Data Processing Agreement
POPIA Operator Agreement — VulaCheck Platform
Version 1.0 · Effective 27 June 2026 · Last updated 27 June 2026
Parties
This Data Processing Agreement (“this Agreement” or the “DPA”) is entered into between:
VulaCheck (Pty) Ltd, registration number 2026/307850/07, a private company incorporated in the Republic of South Africa, with its registered address at The Circle Business Center, Douglas Crowe Drive, Durban, KwaZulu-Natal, 4420 (“VulaCheck” or the “Operator”); and
the credit provider that accepts this Agreement (the “Client” or the “Responsible Party”),
each a “Party” and together the “Parties”.
Background
A. VulaCheck operates a multi-tenant software platform (the “Platform”) that the Client, as a credit provider registered with the National Credit Regulator, uses to originate, assess, administer and report on credit agreements with its customers.
B. In providing the Platform, VulaCheck processes personal information relating to the Client’s data subjects (including the Client’s loan applicants and borrowers, and the Client’s personnel) on behalf of and under the instruction of the Client.
C. The Client is the Responsible Party in respect of that personal information, and VulaCheck is its Operator, as those terms are used in the Protection of Personal Information Act 4 of 2013 (“POPIA”). Sections 20 and 21 of POPIA require this relationship to be governed by a written agreement. This Agreement is that written agreement.
D. This Agreement forms part of, and is subject to, the VulaCheck Platform Terms of Service accepted by the Client (the “Terms of Service”). The Client accepts this Agreement electronically; the effective date is the date of that acceptance.
1. Definitions and interpretation
1.1 Capitalised terms not defined here have the meanings given to them in POPIA or the Terms of Service.
1.2 “Personal Information”, “Special Personal Information”, “Processing”, “Responsible Party”, “Operator”, “Data Subject” and “Information Regulator” bear the meanings given to them in POPIA.
1.3 “Data Subject Request” means a request by a Data Subject to exercise rights under POPIA (including access, correction, deletion, or objection).
1.4 “Security Compromise” means a breach of the security safeguards described in section 6, including any unauthorised or unlawful access to, acquisition of, loss of, or interference with Personal Information.
1.5 “Sub-Operator” means any third party engaged by VulaCheck to Process Personal Information on the Client’s behalf in connection with the Platform.
2. Status of the Parties
2.1 The Client is the Responsible Party and determines the purpose of and means for the Processing of the Personal Information under this Agreement.
2.2 VulaCheck is the Operator and Processes the Personal Information only on behalf of, and in accordance with the documented instructions of, the Client, except where Processing is required by a law to which VulaCheck is subject (in which case VulaCheck will, unless that law prohibits it, inform the Client before Processing).
2.3 The Client warrants that it has a lawful basis under POPIA for the Processing it instructs, that it has issued the notices and obtained the consents required of a Responsible Party, and that its instructions will not place VulaCheck in breach of POPIA.
2.4 Nothing in this Agreement makes VulaCheck a Responsible Party in respect of the Client’s Data Subjects. VulaCheck’s own Processing as a Responsible Party is governed by the VulaCheck Platform Privacy Policy and is outside the scope of this Agreement.
3. Scope, purpose and instructions
3.1 VulaCheck will Process the Personal Information only for the purposes described in Annexure A and as necessary to provide the Platform, or on the further documented instructions of the Client.
3.2 The Client’s configuration of, and operations performed through, the Platform constitute documented instructions for the purposes of this Agreement.
3.3 VulaCheck will not sell the Personal Information and will not Process it for its own independent commercial purposes. VulaCheck may Process Personal Information in de-identified or aggregated form that cannot be re-linked to a Data Subject, to operate, secure and improve the Platform.
4. Operator obligations
4.1 VulaCheck will Process the Personal Information lawfully and in a manner that does not infringe the privacy of the Data Subjects.
4.2 VulaCheck will treat all Personal Information as confidential and will not disclose it except: (a) to Sub-Operators under section 7; (b) as instructed by the Client; or (c) as required by law, with prior notice to the Client unless prohibited.
4.3 VulaCheck will ensure that persons authorised to Process the Personal Information are subject to a duty of confidentiality, are reliable, and are adequately trained in the care, protection and handling of Personal Information, and will limit access to a need-to-know basis.
5. Special Personal Information
5.1 The Personal Information may include Special Personal Information and the personal information of children, as described in Annexure A, subject to the additional requirements of sections 26 to 35 of POPIA.
5.2 The Client is responsible for ensuring that an authorisation under section 27 (or an applicable exemption) exists for any such information. VulaCheck will apply the heightened safeguards in section 6.
6. Security safeguards (POPIA section 19)
6.1 VulaCheck will secure the integrity and confidentiality of the Personal Information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of, and unlawful access to or Processing of, the Personal Information.
6.2 To give effect to clause 6.1, VulaCheck will: (a) identify reasonably foreseeable internal and external risks; (b) establish and maintain appropriate safeguards; (c) regularly verify that the safeguards are effectively implemented; and (d) update the safeguards in response to new risks or deficiencies.
6.3 Without limiting clause 6.1, VulaCheck maintains: encryption in transit (TLS) and at rest; role-based access control and database row-level security enforcing tenant isolation; an append-only audit log; per-tenant data separation; encrypted backups; and security monitoring with personal-information scrubbing. Current measures are summarised in Annexure A.
6.4 VulaCheck will have due regard to generally accepted information security practices applicable to it.
7. Sub-Operators
7.1 The Client authorises VulaCheck to engage the Sub-Operators listed in Annexure B.
7.2 VulaCheck will impose on each Sub-Operator, by written agreement, data-protection obligations no less protective than those in this Agreement, and remains responsible to the Client for each Sub-Operator’s performance.
7.3 VulaCheck may add or replace a Sub-Operator on prior notice (which may be given through the Platform or by email). If the Client reasonably objects on data-protection grounds within 10 business days, the Parties will discuss a resolution in good faith; failing resolution, the Client may terminate the affected services.
7.4 Certain recipients are engaged at the Client’s direction rather than as VulaCheck’s Sub-Operators — in particular credit bureaus, payment and collection providers, and SACRRA — as identified in Annexure B. The Client is the Responsible Party for those relationships.
8. Cross-border transfers (POPIA section 72)
8.1 The Personal Information may be Processed outside South Africa by certain Sub-Operators, as disclosed in Annexure B — in particular hosting in the European Union (Ireland) and AI-assisted processing in the United States.
8.2 VulaCheck will ensure that any such transfer complies with section 72 of POPIA, on one or more of these bases: the recipient is subject to a law or binding agreement providing an adequate level of protection; the transfer is necessary for the performance of the contract; or the Data Subject has consented.
9. Data Subject Requests
9.1 Taking into account the nature of the Processing, VulaCheck will assist the Client by appropriate technical and organisational measures, insofar as possible, to respond to Data Subject Requests.
9.2 If VulaCheck receives a Data Subject Request directly, it will not respond substantively (except to confirm receipt and direct the Data Subject to the Client) and will notify the Client without undue delay.
9.3 At the Client’s request, VulaCheck will amend, rectify, transfer, block or destroy Personal Information, and provide information about its Processing, to enable the Client to meet its POPIA obligations and to comply with the lawful instruction of the Information Regulator or a competent court.
10. Security Compromises (POPIA section 22)
10.1 VulaCheck will notify the Client without undue delay, and in any event within 72 hours, after becoming aware of, or having reasonable grounds to suspect, a Security Compromise affecting the Client’s Personal Information.
10.2 The notification will provide, to the extent then known, the nature of the compromise, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed, with updates as further information becomes available.
10.3 VulaCheck will reasonably cooperate in investigating and remediating the Security Compromise. As Responsible Party, the Client is responsible for any notification to the Information Regulator and affected Data Subjects required by section 22; VulaCheck will provide reasonable assistance.
11. Audit and assurance
11.1 VulaCheck will make available to the Client, on reasonable written request and no more than once per year (or following a Security Compromise, or where required by the Information Regulator), information reasonably necessary to demonstrate compliance with this Agreement.
11.2 Any audit will be on reasonable prior notice, during business hours, subject to confidentiality, and conducted so as not to compromise the security or data of other tenants. The Parties bear their own costs unless the audit reveals a material breach by VulaCheck.
12. Return and deletion on termination
12.1 On termination or expiry of the Platform services, VulaCheck will, at the Client’s election, return the Personal Information in a structured, commonly used format, and/or delete it, within 30 days, save to the extent that retention is required by law or for audit-trail purposes.
12.2 The Client acknowledges that, as Responsible Party, it may be required to retain certain records under the National Credit Act (a minimum of three years) and FICA (five years from the last transaction). Where VulaCheck retains Personal Information for such purposes or in routine backups, it will continue to protect it under this Agreement and will not further Process it except as required for those purposes.
13. Liability and indemnity
13.1 Each Party is liable for, and indemnifies the other against, losses, fines, costs and damages arising directly from that Party’s breach of its obligations under this Agreement or POPIA, subject to the limitations and caps in the Terms of Service.
13.2 VulaCheck’s aggregate liability under this Agreement is subject to the limitation of liability in the Terms of Service. Nothing limits liability that cannot be limited under applicable law.
14. Duration and variation
14.1 This Agreement takes effect on the Client’s electronic acceptance and continues for as long as VulaCheck Processes the Personal Information on the Client’s behalf.
14.2 VulaCheck may update this Agreement, including to reflect changes in law or Sub-Operators. Material changes will be notified and a new version published. Where continued use requires acceptance of a new version, the Platform will record the Client’s acceptance (including version, timestamp and the accepting user) before continued use.
15. General
15.1 This Agreement is governed by the laws of the Republic of South Africa, and the Parties submit to the jurisdiction of the South African courts.
15.2 If there is a conflict between this Agreement and the Terms of Service on data protection, this Agreement prevails.
15.3 If any provision is unenforceable, the remaining provisions continue in effect.
15.4 This Agreement, together with the Terms of Service and its annexures, is the entire agreement between the Parties on its subject matter.
Annexure A — Details of the Processing
| Item | Detail |
|---|---|
| Responsible Party | The Client (the accepting credit provider, identified at acceptance) |
| Operator | VulaCheck (Pty) Ltd (reg 2026/307850/07) |
| Categories of Data Subjects | The Client’s loan applicants and borrowers; sureties and references where captured; the Client’s personnel who use the Platform. |
| Categories of Personal Information | Identity data (name, SA ID number, date of birth); contact data (address, email, phone); financial and affordability data (income, expenses, bank statements, payslips); credit and bureau data; loan application, agreement and repayment data; documents uploaded by or about the Data Subject; audit and communications records. |
| Special Personal Information | May include information revealing race (population group, where collected for statutory reporting) and, where uploaded by the Client, health or biometric information. Personal information of children may be Processed where a Data Subject is a minor. |
| Nature and purpose | Hosting, storage, retrieval, organisation, analysis and transmission to enable credit origination, affordability assessment, AI-assisted document extraction and credit analysis (decision-support only), loan administration, collections, regulatory and bureau reporting, communications, and audit. |
| Duration | For the term of the Platform services and any retention required by law or for audit-trail purposes (section 12). |
| Technical & organisational measures | TLS in transit; encryption at rest; role-based access control and row-level security; per-tenant data isolation; append-only audit logging; encrypted backups; security and error monitoring with PI scrubbing; least-privilege access. |
Annexure B — Sub-Operators and recipients
Part 1 — Sub-Operators (process Personal Information on the Client’s behalf via the Platform):
| Sub-Operator | Purpose | Processing location |
|---|---|---|
| Supabase | Database and authentication | European Union (Ireland) |
| Vercel | Application hosting / edge delivery | United States / global edge |
| Amazon Web Services (AWS) | Encrypted backups (S3) and transactional email (SES) | South Africa (af-south-1) |
| Anthropic | AI-assisted document extraction and credit analysis (decision-support) | United States |
| SMSPortal | SMS delivery (incl. OTP) | South Africa |
| Sentry | Error and security monitoring (PI scrubbing configured) | United States |
Part 2 — Recipients engaged at the Client’s direction (the Client is Responsible Party for these relationships):
| Recipient | Purpose | Location |
|---|---|---|
| Credit bureaus (Experian, XDS; TransUnion / Compuscan when enabled) | Credit enquiries and statutory reporting | South Africa |
| NuPay (Altron FinTech) | DebiCheck mandates and collections | South Africa |
| PayStack | Subscription billing | South Africa |
| SACRRA (via VulaCheck as Affiliate Group Leader) | Consumer credit information submission to the bureaus | South Africa |