# Data Processing Agreement (DPA)

**Cyntech (Pty) Ltd** ("Processor") and the **Customer** identified in the underlying Master Services Agreement, Statement of Work or signed order form ("Controller").

Effective on the date of the underlying agreement.

This DPA reflects the parties' agreement on the processing of Personal Information and applies whenever Cyntech processes Personal Information on behalf of the Controller. It supplements (and, in case of conflict regarding data protection, prevails over) the underlying agreement.

---

## 1. Definitions

Terms not defined here have the meaning given in the **Protection of Personal Information Act 4 of 2013** ("POPIA"), **Regulation (EU) 2016/679** ("EU GDPR"), and the **UK GDPR** as applicable.

- **Personal Information** / **Personal Data** — any information relating to an identified or identifiable natural person.
- **Processing** — any operation performed on Personal Information.
- **Sub-processor** — any third party engaged by Cyntech to process Personal Information.
- **Standard Contractual Clauses (SCCs)** — Commission Implementing Decision (EU) 2021/914 of 4 June 2021, incorporated by reference.
- **UK Addendum** — the International Data Transfer Addendum issued by the UK Information Commissioner under s.119A DPA 2018.

## 2. Subject matter, duration, nature and purpose

- **Subject matter:** Cyntech's provision of engineering software, client portal, document management, support and related services.
- **Duration:** For the duration of the underlying agreement plus any retention period in Annex 1.
- **Nature & purpose:** Hosting, transmission, storage, retrieval, access management, and operational support of Controller data.
- **Categories of data subjects:** Controller's employees, contractors and authorised users.
- **Categories of Personal Information:** Name, business contact details, authentication identifiers, role, activity logs, content uploaded to the platform.

## 3. Roles

Cyntech acts as Operator / Processor. The Controller is the Responsible Party / Controller and is responsible for the lawful basis of its instructions.

## 4. Cyntech obligations

Cyntech shall:

1. Process Personal Information only on documented instructions from the Controller, including with regard to transfers, unless required to do so by law.
2. Ensure that persons authorised to process the Personal Information are bound by confidentiality.
3. Implement the technical and organisational measures set out in **Annex 2**, including encryption in transit (TLS 1.2+) and at rest, role-based access control, MFA enforcement on administrative accounts, audit logging, and a documented incident response process.
4. Assist the Controller with data subject requests and with obligations under Articles 32–36 GDPR and sections 19–22 POPIA, taking into account the nature of processing and information available.
5. Notify the Controller without undue delay, and in any event within **48 hours**, after becoming aware of a Personal Information breach affecting the Controller's data.
6. On termination, delete or return all Personal Information at the Controller's choice, unless storage is required by law.
7. Make available all information necessary to demonstrate compliance and allow for audits (including inspections), conducted by the Controller or a mandated auditor, on reasonable prior notice and subject to confidentiality.

## 5. Sub-processors

The Controller grants general authorisation for Cyntech to engage the Sub-processors listed at <https://cyntech.io/trust>. Cyntech shall:

- Maintain an up-to-date list of Sub-processors on the Trust page;
- Notify the Controller of any intended additions or replacements at least **30 days** before the change takes effect;
- Impose, by contract, data protection obligations on each Sub-processor that are no less protective than those in this DPA.

The Controller may object to a new Sub-processor on reasonable data-protection grounds, in writing, within 30 days of notification; the parties will work in good faith to resolve the objection, and if it cannot be resolved the Controller may terminate the affected services without penalty.

## 6. International transfers

Cyntech is established in the Republic of South Africa. Where Cyntech transfers Personal Data of EU/UK data subjects to a country not benefiting from an adequacy decision:

- The **2021 EU SCCs, Module Two (Controller-to-Processor)** are incorporated by reference, with the following selections: Clause 7 (docking) **enabled**; Clause 9(a) **option 2** (general written authorisation, 30 days); Clause 11 independent dispute resolution **not** selected; Clause 17 governing law: **Republic of Ireland**; Clause 18 forum: **Ireland**; Annexes I, II, III as set out in Annexes 1–3 of this DPA.
- The **UK International Data Transfer Addendum (IDTA Addendum B.1.0)** is incorporated by reference for UK transfers, with Tables 1–4 populated from the equivalent fields of this DPA and the SCCs above.
- For POPIA section 72 transfers, the parties rely on the contractual protections in this DPA as binding agreements ensuring an adequate level of protection.

A Transfer Impact Assessment is available on written request.

## 7. Liability

The parties' liability under this DPA is subject to the limitations and exclusions in the underlying agreement.

## 8. Governing law

This DPA is governed by the laws of the **Republic of South Africa**, except that Clauses 17–18 of the SCCs and the UK Addendum are governed as stated in those instruments.

---

## Annex 1 — Details of processing

| Field | Detail |
|---|---|
| Subject matter | Provision of the Services |
| Duration | Term of underlying agreement + retention period |
| Nature & purpose | As described in Section 2 |
| Categories of data subjects | Customer personnel and authorised users |
| Categories of Personal Information | As described in Section 2 |
| Special categories | None, unless expressly agreed in writing |
| Frequency of transfer | Continuous, on-demand |
| Retention | 30 days after termination, then secure deletion |

## Annex 2 — Technical and organisational measures

1. **Access control** — Role-based access (RBAC) enforced at database and application layer; least-privilege.
2. **Authentication** — Mandatory MFA on administrative accounts; password complexity policy.
3. **Encryption** — TLS 1.2+ in transit; AES-256 at rest for managed storage.
4. **Audit logging** — Administrative actions and authentication events logged with retention.
5. **Backups** — Daily encrypted backups, tested restore.
6. **Vulnerability management** — Dependency scanning, periodic penetration testing, documented patch cadence.
7. **Personnel** — Background-screened where lawful; security training; written confidentiality.
8. **Incident response** — Documented runbook; defined breach-notification clocks for POPIA, GDPR (72h) and CIRCIA.
9. **Physical security** — Sub-processor data centres compliant with ISO 27001 / SOC 2.
10. **Business continuity** — Documented RPO/RTO; recovery exercises.

## Annex 3 — Authorised Sub-processors

Maintained at <https://cyntech.io/trust> and updated as set out in Section 5.

---

### Signature

Signed acceptance of the underlying agreement constitutes acceptance of this DPA. A counter-signed copy is available on request to **privacy@cyntech.co.za**.

*Cyntech (Pty) Ltd — Information Officer: privacy@cyntech.co.za*
