This Data Processing Addendum ("DPA") applies to every Business or Institution customer ("Customer") who uses FICAVault to process personal information of third parties (such as its clients, employees or beneficial owners). It forms part of the Terms of Service. Where the two conflict on data processing, this DPA prevails.
1. Roles
With respect to third-party personal information uploaded by the Customer, the Customer is the responsible party and FICAVault is the operator, as defined in POPIA. FICAVault processes such personal information only on the Customer's documented instructions, subject to this DPA.
2. Subject matter and duration
Subject matter: hosting and processing of FICA/KYC documents and related metadata for the Customer's clients. Duration: the term of the Customer's FICAVault subscription plus any post-termination retention required by law.
3. Nature and purpose
- Secure storage of client documents.
- Expiry monitoring and notifications.
- Facilitation of consent-based sharing between clients and the Customer.
- Audit and reporting to support the Customer's own compliance obligations.
4. Categories of data subjects and personal information
Data subjects: the Customer's clients, beneficial owners, directors and authorised representatives. Personal information: identity, contact, residential/business address, tax, banking and other FICA-relevant information.
5. Operator obligations
- Process personal information only on the Customer's documented instructions.
- Ensure that persons authorised to process the data are bound by confidentiality.
- Implement the security measures described in clause 7.
- Assist the Customer with data-subject requests and with security-incident notifications.
- Notify the Customer without undue delay after becoming aware of a personal-information breach.
- Delete or return personal information at the end of the engagement, subject to legal retention.
- Make available information necessary to demonstrate compliance and allow reasonable audits (see clause 9).
6. Sub-processors
The Customer authorises FICAVault to engage sub-processors for hosting, email delivery, analytics, payment processing and support. FICAVault imposes obligations on sub-processors that are materially equivalent to this DPA and remains liable for their performance. A current list of sub-processors is available on request to privacy@ficavault.app.
7. Security
FICAVault implements appropriate technical and organisational measures including: encryption in transit and at rest, role-based access control, multi-factor authentication for administrators, OTP-based sharing consent, signed and time-limited share links, network isolation, logging and monitoring, secure software-development practices, backup and business-continuity procedures, and staff training.
8. Cross-border transfers
Where personal information is transferred outside South Africa, FICAVault relies on the safeguards described in the Privacy Policy, including adequacy findings and contractual protections that require a comparable level of protection.
9. Audits
On reasonable prior written request (not more than once per year, unless required by a regulator or after a material incident) FICAVault will provide the Customer with the information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports where available.
10. Return and deletion
On termination, FICAVault will make client data available for export for 30 days and then delete or anonymise it, unless a legal retention obligation requires longer retention.
11. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service.

