Data Processing Agreement
Effective Date: 9 March 2026 · Version: alpha-v1
This Data Processing Agreement (“DPA”) forms part of the Terms of Use between SpatialEdge (Pty) Ltd (“Processor”, “we”, “us”) and you, the customer (“Controller”, “you”), and governs the processing of personal data by the Processor on behalf of the Controller in connection with the EdgeLogic platform (“Service”).
This DPA is designed to meet the requirements of GDPR Article 28 and POPIA Sections 19–21.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1) and POPIA Section 1.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- “Sub-Processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope & Purpose of Processing
| Detail | Description |
|---|---|
| Subject matter | Provision of the EdgeLogic decision intelligence platform |
| Duration | For the term of the Controller’s use of the Service, plus any post-termination retention period |
| Nature & purpose | Storage, analysis, and AI-assisted processing of Controller’s data to provide decision support, governance, and analytics features |
| Types of Personal Data | Names, email addresses, profile images, user-generated content (decisions, policies, conversations, knowledge base entries), usage data |
| Categories of data subjects | Controller’s employees, contractors, and authorised users of the Service |
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (including as set out in the Terms of Use and this DPA), unless required by applicable law.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures, including:
  - Encryption in transit (TLS 1.2+) and at rest
  - Database access controls and network security
  - Principle of least privilege for internal access
  - Regular security reviews
- Engage Sub-Processors only with the Controller’s general authorisation, subject to the conditions in Section 5 below.
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within reasonable timeframes.
- Assist the Controller in ensuring compliance with data breach notification obligations (see Section 6).
- Delete or return all Personal Data upon termination of the Service, at the Controller’s choice, within 30 days. Encrypted backups will be purged within 60 days.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
4. Controller Obligations
The Controller shall:
- Ensure that Personal Data provided to the Processor is collected lawfully and that data subjects have been informed of the processing in accordance with applicable law.
- Provide documented processing instructions to the Processor.
- Ensure compliance with applicable data protection laws in its use of the Service.
5. Sub-Processors
The Controller provides general authorisation for the Processor to engage Sub-Processors. The current list of Sub-Processors is maintained at our Sub-Processor List page.
The Processor shall:
- Notify the Controller of any intended addition or replacement of Sub-Processors by updating the Sub-Processor List page. Controllers may subscribe to change notifications by emailing privacy@edgelogic.ai.
- Allow the Controller a reasonable period (at least 14 days) to object to a new Sub-Processor on legitimate data protection grounds.
- Impose data protection obligations on Sub-Processors that are no less protective than those in this DPA.
- Remain fully liable to the Controller for the performance of each Sub-Processor’s obligations.
6. Data Breach Notification
In the event of a Data Breach affecting the Controller’s Personal Data, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable the Controller to meet its obligations under GDPR Article 33/34 and POPIA Section 22, including:
  - Nature of the breach
  - Categories and approximate number of data subjects affected
  - Likely consequences
  - Measures taken or proposed to mitigate the breach
- Cooperate with the Controller in investigating and remediating the breach.
7. International Transfers
The Processor may transfer Personal Data to countries outside the Controller’s jurisdiction (including the United States) where Sub-Processors operate. Such transfers are subject to:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
- POPIA Section 72 safeguards for cross-border transfers from South Africa
- Binding data protection obligations on all Sub-Processors
8. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms of Use. Nothing in this DPA limits either party’s liability for breaches of data protection law to the extent that such limitation is not permitted by applicable law.
9. Term & Termination
This DPA remains in effect for the duration of the Controller’s use of the Service. Upon termination, the Processor’s obligations under Sections 3.7 (data deletion/return), 6 (breach notification), and 8 (liability) shall survive.
10. Contact
For questions about this DPA or to request a signed copy, please contact: privacy@edgelogic.ai