Data Processing Agreement

Last updated: January 29, 2026

Important Notice: This Data Processing Agreement (DPA) forms part of our Terms of Service and Privacy Policy, governing how we process personal data on behalf of our customers.

Definitions

Data Controller: The customer who determines the purposes and means of processing personal data.

Data Processor: Kubo Business Management Tool, which processes personal data on behalf of the Data Controller.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, such as collection, storage, use, or disclosure.

Scope and Subject Matter

This DPA governs the processing of personal data by Kubo Business Management Tool as a Data Processor on behalf of our customers (Data Controllers) who use our business management services.

Duration of Processing

Processing shall commence upon the customer's acceptance of our Terms of Service and shall continue for the duration of the service agreement, unless terminated earlier in accordance with this agreement.

Nature and Purpose of Processing

The processing of personal data is necessary for the provision of business management services, including but not limited to:

  • Customer relationship management
  • Invoice and quote generation
  • Financial reporting and compliance
  • Communication with customers and suppliers
  • Payment processing and tracking

Type of Personal Data

The types of personal data processed may include:

  • Customer names, addresses, and contact information
  • Financial information and payment details
  • Company registration numbers and tax information
  • Communication records and transaction history
  • Any other personal data provided by the Data Controller

Obligations of the Data Processor

Security Measures

We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymisation and encryption of personal data
  • Regular testing, assessment, and evaluation of security measures
  • Access controls and authentication mechanisms
  • Secure backup and disaster recovery procedures

Processing Instructions

We shall only process personal data:

  • On documented instructions from the Data Controller
  • As required by South African law
  • For the specific purposes outlined in this agreement
  • Within the scope of the services provided

Confidentiality

All personnel authorized to process personal data shall be bound by confidentiality obligations, whether contractual or statutory.

Sub-processors

We may engage sub-processors only with the prior authorization of the Data Controller. Current sub-processors include:

  • Cloud hosting providers (South Africa-based)
  • Payment processing services
  • Email and messaging service providers

Data Subject Rights

We shall assist the Data Controller in fulfilling data subject rights requests, including:

  • Access to personal data
  • Correction of inaccurate data
  • Deletion of personal data
  • Data portability
  • Objection to processing

Data Security Breaches

In the event of a personal data breach, we shall:

  • Notify the Data Controller without undue delay
  • Provide sufficient information to assess the impact
  • Cooperate with the Data Controller in breach response
  • Take immediate remedial action to mitigate damage

Data Deletion and Return

Upon termination of services, we shall:

  • Delete or return all personal data to the Data Controller
  • Provide certification of data deletion
  • Retain data only as required by law
  • Destroy backup copies as agreed

Audit and Compliance

We shall make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

International Data Transfers

All personal data is stored and processed within South Africa in compliance with POPIA. No international data transfers shall occur without appropriate safeguards and the Data Controller's consent.

Limitation of Liability

Our liability under this DPA shall be limited to direct damages and shall not exceed the fees paid by the Data Controller for the services over the preceding 12 months.

Governing Law

This DPA shall be governed by the laws of South Africa, including POPIA and any applicable data protection regulations.

Termination

This DPA may be terminated by either party with 30 days' written notice, or immediately in the event of a material breach of data protection obligations.

Contact Information

For matters related to this Data Processing Agreement, please contact:

  • Email: sales1@cloudst.co.za
  • Phone: +27 87 821 6494
  • Data Protection Officer: sales1@cloudst.co.za
  • Information Regulator: www.justice.gov.za/inforeg

Data Processing Activities

Specific processing activities we undertake on behalf of Data Controllers include:

  • Collecting and storing customer information
  • Processing financial transactions and payment data
  • Generating invoices and quotes
  • Managing customer communications
  • Providing analytics and reporting services

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities and provide documentation to Data Controllers upon request.

Acceptance: By using our services, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.