If ScaleUp Company acts as an operator as defined under Section 1 of the Protection of Personal Information Act (POPIA), the following terms shall apply in accordance with Section 20 and 21 of POPIA.
ScaleUp Company processes personal information on behalf of the Client. This may include names, addresses, contact numbers, email addresses, salutations, and job titles of the Client’s contacts or related parties.
Such information remains the property of the Client and shall not be claimed as owned by ScaleUp Company.
ScaleUp Company will not retain personal information longer than is necessary for fulfilling the purposes of the Agreement, unless otherwise agreed in writing by the Client.
If the Client deems that certain information should no longer be retained, ScaleUp Company shall destroy such data promptly upon written instruction and confirm its destruction in writing.
ScaleUp Company is only responsible for processing personal information as part of the services offered under the Agreement. It is not responsible for any other processing activities by the Client or by third parties unless such parties were appointed by ScaleUp Company.
ScaleUp Company will not transfer personal information outside of South Africa without prior written consent of the Client and compliance with the cross-border transfer provisions under POPIA. Should a transfer be planned, ScaleUp Company will inform the Client in writing and obtain consent before proceeding.
ScaleUp Company will segregate the Client’s personal information from other data processed on behalf of other clients or on its own behalf.
All processing shall be carried out lawfully and in a manner that is reasonable and adequate, in accordance with POPIA and other applicable South African privacy laws.
ScaleUp Company shall implement appropriate technical and organisational measures to secure personal information against loss, unauthorised access, disclosure, alteration or destruction. These measures will be proportionate to the nature of the personal information and the harm that may result from a breach.
We will make reasonable efforts to prevent, detect, and respond to security breaches affecting personal information.
In the event of a security breach or personal information compromise, ScaleUp Company will notify the Client as soon as reasonably possible.
Such notification will include details of the breach, its likely consequences, and proposed mitigation actions.
Only the Client, or a regulatory authority (e.g., the Information Regulator), may communicate with data subjects or third parties about the breach. ScaleUp Company may not do so unless legally required or specifically authorised in writing by the Client.
ScaleUp Company will assist the Client in responding to data subject requests, including access, correction, or deletion of personal information, as and when instructed by the Client.
While we assist as far as reasonably possible, the responsibility for compliance with data subject rights rests with the Client. Any costs incurred by ScaleUp Company in this regard shall be borne by the Client.
The Client may, at its own expense, inspect or appoint an independent auditor to inspect ScaleUp Company’s processing environment to verify compliance with agreed data protection measures.
ScaleUp Company may charge reasonable fees for internal efforts related to such inspections. A copy of the inspection report shall be shared with ScaleUp Company.
