This Data Processing Addendum (the "DPA") forms part of, and is subject to, the API Developer Agreement and the Surveyz Terms of Service between FusionSys Technologies (Pty) Ltd, a company incorporated in the Republic of South Africa, trading as Surveyz ("Surveyz") and the customer entity ("Customer").
In the event of any conflict between this DPA and the API Developer Agreement or Terms of Service regarding the Processing of Personal Information, security measures, confidentiality, breach notification, Sub-Operators, or cross-border transfers, this DPA will prevail to the extent of the conflict.
This DPA applies whenever Surveyz processes Personal Information on Customer's behalf in connection with the API.
For the purposes of POPIA:
Capitalised terms not defined here have the meaning given in POPIA or the API Developer Agreement. In particular:
This DPA takes effect on Customer's acceptance and continues for as long as Surveyz processes Personal Information on Customer's behalf. The subject matter of the Processing is the operation of the Surveyz survey platform and developer API on Customer's behalf, as configured by Customer.
| Item | Description |
|---|---|
| Categories of data subjects | Survey respondents and end users to whom Customer distributes surveys. |
| Categories of Personal Information | Identifiers (email addresses, names where supplied), survey answers, IP addresses, device and browser metadata, language preference, consent timestamps, and any further categories Customer elects to collect via custom questions. |
| Special Personal Information (s 26 POPIA) | Surveyz does not request or require Special Personal Information. Customer is solely responsible for any Special Personal Information collected via custom survey questions and warrants compliance with the elevated obligations in sections 27–33 of POPIA. See section 15 of this DPA for additional obligations applicable when Customer collects Special Personal Information. |
| Minor’s information (s 34–35 POPIA) | Surveyz does not knowingly collect personal information from persons under 18. Where Customer's survey targets persons under 18, Customer is solely responsible for compliance with sections 34–35 of POPIA and for obtaining verifiable parental or guardian consent. See section 15 of this DPA for additional obligations. |
| Purpose | To provide the survey platform and API services as configured by Customer; to send transactional and webhook notifications; to maintain audit and security logs; and to comply with Surveyz's legal obligations. |
Surveyz processes Personal Information only on documented instructions from Customer. Customer's instructions are set out in this DPA, the API Developer Agreement, the published Documentation, and the configuration choices Customer makes within the platform and API. Surveyz will inform Customer if, in its opinion, an instruction infringes POPIA or other applicable data-protection law.
Customer warrants that it has all necessary lawful bases, notices, disclosures, and consents required under POPIA to lawfully collect and share Personal Information with Surveyz for the stated purposes, and that it is authorised to provide the documented instructions contemplated by this DPA.
Without limiting the foregoing, Customer is responsible for:
Surveyz maintains appropriate technical and organisational measures designed to ensure a level of security appropriate to the risks presented by the Processing, having regard to section 19 of POPIA.
Such measures are designed (as appropriate to the Services and the nature of the Personal Information processed) to protect against:
This may include administrative, physical, and technical safeguards such as access controls, secure transmission and storage protections, logging and monitoring, vulnerability management, personnel confidentiality and training, and incident response and recovery processes.
Surveyz reviews and updates its security measures from time to time and may make changes that do not materially decrease the protection afforded.
Surveyz will ensure that any person it authorises to process Personal Information on Customer’s behalf (including its personnel, agents, and contractors) is subject to a duty of confidentiality (whether contractual or statutory), accesses Personal Information only on a need-to-know basis for the purposes of providing the Services, and processes Personal Information only in accordance with Customer’s documented instructions and this DPA.
If Surveyz is required by applicable law to disclose Personal Information, Surveyz will (to the extent permitted by law) give Customer reasonable prior notice of such requirement and disclose only the minimum required.
Customer provides Surveyz with a general authorisation to engage Sub-Operators (including Surveyz Affiliates and third-party infrastructure, hosting, communications, analytics, security, and support providers) to assist in providing the platform and API. Surveyz remains responsible for the acts and omissions of its Sub-Operators in respect of Customer Personal Information. Surveyz will impose written data-protection obligations on its Sub-Operators that are no less protective than those in this DPA, including obligations relating to security, confidentiality, and (where applicable) cross-border transfers.
The current list of Sub-Operators includes:
| Sub-Operator | Service | Region |
|---|---|---|
| Microsoft Azure | Cloud hosting, database, blob storage | South Africa North (Johannesburg) |
| Microsoft Azure Communication Services (Email) | Transactional email delivery | Africa (Azure data location grouping; physical datacenter is South Africa North, Johannesburg) |
| PayFast | Payment processing for ZAR billing | South Africa |
| Cloudflare, Inc. | Content delivery network, DDoS protection, DNS — processes all inbound HTTP requests | USA & global edge (transfers subject to POPIA §72 safeguards) |
| Anthropic, PBC | Optional AI insights (only when Customer enables AI features) | United States |
This list may be subject to change, from time to time. Should Surveyz engage with new Sub-Operators, Surveyz will give Customer at least thirty (30) days' notice before engaging a new Sub-Operator that materially changes the categories of Sub-Operators above.
Surveyz will take reasonable steps to engage reputable Sub-Operators appropriate to the Services and will enter into written agreements with its Sub-Operators that impose data-processing and confidentiality obligations no less protective than those in this DPA (including appropriate security measures and, where applicable, cross-border transfer safeguards).
Customer may object to such a change, in writing to the Information Officer, within fourteen (14) days of notice on reasonable data-protection grounds, in which case the parties will discuss the objection in good faith; if it cannot be resolved, Customer's sole remedy is to terminate the affected services.
Customer's primary production data (database, blob storage, and transactional email) is stored within the African data region. Cross-border transfers may occur only where Customer expressly enables features or configurations that require Processing by authorised Sub-Operators located outside South Africa, or that involve access limited Personal Information from outside South Africa. Surveyz will take reasonable steps to provide Customer with notice through the Documentation, Sub-Operator list, or other written communications where Surveyz is aware that a feature or configuration will involve such cross-border Processing.
Where such transfers occur, Surveyz will rely on one or more lawful transfer mechanisms set out in section 72 of POPIA and will ensure appropriate safeguards are in place with the relevant Sub-Operator for the cross-border Processing of Personal Information, which may include binding corporate rules, contractual safeguards substantially equivalent to those in POPIA, or Customer's express consent.
Surveyz will, taking into account the nature of the Processing, provide reasonable assistance to Customer (at Customer's cost where the request is not the result of a fault by Surveyz) to enable Customer to respond to requests by data subjects to exercise their rights under POPIA, including rights of access, correction, deletion or destruction, objection (including objection to Processing for purposes of direct marketing), withdrawal of consent (where Processing is based on consent), and the right to lodge a complaint with the Information Regulator.
Surveyz will provide such assistance within a reasonable time after Customer’s request and in a manner proportionate to the nature of the request and the information available to Surveyz.
If Surveyz receives a request directly from a data subject relating to Personal Information processed on Customer's behalf, Surveyz will, where lawfully possible, promptly notify Customer and redirect the data subject to Customer. If Surveyz is legally required to respond directly to the data subject, Surveyz will (to the extent permitted by law) inform Customer in advance and will limit its response to what is required under applicable law.
Surveyz will notify Customer as soon as reasonably possible after becoming aware of any Personal-Information Breach affecting Customer's data processed by Surveyz, and in any event within seventy-two (72) hours where the breach is confirmed and the circumstances permit. Notification will be made to the Customer contact on record and will include, to the extent known at the time:
Surveyz will provide further updates as additional information becomes available and will cooperate with Customer in mitigating harm to affected data subjects. Where reasonably necessary for Customer to respond to a data-subject request or regulatory enquiry relating to the Processing (including any Processing by Sub-Operators and any cross-border transfers), Surveyz will, on Customer’s request and subject to confidentiality, provide reasonable information about the relevant Sub-Operators and the safeguards relied upon, without being required to disclose confidential details of its internal security or vendor-selection processes.
Customer must notify Surveyz at [email protected] without undue delay upon becoming aware of:
Customer is the Responsible Party and is solely responsible for any notifications it is obliged to make under section 22 of POPIA to the Information Regulator and to affected data subjects. Surveyz will provide reasonable assistance to Customer in preparing such notifications, but responsibility for the notification itself rests with Customer.
Surveyz will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, which may include written responses, summaries of relevant policies and procedures, and (where available) independent third-party audit reports or attestations, in each case subject to confidentiality and reasonable redaction of security-sensitive or proprietary information.
On reasonable prior written notice, and no more than once per twelve-month period (except where required following a Personal-Information Breach or by a competent authority), Customer may request an audit of Surveyz's compliance with this DPA.
Audits will be:
On termination or expiry of this DPA, Customer may export Customer Data via the API and the in-product export tools for a period of thirty (30) days (the "Export Period"). After the Export Period, Surveyz will, at Customer's written election, return Customer Data to Customer or delete (including by anonymisation) the Personal Information processed on Customer's behalf, within a reasonable time, except to the extent retention is required by applicable law (for example, billing records retained for SARS compliance, which Surveyz will not actively process for any other purpose). Upon Customer’s written request, Surveyz will provide written confirmation of deletion or anonymisation.
Surveyz may generate, compile, and use aggregated, anonymised, and de-identified data derived from Customer Data and Respondents’ use of the Services for legitimate business purposes, including analytics, reporting, security, service improvement, product development, benchmarking, and statistical analysis ("Aggregated Data"), provided that: (a) Aggregated Data does not identify, and cannot reasonably be used to identify, any natural person, Respondent, or Customer; (b) Surveyz does not attempt to re-identify Aggregated Data, or permit any third party to do so; (c) Surveyz implements and maintains reasonable technical and organisational measures designed to prevent re-identification and to segregate Aggregated Data from identifiable data; and (d) Surveyz does not disclose Aggregated Data to any third party in a manner that identifies (or could reasonably be used to identify) the Customer, any Respondent, or any Personal Information. For clarity, Aggregated Data is not Personal Information, and nothing in this DPA grants Surveyz any right to use Personal Information for Surveyz’s independent purposes except as necessary to provide the Services in accordance with Customer’s documented instructions.
The limitations of liability set out in the API Developer Agreement and the Terms of Service apply to claims under or in connection with this DPA, except where applicable law (including POPIA) imposes a non-excludable liability or right of action.
Surveyz's Information Officer (as contemplated by section 55 of POPIA) can be contacted at:
This section supplements sections 4 and 5 and addresses the heightened obligations that arise under POPIA when Customer's surveys collect Special Personal Information (as defined in section 26 of POPIA, including information relating to religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinion, health or sex life, biometric information, and criminal behaviour) or personal information of persons under the age of 18 ("Minor Data").
Where Customer collects, or intends to collect, Special Personal Information or Minor Data through the Services, Customer warrants and undertakes that it will:
Notwithstanding the assignment of Responsible Party status to Customer under section 1 of this DPA, Surveyz acknowledges its independent obligations as Operator under section 21 of POPIA, including the obligation to:
Customer may not use the Services to collect Special Personal Information or Minor Data without first notifying Surveyz as set out above. Surveyz reserves the right to suspend access to surveys that are found to be collecting Special Personal Information or Minor Data without prior notification, pending Customer's compliance with this section.