Data Processing Agreement

This Data Processing Addendum (“DPA”) forms part of, and supplements, any agreement between you (the “Customer”) and DiaMatrix (T/A Domains.co.za) for the provision of services (the “Principal Agreement”). It explains how DiaMatrix handles your data — and your end users’ data — when it processes that data on your behalf.

This DPA is designed to ensure that both parties meet their obligations under the Protection of Personal Information Act 4 of 2013 (“POPIA”) and, where applicable, the EU General Data Protection Regulation (GDPR) and any other relevant data protection laws.

1. Definitions

The following terms have the meanings set out below wherever they appear in this DPA. Any term not defined here carries the meaning given to it in the Principal Agreement.

1.1. “Customer Data” means Personal Information that is uploaded to the Services by you, or on your behalf, when using the Services.

1.2. “Data Subject” means the person to whom Personal Information relates.

1.3. “Data Protection Law” means any law or regulation that governs the processing of Personal Information and that applies to either party, including: (i) POPIA; (ii) the GDPR, to the extent it applies; and (iii) any other applicable data protection or privacy laws enacted from time to time in South Africa or any other relevant country.

1.4. “DPA” means this Data Processing Addendum between DiaMatrix and the Customer.

1.5. “Documented Instructions” means the processing instructions you give to DiaMatrix, as described in clause 4.1.

1.6. “Operator” means a person or entity that processes Personal Information on behalf of a Responsible Party under a contract or mandate, and not under the Responsible Party’s direct authority — broadly equivalent to a “processor” under the GDPR.

1.7. “Party” means DiaMatrix or the Customer; “Parties” means both of them.

1.8. “Personal Information” means any information relating to an identified or identifiable living natural person and, where applicable, an identifiable existing juristic person, as defined in applicable Data Protection Law.

1.9. “POPIA” means the Protection of Personal Information Act 4 of 2013, as amended.

1.10. “Principal Agreement” means the agreement between you and DiaMatrix under which DiaMatrix processes Personal Information for or on your behalf.

1.11. “Processing” means anything done with Personal Information — including collecting, receiving, recording, organising, storing, updating, retrieving, using, disclosing, transferring, merging, linking, restricting, or deleting it. “Process”, “Processes” and “Processed” have the same meaning.

1.12. “Responsible Party” means the person or body that decides why and how Personal Information is processed — broadly equivalent to a “controller” under the GDPR. You are the Responsible Party when you use DiaMatrix’s services to process data about your end users.

1.13. “Services” means all services that DiaMatrix provides to you under the Principal Agreement.

1.14. “Sub-processor” means a third party that DiaMatrix engages to process Personal Information as part of the Services, as described in clause 6.

2. General

2.1. What this DPA covers

When DiaMatrix provides the Services to you, it may access, view or process Personal Information about you, your customers, employees, suppliers or other people connected to your business. This DPA sets out the framework that governs how DiaMatrix handles that information.

2.2. Both parties’ compliance obligations

Each Party confirms that it complies with its own obligations under Data Protection Law and is familiar with what those obligations require. If the law changes in a way that affects either Party’s obligations, each Party will update its practices accordingly.

2.3. What happens if this DPA conflicts with the Principal Agreement

This DPA deals specifically with the processing of Personal Information. If there is any conflict between this DPA and the Principal Agreement on that topic, this DPA takes precedence.

3. DiaMatrix’s Obligations

3.1. DiaMatrix’s role

For the purposes of POPIA, DiaMatrix acts as an Operator — it processes Personal Information on your behalf and in accordance with your instructions. DiaMatrix will comply with all obligations that POPIA places on Operators.

3.2. DiaMatrix only uses your data for the Services

DiaMatrix will only process Personal Information to the extent necessary to provide the Services. It will not process or share your Personal Information for any other purpose unless you give written consent.

3.3. Your data stays yours

DiaMatrix will not acquire any rights or ownership over your Personal Information. Your data, and the data of your end users, remains yours at all times — unless you and DiaMatrix agree otherwise in writing.

3.4. Security measures

DiaMatrix takes the security of your Personal Information seriously. It will put in place, and keep up to date, reasonable technical and organisational measures to protect your Personal Information from accidental or unlawful access, disclosure, loss or destruction. This means DiaMatrix will:

  • identify all reasonably foreseeable risks to your Personal Information, both internal and external;
  • put appropriate safeguards in place to address those risks;
  • check regularly that those safeguards are working; and
  • update its safeguards whenever new risks or weaknesses are identified.

At a minimum, DiaMatrix will do the following:

  • restrict access to your Personal Information to employees, contractors and personnel within related entities who genuinely need it, using unique user IDs and passwords so that all activity can be traced to an individual account. Administrator and database access are limited to authorised personnel only, and any changes to access rights require management approval;
  • encrypt your data both in transit (using TLS/SSL or HTTPS) and at rest where applicable, including storage-level encryption for databases and backup drives;
  • back up your data regularly at server level, and test backup restoration as part of its business continuity and disaster recovery plan at least once a year. API production systems and the network are configured with failover capabilities so that critical operations can resume quickly after an incident;
  • monitor its systems continuously for security threats, deploy intrusion detection and prevention systems (IDS/IPS), and conduct — or commission — vulnerability scans with each major system release;
  • ensure that everyone who works with your Personal Information is bound by confidentiality obligations and has completed data security awareness training;
  • carry out background checks on staff with system access where appropriate and permitted by law; and
  • review its security measures regularly and update them whenever new risks or weaknesses are identified, without reducing the overall level of protection they provide.

3.5. Keeping your data confidential

DiaMatrix will treat your Personal Information as confidential. It will not disclose it to anyone outside of what is necessary to provide the Services or what is required by law. Everyone at DiaMatrix who works with your data is bound by confidentiality obligations.

3.6. Helping you respond to data subject requests

If you receive a request from one of your end users — for example, a request to access, correct, or delete their Personal Information — DiaMatrix will co-operate with you and take any steps reasonably within its control to help you respond. DiaMatrix will not respond or act on your behalf but will assist you in a reasonable manner to allow you to respond. DiaMatrix may bill you per hour for work completed to assist in responding.

4. How DiaMatrix Processes Your Data

4.1. You are in control

DiaMatrix processes Personal Information only on your instructions. Your instructions include everything set out in this DPA and the Principal Agreement — as well as any configuration you make through management tools, consoles or APIs that DiaMatrix makes available. If you want DiaMatrix to do something that falls outside those instructions, you and DiaMatrix need to agree on that in writing first. DiaMatrix may bill you per hour for work completed to assist you outside of the scope of your instructions.

If you are yourself acting as an Operator for another business (the Responsible Party), your instructions to DiaMatrix may flow from that other party’s instructions to you.

4.2. What data is covered

This DPA covers Customer Data — that is, Personal Information that you upload to the Services.

4.3. How long DiaMatrix processes your data

DiaMatrix processes your data for as long as you instruct it to do so, which is usually for as long as the Services remain active.

4.4. Why DiaMatrix processes your data

The purpose is simply to provide the Services you have asked for.

4.5. What DiaMatrix does with your data

DiaMatrix hosts, stores and processes your data as part of providing compute, storage and any other services described in the Principal Agreement.

4.6. What types of Personal Information are involved

The Personal Information covered is whatever you upload to the Services — your Customer Data. You decide what that is.

4.7. Whose data is involved

The data processed may relate to your customers, employees, suppliers, end users or other people whose information you upload to the Services.

5. Your Responsibilities

5.1. You must have a lawful basis for processing

As the Responsible Party, you are responsible for making sure that your collection and use of Personal Information is lawful. By using DiaMatrix’s services, you confirm that:

  • you have all the rights, consents and lawful grounds you need to collect, use and transfer Personal Information to DiaMatrix for the purposes of the Services;
  • your instructions to DiaMatrix and the processing activities you carry out through the Services comply with applicable Data Protection Law and are otherwise lawful; and
  • your instructions will not cause DiaMatrix to break any Data Protection Law.

5.2. You are responsible for your data and your environment

Except where this DPA or the Principal Agreement says otherwise, you are responsible for:

  • deciding what Personal Information to collect and how it is used;
  • the accuracy, quality and legality of your Customer Data;
  • setting up and managing your hosted environments, applications, databases, access controls and security settings; and
  • your own processing activities. DiaMatrix does not check or validate the legality of your Customer Data or how you process it.

5.3. Prohibited uses

You must not use DiaMatrix’s services to:

  • process Personal Information unlawfully;
  • do anything that breaches applicable sanctions, export controls or cybercrime laws;
  • upload or host malicious code, unlawful content or prohibited material; or
  • carry out processing that could reasonably be expected to expose DiaMatrix or its infrastructure to any legal, regulatory or security risk.

5.4. Your security responsibilities

DiaMatrix secures the infrastructure it manages, but you are responsible for your own systems. This means you are responsible for:

  • implementing appropriate security measures within your own applications;
  • managing your users’ access credentials and authentication;
  • endpoint and network security within your own environment;
  • deciding how long to keep Customer Data;
  • implementing your own encryption, backup and recovery measures appropriate to how you use the Services, unless DiaMatrix has expressly agreed to provide these as part of the Services; and
  • implementing and updating your systems, software, websites and plugins to the latest versions.

5.5. Indemnity

You agree to indemnify DiaMatrix against any claims, losses, fines or costs that arise from your unlawful processing of Personal Information, your breach of Data Protection Law, or your breach of this clause 5 — except to the extent that such loss is caused by DiaMatrix’s own breach of this DPA or applicable law.

6. Sub-processors

6.1. Your general consent to sub-processing

You agree that DiaMatrix may engage Sub-processors to help deliver the Services. DiaMatrix remains responsible for the acts and omissions of its Sub-processors and will ensure that they are held to the same data protection standards that apply to DiaMatrix under this DPA.

6.2. Who DiaMatrix’s Sub-processors are

A list of DiaMatrix’s current Sub-processors is available on the DiaMatrix website. Due to DiaMatrix’s vast and extensive infrastructure and how the internet works, DiaMatrix may add/edit/change/modify any Sub-processors without written notice. If you object to a newly-appointed Sub-processor, you may stop using the specific Service for which that Sub-processor has been engaged.

6.3. Agreements with Sub-processors

Before sharing your Personal Information with a Sub-processor, DiaMatrix will put a written agreement in place with that Sub-processor. That agreement will require the Sub-processor to implement appropriate technical and organisational measures to protect your data and will impose data protection obligations that are at least as protective as those in this DPA.

7. International Data Transfers

7.1. When DiaMatrix may transfer data internationally

Many of DiaMatrix’s service providers or Sub-processors are based outside South Africa. DiaMatrix may transfer your Personal Information to a foreign country only where it is necessary to deliver the Services and where that transfer is permitted under applicable Data Protection Law. This includes, but is not limited to, domain names, website hosting and email hosting, as well as transfers for storage or archiving purposes.

7.2. How DiaMatrix protects your data during international transfers

Whenever Personal Information is transferred to another country, DiaMatrix will make sure that the transfer complies with the data protection laws of the receiving country. DiaMatrix must ensure that those laws, along with appropriate contractual safeguards put in place with the recipient of Personal Information in another country, will:

  • impose data protection obligations on the recipient that are materially equivalent to those in this DPA read with POPIA; and
  • ensure that the recipient is subject to equivalent restrictions if it transfers the data on to any further third party in another country.

8. Notifications and Co-operation

8.1. When DiaMatrix must notify you

DiaMatrix takes data protection incidents seriously. DiaMatrix will notify you, without undue delay, if it becomes aware of any of the following:

  • a complaint, notice or communication from a Data Subject, a regulator or anyone else relating to the processing of your Personal Information or either party’s compliance with Data Protection Law;
  • an instruction from you that appears to breach applicable Data Protection Law, or a legal requirement that would make it impossible for DiaMatrix to follow your instructions;
  • reasonable grounds to believe that your Personal Information has been accessed or acquired by someone who was not authorised to do so; or
  • reasonable grounds to believe that a security breach has occurred or is likely to occur — whether involving DiaMatrix, its staff, contractors or Sub-processors — that could result in unauthorised access to your Personal Information. DiaMatrix will include full details of the breach or anticipated breach in its notification.

8.2. If your instructions may be unlawful

DiaMatrix is an infrastructure provider and does not always have visibility into how you use the Services. If DiaMatrix forms the view that an instruction you have given it may breach applicable Data Protection Law, it will tell you straight away. You can then decide whether to withdraw or change that instruction.

8.3. Helping you respond to data subjects and regulators

If you receive a complaint or request from one of your end users, or a query from the Information Regulator, DiaMatrix will give you all the reasonable assistance you need to respond. This includes implementing any technical or operational measures needed to address a complaint. DiaMatrix will not communicate directly with your end users or with the Information Regulator on your behalf unless you specifically ask it to do so in writing. DiaMatrix may bill on an hourly basis for any such assistance. Billing and hourly rates will vary depending on who is responding. Should DiaMatrix seek external legal or other assistance, DiaMatrix reserves the right to invoice all costs of that external assistance to you. These costs will need to be paid upfront, before any services or information are provided.

9. Deleting and Returning Your Data

9.1. What happens to your data when the Services end

When the Services terminate or expire, or if you ask DiaMatrix to in writing, DiaMatrix will delete or return your Customer Data and stop processing it. Subject to clauses 9.2 and 9.3, DiaMatrix aims to complete this within 10 business days of receiving your request, although removal from backup systems may take up to 180 days.

9.2. Residual copies in backup systems

Your data may continue to exist for a period in backup, archival, disaster recovery or failover systems after it has been deleted from active production systems. You acknowledge and agree that:

  • any such residual copies remain subject to the confidentiality, security and data protection obligations in this DPA; and
  • DiaMatrix will delete or overwrite those residual copies in line with its standard backup retention and lifecycle management processes, unless the law requires it to keep them for longer.

9.3. When DiaMatrix must retain data for legal or operational reasons

In some cases, DiaMatrix may be required or permitted to keep your data for longer. This applies where:

  • the law requires retention — for example, for tax, accounting or regulatory compliance;
  • retention is necessary for legitimate security, fraud prevention, business continuity or legal compliance purposes; or
  • the data sits in immutable backup, archival or disaster recovery systems that cannot easily be altered.

In any of these cases, DiaMatrix will continue to protect the data in accordance with this DPA and will not actively process it beyond what is needed for the retention purpose.

9.4. Exporting your data before the Services end

It is your responsibility to export or retrieve your Customer Data before the Services terminate. Should you fail to export your data and services are terminated for any reason, DiaMatrix cannot be held responsible for any lost data. If you need help with this, please arrange it with DiaMatrix in advance.

9.5. Confirmation of deletion

You can ask DiaMatrix in writing to confirm that your data has been deleted. DiaMatrix will provide that written confirmation, though — where backup retention under clause 9.2 still applies — the confirmation will be limited to deletion from active production systems.
