1. Parties & roles
The Customer is the Responsible Party. MAP is the Operator as defined in POPIA. Each party will comply with its respective obligations under POPIA, the CPA, ECTA and other applicable South African law.
2. Subject matter & duration
Subject matter: processing of personal information necessary to provide the Services. Duration: for as long as the underlying services agreement is in force, plus any additional retention required by law.
3. Instructions & purpose
MAP will process personal information only on the documented instructions of the Customer (which are deemed to include the use of the Services through their normal configuration) and for the purpose of providing the Services. MAP will notify the Customer if it believes an instruction breaches POPIA.
4. Sub-Operators
Customer authorises MAP to engage sub-operators for hosting, calendar integration, payments and email delivery. The current list, refreshed as it changes, is:
- Lovable Cloud / managed hosting & database
- Google LLC — Google Calendar & Google Meet
- Payment processor (regulated PSP)
- Transactional email provider
MAP imposes data-protection obligations on each sub-operator no less protective than this DPA, and remains liable for their acts and omissions.
5. Security measures
MAP maintains appropriate, reasonable technical and organisational measures, including TLS in transit, encryption at rest, role-based access control, row-level security, password hashing, audit logging, least-privilege service accounts, and regular dependency scans.
6. Breach notification
MAP will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any compromise of personal information processed under this DPA, with sufficient information for the Customer to meet its own notification obligations under POPIA s.22.
7. Data subject requests
MAP will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to respond to requests from data subjects to exercise their POPIA rights.
8. Audit rights
Once per twelve-month period, on at least 30 days' written notice, the Customer (or an independent auditor bound by confidentiality) may audit MAP's compliance with this DPA, during normal business hours and without disrupting MAP's operations. MAP may meet this obligation by providing recent third-party audit reports (e.g. SOC 2 or ISO 27001) where available.
9. Cross-border transfers
Where personal information is transferred outside South Africa, MAP will ensure the transfer is lawful under POPIA section 72 (the recipient is subject to binding rules or laws providing adequate protection, or the transfer rests on consent, contractual necessity or another lawful basis).
10. Return & destruction
On termination of the services agreement, MAP will, at the Customer's choice, return or securely destroy all personal information within 90 days, except where retention is required by law.
11. Governing law
This DPA is governed by the laws of the Republic of South Africa and is subject to the dispute-resolution clause of the Terms of Service.
Questions about this policy? Email support@mapfoodsafetysolutions.co.za. This document is provided for transparency and does not constitute legal advice.