Legal & Trust Centre
Data Processing Agreement
The data-processing terms between MK Assist and business clients under POPIA.
Data Processing Agreement
Contact: tondani@mkassist.co.za
Plain-language summary
This agreement sets out how MK Assist processes personal information as an operator for a client, the client's responsibilities as responsible party, the security and subprocessor requirements, assistance with rights and incidents, international transfers, and return or deletion at the end of the service.
1. Parties and roles
For Client Personal Information processed to provide the client-controlled service, the Client is the responsible party and MK Assist acts as operator on the Client's documented instructions. MK Assist remains an independent responsible party for its own website, account, billing, fraud-prevention, support, security, legal and regulatory records.
2. Scope and term
This Data Processing Agreement is incorporated into the MK Assist subscription contract. It applies from the first processing of Client Personal Information and continues until that information is returned or deleted, except for minimum records that MK Assist must lawfully retain.
Meta, WhatsApp and other providers may have roles under their own terms. The Client remains responsible for ensuring its instruction to disclose or transfer information to them is lawful.
3. Documented instructions
The Client instructs MK Assist to collect, receive, host, organise, retrieve, transmit, generate responses from, secure, support, export, delete and otherwise process Client Personal Information only to provide the Service, comply with the agreement and law, and follow documented Workspace settings. MK Assist must inform the Client if an instruction appears unlawful, unless law prevents it, and may suspend the affected processing.
The Client must not instruct MK Assist to use Client or WhatsApp data for general model training, cross-client learning, prohibited profiling or high-impact decisions.
4. Processing details
Item Description
Subject matter Business-specific WhatsApp customer operations, Workspace administration, support, security and offboarding
Duration Subscription, 30-day export/reactivation window, deletion cycle and lawful retention
Nature Collection, hosting, indexing, retrieval, AI inference, message delivery, handover, support, logging, export and deletion
Purposes Responding to customer enquiries, routing to humans, maintaining approved history, operating and securing the Service
Data subjects Customers, Client personnel, agents, administrators, suppliers and other people in authorised content
Data types Contact identifiers, messages, media, customer details, business information, user accounts, technical metadata and configured records
Special information Not intended by default; permitted only after manual review, necessity, lawful authority and safeguards
5. Client obligations as responsible party
The Client must establish a lawful justification, provide required notices, obtain valid consents and WhatsApp opt-ins, respect rights and opt-outs, ensure information quality, minimise collection, set appropriate retention, assess prior authorisation, regulate children and special information, provide lawful instructions and maintain its own security. The Client will not upload information it has no right to process.
6. Confidentiality and personnel
MK Assist will ensure persons authorised to process Client Personal Information are subject to confidentiality and role restrictions, receive appropriate instructions and access only what they need. Developer or other approved support access must be approved and removed when no longer required.
7. Security measures
MK Assist will implement the Security Measures Schedule and maintain reasonable technical and organisational measures under POPIA section 19. Material controls include tenant separation, RBAC, MFA for privileged users, encryption, secret protection, audit logging, webhook verification, deduplication, handover state, sensitive-data controls, deletion cascades, backup and restoration tests, incident response and restricted production access.
8. Subprocessors
The Client gives general written authorisation for subprocessors on the published list. MK Assist will impose written confidentiality, instruction, security, incident, deletion and transfer obligations that provide protection appropriate to the processing. MK Assist remains responsible for its subprocessor's performance to the extent required by the agreement and law.
MK Assist will normally give 14 days' prior notice of a new material subprocessor. The Client may object on reasonable data-protection grounds. The parties will seek a practical resolution; if none exists, either may terminate the affected future Service without penalty, subject to accrued fees.
9. International transfers
MK Assist will process outside South Africa only where POPIA section 72 permits. It will document the relevant law, binding agreement, consent or other condition, and will publish provider locations and safeguards. The Client authorises listed transfers required for the Service.
10. Data-subject requests
MK Assist will promptly inform the Client of a request relating to Client Personal Information unless prohibited. It will not decide the request except on Client instruction or where MK Assist is independently responsible. It will provide reasonable search, access, correction, restriction, export and deletion assistance. The Client remains responsible for response content and timeframes.
11. Security compromise
MK Assist will notify the Client without undue delay and, where reasonably practicable, within 24 hours after it has sufficient awareness that unauthorised access or acquisition affects Client Personal Information. The initial notice may be incomplete and will be updated. It will include known nature, date, data, data subjects, likely effects, containment, contact and recommended action.
The Client normally makes section 22 notifications to the Information Regulator and data subjects. MK Assist will assist with facts, evidence and communications. MK Assist will not notify on the Client's behalf without written authority unless law requires MK Assist to act as responsible party.
12. Assistance and compliance evidence
Taking into account the processing, MK Assist will reasonably assist with impact assessments, prior-authorisation assessment, regulator enquiries, security reviews and data rights. It will maintain relevant processing, subprocessor, access, incident, deletion and acceptance records.
The Client may request current summaries, test evidence, provider documentation and responses to reasonable security questions. An audit follows the limitations in the Master Agreement and must protect other clients and system security.
13. Return and deletion
During the Service and 30-day window, the Client may export supported Client Data. After the window, MK Assist deletes active Client Personal Information according to the Retention Schedule, including knowledge-derived chunks and embeddings. Backups expire within 90 days and are not restored to ordinary production except for disaster recovery, after which deletion rules are re-applied. Legally retained records are isolated and not used for customer operations.
14. Government and law-enforcement requests
Where a lawful authority requests Client Personal Information, MK Assist will verify authority, disclose only what is legally required, preserve a record and notify the Client before disclosure where permitted. MK Assist will challenge an overbroad request where reasonably appropriate and will not create a surveillance or disclosure capability beyond law and the Service.
15. Liability and termination
Liability follows the Master Agreement, subject to non-excludable POPIA rights and remedies. This DPA survives for as long as MK Assist holds Client Personal Information.