Data Processing Agreement

Effective date: 1 May 2026 • Version: 2026.01 • Next review: 1 March 2027

This Data Processing Agreement forms part of the agreement between Tsamma Solutions (Pty) Ltd and the Employer Client that uses Tsamma's recruitment matching platform, governing the processing of Candidates' personal information and ensuring both parties comply with the Protection of Personal Information Act, 4 of 2013 (POPIA).

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Tsamma Solutions (Pty) Ltd ("Tsamma", "we", or "us") and the Employer Client ("Client", "you", or "Employer") that uses Tsamma's recruitment matching platform (the "Services") to receive matched applicant profiles.

This DPA governs the processing of personal information of Candidates ("Data Subjects") that flows between Tsamma and the Client, and ensures both parties comply with the Protection of Personal Information Act, 4 of 2013 ("POPIA").

This DPA applies in addition to any service agreement, master services agreement, or other written agreement between Tsamma and the Client (the "Service Agreement"). In the event of a conflict, this DPA prevails on matters relating to data protection.

2. Definitions

In this DPA, capitalised terms have the meanings given to them in POPIA, unless defined here. Without limitation:

  • Candidates - Persons who register on Tsamma's platform with the objective of finding work.
  • Data Breach - A compromise of the security, integrity, or confidentiality of Personal Information.
  • Data Subject - The applicant whose Personal Information is processed (i.e., the job seeker registered with Tsamma).
  • Information Regulator - The Information Regulator established under section 39 of POPIA.
  • Operator - A person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.
  • Personal Information - Information relating to an identifiable, living natural person, as defined in section 1 of POPIA.
  • Processing - Doing anything with personal data, including gathering it, disclosing it, or combining it with other information.
  • Special Personal Information - Personal information referred to in section 26 of POPIA, including race, health, criminal behaviour, and biometric data.
  • Sub-Operator - Any third party engaged by Tsamma to process Personal Information on behalf of the Client.
  • Responsible Party - The party who determines the purpose of and means for processing Personal Information.

3. Roles of the Parties

Independent Responsible Parties

The parties acknowledge and agree that, in respect of Personal Information shared via the Services:

  • Tsamma is an independent Responsible Party for the processing of applicant Personal Information for the purposes of building, maintaining, and matching applicant profiles, as set out in Tsamma's Privacy Policy;
  • The Client is an independent Responsible Party for the processing of applicant Personal Information that it receives from Tsamma, for its own recruitment, selection, employment, and related purposes.

This DPA reflects the obligations of both parties as independent Responsible Parties working together within a matching ecosystem. To the extent that Tsamma processes Personal Information on the specific instruction of the Client (for example, to support a Client-specific recruitment campaign), Tsamma will act as an Operator for that defined purpose, and Sections 5 to 11 of this DPA will apply to Tsamma's role accordingly.

Compliance Responsibility

Each party is independently responsible for complying with POPIA and other applicable data protection laws in respect of its own processing activities. Neither party is liable for the other party's independent breach of POPIA.

4. Subject Matter, Scope and Duration

Subject Matter

The processing of Personal Information of Data Subjects (Candidates) for the purpose of recruitment matching, screening, and placement.

Categories of Data Subjects

Candidates who have registered with Tsamma Employment via the WhatsApp Flow and consented to having their profile shared with prospective employers.

Categories of Personal Information

The Personal Information shared with the Client may include, depending on the role and matching criteria:

  • Identity details (name, ID number, passport or asylum permit number, document photos);
  • Personal details (date of birth, gender, ethnicity);
  • Contact information (WhatsApp number, email);
  • Residential address;
  • Education and qualifications;
  • Work history (industries, positions, duration, reasons for leaving);
  • Job preferences and availability;
  • Driver's licence, vehicle, and PDP information (with photos);
  • Proof of address;
  • SARS tax number (where relevant for placement);
  • Disclosed criminal record information;
  • Disclosed disability information (only where the Data Subject has voluntarily disclosed);
  • Work condition consents;
  • Literacy and numeracy assessment results.

Special Personal Information

The parties acknowledge that the categories above include Special Personal Information (race, health, criminal behaviour). The Client warrants that it will process such Special Personal Information only:

  • With the express consent of the Data Subject (as obtained by Tsamma at registration);
  • Where authorised by section 27 of POPIA (e.g., for compliance with employment law);
  • For purposes consistent with the original consent.

Duration

This DPA applies for the duration of the Service Agreement and continues to apply to any Personal Information that the Client retains after termination, until that information is lawfully deleted or returned.

5. Client Obligations as Responsible Party

The Client warrants and undertakes that it will:

  • Process lawfully: Process Personal Information received from Tsamma only for legitimate recruitment, selection, and employment-related purposes consistent with the consent obtained at registration;
  • Limit access: Restrict access to Personal Information to authorised personnel on a need-to-know basis;
  • Not exceed scope: Not use Personal Information for unrelated marketing, profiling, or onward sale;
  • Maintain accuracy: Take reasonable steps to keep Personal Information accurate and up to date;
  • Apply security: Implement appropriate technical and organisational measures to protect Personal Information (see Section 8);
  • Honour Data Subject rights: Cooperate with requests from Data Subjects to access, correct, or delete their information;
  • Retain lawfully: Retain Personal Information only as long as necessary for the recruitment purpose, or as required by law (e.g., Employment Equity, tax, or labour record-keeping requirements);
  • Respect withdrawal: Cease processing and delete Personal Information of any applicant whose consent has been withdrawn, except where retention is required by law;
  • Notify breaches: Notify Tsamma without undue delay of any Data Breach involving Personal Information received from Tsamma (see Section 9);
  • Comply with cross-border rules: Not transfer Personal Information outside South Africa except in compliance with section 72 of POPIA.

6. Tsamma Obligations as Responsible Party (and as an Operator where applicable)

Tsamma warrants and undertakes that it will:

  • Obtain valid consent: Obtain appropriate consent from Data Subjects to share their Personal Information with prospective employers;
  • Provide accurate matches: Take reasonable care to share only Personal Information relevant to the role and the matching criteria;
  • Maintain platform security: Implement and maintain appropriate technical and organisational security measures;
  • Manage operators: Engage Sub-Operators only under written agreements that include equivalent data protection obligations;
  • Support Client compliance: Provide reasonable assistance to the Client in responding to Data Subject requests, regulatory inquiries, and breach investigations;
  • Notify breaches: Notify the Client without undue delay of any Data Breach affecting the Client's matched applicants (see Section 9);
  • Provide transparency: Maintain a publicly available Privacy Policy and PAIA Manual;
  • Respect withdrawal: Promptly notify the Client if a Data Subject withdraws consent or requests deletion, where Tsamma reasonably believes the Client may still be processing the information.

7. Confidentiality

Both parties undertake to:

  • Treat all Personal Information shared under this DPA as strictly confidential;
  • Ensure that any personnel with access to Personal Information are bound by written confidentiality obligations;
  • Not disclose Personal Information to any third party except as permitted by this DPA, the Service Agreement, or applicable law.

These confidentiality obligations survive termination of this DPA indefinitely.

8. Security Measures

Each party will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including:

Technical Measures

  • Encryption of Personal Information in transit;
  • Multi-factor authentication for administrative and privileged access;
  • Role-based access controls and the principle of least privilege;
  • Logging and monitoring of access to Personal Information;
  • Regular security patching and vulnerability management;
  • Backup and disaster recovery procedures.

Organisational Measures

  • Documented information security policies and procedures;
  • Confidentiality obligations in employment and contractor agreements;
  • Privacy and security training for personnel with access to Personal Information;
  • Vendor risk management for Sub-Operators and service providers;
  • Incident response and breach notification procedures;
  • Periodic review and audit of security controls.

9. Data Breach Notification

Notification by Tsamma

If Tsamma becomes aware of a Data Breach affecting Personal Information shared with the Client, Tsamma will notify the Client without undue delay and in any event within 72 hours of becoming aware. The notification will include:

  • A description of the nature and likely consequences of the breach;
  • The categories and approximate number of Data Subjects and records affected;
  • The measures taken or proposed to address the breach;
  • Contact details for further information.

Notification by Client

The Client will notify Tsamma without undue delay and in any event within 72 hours of becoming aware of any Data Breach affecting Personal Information received from Tsamma.

Cooperation

The parties will cooperate in good faith to:

  • Investigate the cause and scope of any Data Breach;
  • Mitigate harm to affected Data Subjects;
  • Notify the Information Regulator and Data Subjects, where required by section 22 of POPIA;
  • Document the breach and remediation actions.

Costs

Each party bears its own costs of investigating and responding to a Data Breach, except where the breach was caused by the other party's negligence or breach of this DPA.

10. Sub-Operators

Tsamma's Use of Sub-Operators

The Client authorises Tsamma to engage Sub-Operators for the provision of the Services, including (but not limited to):

  • Cloud hosting providers;
  • WhatsApp Business Platform / Meta Platforms, Inc.;
  • Verification partners (identity, criminal record, qualifications);
  • Communication and CRM providers;
  • Analytics providers.

A current list of material Sub-Operators is available on request from the Information Officer.

Sub-Operator Obligations

Tsamma will ensure that each Sub-Operator is bound by a written agreement that imposes data protection obligations equivalent to those in this DPA.

Liability for Sub-Operators

Tsamma remains responsible for the acts and omissions of its Sub-Operators in respect of Personal Information processed on the Client's behalf as if they were Tsamma's own acts and omissions.

11. Cross-Border Transfers

Personal Information may be transferred to, or processed in, countries outside South Africa where Sub-Operators operate. The parties agree that any such transfer will be carried out in accordance with section 72 of POPIA, including (where applicable):

  • Transfer to a country with comparable data protection laws;
  • Binding corporate rules or contractual safeguards;
  • Express consent from the Data Subject;
  • Necessity for performance of a contract with the Data Subject.

12. Data Subject Rights

Cooperation

The parties will cooperate to honour Data Subject rights under POPIA, including:

  • Right of access;
  • Right to correction or deletion;
  • Right to object;
  • Right to withdraw consent;
  • Right to data portability (where applicable).

Forwarding Requests

If a party receives a Data Subject request that relates to Personal Information held by the other party, it will forward the request without undue delay and assist the other party in responding.

Response Times

Each party will respond to Data Subject requests within the timeframes required by POPIA (typically 30 days, with possible extension where reasonable).

13. Audit Rights

Information Provided

Upon reasonable written request and subject to confidentiality, Tsamma will provide the Client with information necessary to demonstrate compliance with this DPA, including:

  • Summaries of security policies and procedures;
  • Copies of relevant certifications (if any);
  • Responses to standardised security questionnaires.

On-Site Audits

The Client may conduct an on-site audit of Tsamma's facilities only:

  • Once per year (unless a Data Breach has occurred);
  • After 30 days' written notice;
  • During normal business hours;
  • At the Client's cost; and
  • Subject to confidentiality and security restrictions.

14. Return or Deletion of Personal Information

On Termination

Upon termination of the Service Agreement, the Client will, at Tsamma's option:

  • Return all Personal Information received from Tsamma; or
  • Securely delete or destroy all such Personal Information,

except where retention is required by law or for the establishment, exercise, or defence of legal claims.

Certification

Upon written request, the Client will certify in writing that it has complied with this Section 14.

15. Liability

Allocation of Liability

Each party is liable for damages caused by its own breach of this DPA, POPIA, or other applicable data protection law.

Limitation

To the maximum extent permitted by law, the parties' aggregate liability under this DPA is governed by the limitation of liability clause in the Service Agreement, except that liability for:

  • Breach of confidentiality;
  • Wilful misconduct or gross negligence;
  • Indemnity obligations under this DPA,

is not capped.

Indemnity

Each party indemnifies the other against any administrative fines imposed by the Information Regulator that are directly attributable to the indemnifying party's breach of this DPA or POPIA.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of South Africa. Any dispute is subject to the exclusive jurisdiction of the South African courts.

17. General Provisions

  • Order of precedence: This DPA prevails over the Service Agreement on matters of data protection.
  • Severability: If any provision is found unenforceable, the remaining provisions remain in effect.
  • Amendment: This DPA may only be amended in writing signed by both parties.
  • Survival: Sections 7 (Confidentiality), 9 (Data Breach Notification), 14 (Return or Deletion), 15 (Liability), and 16 (Governing Law) survive termination.
  • No third-party rights: Nothing in this DPA confers any rights on a third party, except that Data Subjects may rely on the protections set out herein to the extent permitted by POPIA.

18. Contact Us

If you have any questions about this Data Processing Agreement, or wish to exercise your rights, please contact us. Our Information Officer is Anro Redelinghuys.

compliance@tsamma.io WhatsApp