Data Processing Agreement (DPA)

GDPR-compliant agreement for data processing activities

GDPR Article 28 Compliance

This Data Processing Agreement (DPA) is designed to comply with Article 28 of the General Data Protection Regulation (GDPR) and governs the processing of personal data by processors on behalf of Kopano as the controller.

Data Processing Agreement

Effective Date: 14 July 2025

This Data Processing Agreement ("DPA") is entered into between Kopano ("Controller" or "Company") and the data processor ("Processor" or "Service Provider") and forms part of the Agreement for services between the parties.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data.

2. Processing of Personal Data

2.1 Scope and Purpose

The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.

2.2 Duration

The Processing shall continue for the duration of the Agreement between the parties, unless terminated earlier in accordance with this DPA.

2.3 Nature and Purpose of Processing

The nature and purpose of the Processing activities are:

  • Provision of platform services
  • Customer support and service delivery
  • Analytics and service improvement
  • Security and fraud prevention
  • Legal compliance and reporting

2.4 Categories of Data

The types of Personal Data Processed include:

  • Contact information (names, email addresses, phone numbers)
  • Account information (usernames, profile data)
  • Transaction data (purchase history, payment information)
  • Usage data (activity logs, preferences)
  • Communications data (messages, support tickets)

2.5 Categories of Data Subjects

The categories of Data Subjects include:

  • Platform users
  • Business customers
  • Website visitors
  • Service providers
  • Employees and contractors

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to Process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security of Processing
  • Not engage Sub-processors without prior written authorization from the Controller
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and privacy impact assessment obligations
  • Delete or return all Personal Data at the end of the provision of services
  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Controller

4. Security Measures

The Processor shall implement appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience
  • Ability to restore availability and access to Personal Data in a timely manner
  • Regular testing and evaluation of security measures
  • Pseudonymization where appropriate
  • Access controls and authentication procedures
  • Regular security training for personnel
  • Incident response and business continuity procedures

5. Sub-processors

5.1 Authorization

The Processor shall not engage any Sub-processor without prior specific or general written authorization from the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors.

5.2 Sub-processor Obligations

When engaging a Sub-processor, the Processor shall ensure that the Sub-processor is bound by written agreement to the same data protection obligations as set out in this DPA.

5.3 Liability

The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

6. Data Subject Rights

The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond to such request without the Controller's prior written authorization. The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Access to Personal Data
  • Rectification of Personal Data
  • Erasure of Personal Data
  • Restriction of Processing
  • Data portability
  • Objection to Processing

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach, providing sufficient information to enable the Controller to meet its obligations under GDPR Article 33. Such notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Transfers

The Processor shall not transfer Personal Data outside the European Economic Area without the Controller's prior written consent. Where such transfer is authorized, the Processor shall ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Adequacy decisions
  • Other mechanisms approved under GDPR

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall:

  • Provide access to relevant documents and systems
  • Cooperate with audit procedures
  • Implement recommendations from audits
  • Maintain audit logs and compliance records

10. Termination

Upon termination of the Agreement or this DPA, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data. The Processor shall certify compliance with this requirement in writing.

11. Liability and Indemnification

Each party shall be liable for damages caused by its Processing of Personal Data in breach of the GDPR. The Processor shall indemnify and hold harmless the Controller against any claims, damages, or penalties arising from the Processor's breach of this DPA or applicable data protection laws.

12. Governing Law

This DPA shall be governed by the laws of Botswana and the GDPR. Any disputes arising from this DPA shall be resolved through the dispute resolution mechanisms set out in the main Agreement.

13. Contact Information

Data Protection Officer

Kopano Platform

Email: dpo@kopano.co.bw

Phone: +267 395 0000

Address: Plot 123, CBD, Gaborone, Botswana

Agreement Execution

By entering into the Agreement for services with Kopano, the Processor agrees to be bound by the terms of this Data Processing Agreement.

For questions about this DPA or to request a signed copy, please contact our Data Protection Officer at dpo@kopano.co.bw.