SCHEDULE – DATA PROTECTION
of Protected Data:
Standard of care: The Provider must keep and maintain all
Protected Data in strict confidence, using such degree of care as is
appropriate to avoid unauthorised access, use or disclosure.
Usage of Protected Data: The Provider must use and disclose
Protected Data solely and exclusively for the purposes for which the Protected
Data, or access to it, is provided pursuant to the terms and conditions of the
Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose
or make available Protected Data for the Customer’s own purposes or for the
benefit of anyone other than the Customer, in each case, without Customer’s
prior written consent.
Disclosure: The Provider must not, directly or indirectly,
disclose Protected Data to any person other than Authorised Persons, without
express written consent from the Customer, unless and to the extent required by
government authorities or as otherwise expressly required by applicable law, in
which case the Provider must use reasonable efforts to notify the Customer before
such disclosure or as soon thereafter as reasonably
Responsibility for Authorised Persons: The Provider is
responsible for and remains liable to the Customer for the actions and omissions
of such Authorised Persons concerning the treatment of such Protected Data as
if they were the Provider’s own actions and omissions.
Written undertaking required from Authorised Persons: The
Provider must require the Authorised Persons who have access to Protected Data
to execute a written undertaking to comply with this Schedule.
Confidential information: All Protected Data
provided by the Customer to the Provider or to which the Provider may be
exposed or acquire in terms of this Agreement, constitutes Confidential
Conflicts: If there is a conflict or
inconsistency between this Schedule and the confidentiality provisions within the
main body of the Agreement, the terms of this Schedule govern and control.
Cross border transfer: The Provider must not
transfer Protected Data (or allow Authorised Persons to transfer Protected
Data) outside the Republic of South Africa unless it receives the Customer’s prior
Additional charges: The Provider may charge
additional fees at its standard rates for activities required by the Customer
to assist it to comply with Data Protection Laws.
Access rights: The Customer may access and
copy any Protected Data in the Provider’s possession or control at any time and
provide reasonable assistance to the Customer to access and copy the Protected
charge their reasonable then-standard fees for any assistance provided under 1.6.
Protected data requests: If the Provider
receives a consumer “right to know,” deletion, “right to be forgotten,” or
similar request related to Protected Data (the “Consumer
Requests”), the Provider must not reply without the Customer’s written
authorisation and shall, at the Customer’s expense, comply with the Customer’s
reasonable written instructions for Consumer Requests (if any), subject to Data
Audits and certifications:
The Provider must maintain annually updated reports and certifications (as
may be applicable) of compliance with the following:
SOC 2 Type II; and
PCI Level 2.
The Provider must:
provide the Customer a copy of the most current certifications and reports
(as may be applicable) within 30 days of request and thereafter annually within
30 days of completion thereof; and
if there are any deficiencies identified or changes suggested relating
to the provisions of the Services under the Agreement, the Provider must
exercise reasonable efforts to promptly address such deficiencies and changes.
Notwithstanding anything in this Schedule, the Provider is not required
to permit any audit that may compromise the security of the Provider’s other
Any report provided under this Schedule must be regarded as confidential
If requested by the Customer, the Provider must permit inspection and
security review by the Customer of systems processing Protected Data and of the
Provider’s policies and procedures relating to data security.
The Customer may request an inspection contemplated in 1.9
half-yearly, starting from the date that this Agreement becomes effective.
Notwithstanding anything in this Schedule, the Provider is not required
to permit any inspection that may compromise the security of the Provider’s
other customers’ data.
Data Incidents: If there is a Data Incident,
or if Provider suspects a Data Incident, the Provider must:
and in any case within 24 hours, give notification by telephone, in person, or
by other real-time, in-person communication;
with law enforcement agencies, where applicable, to investigate and resolve the
reasonable assistance in notifying applicable third parties;
with applicable laws governing data breach notification and response;
the Data Incident results from their breach of this Agreement or negligent or
unauthorised act or omission of an Authorised Person, compensate the other
Party for any reasonable expense related to notification of consumers;
the other Party prompt access to such records related to a Data Incident as may
reasonably be requested (such records will be regarded as confidential
information and there will be no obligation to provide access to records that
might compromise the security of the other customers); and
the name and contact information for an employee who shall serve as primary
security contact and must be available to assist 24 hours per day, 7 days per
week as a contact in resolving obligations associated with a Data Incident.
Third parties and Data Incidents:
The Provider must not inform any third party of any Data Incident
without first obtaining the Customer’s prior written consent, other than to
inform a complainant that the matter has been forwarded to the Customer’s legal
counsel. The Customer has the sole right to determine:
whether notice of the Data Incident is to be provided to any
individuals, regulators, law enforcement agencies, consumer reporting agencies
or others as required by law or regulation, or otherwise in the Customer’s
the contents of such notice, whether any type of remediation may be
offered to affected persons, and the nature and extent of any such remediation.
The Provider must reasonably cooperate at its own expense with the
Customer in any litigation or other formal action deemed reasonably necessary
by the Customer to protect its rights relating to the use, disclosure,
protection and maintenance of Protected Data.
If there is a Data Incident, the Provider must use its reasonable
efforts to prevent a recurrence of any such Data Incident.
Nothing in this Schedule limits other rights or remedies of the
Customer, if any, resulting from a Data Incident.
Deletion of Protected Data:
Except as required by Data Protection Laws or authorised pursuant to a data
deletion policy accepted in writing by each party, the Provider must not erase
Protected Data or any copy thereof without the Customer’s prior written
consent. The Provider must:
request promptly erase all Protected Data from all systems under Provider’s
control and direct and ensure erasure by any and all of its subcontractors that
have access to Protected Data;
30 days of termination of this Agreement, erase all Protected Data in
Provider’s possession or control, including without limitation in the
possession or control of its subcontractors;
erasure leave no data readable, decipherable, or recoverable on its computers
or other media or those of its subcontractors, using the best erasure methods
commercially feasible; and
after any erasure of Protected Data or any part of it, certify such erasure.
Minimum safeguards: In addition to any other safeguards
contemplated in this Schedule, the Provider must ensure at minimum that:
Personnel each have a unique user ID assigned to them, subject to strict
confidentiality undertakings in terms of a password and confidentiality policy;
passwords are required for any access to Data in line with its password policy;
operating systems are secure and that the security settings in respect thereof
are aligned with good industry practice;
administrator accounts (and records of usage in relation thereto) are stored
securely and can be accessed in the event of any service restoration or fault
to Data be limited to Personnel on a “need to know” basis, which Personnel shall
strictly utilise their unique user ID and applicable passwords to access same
(the access to such Data shall be subject to a two-step
Data is backed up regularly, and that backup testing is conducted
regularly so that Data can be recovered in the event that such
Data is lost, damaged or destroyed;
environment has comprehensive malware protection software employed, which
software is specifically designed to protect against the most recent malware
vulnerability scanning is conducted in order to assess whether any computers,
networks or applications have any vulnerabilities to cyber-attacks; and
designated networks, employ intrusion detection systems and intrusion
prevention systems, and record any security incidents.
IT network infrastructure diagram: Upon
the Customer’s written request, the Provider must provide the Customer with a
network diagram that outlines the Provider’s information technology network
infrastructure and all equipment used in fulfilling its
obligations under the Agreement, including:
to the Customer’s and all third parties who may access the Provider’s network
to the extent the network contains Protected Data;
network connections including remote access services and wireless connectivity;
access control devices (for example, firewall, packet filters, intrusion
detection and access-list routers);
back-up or redundant servers; and
access through each network connection.
Material breach: Any breach of the
obligations under this Schedule is deemed a material breach of the Agreement.
The Provider acknowledges that:
no adequate remedy exists at law if it fails to perform or breaches any
of its obligations under this Schedule;
it would be difficult to determine the damages resulting from a breach
of this Schedule, and such breach would cause irreparable harm to the Customer;
a grant of injunctive relief provides the best remedy for any such
breach, without any requirement that the Customer prove actual damage or post a
bond or other security.
To the extent permitted under Data Protection Laws, the Provider waives
any opposition to such injunctive relief contemplated in Section 1.16 or any right to such proof, bond, or other security.
The Provider’s obligations in this Schedule apply likewise to the
Provider’s successors, including without limitation to any trustee in