
Data Processing Addendum

Standard DPA between Vault33 (operator) and the Customer (responsible party) under POPIA ss 20–21.

Last updated: 2026-04-20 · Hosted in af-south-1 (Cape Town)

This Data Processing Addendum ("DPA") forms part of the services agreement between Vault33 (Pty) Ltd ("Vault33") and the customer identified in the order form (the "Customer"). Where Vault33 acts as an operator processing personal information on behalf of the Customer as responsible party, this DPA governs that processing under sections 20 and 21 of the Protection of Personal Information Act 4 of 2013 ("POPIA"). It also serves as the written contract required by s 21(2).

1. Definitions

Capitalised terms not defined here carry the meaning given in POPIA. "Services" means the Vault33 platform described in the order form. "Customer Personal Information" means personal information of data subjects that the Customer makes available to Vault33 through the Services.

2. Scope & roles

  • The Customer determines the purpose and means of processing. It is the responsible party for Customer Personal Information.
  • Vault33 processes Customer Personal Information only on the Customer's documented instructions (including the written instructions captured in the order form, the Services configuration, and any audit-logged gateway requests) as required by s 20.

3. Processing details (s 21(2))

  • Subject matter: Secure storage, retrieval and gateway-mediated disclosure of the Customer's records.
  • Duration: For the term of the services agreement, plus the deletion window in clause 10.
  • Nature & purpose: Storage, encryption, indexing, audit-logging, signed checkout to authorised subscribers.
  • Categories of data subjects: As configured by the Customer — typically tenants, clients, beneficial owners, directors.
  • Categories of personal information: Identity, contact, financial, occupational, and where enabled under the Health Data Regs 2026, health information.
  • Special PI (s 26): Only if explicitly enabled; subject to the safeguards in clause 5.

4. Vault33's obligations as operator (s 20, 21)

  1. Process Customer Personal Information only on the Customer's documented instructions.
  2. Treat all Customer Personal Information as confidential (s 20(2)).
  3. Notify the Customer, without undue delay, of any personal-information breach (s 22) — target SLA 24 hours from detection.
  4. Make available information reasonably necessary to demonstrate compliance and allow for audits (s 21(3)) on reasonable notice and subject to confidentiality.
  5. Assist the Customer with data-subject requests under ss 23–25 via the Services' built-in DSAR and revocation tools.

5. Security safeguards (s 19)

Vault33 maintains technical and organisational measures appropriate to the risk, including:

  • AWS KMS envelope encryption with per-subject data encryption keys;
  • TLS 1.2+ in transit; HMAC-chained, append-only audit log, with append-only enforced at the database-role level;
  • Least-privilege IAM, MFA for administrative access, hardware-key signing;
  • Annual penetration testing and quarterly vulnerability scanning;
  • Written information-security policies aligned to ISO/IEC 27001 Annex A controls.
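Clause 5 lists an HMAC-chained append-only audit log. The following is an added illustration, not Vault33's code, of what chaining provides: each entry's MAC covers the previous entry's MAC, so editing or dropping a row invalidates every MAC from that point on. The MAC key, the actors and the audit rows are constructed here; where the key is held (in practice, with the database role that owns the log) is an assumption.

```python
"""Tamper-evident audit log: HMAC chain over canonicalised JSON entries.

Added example, not Vault33's code. The key and rows below are constructed.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain anchor for the first entry


def _entry_mac(key: bytes, prev_mac: bytes, entry: dict) -> bytes:
    """MAC over the previous MAC and the canonical form of this entry."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + canon, hashlib.sha256).digest()


def append_entry(key: bytes, log: list, entry: dict) -> dict:
    """Append an entry whose MAC binds it to the current tail of the log."""
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    row = dict(entry, seq=len(log), mac=_entry_mac(key, prev, entry).hex())
    log.append(row)
    return row


def verify_chain(key: bytes, log: list) -> tuple:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        body = {k: v for k, v in row.items() if k not in ("seq", "mac")}
        expected = _entry_mac(key, prev, body)
        if row.get("seq") != i or not hmac.compare_digest(expected.hex(), row["mac"]):
            return False, i
        prev = expected
    return True, -1


if __name__ == "__main__":
    key = b"constructed-audit-mac-key"  # constructed; in practice held by the DB role
    log = []
    append_entry(key, log, {"actor": "alice", "action": "checkout", "subject": "s1"})
    append_entry(key, log, {"actor": "bob", "action": "view", "subject": "s2"})
    append_entry(key, log, {"actor": "alice", "action": "revoke", "subject": "s1"})
    print(verify_chain(key, log))            # (True, -1)
    log[1]["actor"] = "mallory"              # in-place edit of a historic row
    print(verify_chain(key, log))            # (False, 1)
```

The chain detects edits and deletions in the middle of the log, but not removal of the most recent rows; the latest MAC needs to be anchored somewhere the database role cannot rewrite (a periodic signed checkpoint, for example) for truncation to be detectable.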

Where the Customer enables health-information processing, Vault33 applies the additional confidentiality, integrity, availability and secure-disposal measures required by regulation 5 of the Regulations relating to the Processing of Data Subjects' Health Information by Certain Responsible Parties, 2026.

6. Sub-operators

The Customer generally authorises Vault33 to engage sub-operators, subject to a written contract imposing obligations no less protective than those in this DPA. Current sub-operators:

  • Amazon Web Services EMEA SARL — infrastructure, processed in af-south-1 (Cape Town).
  • A transactional email provider, processed in the EU/UK under Standard Contractual Clauses and POPIA s 72 safeguards.

Vault33 will give the Customer at least 30 days' written notice of any intended change to this list. The Customer may object on reasonable grounds.

7. Cross-border transfers (s 72)

All primary production processing occurs in af-south-1 (Cape Town, South Africa). Any transfer outside the Republic is performed only where permitted by s 72 — typically (a) to a recipient effectively subject to adequate data-protection law, (b) under binding contractual safeguards, or (c) with the data subject's informed consent.

8. Assistance with DSARs & the Regulator (ss 23–25, 40)

Vault33 provides the Customer with built-in tools to fulfil data-subject requests (access, correction, deletion, objection) and to respond to the Information Regulator. Vault33 does not respond to data-subject requests directly unless instructed in writing by the Customer.

9. Audit rights (s 21(3))

On 30 days' written notice and no more than once in any 12-month period (unless required by a regulator), the Customer may audit Vault33's compliance with this DPA. Routine audits are satisfied by Vault33 providing its most recent independent assurance report.

10. Return or deletion on termination

On termination, and at the Customer's written election within 30 days, Vault33 will either (a) return Customer Personal Information in a portable format, or (b) delete it — using crypto-erasure of the wrapped data encryption key where retention-law obligations (e.g. FIC Act s 23) prevent immediate destruction of the ciphertext. Audit metadata required by law is retained for the statutory period only.
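Clause 5 names envelope encryption with per-subject data encryption keys, and clause 10 relies on it for crypto-erasure. The following added example, not Vault33's code, shows how the two fit together: a KEK that never leaves the key service wraps one DEK per data subject, records hold only ciphertext, and erasing a subject means deleting the wrapped DEK while the ciphertext can be retained for a statutory period. The cipher is a toy HMAC-SHA256 counter-mode keystream with an HMAC tag, standing in for AES-GCM and for the KMS wrap/unwrap API; the class names, the in-memory stores and the sample records are assumptions.

```python
"""Envelope encryption with per-subject DEKs and crypto-erasure.

Added illustration, not Vault33's code. The toy cipher shows the key
hierarchy only; it is not production cryptography.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; wrong key or tampering raises ValueError."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, body)


class KeyManagementService:
    """Stand-in for AWS KMS (assumed name): the KEK never leaves this object."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def generate_data_key(self):
        """Return (plaintext DEK, DEK wrapped under the KEK)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        return unseal(self._kek, wrapped)


class SubjectVault:
    """One DEK per data subject; the record store holds only ciphertext."""

    def __init__(self, kms: KeyManagementService):
        self.kms = kms
        self.wrapped_deks = {}  # subject_id -> wrapped DEK; removed on crypto-erasure
        self.records = {}       # subject_id -> [ciphertext]; may be retained by law

    def _dek_for(self, subject_id: str) -> bytes:
        if subject_id not in self.wrapped_deks:
            dek, wrapped = self.kms.generate_data_key()
            self.wrapped_deks[subject_id] = wrapped
            return dek
        return self.kms.decrypt_data_key(self.wrapped_deks[subject_id])

    def store(self, subject_id: str, record: bytes) -> None:
        self.records.setdefault(subject_id, []).append(seal(self._dek_for(subject_id), record))

    def retrieve(self, subject_id: str) -> list:
        if subject_id not in self.wrapped_deks:
            raise KeyError(f"{subject_id}: no DEK available (never issued or erased)")
        dek = self.kms.decrypt_data_key(self.wrapped_deks[subject_id])
        return [unseal(dek, c) for c in self.records.get(subject_id, [])]

    def crypto_erase(self, subject_id: str) -> int:
        """Delete only the wrapped DEK; return how many ciphertext records remain."""
        self.wrapped_deks.pop(subject_id, None)
        return len(self.records.get(subject_id, []))


if __name__ == "__main__":
    vault = SubjectVault(KeyManagementService())
    vault.store("subject-1", b"constructed lease record")  # constructed sample record
    print(vault.retrieve("subject-1"))
    print(vault.crypto_erase("subject-1"), "ciphertext record(s) retained, now unrecoverable")
```

Because each subject has its own DEK, erasure is per subject and leaves other subjects' data readable; because the KEK stays inside the key service, a copy of the record store alone, with or without its wrapped DEKs, yields nothing.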

11. Liability & order of precedence

This DPA is incorporated into the services agreement. In the event of conflict between this DPA and the services agreement in respect of personal-information processing, this DPA prevails.

12. Governing law

This DPA is governed by the laws of the Republic of South Africa. The parties submit to the exclusive jurisdiction of the High Court of South Africa, Western Cape Division.

© 2026 Vault33 (Pty) Ltd. Hosted in af-south-1. Information Officer designated · contact via PAIA manual