Legal
Data Processing Agreement
Effective 2026-05-26 · Last updated 5 June 2026
Roles
Where you upload or generate personal information inside your Komply workspace, you act as the responsible party under POPIA and Komply acts as your operator. This page sets out the terms on which we handle that information.
Sub-processors
- Supabase — application database, authentication, and file storage. EU region (Ireland).
- Vercel — application hosting and serverless runtime. Serverless functions run in the EU (Frankfurt, Germany).
- Resend — transactional email delivery (sign-in links, monthly digest). United States.
- PayFast — subscription billing.
- Auto Alpha Advisory Audit Engine — the upstream scanner that produces the compliance findings Komply mirrors into your dashboard. Hosted by AAA in Amsterdam.
- Anthropic— large-language-model processing for two purposes: (1) FSCA narrative drafting (ICMP reports, COI policy prose, Ombud responses) — personally-identifying details are redacted before transmission; and (2) B-BBEE own-certificate field extraction — the uploaded certificate is sent unredacted because the document content is required for extraction; this is the tenant's own data, processed on their behalf. Hosted in the United States; we use the zero-data-retention tier so prompts are not retained for model training.
- CIPC APIVerse (CIPC / the dtic, South Africa) — company-registry lookup at onboarding (registration number → public company details and director roster). Data is processed within South Africa. Director ID numbers and dates of birth are stripped at our boundary and never stored.
We notify you in-app and by email at least 14 days before adding or replacing a sub-processor.
Cross-border transfers
Your data crosses South African borders to reach Supabase (Ireland), Vercel (Frankfurt, Germany), and Auto Alpha Advisory (Netherlands), all subject to the EU General Data Protection Regulation which provides protection comparable to POPIA (POPIA s72(1)(a)). Anthropic and Resend process data in the United States under contractual safeguards (POPIA s72(1)(b)); for Anthropic, FSCA drafting is redacted PII and B-BBEE own-certificate extraction is the document content you uploaded on your own behalf, while Resend handles only the recipient address and message content needed to deliver transactional email. CIPC APIVerse processes company-registry data within South Africa. Our contracts with each sub-processor bind them to handle your data in accordance with POPIA.
Security
Tenant isolation is enforced at the application layer: every database query is scoped to your workspace by your authenticated session. Row-Level Security policies provide defense in depth on the database side. Encryption in transit (TLS 1.2+) and at rest (AES-256). OAuth refresh tokens (Xero) are additionally encrypted at the application layer with a tenant-scoped envelope key. Access to production data is limited to named operators and audited quarterly.
Breach notification
If we become aware of a personal-information breach affecting your workspace, we notify you without undue delay and in any case within 72 hours of confirmation, with whatever facts are known at that point. Subsequent updates follow as the investigation continues.
On termination
On cancellation, your workspace data is retained for 12 months (so you can recover if you change your mind), then permanently deleted. You can request earlier deletion at any time via hello@getkomply.co.za.
A signed counterpart
Enterprise customers can request a counter-signed PDF version of this DPA on letterhead. Email hello@getkomply.co.za and we'll send one within two business days.