1. Introduction and Parties
This Data Processing Agreement ("DPA") is entered into between:
Responsible Party:
The Company (real estate agency) that has subscribed to OptEva, as identified in the applicable Service Agreement ("Responsible Party" or "Company").
Operator:
MPK Development (Pty) Ltd, Registration No: 2014/091288/07, 88 Herman Street, Flora Park, Polokwane, 0700 ("Operator" or "MPK Development").
This DPA governs the processing of personal information by MPK Development as Operator on behalf of the Company as Responsible Party, in accordance with POPIA Section 20 and the conditions for lawful processing.
2. Definitions
Terms used in this DPA have the meanings assigned in POPIA and in the OptEva Terms and Conditions. Key terms:
- "Personal Information" has the meaning in Section 1 of POPIA.
- "Processing" has the meaning in Section 1 of POPIA, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means any natural person to whom personal information relates.
- "Special Personal Information" has the meaning in Section 26 of POPIA (e.g., SA ID numbers).
3. Subject Matter and Nature of Processing
MPK Development processes personal information on behalf of the Company in order to provide the OptEva Platform services, including:
- Storing and retrieving contact (Party) records
- Storing and retrieving property records
- Managing user accounts for the Company's personnel
- Facilitating document storage and retrieval
- Sending transactional emails on behalf of the Company's users
- Synchronising reminders with Google Calendar (where enabled by individual users)
4. Categories of Personal Information
MPK Development processes the following categories of personal information as Operator:
- Contact details: Names, email addresses, telephone numbers, physical addresses
- Identification information: South African ID numbers (Special Personal Information)
- Financial information: Property prices, transaction values
- Commercial information: Company registration numbers, VAT numbers
- Professional information: User roles, access logs
- Documents: Uploaded files attached to contacts and properties
5. Obligations of MPK Development as Operator
MPK Development undertakes to:
- Process personal information only on documented instructions from the Company (as implemented through use of the Platform) and as required by applicable law
- Ensure that persons authorised to process personal information are subject to confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in the Privacy Policy
- Assist the Company in fulfilling its obligations to respond to data subject requests under POPIA
- Notify the Company without undue delay upon becoming aware of a personal information security compromise that affects Company data
- At the Company's choice, delete or return all personal information upon termination of the Service (subject to a 12-month retention period for legal compliance purposes)
- Make available all information necessary to demonstrate compliance with this DPA
- Not engage a sub-operator without the Company's general authorisation
6. Sub-Operators (Sub-Processors)
The Company grants general authorisation for MPK Development to use the following sub-operators:
| Sub-Operator | Location | Processing Activity |
|---|---|---|
| Railway | USA | Application and PostgreSQL database hosting |
| Cloudflare R2 | Global CDN | Document and file storage |
| Mailgun | EU | Transactional email delivery |
| Google LLC | USA/Global | Calendar event sync (user consent required) |
MPK Development will notify the Company of any intended changes to sub-operators with at least 30 days' notice, allowing the Company to object.
7. Obligations of the Company as Responsible Party
The Company, as Responsible Party, undertakes to:
- Ensure that personal information provided to MPK Development for processing has been collected lawfully and with an appropriate legal basis
- Ensure data subjects are notified of the processing of their information as required by POPIA
- Handle all data subject rights requests for personal information under its control
- Designate an Information Officer as required by POPIA
- Register as a Responsible Party with the Information Regulator if required by POPIA
- Comply with all applicable provisions of POPIA in respect of personal information captured into OptEva
8. Security Measures
MPK Development implements the following technical and organisational measures to protect personal information:
- bcrypt password hashing for all user credentials
- JWT-based authentication with HTTPS transmission
- Role-based access control limiting data visibility to authorised users
- Pre-signed URLs with 1-hour expiry for document access
- Encrypted data transmission (TLS/HTTPS) for all API communications
- Cloudflare infrastructure providing DDoS protection
- HttpOnly Secure cookie for authentication — inaccessible to client-side scripts
9. Personal Information Security Compromise
In the event of a security compromise affecting personal information processed under this DPA, MPK Development will:
- Notify the Company's designated contact without undue delay and in any event within 72 hours of becoming aware of the compromise
- Provide details of the nature of the compromise, categories of data affected, approximate number of data subjects affected, and measures taken
- Cooperate fully with the Company's investigation and response efforts
The Company, as Responsible Party, is responsible for notifying the Information Regulator and affected data subjects as required by POPIA Section 22.
10. Special Personal Information
The Platform processes South African ID numbers for both users and contacts. The Company confirms it has a lawful basis to process such Special Personal Information (as contemplated by POPIA Section 27) before capturing it in the Platform. MPK Development processes such information solely to the extent necessary to deliver the Service.
11. Data Subject Rights Assistance
MPK Development will assist the Company in fulfilling data subject rights requests (access, correction, deletion, objection) by:
- Providing the Company with tools within the Platform to update or delete personal information
- On written request, providing confirmation of data held in relation to a specific data subject
- Responding to reasonable data subject assistance requests within 15 business days
12. Term and Termination
This DPA remains in force for the duration of the Service Agreement. Upon termination of the Service Agreement, MPK Development will retain Company data for 12 months to allow for data export requests, after which all personal information will be securely deleted unless legal retention obligations require otherwise.
13. Governing Law
This DPA is governed by the laws of the Republic of South Africa, specifically POPIA and associated regulations.
14. Contact and Information Officers
- MPK Development Information Officer: Pieter Klynsmith · info@opteva.co.za
- Information Regulator of South Africa: www.justice.gov.za/inforeg/ · inforeg@justice.gov.za
