STATIX — Data Processing Addendum (DPA)

DRAFT — NOT YET LEGALLY REVIEWED. Professional drafting for review by a qualified South African attorney and a data-protection adviser before use. Not legal advice. This DPA is mainly relevant once hosted / cloud features are enabled — the offline edition keeps customer data on the customer's device. Complete all [bracketed] items before use.

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between the Customer and the Provider for the use of STATIX (the "Agreement"). It applies to the extent the Provider processes Personal Information on behalf of the Customer in providing the Service.

Provider (Operator / Processor): the STATIX design team, trading as [legal entity], South Africa
Customer (Responsible Party / Controller): the entity that has entered into the Agreement
Version: Draft 0.1 · Effective date: [to be set]


1. Definitions

1.1 "Data-Protection Laws" means all laws applicable to the processing under this DPA, including the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the EU/UK GDPR.

1.2 "Personal Information" / "Personal Data", "Processing", "Data Subject", "Responsible Party" / "Controller", "Operator" / "Processor" and "Sub-processor" / "Sub-operator" have the meanings in the Data-Protection Laws.

1.3 "Customer Personal Information" means Personal Information contained in Customer's content (for example within structural models, files, account or project data) that the Provider processes on the Customer's behalf under the Agreement.

1.4 Capitalised terms not defined here have the meaning in the Agreement.


2. Roles

2.1 The Customer is the Responsible Party / Controller of Customer Personal Information. The Provider is the Operator / Processor, acting only on the Customer's documented instructions.

2.2 For the Provider's own account, licensing, billing and website data, the Provider is the Responsible Party / Controller and the Privacy Policy applies — this DPA does not change that.


3. Scope and instructions

3.1 The Provider will process Customer Personal Information only: (a) to provide, secure, maintain and support the Service per the Agreement; (b) on the Customer's documented instructions (including via use of the Service's features); and (c) as required by law (in which case the Provider will, where lawful, inform the Customer first).

3.2 Subject-matter, duration, nature and purpose: processing for the duration of the Agreement, to host/store/process and make available the Customer's structural models, files and project/account data within the Service.

3.3 Categories of data subjects: the Customer's personnel and any individuals whose Personal Information the Customer chooses to include in its content (the Customer should minimise this).

3.4 Types of Personal Information: identifiers and contact details of the Customer's users, and any Personal Information the Customer includes in uploaded content. The Service is not intended to process special-category data; the Customer should not upload it.

3.5 If the Provider believes an instruction breaches Data-Protection Laws, it will inform the Customer.


4. Confidentiality

The Provider will ensure that persons authorised to process Customer Personal Information are bound by appropriate confidentiality obligations and process it only as instructed.


5. Security

The Provider will implement and maintain reasonable, appropriate technical and organisational measures to protect Customer Personal Information against unauthorised or unlawful access, loss, destruction or damage, taking into account the state of the art, the risk, and the nature of the data — including, as appropriate: encryption in transit, access controls and least-privilege, secure authentication, logging, and use of reputable infrastructure providers (see Annex B).


6. Sub-processors

6.1 The Customer authorises the Provider to engage Sub-processors to provide the Service. The current Sub-processors are listed in Annex B (and/or maintained at [statix.app/legal/subprocessors]).

6.2 The Provider will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for its Sub-processors' performance.

6.3 The Provider will give the Customer reasonable notice of any intended addition or replacement of a Sub-processor; the Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve it.


7. Cross-border transfers

The Provider may transfer Customer Personal Information across borders (including outside South Africa and the EU/UK) to the Sub-processors in Annex B, only where an adequate level of protection or an appropriate safeguard applies — including POPIA §72 conditions and, for EU/UK data, Standard Contractual Clauses or an adequacy decision. Details of the safeguard are available on request.


8. Assistance to the Customer

Taking into account the nature of the processing and the information available, the Provider will provide reasonable assistance to the Customer with: (a) responding to Data-Subject requests (access, correction, deletion, objection, portability) — the Provider will, where it cannot action a request itself, redirect or assist; (b) security, breach notification and, where required, data-protection / privacy impact assessments and prior consultation with a regulator.


9. Personal Information / data breach

The Provider will notify the Customer without undue delay after becoming aware of a security compromise affecting Customer Personal Information, and will provide the information the Customer reasonably needs to meet its own notification obligations to the Information Regulator / supervisory authority and data subjects under POPIA and GDPR.


10. Return and deletion

On termination or expiry of the Agreement, or on the Customer's written request, the Provider will, at the Customer's choice, return or delete Customer Personal Information within [30–90 days], except to the extent retention is required by law; backups are deleted on their normal cycle (within [90 days]).


11. Audit

The Provider will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits on reasonable prior notice, no more than [once per year] (or as a regulator requires), subject to confidentiality and the security of other customers.


12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Agreement (including the EULA and Engineering Disclaimer), to the extent permitted by law.


13. Conflict and term

13.1 If this DPA conflicts with the Agreement on the processing of Customer Personal Information, this DPA prevails for that subject matter.

13.2 This DPA takes effect when the Agreement does and continues while the Provider processes Customer Personal Information.


Annex A — Processing details

Annex B — Authorised Sub-processors (to confirm)

Sub-processor | Service provided | Location
[Cloudflare] | Hosting / CDN / security | [region]
[Lemon Squeezy / Paddle] | Payments (merchant of record), invoicing, licence keys | [region]
[Paystack] | Payments (ZAR) | South Africa / [region]
[Authentication provider] | Sign-in / identity | [region]
[Email provider] | Transactional / support email | [region]
[Cloud storage / database] | Storage of account data and Customer content (hosted features) | [region]

Confirm and keep this list current; mirror it in the Privacy Policy and the public sub-processor list.


© [2026] STATIX design team. All rights reserved.
