255888/07
POPIA Compliant
Data Processing Agreement
In terms of the Protection of Personal Information Act 4 of 2013 (POPIA) — Section 20 and Condition 8
The Operator (Data Processor)
Grey Matter Consulting (Pty) Ltd, a South African private company, Registration No. 2020/255888/07, operating the SignZA electronic signature platform at signza.app (“Operator”).
The Responsible Party (Data Controller)
The individual or entity that has registered for and uses the SignZA platform to send and manage documents for signature (“Responsible Party”). The Responsible Party’s details are as captured at the time of account registration.
1. Background and Purpose
The Responsible Party uses the SignZA platform to send, manage, and store electronically signed documents. In providing this service, the Operator processes Personal Information of the Responsible Party’s clients, counterparties, and employees on behalf of the Responsible Party. The Operator is accordingly an “Operator” as defined in Section 1 of POPIA, and this Agreement sets out the terms governing such processing.
2. Personal Information Processed
| Category | Examples | Source |
|---|---|---|
| Identity data | Full name, email address of document signers | Provided by Responsible Party |
| Device and network data | IP address, browser user agent at time of signing | Automatically collected at signing |
| Biometric-adjacent data | Handwritten signature image (drawn or typed by signer) | Provided by signer |
| Document content | PDF documents uploaded by the Responsible Party | Uploaded by Responsible Party |
| Audit trail data | Signing timestamp, consent timestamp, OTP verification log | Automatically generated at signing |
3. Purpose and Lawful Basis of Processing
The Operator processes Personal Information solely for the following purposes:
- Facilitating the electronic signing of documents uploaded by the Responsible Party;
- Generating and storing a legally compliant audit trail under the ECT Act 25 of 2002;
- Sending signing invitations and OTP verification codes to signers via email;
- Storing signed documents and certificates for retrieval by the Responsible Party.
The Operator will not process Personal Information for any purpose other than as instructed by the Responsible Party or as required by applicable South African law.
4. Data Storage and Location
| System | Provider | Location | Data Stored |
|---|---|---|---|
| Application hosting | Vercel Inc. | Global CDN (edge) + US East origin | Application code only — no personal data at rest |
| Database & file storage | Supabase (AWS) | AWS eu-central-1 (Frankfurt, Germany) | All document data, signatures, audit trail, user accounts |
| Transactional email | Resend Inc. | United States | Signer email address and document title (in transit only) |
All data in transit is encrypted via TLS 1.2+. All data at rest is encrypted via AES-256 by the respective cloud provider.
5. Retention Period
| Data Type | Retention Period | Basis |
|---|---|---|
| Signed documents and audit certificates | Until deleted by the Responsible Party, or 5 years from signing date if not deleted | ECT Act evidentiary requirements |
| Unsigned/draft documents | 90 days from creation if not signed | Operational necessity |
| Account and user data | Until account deletion, then 30 days | POPIA Section 14 |
| Email delivery logs | 30 days | Support and compliance purposes |
6. Sub-Operators (Sub-Processors)
The Operator engages the following sub-operators, each bound by data processing terms consistent with this Agreement:
| Sub-Operator | Role | Location |
|---|---|---|
| Supabase Inc. | Database and file storage (AWS Frankfurt) | USA (data in EU) |
| Vercel Inc. | Application hosting and delivery | USA / Global CDN |
| Resend Inc. | Transactional email delivery | USA |
The Operator will notify the Responsible Party of any material change to sub-operators with at least 14 days’ notice.
7. Obligations of the Operator
The Operator undertakes to:
- Process Personal Information only on documented instructions from the Responsible Party;
- Ensure that all persons authorised to process Personal Information are bound by confidentiality obligations;
- Implement and maintain appropriate technical and organisational security measures as required by POPIA Section 19;
- Notify the Responsible Party without undue delay (and within 72 hours where reasonably possible) upon becoming aware of a Personal Information breach affecting the Responsible Party’s data;
- Assist the Responsible Party in responding to requests from Data Subjects exercising their rights under POPIA;
- At the Responsible Party’s choice, delete or return all Personal Information upon termination of this Agreement, unless retention is required by South African law.
8. Obligations of the Responsible Party
The Responsible Party undertakes to:
- Ensure it has a lawful basis to share Data Subject Personal Information with the Operator;
- Provide Data Subjects with appropriate notice that their Personal Information will be processed by the Operator in connection with document signing;
- Ensure that instructions given to the Operator comply with POPIA and all applicable South African law;
- Not instruct the Operator to process Personal Information in a manner that would violate POPIA.
9. Data Subject Rights
Data Subjects have the right to request access to, correction of, or deletion of their Personal Information. Requests received by the Operator that relate to processing carried out on behalf of the Responsible Party will be forwarded to the Responsible Party within 5 business days. Requests received directly by the Responsible Party may be addressed with the Operator’s cooperation upon written request.
10. Security Measures
The Operator maintains the following controls:
- HTTPS/TLS encryption in transit;
- AES-256 encryption at rest;
- Row-Level Security on the database (users can only access their own data);
- Rate limiting and brute-force protection on all authentication endpoints;
- OTP-based identity verification for signers;
- Audit logging of all signing events.
11. Governing Law and Jurisdiction
This Agreement is governed by the laws of the Republic of South Africa. Any dispute arising from this Agreement shall be subject to the jurisdiction of the South African courts, and the Information Regulator (South Africa) shall have oversight authority in respect of POPIA compliance matters.
12. Contact and Information Officer
Grey Matter Consulting’s Information Officer for POPIA purposes: Craig Haupt · support@signza.app · +27 81 557 1278.
Responsible Parties with data access, correction, or deletion requests should contact the above address.
Signed for and on behalf of the Operator
Grey Matter Consulting (Pty) Ltd
Reg No. 2020/255888/07
Name: Craig Haupt
Capacity: Director
Date: _______________________
Signed for and on behalf of the Responsible Party
Company / Name: ________________
Registration No.: ________________
Authorised signatory: ____________
Capacity: ______________________
Date: _______________________
SignZA · Grey Matter Consulting (Pty) Ltd · Reg No. 2020/255888/07 · signza.app · support@signza.app
This agreement is compliant with the Protection of Personal Information Act 4 of 2013 (POPIA) and the Electronic Communications and Transactions Act 25 of 2002 (ECT Act).