This Data Processing Agreement ("Agreement") is incorporated into the main Service Agreement between Beeline Learn (Pty) Ltd (‘we’, ‘us’, ‘Operator’) and the client entity (‘you’, ‘Responsible Party’) who has agreed to these terms.
Unless the context requires otherwise, the following terms shall have the meanings ascribed to them in South Africa's Protection of Personal Information Act, 4 of 2013 ("POPIA"): Child, Competent Person, Data Subject, Personal Information, and Processing.
Data Breach: This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information.
For the purposes of POPIA, you, the Client, are the Responsible Party and Beeline Learn (Pty) Ltd is the Operator.
We shall only Process Personal Information on your behalf and in accordance with your documented lawful instructions. The specific details of our processing activities are described in Annex A to this Agreement.
As the Operator, we are committed to assisting you in meeting your data protection obligations. We agree to the following:
Security and Confidentiality. We will implement and maintain appropriate, reasonable technical and organisational security measures to protect the integrity and confidentiality of Personal Information, as required by Section 19 of POPIA. We will also ensure that any persons we authorise to process Personal Information have committed themselves to confidentiality.
Data Breach Management. We will notify you without undue delay upon becoming aware of a Data Breach and provide reasonable assistance to you in investigating, mitigating, and managing the breach.
Sub-Processor Engagement. (a) You provide general written authorisation for us to engage third-party Sub-Operators to provide the Services. A complete list of our authorised Sub-Operators as of the effective date of this Agreement is provided in Annex B. (b) We will provide you with prior notice of any intended changes to this list, including the addition or replacement of a Sub-Operator. This will give you the opportunity to object to such changes on reasonable data protection grounds.
Data Handling and Minimisation. We commit to a policy of data minimisation when sharing Personal Information with Sub-Operators, where possible and practical. For Sub-Operators that may process client content (such as AI providers), we will use commercially reasonable efforts to engage versions of such services that contractually prohibit the use of your data for model training and that offer no-data-retention where available.
Data Subject Rights Assistance. We will provide reasonable and timely assistance to enable you to respond to requests from Data Subjects exercising their rights under POPIA.
Comply with all your obligations as a Responsible Party under POPIA.
For any Data Subject who is a Child (a natural person under 18), you unconditionally warrant that you have obtained and will maintain prior, verifiable consent from a Competent Person (the Child's parent or legal guardian) before that Child's Personal Information is processed through our Services. You agree to provide us with written evidence of such consent upon our request and warrant that you will maintain auditable records of such consent and make them available to us for compliance verification purposes.
Ensure that all Personal Information provided to us is accurate, up-to-date, and has been collected and disclosed lawfully.
Be responsible for responding to Data Subjects regarding the exercise of their rights. We shall provide reasonable and timely assistance as specified above to enable you to fulfil these obligations.
You agree to indemnify and hold us harmless from any claims, damages, losses, fines, and legal fees arising from any breach of this Agreement by you or any failure by you to comply with your obligations under POPIA.
Where the processing of Personal Information by us involves a transfer from the United Kingdom or European Economic Area to a country not deemed to provide an adequate level of data protection (such as South Africa), the parties agree that the Standard Contractual Clauses, as approved by the European Commission and adapted for the UK where necessary (via the UK Addendum or IDTA), shall be incorporated by reference into this Agreement.
This Agreement shall commence on the Effective Date of the Service Agreement and will remain in effect for as long as we Process Personal Information on your behalf.
Upon termination of the Service Agreement, we shall, at your choice, either delete or return all Personal Information, unless required by law to retain it.
This Agreement shall be governed by the laws of the Republic of South Africa.
Subject matter of processing To provide our learning and training management system to you and your authorised users.
Duration of processing The processing will continue for the full term of the Service Agreement between the Parties.
Nature and purpose of processing To provide a white-labelled training and management system enabling you to build and manage learning content, distribute training across devices, create user accounts, track learner progress, facilitate engagement, and provide AI-enabled features to support learning.
Types of Personal Information The types of Personal Information processed include:
Categories of Data Subjects The categories of Data Subjects whose information will be processed are:
The list of sub-processors below will be updated as needed. Please reach out for an updated list if you believe it may not be up to date.