Data Processing Agreement (DPA)
1. Parties and Roles
This Data Processing Agreement ("DPA" or "Agreement") is entered into between:
- SkyL4rk (Pty) Ltd, a company registered in the Republic of South Africa, with its principal place of business at Ballito, KwaZulu-Natal ("Processor"); and
- The Merchant who has registered for the xCrypt Service, as identified in their account profile ("Controller").
The parties agree that, in the context of the Controller's use of the xCrypt platform to manage their Sub-Clients' data:
- The Controller determines the purposes and means of the personal data processing — they decide which Sub-Clients to onboard, what data to collect, and how license credentials are used.
- The Processor (SkyL4rk) processes that personal data only to the extent necessary to provide the xCrypt Service, and only on documented instructions from the Controller.
Where SkyL4rk processes personal data of its Merchants for its own purposes (such as account management and billing), SkyL4rk acts as an independent responsible party / data controller under its own Privacy Policy.
2. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under POPIA and/or GDPR depending on jurisdiction. |
| Processing | Any operation performed on personal data, whether automated or not, including collection, storage, use, disclosure, erasure, or destruction. |
| Data Subject | The natural person to whom personal data relates — typically the Sub-Client or end user of the Merchant's product. |
| Sub-Processor | A third party engaged by SkyL4rk to process personal data on behalf of the Controller. |
| POPIA | The Protection of Personal Information Act 4 of 2013 (South Africa). |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). |
| UK GDPR | The retained EU law version of GDPR as it forms part of UK domestic law. |
| Security Incident | Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
| EEA | The European Economic Area. |
3. Subject Matter, Nature, and Duration
3.1 Subject Matter
SkyL4rk processes personal data on behalf of the Controller for the purpose of delivering the xCrypt Service, as described in the Terms & Conditions. This includes: registering and managing Sub-Client accounts and credentials, issuing and validating license keys, recording API usage and activation events, delivering webhook notifications, and providing the Merchant dashboard and reporting functions.
3.2 Duration
This DPA remains in force for the duration of the Merchant's active subscription to the xCrypt Service and until all personal data processed under this Agreement has been returned or deleted in accordance with Section 12.
4. Categories of Data Subjects and Personal Data
| Category of Data Subject | Categories of Personal Data Processed |
|---|---|
| Sub-Clients of the Merchant | Name, email address, company name, assigned client ID, API key, webhook URL, license keys, activation records, license status, IP address at point of API call, timestamps of API events |
| End users of Sub-Client products (where applicable) | Device identifiers, activation tokens, IP addresses, and usage metadata submitted through the Merchant's integration |
| Merchant account holders | Processed as a separate responsible party under the SkyL4rk Privacy Policy, not under this DPA |
4.1 Special Categories of Data
The Processor does not, in the ordinary course of delivering the xCrypt Service, process special categories of personal data (as defined under POPIA and GDPR Article 9) on behalf of the Controller. If the Controller's integration involves special category data being transmitted via API payloads or webhook bodies, the Controller is solely responsible for ensuring an appropriate legal basis exists for such processing and must notify SkyL4rk in advance.
5. Obligations of the Processor (SkyL4rk)
5.1 Processing Only on Instructions
The Processor shall process personal data only on documented instructions from the Controller, as set out in this DPA and the Terms & Conditions, unless required to do so by applicable law. In such cases, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits disclosure on public interest grounds.
If the Processor believes that an instruction from the Controller infringes POPIA, GDPR, or any other applicable data protection law, it shall promptly notify the Controller and may suspend processing of the affected data until the instruction is clarified or modified.
5.2 Confidentiality
The Processor shall ensure that all personnel authorised to process personal data under this Agreement are bound by enforceable confidentiality obligations, whether by contract or statutory duty. Access to personal data is restricted to personnel who require it for the performance of their duties in connection with the Service.
5.3 Technical and Organisational Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as a minimum:
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using AES-256
- Pseudonymisation of personal data where operationally possible
- Ongoing confidentiality, integrity, availability, and resilience of processing systems
- The ability to restore availability and access to personal data in a timely manner following a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of security measures
- Role-based access controls limiting data access to authorised personnel
- Multi-factor authentication for administrative access
- Daily encrypted backups with 30-day rolling retention
Full details of current security measures are published in the Security Policy.
5.4 Assistance with Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller's obligations to respond to data subject rights requests under POPIA and GDPR. This includes:
- Access requests — providing a data export of personal data held for a specific Sub-Client upon written request
- Erasure requests — deleting or anonymising Sub-Client data upon verified instruction from the Controller, subject to legal retention obligations
- Correction requests — updating inaccurate records upon instruction
- Restriction or objection — temporarily ceasing processing of specific records upon instruction
The Processor shall respond to requests for assistance within 5 business days. The Controller remains responsible for communicating with data subjects and for any responses provided to data subjects.
5.5 Assistance with Compliance Obligations
The Processor shall assist the Controller in ensuring compliance with data protection impact assessments (DPIAs), prior consultations with supervisory authorities, and security obligations, taking into account the nature of processing and information available to the Processor.
5.6 Record Keeping
The Processor shall maintain records of processing activities carried out on behalf of the Controller, in accordance with POPIA and GDPR Article 30(2). Records are available to the Controller and relevant supervisory authorities upon request.
6. Security Incident Notification
6.1 Notification to the Controller
In the event of a Security Incident affecting personal data processed under this Agreement, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident. Notification shall be provided to the primary email address registered on the Merchant's account and, where available, via the dashboard notification system.
6.2 Content of Notification
The initial notification shall include, to the extent available at the time:
- A description of the nature of the Security Incident, including the categories and approximate number of data subjects affected
- The categories and approximate volume of personal data records concerned
- The name and contact details of the Processor's data protection contact
- The likely consequences of the Security Incident
- The measures taken or proposed to address the incident and to mitigate its possible adverse effects
Where not all information is available at the time of initial notification, the Processor shall provide it in phases without undue delay.
6.3 Ongoing Cooperation
The Processor shall cooperate fully with the Controller in relation to any investigation, notification to data subjects, or communication to supervisory authorities arising from the Security Incident. The Processor shall maintain an internal Security Incident register regardless of whether notification to supervisory authorities is required.
6.4 Controller's Notification Obligations
The Controller remains responsible for determining whether and when to notify the relevant supervisory authority (the Information Regulator in South Africa, or the relevant EU/UK supervisory authority where applicable) and affected data subjects, in accordance with their own obligations under POPIA and GDPR.
7. Sub-Processing
7.1 General Authorisation
The Controller provides a general authorisation for the Processor to engage sub-processors, subject to the conditions in this Section. The Processor shall maintain and make available an up-to-date list of approved sub-processors (Schedule 2 below).
7.2 Obligations Regarding Sub-Processors
Before engaging a new sub-processor or making a material change to an existing sub-processor arrangement, the Processor shall:
- Notify the Controller via dashboard notice or email at least 14 days before the change takes effect
- Enter into a data processing agreement with the sub-processor imposing data protection obligations equivalent to those in this DPA
- Remain fully liable to the Controller for the sub-processor's performance of its data protection obligations
7.3 Controller Objection
The Controller may object to a new sub-processor by notifying the Processor in writing within 10 days of notification. If the parties cannot resolve the objection in good faith within 14 days, the Controller may terminate their account with a pro-rata refund of any prepaid fees for unused capacity.
8. International Data Transfers
8.1 Transfers by the Processor
The Processor may transfer personal data to sub-processors located outside the Republic of South Africa, including in the United States, United Kingdom, and European Union. All such transfers are made subject to adequate safeguards, including:
- Adequacy decisions (where the destination country has comparable protections)
- Standard Contractual Clauses (SCCs) under GDPR, incorporated by reference into sub-processor agreements
- Binding Corporate Rules where applicable
- Compliance with POPIA Section 72 conditions for cross-border transfers
8.2 Transfers by the Controller
Where the Controller is subject to GDPR or UK GDPR and instructs the Processor to process data in a manner that constitutes an international transfer, the Standard Contractual Clauses (Module 2 — Controller to Processor) set out in the European Commission's Decision of 4 June 2021 are hereby incorporated into this DPA by reference, with SkyL4rk as the data importer and the Controller as the data exporter, to the extent applicable.
9. Audits and Inspections
9.1 Right to Audit
The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:
- The Controller provides at least 30 days' written notice prior to the proposed audit date
- Audits are conducted during normal business hours and in a manner that minimises disruption to operations
- The Controller may appoint a qualified, independent third-party auditor, subject to that auditor signing a confidentiality agreement acceptable to the Processor
- The cost of any audit is borne by the Controller unless the audit reveals a material breach of this DPA, in which case costs are shared
- No more than one audit per calendar year, except where a Security Incident has occurred
9.2 Audit Reports
In lieu of a direct audit, the Processor may provide the Controller with a copy of any relevant third-party security certification or audit report (such as ISO 27001, SOC 2, or equivalent) upon request, subject to confidentiality obligations.
10. Data Protection Impact Assessments
Upon request and taking into account the nature of processing and information available to it, the Processor shall provide reasonable assistance to the Controller in conducting any data protection impact assessment (DPIA) required under GDPR Article 35 or equivalent POPIA provisions, and in any subsequent prior consultation with a supervisory authority.
11. Controller's Obligations
The Controller warrants and represents that:
- It has a lawful basis for processing the personal data it submits to the xCrypt platform, including for the purposes of registering Sub-Clients and issuing license credentials
- It has provided appropriate privacy notices to its data subjects (Sub-Clients and their end users) explaining how their data will be processed, including through the xCrypt platform
- It will only instruct the Processor to process personal data in a lawful manner consistent with applicable data protection law
- It will promptly inform the Processor of any changes that may affect the lawfulness of processing under this DPA
- It maintains its own records of processing activities for data it controls
- It will not instruct the Processor to process special category data without prior written agreement and confirmation of a valid legal basis
12. Data Return and Deletion
12.1 Upon Termination
Upon termination of the Merchant's xCrypt subscription, the Processor shall, at the Controller's election:
- Delete all personal data processed on the Controller's behalf; or
- Return all personal data to the Controller in a portable format (JSON or CSV) within 30 days of the termination date
The Controller must specify their preference at or before the time of account closure. Where no preference is specified, data will be deleted after 30 days.
12.2 Retention Exceptions
The Processor may retain personal data beyond the deletion period where required to do so by applicable law (including financial record-keeping obligations under the South African Tax Administration Act) or where the data has been anonymised such that re-identification is not possible. The Processor shall notify the Controller of any such retention obligations.
12.3 Backup Copies
Encrypted backup copies of data may persist for up to 30 days after deletion from live systems as part of the standard backup rotation cycle. These copies are subject to the same security measures as live data and will be purged in the normal course of backup rotation.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of the Republic of South Africa. Where the Controller is subject to GDPR, the parties agree that this DPA also satisfies the requirements of GDPR Article 28 to the extent applicable. Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms & Conditions.
14. Conflict
In the event of any conflict or inconsistency between this DPA and the Terms & Conditions, the terms of this DPA shall prevail in respect of the processing of personal data. In all other respects, the Terms & Conditions shall take precedence.
15. Contact for Data Protection Matters
For all data protection enquiries under this DPA:
- Email: legal@xcrypt.co.za
- Information Officer: Michael Beuster
- Address: SkyL4rk (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa
Schedule 1 — Details of Processing Activities
| Item | Detail |
|---|---|
| Nature of Processing | Collection, storage, retrieval, use, disclosure (via API and webhooks), and deletion of personal data relating to Sub-Clients of the Merchant |
| Purpose of Processing | Delivery of the xCrypt license management and API key platform, including registration of Sub-Clients, issuance and validation of license keys, usage logging, and webhook delivery |
| Duration of Processing | For the term of the Merchant's active subscription plus applicable retention periods |
| Types of Personal Data | Name, email address, company name, client ID, API key, license keys, IP address, usage logs, webhook delivery records, activation records, timestamps |
| Categories of Data Subjects | Sub-Clients of the Merchant; end users of Sub-Client products where applicable |
| Special Categories | None in ordinary course. Controller must notify Processor in advance if special category data is to be transmitted. |
| Transfer Mechanisms | POPIA Section 72; GDPR SCCs Module 2 where applicable |
Schedule 2 — Approved Sub-Processors
The following sub-processors are approved as at the effective date of this DPA. SkyL4rk will update this list and notify Controllers at least 14 days before adding or materially changing a sub-processor.
| Sub-Processor | Location | Purpose | Data Transferred |
|---|---|---|---|
| Google Cloud Platform (GCP) | USA / EU / ZA regions | Cloud hosting, database storage, server infrastructure | All personal data processed through xCrypt |
| PayFast (DPO Group) | South Africa | Payment processing for Merchant subscriptions | Merchant billing details (name, email, payment metadata) |
| Stripe Inc. | USA | Payment processing (international Merchants) | Merchant billing details (name, email, payment metadata) |
| Transactional Email Provider | USA / EU | System notifications, license key delivery emails | Merchant and Sub-Client email addresses, license key content |
| SkyL4rk UK Ltd | United Kingdom | UK business operations and associated data processing | Data relating to UK-based Merchants and interactions |
The current version of this sub-processor list is available on request at legal@xcrypt.co.za.
Schedule 3 — Standard Contractual Clauses Reference
Where personal data of EU/EEA or UK data subjects is processed under this DPA, the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Decision of 4 June 2021 (Module 2: Controller to Processor), are incorporated by reference into this DPA. The parties agree that:
- Clause 7 (Docking clause): Not applicable
- Clause 9: Option 2 (General written authorisation) applies
- Clause 11 (Redress): The optional language is not included
- Clause 17: South African law governs where POPIA is the primary applicable law; EU law of the Member State of the data exporter's establishment governs where GDPR applies
- Clause 18: Courts in the Republic of South Africa (or the relevant EU Member State where GDPR applies)
- Annex I.A: As set out in Schedule 1 of this DPA
- Annex I.B: As set out in Schedule 1 of this DPA
- Annex II: As set out in Section 5.3 of this DPA (Technical and Organisational Measures)
- Annex III: Sub-processors as listed in Schedule 2 of this DPA