Data Processing Agreement
Template version: 1.0 · Date: 28 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Imbazo and the Researcher. It governs the processing of personal data in connection with studies conducted through the Imbazo platform.
1. Parties
- Data Controller ("Controller"): The Researcher, as identified in their Imbazo account
- Data Processor ("Processor"): Imbazo (Pty) Ltd
2. Scope & Purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of:
- Matching study criteria to eligible participants in the Imbazo panel
- Facilitating communication between Controller and matched participants via WhatsApp
- Tracking study progress, completion status, and quality metrics
- Processing payments to participants on behalf of the Controller
The Processor shall not process personal data for any purpose other than those specified above unless instructed in writing by the Controller.
3. Types of Personal Data Processed
| Category | Data elements | Data subjects |
|---|---|---|
| Identification data | Name, phone number, email | Participants |
| Demographic data | Age, gender, country, city, education, employment | Participants |
| Socio-economic data | Income bracket, internet access type | Participants |
| Special personal information | Ethnicity, languages (where applicable) | Participants |
| Study interaction data | Match status, completion timestamps, quality ratings | Participants |
| Payment data | Payment method preferences, transaction references | Participants |
4. Processing Limitations
- The Processor shall process personal data only on documented instructions from the Controller (i.e., the study criteria and parameters set in the platform).
- The Processor shall not sell, rent, or share personal data with third parties except sub-processors listed in Section 8.
- The Processor shall not combine participant data across different Controllers' studies except in aggregate, anonymised form for platform statistics.
5. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Database row-level security preventing cross-researcher data access
- Access control with session-based authentication (Clerk)
- Comprehensive audit logging of all data access events
- Regular security dependency updates
- Principle of least privilege for all system components
- Service role separation between public and administrative database access
6. Data Breach Notification
- The Processor shall notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware of it.
- The notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- The Processor shall cooperate with the Controller in notifying the Information Regulator (South Africa) or POTRAZ (Zimbabwe) as required by POPIA Section 22.
7. Data Deletion & Return
- Upon study completion or termination, the Controller may request export of all study-related data in a structured format (CSV/JSON).
- The Processor shall delete or anonymise participant personal data associated with the study within 30 days of the Controller's written request, unless retention is required by law.
- Aggregate, anonymised data (study participation counts, quality metrics) may be retained by the Processor for platform improvement.
- Participant panel membership data is not deleted on study completion; it is retained under the Processor's own lawful basis (participant consent).
8. Sub-Processors
The Controller authorises the use of the following sub-processors. The Processor will notify the Controller at least 14 days before engaging any new sub-processor.
| Sub-processor | Location | Service | Data processed |
|---|---|---|---|
| Supabase Inc. | United States | Database hosting | All participant & study data |
| Meta Platforms (WhatsApp) | US / Ireland | Messaging | Phone numbers, message content |
| Clerk Inc. | United States | Authentication | Researcher email, auth tokens |
| Vercel Inc. | United States | Web hosting | Server logs, request metadata |
Each sub-processor is bound by data processing terms no less protective than this DPA.
9. Cross-Border Transfers
Personal data may be transferred to the United States and Ireland (see sub-processors above). The Processor ensures adequate protection through:
- Contractual safeguards (data processing agreements with sub-processors)
- Sub-processor compliance certifications (SOC 2, PCI DSS where applicable)
- Data minimisation: only necessary data is transferred to each sub-processor
10. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests (access, correction, deletion, objection) within 15 business days of the Controller's request.
11. Audit Rights
The Controller may, with 30 days' written notice and at the Controller's expense, audit the Processor's compliance with this DPA. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
13. Term & Termination
This DPA is effective for the duration of the Controller's use of the Platform. It survives termination of the Terms of Service with respect to any personal data still held by the Processor.
14. Governing Law
This DPA is governed by the laws of the Republic of South Africa, including POPIA.
Signatures
For the Data Controller (Researcher):
Name: ________________________________
Title: ________________________________
Institution: ________________________________
Date: ________________________________
Signature: ________________________________
For the Data Processor (Imbazo):
Name: ________________________________
Title: ________________________________
Date: ________________________________
Signature: ________________________________