Data Processing Agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

• "Controller" means you, the customer, who determines the purposes and means of processing Personal Data
• "Processor" means Ping, which processes Personal Data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data, including collection, storage, transmission, or deletion
• "Data Subject" means the individual to whom Personal Data relates
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "POPIA" means the Protection of Personal Information Act, 2013 (South Africa)

2. Scope of Processing

2.1 Nature and Purpose:

Ping processes Personal Data for the purpose of providing bulk notification services (SMS, WhatsApp, and email) as requested by the Controller.

2.2 Duration:

Processing will continue for the duration of the service agreement, plus any retention period required by law or specified in our Privacy Policy.

2.3 Types of Personal Data:

• Contact information (names, email addresses, phone numbers)
• Message content provided by the Controller
• Delivery and engagement metadata (timestamps, delivery status, read receipts)
• Technical data (IP addresses, device information, usage logs)

2.4 Categories of Data Subjects:

• The Controller's customers, clients, or users
• The Controller's employees, contractors, or partners
• Any other individuals whose contact information the Controller provides

3. Controller Obligations

The Controller agrees to:

• Ensure that processing instructions comply with applicable data protection laws
• Obtain all necessary consents and provide required notices to Data Subjects
• Maintain records of consent and be able to demonstrate lawful processing basis
• Not provide Personal Data to Ping that the Controller has no legal right to process
• Implement appropriate security measures for data before transmission to Ping
• Promptly notify Ping of any Data Subject requests (access, deletion, etc.)

4. Processor Obligations

Ping agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Assist the Controller in ensuring compliance with GDPR/POPIA obligations
• Delete or return all Personal Data to the Controller upon termination of services (unless legally required to retain)
• Make available all information necessary to demonstrate compliance with this DPA

5. Security Measures

Ping implements the following security measures:

5.1 Technical Measures:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
• Regular security audits and vulnerability assessments
• Intrusion detection and prevention systems
• Secure API authentication (OAuth 2.0, API keys with rotation)
• Automated backups with encryption

5.2 Organizational Measures:

• Access controls based on principle of least privilege
• Mandatory security training for all employees
• Confidentiality agreements with all personnel
• Incident response and breach notification procedures
• Regular review and update of security policies

6. Sub-Processors

Ping may engage the following sub-processors to assist in providing services. The Controller hereby provides general authorization for the engagement of these sub-processors:

• Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform (GCP) - Data hosting and storage
• SMS Delivery: Twilio, Africa's Talking - SMS routing and delivery
• WhatsApp API: Meta Platforms Inc. - WhatsApp Business API services
• Email Delivery: SendGrid, Amazon SES - Email delivery infrastructure
• Analytics: Google Analytics - Usage analytics (anonymized where possible)

Ping will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to new sub-processors within 14 days of notification.

7. Data Subject Rights

Ping will assist the Controller in fulfilling Data Subject requests, including:

• Right of Access: Providing copies of Personal Data upon request
• Right to Rectification: Correcting inaccurate or incomplete Personal Data
• Right to Erasure: Deleting Personal Data when legally required
• Right to Data Portability: Providing Personal Data in a structured, machine-readable format
• Right to Object: Ceasing processing when requested (subject to legal obligations)

The Controller should submit Data Subject requests to: [email protected]

Ping will respond to valid requests within 30 days (or as otherwise required by applicable law).

8. Data Retention and Deletion

8.1 Retention Period:

Ping retains Personal Data for the duration of the service agreement plus:

• Message content: 90 days after delivery (unless longer retention requested by Controller)
• Contact lists: Until account closure or deletion request
• Delivery logs and metadata: 2 years for compliance and dispute resolution
• Financial records: 7 years as required by accounting regulations

8.2 Deletion Upon Termination:

Within 90 days of service termination, Ping will delete or return all Personal Data unless legally required to retain it. The Controller may request expedited deletion at any time.

9. Data Breach Notification

In the event of a Personal Data breach, Ping will:

• Notify the Controller within 72 hours of becoming aware of the breach
• Provide details of the breach, including categories and approximate number of Data Subjects affected
• Describe likely consequences of the breach and measures taken or proposed to address it
• Provide contact information for further inquiries
• Assist the Controller in notifying supervisory authorities and Data Subjects as required by law

Security incidents should be reported to: [email protected]

10. International Data Transfers

Personal Data may be transferred to and processed in countries outside Zimbabwe, including the European Economic Area (EEA) and United States. Such transfers are subject to appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Addenda with sub-processors ensuring equivalent protection

The Controller consents to these transfers as necessary for the provision of services.

11. Audit Rights

Upon reasonable written notice (at least 30 days), the Controller may audit Ping's compliance with this DPA, subject to:

• Audits conducted no more than once per year (unless required by supervisory authority or due to breach)
• Audits conducted during normal business hours without disrupting operations
• Auditor signing confidentiality agreement before accessing facilities or records
• Controller bearing all costs of the audit

Ping may provide third-party audit reports (SOC 2, ISO 27001) in lieu of on-site audits where applicable.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement. The Controller agrees to indemnify Ping against any claims arising from the Controller's failure to comply with data protection laws or obtain necessary consents.