This agreement governs the processing of personal information by Azania Digital Solutions (Pty) Ltd on behalf of subscribing organisations, in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).
| Role | Description |
|---|---|
| Responsible Party | The subscribing school, district office or government department ("the Client") — the entity that determines the purpose and means of processing |
| Operator | Azania Digital Solutions (Pty) Ltd, operating the NutriTrack platform — processes personal information on behalf of the Client |
This DPA forms part of and is incorporated into the End User Licence Agreement (EULA) between the parties. Execution of the EULA constitutes execution of this DPA.
The Operator processes personal information for the purpose of providing the NutriTrack NSNP management platform to the Client.
Processing continues for the duration of the EULA and for such additional period as required for data retention under clause 6.
Storage, retrieval, display, transmission, editing, deletion and export of personal information submitted through the NutriTrack platform.
Azania Digital Solutions (Pty) Ltd, as Operator, agrees to:
Process personal information only in accordance with the Client's instructions as set out in the EULA and this DPA, unless required to do so by law. The Operator will notify the Client if any instruction is believed to violate POPIA or any other applicable law.
Implement and maintain appropriate technical and organisational security measures to protect personal information against:
Current measures include: TLS encryption in transit, bcrypt password hashing, role-based access control, server-side session management, and regular backups.
Ensure that all personnel who process personal information are subject to confidentiality obligations and receive appropriate data protection training.
Not engage any sub-processor (third party who processes data on the Operator's behalf) without informing the Client. Current sub-processors are listed in the Privacy Policy. The Operator will impose equivalent data protection obligations on any sub-processor.
Assist the Client in responding to requests from data subjects exercising their rights under POPIA, including rights of access, correction, deletion and objection. Where a data subject contacts the Operator directly, the request will be forwarded to the Client within 5 business days.
Notify the Client of any personal information breach without undue delay and within 24 hours of becoming aware of it. Notification will include:
The Client (as Responsible Party) is obligated to notify the Information Regulator within 72 hours under POPIA s.22.
Provide reasonable assistance to the Client in conducting data protection impact assessments where required under POPIA.
On termination of the EULA, provide the Client with a full export of all Client Data within 30 days. After 90 days from termination, permanently delete all Client Data from active systems. Backup copies will be deleted within 180 days.
Allow the Client or its designated auditor to conduct audits of the Operator's data processing activities upon 30 days' written notice, no more than once per calendar year. Audit costs are borne by the Client.
The Client agrees to:
All personal information is stored on servers located in the Republic of South Africa (Johannesburg). The Operator will not transfer Client Data outside South Africa without the Client's written consent and only where the destination country provides an adequate level of protection as required by POPIA s.72.
| Data Category | Retention Period | Basis |
|---|---|---|
| NSNP form submissions | 7 years from submission | Government financial records requirements |
| Food handler payment records | 7 years | SARS / tax compliance |
| User account data | 3 years after account closure | Legal dispute resolution |
| System access logs | 12 months | Security monitoring |
| Internal messages | 3 years | Audit trail |
Each party shall be liable for POPIA violations caused by its own non-compliance. Where both parties are at fault, liability shall be apportioned in accordance with each party's degree of responsibility.
The Operator shall not be liable for violations caused by the Client's instructions where the Operator has notified the Client that such instructions would breach POPIA.
| Contact | Details |
|---|---|
| Operator Information Officer | [Name to be appointed] — privacy@nutritrack.co.za |
| Information Regulator (SA) | inforeg@justice.gov.za, Tel: 010 023 5207 |
| Information Regulator Website | inforegulator.org.za |
This DPA is entered into by the parties on the date the Client first accesses the NutriTrack platform or executes the EULA, whichever is earlier. No wet signature is required — electronic acceptance is valid under the Electronic Communications and Transactions Act 25 of 2002 (ECT Act).
For formal procurement purposes where a signed DPA is required by the Client's supply chain management process, a countersigned PDF version is available upon request from legal@nutritrack.co.za.