1. Definitions and interpretation
1.1. Data protection laws means the South African Protection of Personal Information Act 4 of 2013 (POPIA) and, to the extent applicable to the processing, Regulation (EU) 2016/679 (GDPR), together with any related laws the parties agree in writing apply.
1.2. Personal information means personal information as defined in POPIA and, where the GDPR applies, personal data as defined in the GDPR, in each case processed by Warp on Customer's behalf under the Principal Agreement (Customer Data).
1.3. Operator, responsible party, data subject and processing have the meanings given in POPIA; where the GDPR applies, they are read as processor, controller, data subject and processing as defined in the GDPR.
1.4. Security compromise means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Customer Data (a personal data breach under the GDPR; a security compromise under section 22 of POPIA).
1.5. Sub-operator means any third party engaged by Warp to process Customer Data in connection with the platform.
1.6. Principal Agreement has the meaning given above. This DPA supplements the Principal Agreement. In the event of conflict, this agreement prevails on matters of data protection only; the Principal Agreement prevails on all other matters, including limitation of liability as provided in clause 12.
2. Scope, roles and instructions
2.1. Customer is the responsible party and determines the purposes and means of processing. Warp is the operator and processes Customer Data only: (a) on Customer's documented instructions, including as set out in the Principal Agreement and Schedule 1; (b) as necessary to provide, maintain and secure the platform; or (c) as required by law, in which case Warp will inform Customer of the legal requirement before processing unless the law prohibits this.
2.2. Warp will inform Customer if, in its opinion, an instruction infringes data protection laws. This does not oblige Warp to monitor the laws applying to Customer and is not legal advice.
2.3. Customer warrants that it has all necessary rights and lawful grounds to provide Customer Data to Warp for processing, and is responsible for privacy notices to and, where required, consent from data subjects.
3. Confidentiality
3.1. Warp treats all Customer Data as confidential and ensures that all personnel authorised to process Customer Data are bound by contractual or statutory obligations of confidentiality. These obligations survive termination of this agreement.
4. Security measures
4.1. To protect Customer Data against loss, damage, unauthorised destruction and unlawful access, Warp implements and maintains appropriate, reasonable technical and organisational measures as required by section 19 of POPIA and, where applicable, Article 32 of the GDPR, having regard to the state of the art, implementation costs, and the nature, scope, context and purposes of the processing.
4.2. The measures in place as at the date of this agreement are described in Schedule 2. Warp keeps its measures under continuous review and may update them, provided the overall level of protection is not materially reduced.
4.3. Both parties are responsible for the secure transfer of data they share with the other, using encrypted connections or other appropriate means.
5. Sub-operators
5.1. Customer grants Warp general written authorisation to engage the sub-operators listed in Schedule 3, including the cross-border transfers indicated there. The authoritative, current list is maintained at [ordereazi.com/sub-operators] (the “Sub-Operator Page”), where Customer may subscribe to receive notice of changes.
5.2. Warp will update the Sub-Operator Page, and notify subscribed Customers, at least 14 days before any addition or replacement of a sub-operator takes effect. Customer may object in writing on reasonable data protection grounds within that period; the parties will work in good faith to resolve the objection, failing which Customer may terminate the affected portion of the services and receive a pro-rated refund of prepaid fees for that portion.
5.3. Warp will bind each sub-operator to data protection obligations compatible with Warp's obligations under this agreement. A sub-operator's standard data processing terms are deemed compatible where they address the mandatory operator requirements of data protection laws (including GDPR Article 28(3) and POPIA section 21) and the sub-operator maintains recognised independent certifications or audit reports (such as ISO 27001 or SOC 2).
5.4. Warp remains liable for the performance of its sub-operators' data protection obligations, subject to clause 12.
6. Cross-border transfers
6.1. Customer Data is stored and processed in the locations set out in Schedule 3. Customer authorises these transfers on conclusion of this agreement.
6.2. Where Customer Data is processed outside South Africa, Warp ensures the transfer is lawful under section 72 of POPIA: either the recipient is subject to laws or binding rules providing substantially similar protection (including GDPR jurisdictions, section 72(1)(b)), or the recipient is bound by a binding agreement providing such protection (section 72(1)(a)). Where the GDPR applies to a transfer, Warp relies on adequacy decisions or Standard Contractual Clauses as appropriate.
7. Security compromise notification
7.1. Warp will notify Customer of a security compromise affecting Customer Data without undue delay and, in any event, within 72 hours of confirming the compromise.
7.2. The notification will include, to the extent then known: (a) the nature of the compromise and the categories and approximate number of data subjects and records affected; (b) the likely consequences; (c) the measures taken or proposed to address the compromise and mitigate its effects; (d) the contact details of Warp's Information Security Officer; and (e) recommended actions for affected data subjects, where appropriate. Information may be provided in phases as it becomes available.
8. Assistance to Customer
8.1. Taking into account the nature of the processing, Warp will assist Customer with appropriate technical and organisational measures to respond to data subject requests (access, correction, deletion and objection), including through the platform's built-in export, correction and deletion capabilities.
8.2. Warp will provide reasonable assistance with Customer's obligations regarding security, security compromise notifications, impact assessments and prior consultations with the Information Regulator or a supervisory authority, considering the information available to Warp.
8.3. Customer bears the reasonable costs of assistance under this clause, except where the assistance arises from Warp's breach of this agreement.
9. Audit and demonstration of compliance
9.1. Warp will make available to Customer information reasonably necessary to demonstrate compliance with this agreement, including summaries of penetration tests, certifications and independent audit reports, under confidentiality.
9.2. Customer (or an independent auditor bound to confidentiality and not a competitor of Warp) may audit Warp's compliance with this agreement: (a) no more than once in any 12-month period, except following a confirmed security compromise affecting Customer Data or where required by the Information Regulator or a supervisory authority; (b) on at least 30 days' written notice; (c) during business hours, with minimal disruption and without access to other customers' data; and (d) with each party bearing its own costs.
9.3. Audits do not extend to the premises or systems of sub-operators. Customer's verification rights regarding sub-operators are satisfied by the third-party certifications and audit reports those sub-operators make available (for example, reports accessible under confidentiality via AWS Artifact).
10. Data subject requests received by Warp
10.1. If Warp receives a request or complaint directly from a data subject relating to Customer Data, Warp will not respond on the merits (except to direct the data subject to Customer) and will forward the request to Customer without undue delay.
11. Return and deletion
11.1. On termination or expiry of the Principal Agreement, or earlier on Customer's written instruction, Warp will, at Customer's choice, return Customer Data in a structured, commonly used format and/or delete it from production systems, and will certify deletion on request.
11.2. Customer Data contained in backup media is deleted in accordance with Warp's backup rotation cycle and remains encrypted and access-controlled until deletion. Backups are not restored to production except for disaster recovery, in which case the deletion obligation is reapplied to restored Customer Data.
11.3. Warp may retain Customer Data to the extent required by law, for the legally required period only, protected under the measures in this agreement.
12. Liability
12.1. Each party's (and its affiliates') total aggregate liability arising out of or related to this agreement is subject to the exclusions and limitations of liability set out in the Principal Agreement.
12.2. If the Principal Agreement contains no monetary cap on liability, each party's total aggregate liability arising out of or related to this agreement is limited to the fees paid or payable by Customer under the Principal Agreement in the 12 months preceding the event giving rise to the claim, and neither party is liable for indirect, special or consequential loss.
12.3. Nothing in this clause limits: (a) any individual's data protection rights against either party; (b) liability arising from a party's fraud or wilful misconduct; or (c) liability that cannot be limited under applicable law.
12.4. Each party indemnifies the other against third-party claims arising from the indemnifying party's breach of this agreement or data protection laws, subject to the limitations in this clause 12 and provided the indemnified party gives prompt notice, allows the indemnifying party to control the defence, provides reasonable assistance and does not admit liability.
13. General
13.1. Commencement and duration. This DPA takes effect when Customer first uses the Services (or on the effective date of the Principal Agreement, if earlier) and continues for as long as Warp processes Customer Data.
13.2. Contacts. Each party will maintain a named data protection contact and information security contact, recorded in Schedule 4, and will keep these current.
13.3. Survival. Clauses 3 (confidentiality), 11 (return and deletion) and 12 (liability) survive termination.
13.4. Governing law and disputes. This agreement is governed by the laws of the Republic of South Africa, and disputes are subject to the dispute resolution and jurisdiction provisions of the Principal Agreement, failing which the competent South African courts.
13.5. Changes. Warp may update this DPA from time to time. Material changes will be notified at least 30 days in advance by email or in-platform notification, and the Last Updated date will be revised. Changes will not materially reduce the overall protection of Customer Data.
13.6. Entire agreement. This agreement replaces any earlier data processing terms between the parties relating to the platform.
Schedule 1: Processing details
| Subject matter | Personal information contained in Customer's data hosted and processed on the OrderEazi platform, including customer, supplier and end-user records |
| Duration | Customer's subscription term, plus the wind-down period in clause 11 |
| Nature and purpose | Hosting, storage, transmission and processing of Customer data as necessary to provide the OrderEazi platform and related services under the Principal Agreement |
| Categories of personal information | Legal entity information, names, contact information, delivery addresses, order and transactional information |
| Categories of data subjects | Customer's personnel, customers, suppliers and end users of Customer's storefronts |
| Special personal information | None. Customer must not submit special personal information (or special categories of data under the GDPR) to the platform without Warp's prior written agreement |
Schedule 2: Security measures
Warp maintains the following technical and organisational measures for the OrderEazi platform:
Encryption
• All external traffic encrypted in transit using TLS with a defined minimum protocol version and cipher policy.
• Encryption at rest across production databases, file and object storage (private, access-controlled buckets) and backup storage media; documented key management, available on request.
Access control and authentication
• Least-privilege, role-based access control on the platform and infrastructure.
• Production access restricted to authorised administrative personnel via a centralised, access-controlled credential vault.
• Multi-factor authentication available across the platform and applied to infrastructure, administrative console and code repository access.
• Formal joiner, mover and leaver process for prompt provisioning and revocation of access.
Network and application security
• Edge security layer including a web application firewall and DDoS protection; production in private subnets with controlled security groups; segregated development, staging and production environments.
• Secure development lifecycle: mandatory code review, branch protection, automated security checks and dependency scanning in CI/CD.
• Independent penetration testing with tracked remediation.
• Tenant isolation through dedicated, separate databases per customer.
Logging, monitoring and backup
• Centralised security event logging (SIEM) with OpenTelemetry-based observability.
• Administrative access restricted by IP allow-listing and VPN.
• Daily backups on encrypted media with regularly tested restoration.
People and organisation
• Confidentiality undertakings in all employment contracts; regular security awareness training.
• Documented incident response policy with severity classification, and a data breach procedure aligned to POPIA section 22.
• Ongoing evaluation of measures against industry standards.
Schedule 3: Authorised sub-operators and processing locations
| Sub-operator | Service | Data categories | Location | Transfer basis |
| Amazon Web Services | Cloud hosting, storage, transactional email | Customer data; email content | EU (eu-west, Ireland) | POPIA s 72(1)(b) — GDPR jurisdiction |
| OpenMetal | Production infrastructure hosting | Customer data | EU (Netherlands) | POPIA s 72(1)(b) — GDPR jurisdiction |
| Cloudflare | Edge security (WAF, DDoS protection), CDN | Traffic metadata | Global edge network | POPIA s 72(1)(a) — binding DPA with SCCs |
| xneelo | Hosting services (South Africa) | Customer data | South Africa | Domestic processing — POPIA |
| Uptrace | Application telemetry and observability | Anonymised traces, logs, metrics | EU | POPIA s 72(1)(b) — GDPR jurisdiction |
| Twilio SendGrid | Transactional email delivery | Email content and attachments | United States | POPIA s 72(1)(a) — binding DPA |
| Anthropic | AI-assisted platform features | Content submitted to AI features | United States | POPIA s 72(1)(a) — binding DPA |
Schedule 4: Contacts
| Data protection enquiries | privacy@ordereazi.com |
| Security matters and compromise notifications | security@ordereazi.com |
| Customer contact | Security compromise notifications are sent to Customer's registered administrative contact. Customer must keep its contact details current in its account settings. |