TrustEasyGo — Data Processing Agreement (Draft)
⚠️ AWAITING ATTORNEY REVIEW — NOT LEGALLY BINDING IN THIS FORM
This draft is the POPIA §21 operator-agreement skeleton. It must be reviewed by an SA-admitted attorney with POPIA experience before publication or signature.
Version: Draft 1.0
Date prepared: 2026-06-02
Codebase reference: develop post-PR #206
Capacity: Annexure A to the TrustEasyGo Terms of Service.
1. Parties
1.1. This Data Processing Agreement ("DPA") is entered into between:
(a) the legal practice that has subscribed to the TrustEasyGo Service under the Terms of Service ("the Firm", acting in its capacity as Responsible Party under POPIA in respect of the Personal Information of its clients processed within the Service); and
(b) TrustEasyGo (Pty) Ltd (registration number [ATTORNEY TO VERIFY]) ("TrustEasyGo", acting in its capacity as Operator under POPIA in respect of that same Personal Information).
1.2. This DPA gives effect to the Firm's and TrustEasyGo's obligations under POPIA, in particular section 21, and forms part of the Terms of Service.
2. Definitions
Unless the context indicates otherwise, defined terms in this DPA have the meanings given in POPIA. In addition:
- "Client Personal Information" means Personal Information of the Firm's clients (and of persons acting on behalf of those clients, such as natural-person principals, beneficial owners, signatories) that is captured in or uploaded to the Service by the Firm or by Users on the Firm's behalf.
- "Processing" has the meaning given in POPIA.
- "Sub-operator" means an operator engaged by TrustEasyGo to process Client Personal Information on TrustEasyGo's behalf in performing the Service.
- "Security Compromise" means a security compromise as defined in POPIA §22.
3. Subject matter and duration
3.1. Subject matter: the provision of the TrustEasyGo Service to the Firm.
3.2. Duration: for the duration of the Firm's subscription to the Service, and for any post-termination retention period referenced in clause 11.
3.3. Nature and purpose of processing: to operate the Service for the Firm, including storage of client matters, financial transactions, FICA evidence, documents, reports, and reconciliations, and to make those records accessible to the Firm and its authorised Users.
3.4. Categories of data subjects: the Firm's clients and persons related to those clients (signatories, beneficial owners, fee-payers).
3.5. Categories of Personal Information processed (verified against the codebase as at the reference commit):
| Category | Examples | Where stored |
|---|---|---|
| Client identity | Matter name, client name, file number | file.File |
| Client contact | Email, cell number | file.File |
| Client address | Physical and postal address | file.File |
| Special PI — identity | ID number, passport number | file.File (FICA fields) |
| FICA/KYC compliance | Verification status, verification date, expiry date, risk rating, FICA notes | file.File |
| Matter narrative | Notes, consultation summaries, meeting records | legal_practice.Note, Consultation, Meeting |
| Documents | Uploaded files (bank statements, invoices, FICA evidence, audit packs) | DigitalOcean Spaces (production), MinIO (development) |
| Financial transactions | Journal entries, transaction lines, fee agreements | je.JournalEntry, je.Transaction, legal_practice.FeeAgreement |
| Reconciliation records | Three-way trust reconciliations | bank.BankReconciliation |
| Shortfall alerts | Trust-shortfall detection records | legal_practice.TrustShortfallAlert |
3.6. Special Personal Information. ID numbers and FICA-related information stored as part of compliance with the Financial Intelligence Centre Act 38 of 2001 are processed as Special Personal Information under POPIA §27 only to the extent lawful for the purpose specified. The Firm warrants that its collection of such information is itself lawful under POPIA §26.
4. TrustEasyGo's obligations as Operator
TrustEasyGo undertakes that it will:
4.1. Process only on the Firm's instructions. Process the Client Personal Information only for the purpose of providing the Service and only on the documented instructions of the Firm. The Terms of Service together with the Firm's use of the Service constitute the Firm's documented instructions for routine processing.
4.2. Confidentiality. Ensure that persons authorised to process the Client Personal Information are bound by confidentiality undertakings (whether by contract or statutory duty).
4.3. Security. Implement and maintain appropriate, reasonable technical and organisational measures to protect the Client Personal Information from loss, damage, unauthorised destruction, and unauthorised or unlawful access, in accordance with POPIA §19. The currently implemented measures are described in Schedule 1.
4.4. Engagement of Sub-operators. Engage Sub-operators only where strictly necessary for the provision of the Service, only on terms substantially equivalent to this DPA, and only with the Firm's prior general or specific written authorisation. The Firm hereby gives general authorisation for the Sub-operators identified in Schedule 2. TrustEasyGo will notify the Firm of any addition or replacement of Sub-operators at least [ATTORNEY TO VERIFY — notice period, suggest 30 days] in advance, and the Firm may object on reasonable grounds, in which case the parties will discuss the matter in good faith (with termination of the Service as the Firm's ultimate remedy if no resolution is found).
4.5. Data subject rights assistance. Taking into account the nature of the processing, assist the Firm by appropriate technical and organisational measures, insofar as possible, to fulfil the Firm's obligation to respond to requests from data subjects exercising their rights under POPIA Chapter 3.
4.6. Security-compromise notification. Notify the Firm without undue delay (and in any event within [ATTORNEY TO VERIFY — period, suggest 72 hours]) after becoming aware of any Security Compromise affecting the Client Personal Information, and assist the Firm in meeting the Firm's notification obligations under POPIA §22.
4.7. Records. Maintain a register of the processing activities carried out on behalf of the Firm, and make this available to the Firm on reasonable request.
4.8. Return or deletion on termination. On termination of the subscription, and at the Firm's choice, return all Client Personal Information to the Firm in a commonly readable format or delete it, save where TrustEasyGo is required by law to retain it (notably the 5-year financial-record retention applicable to trust accounting records). The post-termination retention window for the Firm to take its export is [ATTORNEY TO VERIFY — suggest 90 days].
4.9. Audits. Make available to the Firm information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Firm or an auditor mandated by the Firm, subject to reasonable notice and confidentiality. [ATTORNEY TO VERIFY — whether to limit audits to once per year save in event of suspected breach, and to limit cost to the Firm.]
4.10. Cross-border transfers. Where the provision of the Service involves the transfer of Client Personal Information across the borders of the Republic of South Africa, TrustEasyGo will ensure that such transfer takes place only in compliance with POPIA §72 — see Schedule 3.
5. The Firm's obligations as Responsible Party
The Firm undertakes that it will:
5.1. Lawful collection. Ensure that its collection of the Client Personal Information was itself lawful under POPIA and that the Client Personal Information is processed within the Service in accordance with POPIA.
5.2. Notice to data subjects. Where required by POPIA §18, give appropriate notice to its clients that their Personal Information is processed using a software-as-a-service operator.
5.3. Authorisation. Ensure that the persons it authorises to use the Service have a proper basis to access the Client Personal Information for their roles.
5.4. Instructions. Provide lawful, documented instructions for any processing outside the scope of routine Service use.
5.5. Information Officer. Designate an Information Officer to whom TrustEasyGo may direct notifications and inquiries arising under this DPA.
6. Data subjects' rights
6.1. Where a data subject submits a request to TrustEasyGo (rather than to the Firm) to exercise a POPIA right (access, correction, deletion, objection, complaint), TrustEasyGo will not respond directly to the request, save to acknowledge receipt and direct the data subject to the Firm. TrustEasyGo will forward the request to the Firm's designated Information Officer without undue delay.
6.2. TrustEasyGo will assist the Firm to fulfil the right where the Firm reasonably requires the assistance and the technical means exist within the Service.
7. Security measures
7.1. The security measures implemented by TrustEasyGo as at the date of this draft are described in Schedule 1.
7.2. Disclosed gap. As at the date of this draft, uploaded documents stored in object storage carry a public-read access-control-list setting. This is a known issue being remediated. Remediation will:
- (a) change the default access-control-list to private;
- (b) cause uploaded documents to be served only via signed time-limited URLs issued by authenticated Service endpoints;
- (c) migrate the access-control-list of existing uploaded documents to private at the same time.
TrustEasyGo will complete the remediation before [ATTORNEY TO VERIFY — target date] and will notify the Firm on completion.
7.3. TrustEasyGo will review and update its security measures from time to time as appropriate. Material changes will be communicated to the Firm.
8. Sub-operators
8.1. The Sub-operators authorised at the effective date of this DPA are listed in Schedule 2.
8.2. TrustEasyGo remains liable to the Firm for the acts and omissions of its Sub-operators in respect of the Client Personal Information.
9. Cross-border transfers
9.1. TrustEasyGo's hosting and storage providers may process Client Personal Information outside the Republic of South Africa. The relevant Sub-operators and their processing jurisdictions are identified in Schedule 3.
9.2. Where Client Personal Information is transferred to a jurisdiction outside South Africa, the lawful basis for the transfer under POPIA §72 is:
[ATTORNEY TO SELECT AND COMPLETE]
- [ ] §72(1)(a) — the data subject consents to the transfer.
- [ ] §72(1)(b) — the destination country provides an adequate level of protection.
- [ ] §72(1)(c) — the transfer is necessary for performance of a contract or pre-contractual steps.
- [ ] §72(1)(d) — the transfer is for the data subject's benefit.
10. Liability and indemnity
10.1. The parties' liability under this DPA is governed by the limitation of liability clause in the Terms of Service, save that nothing in this DPA limits liability under POPIA itself.
11. Term, termination, and post-termination
11.1. This DPA commences on the Firm's acceptance of the Terms of Service and continues for as long as TrustEasyGo processes Client Personal Information on the Firm's behalf.
11.2. On termination of the subscription, the post-termination data-handling regime in clause 4.8 applies.
11.3. Clauses that by their nature should survive termination (notably clauses 4.6, 4.8, 6, and 10) do survive.
12. General
12.1. Order of precedence. In the event of a conflict between this DPA and the Terms of Service, this DPA governs in respect of the processing of Client Personal Information.
12.2. Governing law and forum: as per the Terms of Service.
12.3. Severability. If any clause is held invalid, it is severed and the remainder remains in force.
Schedule 1 — Security measures currently implemented
(Verified against the codebase as at the reference commit; subject to ongoing improvement.)
| Domain | Control |
|---|---|
| Identification & authentication | Email + password (PBKDF2-hashed) login; account lockout after 5 failed attempts for 15 minutes; password policy of minimum 12 characters in production with complexity validators; 2FA scaffolding present (TOTP rollout pending) |
| Session security | 1-hour idle timeout; expire-at-browser-close; SESSION_COOKIE_SECURE in production; CSRF_COOKIE_SECURE in production |
| Transport security | HTTPS in production (terminated at Railway edge); HSTS enabled in production (30-day max-age) |
| Authorisation | Per-company access via UserCompanyAccess; external accountant access via AccountantAccess; account-owner role distinguished from company-user role |
| Application security headers | X-Frame-Options DENY; SECURE_CONTENT_TYPE_NOSNIFF; SECURE_BROWSER_XSS_FILTER; SECURE_REFERRER_POLICY same-origin |
| Audit logging | Immutable AuditLog capturing user, action, model name, object id, description, IP address; trust-shortfall alerts immutable per TrustShortfallAlert model |
| Backup & recovery | [ATTORNEY TO VERIFY — describe backup arrangements] |
| Incident detection | Trust-shortfall detection (real-time signal + daily cron); login lockout; bank-statement import crash alerts |
| Personnel | [ATTORNEY TO VERIFY — describe staff confidentiality undertakings] |
| Known gap | Uploaded-document object storage uses public-read ACL pending remediation (clause 7.2) |
Schedule 2 — Authorised Sub-operators
| Sub-operator | Purpose | Categories of data processed | Jurisdiction (verify) |
|---|---|---|---|
| Anthropic, PBC | AI-assistant feature — invoked by user choice; transmits aggregated financial summaries and matter summaries to the Claude language model | Limited summaries of Firm Data; technical safeguards in code restrict transmission of client identifying information | United States [ATTORNEY TO VERIFY] |
| SendGrid (Twilio Inc.) | Transactional email — primarily password reset, system notifications | User email address, first name, system-generated reset URLs | United States [ATTORNEY TO VERIFY] |
| PayFast (Pty) Ltd | Subscription payment processing | Subscription transactions, user/firm identifiers, payment instrument tokens (no card numbers stored locally) | South Africa |
| BookXperts | Subscription entitlement verification | User email address; response cached locally for 6 hours | [ATTORNEY TO VERIFY] |
| Railway Corp | Application hosting | All Firm Data processed in-application | [ATTORNEY TO VERIFY — Railway deployment region] |
| DigitalOcean LLC | Object storage (Spaces) for uploaded documents | Uploaded documents (bank statements, invoices, FICA evidence, audit packs) | [ATTORNEY TO VERIFY — Spaces region] |
Schedule 3 — Cross-border transfer particulars
[ATTORNEY TO COMPLETE based on Schedule 2 jurisdictions; document the §72 lawful basis selected in clause 9.2 against each Sub-operator that processes outside South Africa.]
Questions for the attorney
- Is the Firm's general authorisation of Sub-operators in clause 4.4 (with 30 days' notice for changes) sufficient, or should specific consent be required for each new Sub-operator?
- Is the 72-hour breach notification in clause 4.6 appropriate, given POPIA §22 does not itself specify a timeframe?
- Confirm appropriate POPIA §72 lawful bases for each non-SA Sub-operator (clause 9.2 / Schedule 3).
- Should audit rights in clause 4.9 be restricted (frequency, cost-bearer, scope)?
- Confirm the categorisation of FICA-collected ID numbers as Special Personal Information processing in clause 3.6.
- Decide the post-termination retention window in clause 4.8.
- Should the DPA include a specific damages cap separate from the Terms' limitation, given the caps under POPIA §99 (civil action)?
- Confirm staff confidentiality undertaking statement in Schedule 1.
- Confirm backup arrangements description in Schedule 1.
Attorney sign-off
| Field | Value |
|---|---|
| Attorney name | _______________________________________ |
| LPC roll number | _______________________________________ |
| Firm | _______________________________________ |
| Date of review | _______________________________________ |
| Codebase version reviewed | develop post-PR #206 |
I confirm that I have reviewed this draft Data Processing Agreement and that, subject to the amendments marked in my redline (attached), it is fit for use as the POPIA §21 operator agreement between TrustEasyGo (Pty) Ltd and the subscribing legal practice.
Signature: _______________________________________
Date: _______________________________________
End of draft.