Operator Agreement (POPIA sections 20 & 21)
Last updated: April 2026
This Operator Agreement ("Agreement") forms part of the contract between the business customer ("Responsible Party") and FICAFlow ("Operator") whenever FICAFlow processes personal information on instruction from the Responsible Party.
1. Scope
The Operator processes personal information of the Responsible Party's data subjects for the sole purpose of enabling the Responsible Party to perform its KYC / FICA onboarding.
2. Authority
The Operator processes personal information only with the knowledge or authorisation of the Responsible Party (POPIA s.20(a)). The Responsible Party remains accountable for compliance with POPIA.
3. Confidentiality
The Operator treats all personal information as confidential (POPIA s.20(b)) and ensures its personnel are bound by confidentiality.
4. Security safeguards
The Operator implements and maintains appropriate technical and organisational measures required by POPIA s.19 and s.21, including:
- TLS 1.3 for data in transit and AES-256 encryption for data at rest.
- Row-level security and the principle of least privilege.
- MFA for administrative access.
- Append-only audit logging.
- Annual penetration testing and continuous vulnerability scanning.
- Documented incident response and secure SDLC practices.
5. Sub-processors
Current sub-processors (updated as changes occur):
- Supabase, Inc. — database & storage.
- Vercel, Inc. — application hosting.
- Resend, Inc. — transactional email.
- Paystack (Pty) Ltd — payments.
The Operator will give the Responsible Party 30 days' notice of any new sub-processor.
6. Cross-border transfers
Data is stored by default in the EU or South Africa. Where processing occurs outside South Africa, the Operator relies on contractual clauses with sub-processors that provide substantially similar protection (POPIA s.72(1)(a)(i)).
7. Breach notification
The Operator will notify the Responsible Party without undue delay and in any event within 24 hours of becoming aware of a compromise (POPIA s.21(2)). The Responsible Party remains responsible for notifying the Information Regulator and affected data subjects under POPIA s.22.
8. Data subject requests
The Operator will assist the Responsible Party with access, correction and deletion requests received from data subjects, by providing self-service tooling and API endpoints and, where necessary, support within 7 days of a request.
9. Return or destruction
On termination of the agreement, the Operator will, at the Responsible Party's election, return or securely destroy personal information, subject to the retention required by the FIC Act (5 years after termination of the business relationship).
10. Audit
The Operator makes available information necessary to demonstrate compliance with this Agreement, including its SOC 2 Type II report (once available) or a comparable third-party assurance report. The Responsible Party may audit compliance, at its cost, on 30 days' written notice, no more than annually, provided that acceptance of the assurance report will satisfy standard audit requirements.
11. Governing law
This Agreement is governed by South African law.