Data Processing Addendum
Last updated: 8 May 2026
This Data Processing Addendum ("DPA") forms part of the master subscription agreement between Regalis Property Group (Pty) Ltd ("Regalis", the Operator) and the agency or organisation that has subscribed to the Regalis platform (the "Customer", acting as Responsible Party). It records the parties' obligations under section 21 of POPIA when Regalis processes personal information on the Customer's behalf.
1. Definitions
- Responsible Party — the party that determines the purpose of and means for processing personal information, as defined in POPIA s.1. Under this DPA, the Customer.
- Operator — a person who processes personal information for a Responsible Party in terms of a contract or mandate, as defined in POPIA s.1. Under this DPA, Regalis.
- Personal Information — has the meaning given in POPIA s.1, and includes all information about the Customer's tenants, landlords, applicants, contractors and staff that is processed through the platform.
- Sub-operator — a third party engaged by Regalis to process personal information on the Customer's behalf, listed at /privacy/subprocessors.
- Security Compromise — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information, as contemplated in POPIA s.22.
2. Purpose and scope
Regalis is appointed as Operator solely to deliver the platform's documented workflows — tenant onboarding, lease management, rent invoicing and reconciliation, deposit handling, maintenance ticketing, statements and tenant communications. Regalis does not process personal information for any other purpose, and never for its own commercial benefit.
3. Operator obligations
Regalis undertakes to:
- Process personal information only on the Customer's documented instructions, including the instructions implicit in the Customer's use of the platform.
- Treat all personal information as confidential, and ensure that staff with access are bound by written confidentiality undertakings.
- Maintain technical and organisational security measures appropriate to the risk, as required by POPIA s.19.
- Notify the Customer in advance of any change to its sub-operators, with a reasonable window for objection.
- Notify the Customer of any Security Compromise within 24 hours of becoming aware of it, with enough detail for the Customer to comply with its own POPIA s.22 reporting duties.
- Cooperate with and assist the Customer's Information Officer in responding to data-subject requests, regulator enquiries and audits.
4. Data subject rights
Where a data subject contacts Regalis directly to exercise rights under POPIA s.23 to s.25, Regalis will route the request to the Customer's Information Officer through our intake form at /privacy/request. Regalis provides tooling inside the platform that lets the Customer fulfil access, correction, deletion and objection requests within the 30-day statutory window.
5. Sub-operators
5.1 Prior general authorisation. By signing this DPA the Customer grants Regalis prior general written authorisation under section 21(2) of POPIA to engage the sub-operators identified on the register described in clause 5.2, on the condition that Regalis (a) imposes processing obligations on each sub-operator that are substantially the same as those Regalis owes the Customer under this DPA, (b) remains liable to the Customer for the acts and omissions of each sub-operator, and (c) makes the current register available to the Customer on the terms set out in clause 5.2 below.
5.2 Register and disclosure. Regalis maintains a current sub-operator register identifying each sub-operator, the personal information it processes, the country in which it processes, and the agreement on file. The Customer may request a copy of the register at any time before signing this DPA, on onboarding, and at any time during the term, by writing to the Information Officer at privacy@regalis.co.za or using the request form at /privacy/subprocessors. Regalis will provide the register to a customer or prospective customer within five business days of a written request, at no charge. The Customer's authorisation under clause 5.1 is given on the basis of the register as so disclosed; the Customer is entitled to review the register before signing and to refuse to sign if any sub-operator is unacceptable.
5.3 Why the register is not published openly. Some of our sub-operator relationships are commercially sensitive (in particular payment partners and screening providers). Restricting the register to authorised requesters does not limit the disclosure obligations under POPIA section 21 or the Customer's right of access under section 23 — the register is provided promptly to anyone with a legitimate interest. The information published in summary form on /privacy/subprocessors describes the categories of services we use without naming each provider.
5.4 Notice of changes. Regalis will give the Customer at least 14 days' advance written notice of any new sub-operator before that sub-operator begins processing personal information. The notice will identify the sub-operator, the processing purpose, the data categories involved, and the country in which processing takes place.
5.5 Right to object. The Customer may object to a new sub-operator on reasonable grounds (relating to data protection, security or compliance) within the 14-day notice period by writing to privacy@regalis.co.za. Regalis will use reasonable efforts to make the affected functionality available without the objected-to sub-operator. If a workable alternative cannot be agreed, the Customer may terminate the affected workflows on written notice and receive a pro rata refund of fees paid for the affected functionality for the unexpired period.
6. Cross-border transfers
Some sub-operators host or process data outside the Republic. Regalis relies on the conditions in POPIA s.72 — comparable foreign law, contractual safeguards mirroring POPIA, or transfers necessary for the contract — and records the basis for each provider on the subprocessor register. The Customer authorises these transfers by signing this DPA, subject to the objection mechanism in clause 5.
7. Security measures
Regalis maintains, at a minimum:
- TLS 1.2+ encryption for all data in transit.
- AES-256 (or equivalent) encryption for data and backups at rest.
- Role-based access controls, with least-privilege defaults and quarterly access reviews.
- Multi-factor authentication for all staff and administrative accounts.
- Append-only audit logs covering authentication, permission changes, exports and data-subject actions.
- A documented retention schedule (set out in our Privacy Policy) and routine purge jobs.
- An incident-response runbook, tabletop-tested annually.
7.1 Verification. On reasonable written notice and no more than once per calendar year (or more frequently following a Security Compromise), Regalis will make available a current SOC 2 Type II report, ISO/IEC 27001 certificate, or equivalent third-party assessment. Where a Customer reasonably requires more information than these reports provide, Regalis will co-operate with a remote audit at the Customer's reasonable cost, conducted on terms that protect the confidentiality and security of other customers' data.
8. Term and termination
This DPA runs for the term of the master subscription agreement. Within 30 days after termination the Customer may elect, in writing, either:
- Bulk export — Regalis will provide a one-off export of the Customer's personal information in a structured, commonly used format, additional to the in-app export tools available throughout the term; or
- Deletion — Regalis will delete or anonymise all personal information held on the Customer's behalf.
Absent an election within the 30-day window, deletion is the default and Regalis will proceed with deletion or anonymisation. Personal information that Regalis is required by law to retain (for example under FICA, the Tax Administration Act, or other audit obligations) is held under continued security controls until the legal retention period expires, after which it is deleted on the next retention sweep.
9. Liability and indemnity
Liability and indemnity arrangements (including caps, exclusions and insurance) are set out in the master subscription terms and are not duplicated here. Where this DPA and the master terms conflict on the subject of personal information processing, this DPA prevails to the extent of the conflict.
10. Governing law
This DPA is governed by the laws of the Republic of South Africa. The parties submit to the exclusive jurisdiction of the High Court of South Africa, Gauteng Division, Johannesburg.
11. Updates to this DPA
Regalis may update this DPA from time to time to reflect platform changes or regulatory developments. Material changes are announced inside the app and on this page at least 30 days before they take effect, except where a shorter period is required by law. The "Last updated" date at the top reflects the current version. The Customer's continued use of the platform after the effective date constitutes acceptance of the updated DPA.
12. Contact
Operational privacy queries should be sent to Liam James Parker at privacy@regalis.co.za. The full subprocessor list is at /privacy/subprocessors and data-subject requests are received at /privacy/request.