# STATIX — Data Processing Addendum (DPA)

> **DRAFT — NOT YET LEGALLY REVIEWED.** Professional drafting for review by a
> qualified South African attorney and a data-protection adviser before use. Not legal
> advice. This DPA is mainly relevant once **hosted / cloud features** are enabled —
> the offline edition keeps customer data on the customer's device. Complete all
> `[bracketed]` items before use.

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between the Customer and the Provider for the use of STATIX (the "Agreement"). It applies to the extent the Provider **processes Personal Information on behalf of the Customer** in providing the Service.

**Provider (Operator / Processor):** N. de Beer, trading as [legal entity], South Africa

**Customer (Responsible Party / Controller):** the entity that has entered into the Agreement

**Version:** Draft 0.1 · **Effective date:** [to be set]

---

## 1. Definitions

1.1 **"Data-Protection Laws"** means all laws applicable to the processing under this DPA, including the **Protection of Personal Information Act 4 of 2013 (POPIA)** and, where applicable, the **EU/UK GDPR**.

1.2 **"Personal Information" / "Personal Data"**, **"Processing"**, **"Data Subject"**, **"Responsible Party" / "Controller"**, **"Operator" / "Processor"** and **"Sub-processor" / "Sub-operator"** have the meanings in the Data-Protection Laws.

1.3 **"Customer Personal Information"** means Personal Information contained in Customer's content (for example within structural models, files, account or project data) that the Provider processes on the Customer's behalf under the Agreement.

1.4 Capitalised terms not defined here have the meaning in the Agreement.

---

## 2. Roles

2.1 The Customer is the **Responsible Party / Controller** of Customer Personal Information. The Provider is the **Operator / Processor**, acting only on the Customer's documented instructions.

2.2 For the Provider's **own** account, licensing, billing and website data, the Provider is the Responsible Party / Controller and the Privacy Policy applies — this DPA does not change that.

---

## 3. Scope and instructions

3.1 The Provider will process Customer Personal Information only:
(a) to provide, secure, maintain and support the Service per the Agreement;
(b) on the Customer's documented instructions (including via use of the Service's features); and
(c) as required by law (in which case the Provider will, where lawful, inform the Customer first).

3.2 **Subject-matter, duration, nature and purpose:** processing for the duration of the Agreement, to host/store/process and make available the Customer's structural models, files and project/account data within the Service.

3.3 **Categories of data subjects:** the Customer's personnel and any individuals whose Personal Information the Customer chooses to include in its content (the Customer should minimise this).

3.4 **Types of Personal Information:** identifiers and contact details of the Customer's users, and any Personal Information the Customer includes in uploaded content. The Service is **not** intended to process special-category data; the Customer should not upload it.

3.5 If the Provider believes an instruction breaches Data-Protection Laws, it will inform the Customer.

---

## 4. Confidentiality

The Provider will ensure that persons authorised to process Customer Personal Information are bound by appropriate confidentiality obligations and process it only as instructed.

---

## 5. Security

The Provider will implement and maintain reasonable, appropriate technical and organisational measures to protect Customer Personal Information against unauthorised or unlawful access, loss, destruction or damage, taking into account the state of the art, the risk, and the nature of the data — including, as appropriate: encryption in transit, access controls and least-privilege, secure authentication, logging, and use of reputable infrastructure providers (see Annex B).

---

## 6. Sub-processors

6.1 The Customer **authorises** the Provider to engage Sub-processors to provide the Service. The current Sub-processors are listed in **Annex B** (and/or maintained at [statix.app/legal/subprocessors]).

6.2 The Provider will impose data-protection obligations on each Sub-processor that are **no less protective** than those in this DPA, and remains responsible for its Sub-processors' performance.

6.3 The Provider will give the Customer reasonable notice of any intended addition or replacement of a Sub-processor; the Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve it.

---

## 7. Cross-border transfers

The Provider may transfer Customer Personal Information across borders (including outside South Africa and the EU/UK) to the Sub-processors in Annex B, **only** where an adequate level of protection or an appropriate safeguard applies — including POPIA §72 conditions and, for EU/UK data, **Standard Contractual Clauses** or an adequacy decision. Details of the safeguard are available on request.

---

## 8. Assistance to the Customer

Taking into account the nature of the processing and the information available, the Provider will provide reasonable assistance to the Customer with:
(a) responding to **Data-Subject requests** (access, correction, deletion, objection, portability) — the Provider will, where it cannot action a request itself, redirect or assist;
(b) **security**, **breach notification** and, where required, **data-protection / privacy impact assessments** and prior consultation with a regulator.

---

## 9. Personal Information / data breach

The Provider will notify the Customer **without undue delay** after becoming aware of a security compromise affecting Customer Personal Information, and will provide the information the Customer reasonably needs to meet its own notification obligations to the Information Regulator / supervisory authority and data subjects under POPIA and GDPR.

---

## 10. Return and deletion

On termination or expiry of the Agreement, or on the Customer's written request, the Provider will, at the Customer's choice, **return or delete** Customer Personal Information within [30–90 days], except to the extent retention is required by law; backups are deleted on their normal cycle (within [90 days]).

---

## 11. Audit

The Provider will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits on reasonable prior notice, no more than [once per year] (or as a regulator requires), subject to confidentiality and the security of other customers.

---

## 12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Agreement (including the EULA and Engineering Disclaimer), to the extent permitted by law.

---

## 13. Conflict and term

13.1 If this DPA conflicts with the Agreement on the processing of Customer Personal Information, this DPA prevails for that subject matter.

13.2 This DPA takes effect when the Agreement does and continues while the Provider processes Customer Personal Information.

---

## Annex A — Processing details

- **Subject matter:** provision of the STATIX hosted Service.
- **Duration:** the term of the Agreement plus the return/deletion period.
- **Nature & purpose:** hosting, storage, processing and making available of the Customer's structural models, files, reports and project/account data.
- **Types of Personal Information:** user identifiers and contact details; any Personal Information the Customer includes in its content.
- **Categories of Data Subjects:** Customer's users and any individuals the Customer includes in its content.

## Annex B — Authorised Sub-processors (to confirm)

| Sub-processor | Service provided | Location |
|---|---|---|
| [Cloudflare] | Hosting / CDN / security | [region] |
| [Lemon Squeezy / Paddle] | Payments (merchant of record), invoicing, licence keys | [region] |
| [Paystack] | Payments (ZAR) | South Africa / [region] |
| [Authentication provider] | Sign-in / identity | [region] |
| [Email provider] | Transactional / support email | [region] |
| [Cloud storage / database] | Storage of account data and Customer content (hosted features) | [region] |

> Confirm and keep this list current; mirror it in the Privacy Policy and the public
> sub-processor list.

---

*© [2026] N. de Beer. All rights reserved.*

**Reminder: this is a DRAFT for attorney review.**