Daybook Data Processing Addendum (DPA)

Last updated: 24 May 2026 · Effective date: 24 May 2026
Operator: Daybook, a trading name of Liam Clarke (sole proprietor) (“Daybook”). Registered business address available on request — email intake@daybookcoza.com. Sole proprietorship — no company registration applicable. ID number on file at signing.
Responsible Party: The Daybook Customer identified in the Daybook account registration (“Customer” or “you”).
Each a “Party”, and together the “Parties”.

This Data Processing Addendum (this “DPA”) forms part of, and is governed by, the Daybook Customer Terms of Service between the Parties (the “Agreement”). In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent the conflict concerns the processing of Personal Information.


1. Definitions

1.1. In this DPA, capitalised terms have the meanings given to them below or, if not defined here, in POPIA:

POPIA: The Protection of Personal Information Act 4 of 2013 of the Republic of South Africa, and its regulations.
Personal Information: As defined in POPIA section 1 — information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.
Special Personal Information: As defined in POPIA section 26.
Responsible Party: The party determining the purpose and means of the processing — under this DPA, the Customer.
Operator: The party processing Personal Information for the Responsible Party in terms of a contract — under this DPA, Daybook.
Sub-operator / Sub-processor: A third party engaged by Daybook to process Personal Information on Daybook’s behalf in connection with the Service.
Customer Data: All Personal Information that Customer (or anyone acting on Customer’s behalf) submits to, or causes to be processed by, the Service, including Personal Information about Customer’s debtors.
Data Subject: The natural or juristic person to whom Personal Information relates.
Service: The Daybook software-as-a-service platform described in clause 2 of the Agreement.
Security Compromise: An unauthorised access to, acquisition of, loss of, or disclosure of Personal Information, within the meaning of POPIA section 22.
Information Regulator: The Information Regulator established under POPIA section 39.

2. Roles, scope and instructions

2.1. Roles. In respect of Customer Data, the Parties acknowledge and agree that:

  • 2.1.1. the Customer is the Responsible Party;
  • 2.1.2. Daybook is the Operator.

2.2. Subject matter and duration. The subject matter of the processing is the provision of the Service. The duration of the processing is the term of the Agreement, plus any post-termination retention periods set out in clause 6.

2.3. Nature and purpose. Daybook processes Customer Data on Customer’s behalf to:

  • 2.3.1. receive Customer’s voice notes and text messages via WhatsApp and extract structured invoice / quote / reminder information using AI;
  • 2.3.2. generate draft invoices, quotes, and reminder communications for Customer’s review and approval;
  • 2.3.3. send approved invoices, quotes, and reminders from Customer’s authorised email account on Customer’s behalf;
  • 2.3.4. read incoming replies from Customer’s debtors, classify them, and surface them to Customer for action;
  • 2.3.5. reconcile payment confirmations to outstanding invoices;
  • 2.3.6. generate Customer’s weekly activity summary;
  • 2.3.7. retain records as required by the Agreement and applicable law;
  • 2.3.8. carry out support, security, fraud prevention, and audit activities incidental to the above.

2.4. Categories of Personal Information. Customer Data processed under this DPA includes, in respect of Customer’s debtors (natural or juristic):

  • 2.4.1. name, trading name, contact email, contact phone number, postal address;
  • 2.4.2. identifiers necessary for invoicing (such as registration number, VAT number);
  • 2.4.3. invoice content (description of goods or services, amounts, dates, due dates, VAT);
  • 2.4.4. payment status, payment history, communication history.

Customer Data does not — except inadvertently — include Special Personal Information, children’s information, or information of public interest within the meaning of POPIA. Customer undertakes not to instruct Daybook to process Special Personal Information through the Service.

2.5. Categories of Data Subjects. Debtors of the Customer (including individuals and authorised representatives of juristic debtors). This DPA also extends to Personal Information of Customer’s employees, contractors, and counterparties that Customer chooses to submit to the Service.

2.6. Documented instructions. Daybook processes Customer Data only on Customer’s documented instructions, which are:

  • 2.6.1. Standing instructions: the Agreement, this DPA, the Daybook Customer Privacy Policy, and configuration choices Customer makes in the Daybook dashboard (such as enabling or disabling specific reminder steps);
  • 2.6.2. Specific instructions: instructions given by Customer in writing to intake@daybookcoza.com or through the dashboard.

2.7. Daybook will inform Customer if, in Daybook’s opinion, an instruction infringes POPIA or other applicable data protection law, in which case Daybook may suspend execution of that instruction until it is modified.

2.8. Daybook will not process Customer Data for its own purposes, except: (a) to comply with applicable law (in which case Daybook will, unless prohibited, inform Customer of the legal requirement before processing); (b) to safeguard the security or integrity of the Service; or (c) in de-identified, aggregated form for internal analytics and improvement of the Service.


3. Customer (Responsible Party) obligations

3.1. Customer warrants that:

  • 3.1.1. it has a lawful basis under POPIA to process the Customer Data and to instruct Daybook to process it as Operator;
  • 3.1.2. it has provided each Data Subject with the information required under POPIA section 18 about the processing, including identifying Daybook (or “an outsourced invoicing and reminders service provider”) as a recipient where required;
  • 3.1.3. the Customer Data is accurate, complete, relevant, and not excessive in relation to the purpose for which it is processed;
  • 3.1.4. it will not use the Service to invoice, communicate with, or otherwise process Personal Information of any Data Subject in breach of POPIA, the Debt Collectors Act, the National Credit Act, the Consumer Protection Act, the ECT Act, or any other applicable law.

3.2. Customer is responsible for responding to Data Subject requests addressed directly to Customer. Daybook will assist as set out in clause 7.


4. Operator (Daybook) obligations

4.1. Daybook will:

  • 4.1.1. process Customer Data only on Customer’s documented instructions (clause 2.6);
  • 4.1.2. ensure that persons authorised to process Customer Data are bound by written confidentiality obligations or are under appropriate statutory confidentiality duties;
  • 4.1.3. implement appropriate, reasonable technical and organisational security measures as required by POPIA section 19 and detailed in clause 5;
  • 4.1.4. comply with the requirements of clause 8 in engaging Sub-operators;
  • 4.1.5. taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under POPIA (as set out in clause 7);
  • 4.1.6. assist Customer in ensuring compliance with Customer’s security and breach-notification obligations under POPIA sections 19, 21, and 22, taking into account the nature of processing and the information available to Daybook;
  • 4.1.7. at Customer’s option, return or delete all Customer Data after the end of the provision of the Service, in accordance with clause 6;
  • 4.1.8. make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and contribute to audits and inspections in accordance with clause 9.

5. Security measures

5.1. Daybook applies, and will maintain, the following technical and organisational security measures (the “Security Measures”):

Encryption in transit: TLS 1.2 or higher on all Daybook public endpoints (dashboard, API, webhooks); HTTPS only; HSTS where applicable.
Encryption at rest — OAuth tokens: Refresh and access tokens for Customer’s Gmail / Microsoft accounts are stored in an encrypted token store (Vercel Blob with provider-side encryption, or env-var encryption, as applicable). Tokens are never written to application logs.
Encryption at rest — Customer Data records: Stored within Notion’s encrypted-at-rest infrastructure, which serves as Daybook’s database. Notion’s published security commitments apply (AES-256 at rest).
Encryption at rest — file storage: PDF invoices and other Customer artefacts are stored in Vercel Blob with provider-side encryption.
Access control — Daybook personnel: The Daybook administrative dashboard is restricted to the Information Officer (currently Liam Clarke) under password authentication. Multi-factor authentication is enabled on all Daybook accounts with Sub-operators where supported. Role-based access control will be enforced when additional personnel are onboarded.
Access control — Customer email accounts: Daybook acts on Customer’s email account only through scoped OAuth grants (send and read scopes for the Customer’s account only). Customer can revoke the grant at any time from their Google or Microsoft account permissions page. Daybook does not store email passwords.
Audit logging: Every invoice action, quote action, reminder send, status change, and account event is recorded in an audit log (Notion Activity entries) with timestamp, actor, and action description. Logs are retained as required by clause 6.
Webhook integrity: All inbound webhooks (WhatsApp and, if a payment processor is engaged, payment notifications) are verified by HMAC signature, compared in constant time, or an equivalent cryptographic check before being processed.
Idempotency: Inbound WhatsApp messages are de-duplicated so that a replayed or redelivered message does not produce a duplicate invoice.
Personnel: All authorised personnel sign written confidentiality undertakings and complete POPIA awareness training.
Vendor management: All Sub-operators are bound by a data processing agreement or equivalent contractual terms before any Customer Data is shared. Sub-operators are reviewed annually.
Vulnerability management: Routine dependency updates; logging and monitoring of error rates; planned external review at the first material milestone.
Back-ups and recovery: Notion’s native version history and back-ups; encrypted disaster-recovery snapshots; retention per clause 6.
Physical security: Daybook does not operate on-premise infrastructure that processes Customer Data. All production processing occurs within Sub-operator infrastructure that itself maintains physical security commensurate with industry norms.
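The webhook-integrity and idempotency controls in the table above, as an added illustration in Python that is not Daybook’s own code. It assumes, for the example only, a `sha256=<hex>` signature header over the raw request body and a JSON body carrying a `message_id`; the real header name, digest scheme and identifier field depend on the WhatsApp provider in use. The secret and the traffic are constructed inline so the block runs offline.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed for this example. In a deployment the secret is shared with the
# webhook sender and held in environment configuration, never in source.
WEBHOOK_SECRET = b"constructed-example-secret"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Signature header value the sender would attach to a request.

    Scheme assumed for illustration: 'sha256=' + hex(HMAC-SHA256(secret, body)).
    """
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Check the signature over the raw bytes before anything is parsed.

    hmac.compare_digest takes time independent of where the first mismatching
    byte sits, so timing responses cannot reveal the expected digest byte by
    byte, which a plain '==' comparison would allow.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected.encode("ascii"), header_value.encode("utf-8"))


class WebhookReceiver:
    """Verifies, de-duplicates and records inbound messages."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Identifiers already processed. In-memory here for illustration; on
        # serverless compute this must be a durable store, otherwise a
        # redelivery routed to another instance is not caught.
        self._seen_ids = set()
        self.drafts = []

    def handle(self, raw_body: bytes, signature_header: Optional[str]) -> str:
        # 1. Integrity: reject anything not signed with the shared secret.
        if not verify_signature(self._secret, raw_body, signature_header):
            return "rejected:bad_signature"
        # 2. Only a verified body is parsed.
        try:
            payload = json.loads(raw_body)
        except ValueError:
            return "rejected:malformed"
        message_id = payload.get("message_id") if isinstance(payload, dict) else None
        if not isinstance(message_id, str) or not message_id:
            return "rejected:missing_id"
        # 3. Idempotency: a replayed or redelivered message is acknowledged but
        #    must not produce a second draft invoice.
        if message_id in self._seen_ids:
            return "duplicate"
        self._seen_ids.add(message_id)
        self.drafts.append({"message_id": message_id, "text": payload.get("text", "")})
        return "accepted"


def run_demo() -> List[str]:
    """Run constructed traffic through the receiver; returns one outcome per request."""
    receiver = WebhookReceiver(WEBHOOK_SECRET)
    body = json.dumps(
        {"message_id": "wamid.EXAMPLE-001", "text": "invoice Sipho R450 plumbing"}
    ).encode()
    good_sig = sign_body(WEBHOOK_SECRET, body)
    tampered = body.replace(b"R450", b"R4500")  # amount altered after signing
    return [
        receiver.handle(body, good_sig),                  # fresh, correctly signed
        receiver.handle(body, good_sig),                  # exact replay of the same request
        receiver.handle(tampered, good_sig),              # body changed, signature now stale
        receiver.handle(body, None),                      # header missing entirely
        receiver.handle(body, "sha256=" + "0" * 64),      # forged digest of the right length
        receiver.handle(b"{not json", sign_body(WEBHOOK_SECRET, b"{not json")),  # signed but malformed
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The order of the checks is the point: the signature is verified over the exact bytes received, before JSON decoding, so a request that fails verification never reaches the parser; and the replay check happens after verification, so an attacker cannot use the de-duplication set as an oracle with unsigned requests.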

5.2. Daybook may update the Security Measures from time to time, provided that no update materially reduces the level of protection.


6. Return and deletion of Customer Data

6.1. Return window (14 days). Within fourteen (14) days of termination or expiry of the Agreement (or earlier, at Customer’s request), Daybook will provide Customer with an export of all Customer Data in a structured, commonly used machine-readable format (such as CSV or JSON).

6.2. Deletion window (14 days). Within fourteen (14) days after the return window in clause 6.1 ends (or earlier, at Customer’s request, once Customer has received its export), Daybook will delete all Customer Data from its production systems, including from:

  • 6.2.1. the Notion database used as the Daybook data store;
  • 6.2.2. Vercel Blob and any other file storage;
  • 6.2.3. the token store, in respect of OAuth tokens;
  • 6.2.4. any reasonably accessible copies held by Sub-operators that act on Daybook’s instruction (Daybook will instruct each Sub-operator to delete in accordance with its DPA);
  • 6.2.5. internal copies in support tooling and any other production system.

6.3. Statutory retention exceptions. Notwithstanding clause 6.2, Daybook may retain:

  • 6.3.1. records required to be kept under section 29 of the Tax Administration Act 28 of 2011 (Daybook’s own tax records relating to fees billed to Customer) — up to seven (7) years where required;
  • 6.3.2. records required under the Companies Act 71 of 2008, the FIC Act (if applicable), or court order;
  • 6.3.3. records reasonably necessary to enforce or defend legal claims, on a documented legitimate-interests basis under POPIA section 11(1)(f).

Records retained under this clause 6.3 are processed only for the legal purpose for which they are retained, are kept securely, and are deleted once the retention purpose is exhausted.

6.4. Back-ups. Personal Information in encrypted back-ups will be deleted in the ordinary back-up rotation cycle or sooner where reasonably practicable. While in back-ups, the information is not actively processed.

6.5. Certification of deletion. Daybook will, on Customer’s written request, certify deletion in writing once the deletion window in clause 6.2 has been completed.

6.6. OAuth revocation. Customer should revoke Daybook’s OAuth access on its Google or Microsoft account permissions page on or around the date of termination. Daybook will, in any event, invalidate stored OAuth tokens during the deletion window.


7. Data Subject requests and assistance

7.1. Daybook will, taking into account the nature of the processing and the information available to it, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligation to respond to:

  • 7.1.1. requests from Data Subjects under POPIA sections 23 (access), 24 (correction and deletion), and 11(3) (objection);
  • 7.1.2. requests in respect of direct marketing under POPIA section 69; and
  • 7.1.3. requests in respect of automated decision-making under POPIA section 71 (noting that Daybook does not perform automated decision-making with legal effect, per clause 3.2 of the Privacy Policy).

7.2. Daybook will not respond directly to Data Subject requests in respect of Customer Data, except: (a) on Customer’s express instruction; or (b) where required to do so by law. Daybook will forward such requests to Customer without undue delay.

7.3. Customer will reimburse Daybook for reasonable costs incurred in providing assistance that exceeds standard configuration, where the request volume or complexity is materially above the ordinary course.


8. Sub-operators

8.1. General written authorisation. Customer grants Daybook general written authorisation to engage Sub-operators for the purpose of providing the Service. The Sub-operators currently engaged are listed in Annex A.

8.2. Notification of changes. Daybook will give Customer at least fourteen (14) days’ prior written notice (by email and / or in-dashboard notice) of the engagement of a new Sub-operator or of a change of a Sub-operator. The notice will describe the Sub-operator’s role and location.

8.3. Right to object. Customer may object on reasonable grounds related to data protection to the engagement of a new Sub-operator by giving written notice to Daybook within the notice period in clause 8.2. If Customer’s objection cannot be resolved on commercially reasonable terms, Customer may terminate the Agreement under clause 10 of the Terms of Service, provided that fees for the unused portion of any prepaid period will be refunded on a pro rata basis.

8.4. Sub-operator obligations. Daybook will:

  • 8.4.1. contract with each Sub-operator on terms that impose substantively equivalent data protection obligations to those in this DPA (in particular regarding instructions, confidentiality, security, sub-processing, and assistance);
  • 8.4.2. remain liable to Customer for the performance of each Sub-operator’s obligations relating to Customer Data, subject to the limitations of liability in the Terms of Service as applied by clause 12 of this DPA.

9. Audits and information rights

9.1. Information requests. On reasonable written request, Daybook will provide Customer with the information reasonably necessary to demonstrate compliance with this DPA, including:

  • 9.1.1. Daybook’s then-current security policies and Security Measures summary;
  • 9.1.2. Sub-operator list and locations;
  • 9.1.3. the relevant DPAs and SCCs in place with Sub-operators (where Daybook is permitted to disclose them);
  • 9.1.4. summaries of any audit reports or certifications held by Daybook.

9.2. Audit right. Customer may, on no less than thirty (30) days’ prior written notice and no more than once in any twelve (12) month period (save where an audit is triggered by a confirmed Security Compromise or a written instruction from the Information Regulator), conduct an audit of Daybook’s compliance with this DPA. Audits will:

  • 9.2.1. be conducted during ordinary South African business hours;
  • 9.2.2. not unreasonably interfere with the Service;
  • 9.2.3. respect the confidentiality of Daybook’s other customers and the security of its systems;
  • 9.2.4. be carried out by Customer or by a suitably qualified independent third-party auditor bound by confidentiality to Daybook;
  • 9.2.5. be at Customer’s own cost, except where the audit reveals a material breach of this DPA by Daybook, in which case Daybook will bear reasonable audit costs.

9.3. Daybook may satisfy an audit request through written responses, evidence packs, and independent attestations (such as SOC 2 reports of Sub-operators), where reasonably available.


10. Personal Information breach notification

10.1. Daybook will notify Customer of a Security Compromise affecting Customer Data without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of the compromise.

10.2. The notice will, to the extent then known and to the extent it can be lawfully shared, include:

  • 10.2.1. a description of the nature of the compromise;
  • 10.2.2. the categories and approximate number of Data Subjects affected;
  • 10.2.3. the categories and approximate volume of Personal Information affected;
  • 10.2.4. the likely consequences of the compromise;
  • 10.2.5. the measures taken or proposed to address the compromise and to mitigate adverse effects;
  • 10.2.6. the name and contact details of a Daybook point of contact for further information.

10.3. Where Daybook does not have all the information required by clause 10.2 at the time of initial notification, Daybook will provide the information progressively as it becomes available, without further undue delay.

10.4. Daybook will, taking into account the nature of the processing and information available to it, support Customer in meeting Customer’s obligations to notify the Information Regulator and affected Data Subjects under POPIA section 22.

10.5. The fact of, or the content of, any breach notification is not in itself an acknowledgement of fault or liability by Daybook.


11. International transfers

11.1. Customer authorises Daybook to transfer Customer Data outside the Republic of South Africa to the extent necessary to provide the Service, including to the Sub-operators listed in Annex A.

11.2. Daybook will only effect such transfers where a lawful basis under POPIA section 72 applies. The basis for each Sub-operator’s transfer is set out in Annex B.

11.3. Where additional safeguards (such as Standard Contractual Clauses, supplementary technical measures, or transfer impact assessments) become a regulatory expectation, Daybook will implement them in cooperation with Customer.


12. Liability

12.1. Each Party’s liability arising out of or in connection with this DPA, whether in contract, delict, statute, or otherwise, is subject to the limitations of liability set out in clause 8 of the Daybook Customer Terms of Service, including the aggregate cap at six (6) months of fees paid.

12.2. Nothing in clause 12.1 limits either Party’s liability for: (a) regulatory fines or penalties imposed directly on that Party by the Information Regulator or a court for that Party’s own breach of POPIA; (b) wilful misconduct or fraud; or (c) any other liability that cannot be excluded or limited under South African law.

12.3. Where the Information Regulator or a court imposes a fine or penalty on one Party arising out of facts that are partly the fault of the other Party, the Parties will cooperate in good faith to determine an equitable apportionment, taking into account each Party’s respective contribution.


13. Governing law and dispute resolution

13.1. This DPA is governed by and construed in accordance with the laws of the Republic of South Africa. POPIA prevails over any conflicting provision of this DPA.

13.2. Disputes are resolved under clause 15 of the Daybook Customer Terms of Service.


14. General

14.1. Incorporation. This DPA is incorporated by reference into the Agreement.

14.2. Order of precedence. In the event of conflict, the order of precedence is: (i) POPIA and other mandatory law; (ii) this DPA; (iii) the Daybook Customer Terms of Service; (iv) the Daybook Customer Privacy Policy; (v) the Daybook Founding Partner Agreement (where applicable to Founding-tier customers); (vi) any other Daybook document.

14.3. Amendments. Daybook may update this DPA from time to time to reflect changes in law, Sub-operators, or operational practice, on not less than thirty (30) days’ notice for material changes, in accordance with clause 14 of the Terms of Service.

14.4. Severability. If any provision of this DPA is held invalid or unenforceable, the remainder will continue in force.

14.5. Counterparts and electronic acceptance. Acceptance of the Terms of Service constitutes acceptance of this DPA in accordance with section 13 of the ECT Act.

Annex A

List of Sub-operators

Sub-operator | Role | Country / region of processing
Google LLC (Gmail, Google Workspace OAuth) | Sending and reading email on Customer’s behalf under OAuth scopes | United States
Microsoft Corporation (Microsoft Graph / Outlook OAuth) | Sending and reading email on Customer’s behalf under OAuth scopes (where Customer uses Microsoft 365) | United States and European Union
Anthropic, PBC | AI extraction and drafting (Claude model) | United States
OpenAI, LLC | Backup AI extraction model (where used) | United States
Notion Labs, Inc. | Database / data store; internal CRM | United States
Vercel, Inc. | Web hosting, serverless compute, Vercel Blob file storage | United States
WPPConnect (self-hosted instance, interim) or Twilio Inc. or 360dialog GmbH | WhatsApp message routing | Self-hosted infrastructure (WPPConnect); United States (Twilio); Germany (360dialog)
Sentry (Functional Software, Inc.), once enabled | Error and exception monitoring | United States
PostHog Inc., once enabled | Product analytics, IP truncated | United States
Vercel Analytics, if used | Aggregated website analytics | United States
None (no external payment processor is engaged; Daybook subscription fees are paid by direct EFT from Customer’s bank to Daybook’s nominated South African bank account) | Subscription billing | South Africa

This list is current as of the Effective Date and is updated in accordance with clause 8.

Annex B

Lawful basis for cross-border transfers (POPIA section 72)

Sub-operator | Country | POPIA section 72 basis
Google LLC | United States | s. 72(1)(a): Google is bound by its Data Processing Addendum incorporating Standard Contractual Clauses comparable to POPIA’s information protection conditions; s. 72(1)(c): necessary to perform the contract with Customer.
Microsoft Corporation | United States / EU | s. 72(1)(a): Microsoft DPA and Standard Contractual Clauses; s. 72(1)(c).
Anthropic, PBC | United States | s. 72(1)(a): Anthropic DPA, EU SCCs incorporated; s. 72(1)(c).
OpenAI, LLC | United States | s. 72(1)(a): OpenAI DPA, EU SCCs incorporated; s. 72(1)(c).
Notion Labs, Inc. | United States | s. 72(1)(a): Notion DPA, EU SCCs incorporated, AES-256 at rest; s. 72(1)(c).
Vercel, Inc. | United States | s. 72(1)(a): Vercel DPA incorporating SCCs; s. 72(1)(c).
Twilio Inc. (if used) | United States | s. 72(1)(a): Twilio DPA incorporating SCCs; s. 72(1)(c).
360dialog GmbH (if used) | Germany (EU) | s. 72(1)(a): 360dialog is subject to the GDPR, a law providing an adequate level of protection substantially similar to POPIA’s conditions for lawful processing; s. 72(1)(c).
WPPConnect (self-hosted, interim) | Daybook-controlled infrastructure | s. 72(1)(c): direct processing under Daybook’s contractual and security controls.
Sentry, PostHog (once enabled) | United States | s. 72(1)(a): respective DPAs incorporating SCCs; s. 72(1)(c).
Payment processor | Not applicable | None currently engaged (see Annex A). If a provider is selected, the basis (s. 72(1)(a), or domestic processing) will be confirmed before engagement under clause 8.

Annex C

Categories of processing, summary

Categories of Data Subjects: Customer’s debtors (natural and juristic persons); authorised representatives of those debtors; Customer’s own employees and contractors whose details Customer chooses to submit.
Categories of Personal Information: Name, contact details, billing address, business identifiers (registration / VAT number), invoice and payment details, communication content.
Special Personal Information: Not knowingly processed.
Children’s Personal Information: Not knowingly processed.
Nature of processing: Collection, recording, storage, retrieval, dissemination by transmission (email send), use, erasure.
Purpose of processing: Provision of the Daybook invoicing, reminders, and reconciliation Service.
Duration of processing: Term of the Agreement, plus retention periods in clause 6.

End of Data Processing Addendum.

Privacy and DPA queries: intake@daybookcoza.com