This Data Processing Addendum (“Addendum”) forms part of the Terms of Service (“Agreement”) between Doogital Tech (PTY) LTD (“Doo”, “Processor”, “we”, “us”, “our”) and the entity or individual (“Client”, “Controller”, “you”, “your”) using Doo’s services.

Data Protection and Privacy

Doo complies with applicable data protection laws, including the Protection of Personal Information Act, 2013 (POPIA) and the General Data Protection Regulation (GDPR) where applicable. Each party shall process Personal Data only in accordance with the Data Processing Policy and Privacy Policy.

  • Client acts as the Controller / Responsible Party; Doo acts as the Processor / Operator.
  • Data may be transferred or stored in secure Microsoft Azure data centres (currently South Africa and the United States) subject to lawful transfer mechanisms including Standard Contractual Clauses and Chapter 9 of POPIA.
  • Doo will notify Clients without undue delay in the event of a personal data breach, as set out in Section 9 (Breach Notification) of this Addendum.
  • EU/UK residents may exercise data protection rights under their local laws.

In the event of any conflict between this Addendum and the Agreement, this Addendum prevails to the extent of the conflict.

Data Processing

1. Roles and Responsibilities

1.1 The Client acts as the Responsible Party / Controller and determines the purpose and means of Processing Personal Data or Personal Information.

1.2 Doo acts as the Operator / Processor and processes such data only on the documented instructions of the Client, except where required by law.

1.3 Both parties shall comply with their respective obligations under POPIA and GDPR and cooperate in good faith to ensure lawful processing.

2. Nature, Purpose and Duration of Processing

2.1 Doo provides cloud-based human resource and business operations software as a service via https://doo.software (the “Service”).

2.2 Doo processes Personal Data to deliver, support, secure, and improve the Service, including functionality such as Core HR, Performance Management, and Recruitment.

2.3 Processing shall continue for as long as the Client maintains an active subscription or until deletion of all Client Data as described in Section 10.

3. Categories of Data and Data Subjects

3.1 The categories of Personal Data processed typically include: employee identifiers, contact details, job titles, HR records, performance data, payroll identifiers, leave balances, and document uploads.

3.2 Data Subjects include employees, contractors, candidates, or other individuals whose information is uploaded or managed by the Client through the Service.

4. Lawful Basis and Instructions

4.1 The Client is responsible for establishing and maintaining a lawful basis for Processing Personal Data under GDPR and POPIA (e.g., consent, contractual necessity, legitimate interest, or legal obligation).

4.2 Doo shall process Personal Data solely on documented instructions from the Client. If Doo believes any instruction infringes data protection law, it shall promptly notify the Client.

5. Security Measures

5.1 Doo shall implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

5.2 Such measures include, but are not limited to:

  • Encryption of data at rest and in transit
  • Access control and authentication
  • Regular vulnerability and patch management
  • Multi-factor authentication (MFA)
  • Network segmentation and intrusion detection
  • Periodic security audits and employee training

5.3 Doo’s security framework aligns with internationally recognised standards such as ISO 27001, and with the eight conditions for lawful processing under POPIA.

6. Subprocessors

6.1 Doo may engage Subprocessors to provide hosting, infrastructure, and support services. All Subprocessors are bound by written agreements imposing equivalent data protection obligations.

6.2 Doo remains responsible for acts and omissions of its Subprocessors.

6.3 The Client may request a list of current Subprocessors by contacting support@doogitaltech.com.

7. Cross-Border Data Transfers

7.1 Personal Data may be transferred and stored outside the country of origin, including in secure Azure data centres located in the United States or other jurisdictions.

7.2 For transfers from the EU/EEA or UK, Doo ensures adequate protection using Standard Contractual Clauses (SCCs) or equivalent safeguards approved by applicable data protection authorities.

7.3 For transfers under POPIA, Doo ensures compliance with Chapter 9 (cross-border data flow provisions) by obtaining consent or confirming adequate protection levels.

8. Assistance and Data Subject Rights

8.1 Doo shall, insofar as possible, assist the Client in responding to data subject requests (access, correction, erasure, restriction, portability, objection) within statutory timelines.

8.2 Doo shall promptly forward any direct data subject requests it receives to the Client.

9. Breach Notification

9.1 In the event of a Security Incident involving Personal Data, Doo shall notify the Client without undue delay and, where feasible, within 48 hours after becoming aware.

9.2 Such notice shall include, to the extent known: nature of the breach, categories and volume of data affected, likely consequences, remedial actions taken, and measures to mitigate further risk.

9.3 The Client is responsible for fulfilling regulatory and data subject notifications as required by Articles 33 and 34 of the GDPR and Section 22 of POPIA.

10. Retention and Deletion

10.1 Upon termination of the Agreement or written request, Doo will delete or return all Client Personal Data (including backups) within 30 days, unless retention is required by law.

10.2 Doo maintains a documented data retention and deletion policy consistent with POPIA and GDPR standards.

11. Audits and Documentation

11.1 Doo shall maintain records of processing activities, security audits, and incidents.

11.2 The Client may, upon reasonable written notice (no more than once per 12 months), request audit evidence or conduct an independent audit, provided such audit:

  • does not interfere with operations,
  • protects confidentiality of other clients’ data, and
  • is limited to evidence relevant to this Addendum.

11.3 Audit costs are borne by the Client unless a material breach is discovered.

12. Information Officer and Data Protection Contact

In accordance with Section 55 of POPIA, Doo has appointed an Information Officer:

Lenesh Naidoo
Information Officer — Doogital Tech (PTY) LTD
Email: support@doogitaltech.com
Johannesburg, Gauteng, South Africa

13. Liability

Each party is responsible for damages arising from its own failure to comply with applicable data protection laws. The aggregate liability of either party is limited as set out in the main Agreement.

14. Governing Law

This Addendum is governed by the laws of the Republic of South Africa. Where required for GDPR or UK GDPR compliance, EU/UK data subjects may also assert their rights under the laws of the applicable EU member state or the United Kingdom.

15. Annexes

Annex A – Details of Processing

  • Purpose: Delivery of HR, recruitment, and performance management services.
  • Nature: Storage, analysis, transmission, and management of HR data via cloud infrastructure.
  • Categories of Data: Employee identifiers, contact info, job roles, performance records, leave data, uploaded documents.
  • Data Subjects: Employees, contractors, candidates, and system administrators.
  • Retention: As long as subscription remains active or as required by law.

Annex B – Security Measures

  • Encryption (AES-256 at rest, TLS 1.2+ in transit)
  • Firewalls, network isolation, and WAF protection
  • Role-based access control (RBAC)
  • Multi-factor authentication
  • Incident management and recovery plans

Annex C – Subprocessors

Doo operates its platform using secure and reputable third-party infrastructure and services (“Subprocessors”) to deliver, maintain, and improve our HR, performance, and recruitment solutions. These providers only process data as necessary to provide their contracted services to Doo, under strict confidentiality and data protection obligations aligned with GDPR and POPIA.

  • Microsoft Azure — primary cloud hosting and database infrastructure. All production servers and data storage are hosted within Microsoft Azure data centres (currently in the United States and South Africa) with encryption at rest (AES-256) and in transit (TLS 1.2+). Azure provides resilience, data redundancy, and security compliance certifications (ISO 27001, SOC 2 Type II).
  • Microsoft Entra ID (formerly Azure Active Directory) — identity and access management. Provides secure authentication, role-based access control (RBAC), single sign-on (SSO), and multi-factor authentication (MFA) for users and administrators.
  • SimplePay and PaySpace by Deel — optional HRIS and payroll system integrations. When configured by the Client, limited employee identifiers (name, ID number, payroll code) and remuneration data may be exchanged with these systems via API.
  • SendGrid (by Twilio) — transactional email delivery service used to send system notifications, password resets, performance reminders, and employee engagement mailers. Email events (delivery, bounce, open) are logged for deliverability analytics only.
  • Apollo.io — used exclusively by Doo for business-to-business sales outreach and CRM enrichment. Apollo processes only professional contact details of business representatives; no customer HR data or employee information is transmitted.
  • Google Analytics 4 — web analytics platform used to understand aggregated site usage, user navigation, and conversion patterns. IP anonymization is enabled and no HR-specific or identifiable employee data is tracked. Data is retained in aggregated form only.
  • Hotjar — behavioural analytics and feedback tool used to assess product usability and improve user experience. Session recordings and heatmaps may be used in anonymized or pseudonymized form only. No sensitive HR, candidate, or payroll data is captured.
  • Calendarific — public holiday and observance calendar API integrated for leave management and automated scheduling features. Processes country and region metadata only; no personal data is transmitted.

All Subprocessors are subject to contractual obligations that ensure data is processed only on documented instructions, under confidentiality, and with appropriate technical and organisational safeguards. Doo remains fully responsible for their performance and ensures that all data transfers occur under lawful mechanisms, including Standard Contractual Clauses (SCCs) or POPIA Chapter 9 provisions.

16. Execution

By continuing to use Doo, the Client agrees to this Data Processing Addendum as of the date of continued use or renewal.