Data Processing Agreement

This Data Processing Agreement (“DPA”) is between Kotive, trading as DC Interactive (“we”, “us”, “Kotive”), and the customer (“you”) who has agreed to our Terms and Conditions (the “Main Agreement”). It covers how we handle personal data on your behalf when you use our Services.

This DPA is written to meet the requirements of both South Africa’s Protection of Personal Information Act (POPIA) and the EU General Data Protection Regulation (GDPR).

1. What the key terms mean

A few definitions to keep things clear:

“Data Protection Law” — the privacy and data protection laws that apply to the processing in question. This includes POPIA, the GDPR, and any other relevant national legislation.

“Controller” — you, the customer. You decide why and how personal data is collected through your use of Kotive. POPIA calls this role the “responsible party.”

“Data Subject” — an identifiable, living person whose personal data is being processed.

“Personal Data” — any information that identifies or can identify a living person. POPIA uses the term “personal information.”

“Processing” — anything done with personal data: collecting it, storing it, reading it, changing it, sharing it, deleting it — all of it.

“Processor” — Kotive, when we handle personal data on your instructions. POPIA calls this role the “operator.”

“Security Incident” — any event where personal data is accidentally or unlawfully lost, destroyed, altered, disclosed, or accessed without authorisation.

“Sub-processor” — a third-party service that Kotive uses to process personal data on your behalf (for example, our hosting provider or email delivery service).

2. When this DPA applies

This DPA kicks in whenever Kotive processes personal data on your behalf as part of delivering the Services. In that relationship, you are the controller and we are the processor.

Schedule 1 at the end of this document describes what data is involved, who it relates to, and why we process it.

3. Your responsibilities

As the controller, you are responsible for:

  • Making sure the personal data you send us was collected lawfully;
  • Giving us instructions that comply with Data Protection Law;
  • Getting any consents or authorisations you need from data subjects before their data reaches Kotive;
  • Informing data subjects about how their data will be processed — including the fact that Kotive processes it on your behalf;
  • Maintaining any registrations or filings required under Data Protection Law.

4. What Kotive commits to

When we process personal data on your behalf, we will:

Follow your instructions. We only process personal data according to your documented instructions. These terms and our privacy policy count as standing instructions. If a law requires us to process data differently, we will let you know beforehand (unless the law says we cannot).

Keep it confidential. Everyone on our team who touches personal data is bound by confidentiality — either contractually or by statute.

Protect it. We maintain technical and organisational safeguards designed to keep personal data secure. This includes encrypting data in transit and at rest, controlling who can access it, and planning for incidents. Schedule 2 has the detail.

Help you respond to data subjects. If someone exercises a right over their personal data (access, correction, deletion, etc.), we will help you deal with the request where we reasonably can.

Support your compliance obligations. We will help you with breach notifications, data protection impact assessments, and any consultations with regulators — to the extent our role and the data involved make that relevant.

Return or delete data when we are done. Once the Main Agreement ends, we will either send you the data in a standard, machine-readable format or delete it — your choice. We will only keep what we are legally required to retain, and we will continue to protect it.

Let you verify. We will give you the information you need to confirm we are meeting our obligations, and we will cooperate with audits (see Section 9).

5. Sub-processors

We use a small number of third-party services to help run parts of Kotive — things like hosting, email delivery, and payment processing. Each of these is a sub-processor.

Here is how we manage them:

  • Every sub-processor signs a written agreement with data protection terms at least as strong as the ones in this DPA;
  • We remain responsible for anything a sub-processor does with your data;
  • We keep an up-to-date list of sub-processors, and we will share it with you on request;
  • If we plan to add or replace a sub-processor, we will let you know in advance.

If you have a genuine data protection concern about a new sub-processor, you can object in writing within 14 days. We will discuss the issue with you and try to find a workable solution. If we cannot reach an agreement, you may terminate the Main Agreement by giving us written notice.

You can request the current sub-processor list at any time by emailing us at support@kotive.com.

6. Transferring data across borders

Some of our sub-processors operate outside South Africa and outside the EEA. When personal data crosses borders, we make sure it stays protected by using recognised safeguards — for example, EU Standard Contractual Clauses, or by transferring only to countries with adequate data protection laws. Where we rely on Standard Contractual Clauses, they form part of this DPA.

7. What happens if there is a security incident

If we discover a security incident that involves personal data we process on your behalf, we will:

  • Tell you as soon as reasonably possible;
  • Describe what happened — what kind of data was affected, roughly how many people and records were involved, and what the likely impact is;
  • Give you a contact point for follow-up questions;
  • Explain what we are doing (or plan to do) to contain the incident and reduce its impact;
  • Work with you to investigate, fix, and learn from the incident.

If we cannot give you the full picture straight away, we will share what we know and follow up as we learn more.

8. Data subject requests

If a data subject contacts us directly about their personal data, we will let you know promptly and wait for your instructions before responding (unless the law requires us to act).

We will assist you in handling data subject requests — including requests for access, correction, deletion, restriction, portability, or objection — using the tools and information available to us.

9. Audits

We will provide you with the information you reasonably need to confirm that we are living up to this DPA.

You (or an auditor you appoint) may carry out an audit, provided that:

  • You give us reasonable notice;
  • The audit takes place during business hours;
  • Your auditor agrees to keep what they see confidential;
  • You cover the costs.

If an audit requires significant time or resources beyond what is needed to show compliance, we may charge a reasonable fee for the additional effort.

10. Duration and what happens at the end

This DPA runs for as long as the Main Agreement is in force.

When the Main Agreement ends, you can ask us to:

  • Return your personal data in a common, machine-readable format; or
  • Delete it — and confirm in writing that we have done so.

We may keep a copy of personal data only if the law requires it, and we will continue to protect that data and keep it confidential.

11. Liability

Liability under this DPA is subject to whatever limits are set out in the Main Agreement.

We both acknowledge that our respective compliance depends on the other party holding up their end — in particular, Kotive can only meet its obligations here if you give us accurate information and lawful instructions.

12. General

If this DPA and the Main Agreement conflict on a data protection point, this DPA wins.

We may update this DPA from time to time if Data Protection Law changes. We will give you reasonable notice of anything material.

Governing law. South African law governs this DPA. Where the GDPR applies to the processing in question, its requirements take precedence to the extent they are stricter.

Severability. If any part of this DPA turns out to be unenforceable, the rest stays in effect.


Schedule 1: What we process and why

What is being processed

Personal data that flows through Kotive as part of delivering the Services described in the Main Agreement.

How long

For the duration of the Main Agreement, plus any period where we are legally required to retain certain records.

Why we process it

We process personal data to run the Services for you. In practice, that means:

  • Hosting and running the forms, workflows, and apps you build in Kotive;
  • Storing the data that people submit through your forms and workflows;
  • Connecting to third-party services you have integrated;
  • Providing customer support and technical help;
  • Keeping the Services running smoothly and making improvements.

What types of personal data

That depends on what you build. Common examples include:

  • Names, email addresses, and phone numbers;
  • Job titles and employer details;
  • Whatever other personal data people submit through your forms and workflows.

Whose data

  • Your employees and contractors;
  • Your customers and clients;
  • Anyone who fills out a form or interacts with a workflow you have created;
  • Any other individuals whose data you send into the Services.

Sensitive or special-category data

If you choose to collect sensitive personal data (such as health information, race, ethnicity, religious beliefs, or biometric data), that is your responsibility. You must make sure you have a valid legal basis, appropriate safeguards, and — where required — explicit consent from the data subjects concerned.


Schedule 2: How we keep data safe

Here is a summary of the security measures we have in place. For a fuller picture, see the Security Safeguards section in our Terms and Conditions.

Who can access what

  • Access is role-based — people only see what they need to;
  • Every person who accesses our systems authenticates individually;
  • We enforce strong password requirements;
  • Multi-factor authentication is available for customer accounts.

Protecting the data itself

  • Data is encrypted in transit (TLS 1.2+) and at rest;
  • Credentials and secrets are stored using industry-standard encryption.

Infrastructure

  • Our servers sit inside a virtual private cloud (VPC), isolated from the public internet;
  • Firewalls and network access control lists guard every entry point;
  • We run regular vulnerability scans and security assessments;
  • Intrusion detection is in place.

Keeping things running

  • Our infrastructure spans multiple availability zones for redundancy;
  • Databases are backed up daily with restore points;
  • We have disaster recovery and business continuity plans.

People

  • Team members with access to personal data go through background checks;
  • Employment contracts include confidentiality obligations;
  • We run regular security awareness training.

When things go wrong

  • We have a documented incident response plan;
  • Security events are logged and monitored;
  • Breach notification procedures are in place (see Section 7 above).

Our sub-processors

  • We vet every sub-processor before onboarding them;
  • Each one is held to written data protection obligations;
  • We review their compliance on an ongoing basis.

To sign this DPA or to request our current sub-processor list, email us at support@kotive.com.

Last updated: April 2026