Data Processing Agreement
This Data Processing Agreement governs the processing of personal information by Verify Now on behalf of our customers in accordance with POPIA and international data protection standards.
Executive Summary
This Data Processing Agreement ("DPA") forms part of the Verify Now Terms of Service and governs how Verify Now processes personal information on behalf of its customers. This agreement ensures compliance with the Protection of Personal Information Act (POPIA) and other applicable data protection laws.
Key Point: Verify Now acts as a data processor when providing identity verification services, while our customers typically act as data controllers responsible for lawful processing and data subject consent.
1. Definitions
Personal Information
Information relating to an identifiable, living, natural person, including but not limited to names, identification numbers, location information, online identifiers, biometric data, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
Any operation or activity or any set of operations performed on personal information, including collection, receipt, recording, organisation, collation, storage, updating, retrieval, alteration, consultation or use, dissemination, making available, alignment, combination, restriction, degradation, erasure or destruction.
Data Controller
The Customer who determines the purposes for and means by which personal information is processed.
Data Processor
Verify Now, which processes personal information on behalf of and according to the instructions of the Data Controller.
2. Appointment as Data Processor
The Customer appoints Verify Now as a data processor to process personal information on the Customer's behalf for the sole purpose of providing identity verification, KYC/AML screening, and related services as outlined in the Terms of Service.
Verify Now agrees to process personal information only in accordance with the Customer's documented lawful instructions and applicable data protection laws.
3. Verify Now's Obligations
3.1 Lawful Processing
- Process personal information only as instructed by the Customer
- Ensure processing is lawful, fair, and transparent
- Implement appropriate technical and organisational measures
- Maintain confidentiality of personal information
3.2 Security Measures
- Implement industry-standard encryption for data in transit and at rest
- Maintain secure access controls and authentication measures
- Regular security assessments and penetration testing
- Staff training on data protection and security protocols
- Secure data centres with physical and logical access controls
3.3 Data Minimisation
Verify Now will only process personal information that is adequate, relevant, and limited to what is necessary for providing the requested verification services.
4. Customer Obligations
4.1 Lawful Basis
The Customer warrants that it has a lawful basis for processing and has obtained all necessary consents, authorisations, and permissions required under applicable data protection laws.
4.2 Data Subject Rights
The Customer is responsible for handling data subject requests for access, correction, deletion, or portability of personal information. Verify Now will assist where technically feasible.
4.3 Instructions
The Customer must provide clear, lawful instructions for processing personal information and notify Verify Now of any changes to processing requirements.
5. Data Breach Notification
In the event of a personal data breach, Verify Now will:
- Notify the Customer without undue delay and within 72 hours of becoming aware
- Provide details of the breach, affected data, and mitigation measures
- Assist the Customer in meeting their notification obligations to the Information Regulator
- Implement immediate containment and remediation measures
- Conduct a thorough investigation and provide a detailed incident report
6. Cross-Border Data Transfers
Verify Now may transfer personal information to countries outside South Africa only:
- Where the Information Regulator has determined adequate protection exists
- With appropriate safeguards including standard contractual clauses
- With explicit consent from data subjects where required
- For specific derogations as permitted by POPIA
Note: Current data processing is primarily conducted within South Africa. Any international transfers will be disclosed and conducted in compliance with POPIA Chapter 9.
7. Subprocessors
Verify Now may engage third-party subprocessors to assist in providing services, subject to the following conditions:
- All subprocessors are bound by equivalent data protection obligations
- Customers will be notified of any new subprocessors
- Verify Now remains fully liable for subprocessor compliance
- Current subprocessors are listed in our Privacy Policy
8. Data Retention and Deletion
8.1 Retention Period
Personal information is retained only for as long as necessary to provide the requested services and comply with legal obligations. Standard retention periods are outlined in our Privacy Policy.
8.2 Data Deletion
Upon termination of services or at the Customer's request, Verify Now will securely delete or return all personal information within 30 days, unless retention is required by law.
9. Audit Rights
Customers have the right to audit Verify Now's compliance with this DPA, subject to:
- Reasonable advance notice (minimum 30 days)
- Limitation to once per year unless required by an incident investigation
- Confidentiality obligations regarding Verify Now's systems and processes
- Customer responsibility for audit costs
Verify Now will also provide annual compliance reports and relevant certifications to demonstrate adherence to security and data protection standards.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of South Africa. Any disputes arising from or relating to this agreement will be subject to the exclusive jurisdiction of the South African courts.
This agreement is subject to POPIA and other applicable South African and international data protection regulations.
11. Contact Information
Data Protection Officer
Email: privacy@verifynow.co.za
Address: Verify Now (Pty) Ltd, Cape Town, South Africa
Phone: +27 (0) 21 XXX XXXX
Information Regulator South Africa
Website: https://www.justice.gov.za/inforeg/
Email: complaints.IR@justice.gov.za
12. Amendments
Verify Now may update this DPA to reflect changes in law, regulation, or business practices. Customers will be notified of material changes with at least 30 days' notice. Continued use of services after amendments constitutes acceptance of the updated terms.
Effective Date
This Data Processing Agreement is effective from January 12, 2026, and applies to all processing of personal information by Verify Now on behalf of its customers.