Client Data Processing Agreement
1. Introduction and Definitions
1.1. Purpose
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Customer” or “Controller”) and xneelo (the “Processor”). It governs the processing of Personal Data by xneelo when providing hosting and related services to you.
This DPA ensures compliance with the Protection of Personal Information Act (POPIA) in South Africa and the General Data Protection Regulation (GDPR) in the EU/EEA.
1.2. How this DPA Works
When you use xneelo’s hosting services to collect or store data about your customers, website visitors, or users:
- You are the Data Controller (or Responsible Party under POPIA): You determine what Personal Data is collected and how it is used.
- We are the Processor (or Operator under POPIA). We process Personal Data on your behalf in accordance with your instructions and this DPA.
It’s important to note that when we manage your account directly, including handling your billing details, responding to your support tickets, or maintaining your customer relationship, we act as a Controller. In those situations, our Privacy Policy governs how we handle your information, not this Agreement.
1.3. Definitions
For the purposes of this Agreement:
- “Controller” or “Customer” means the entity that determines the purposes and means of processing Personal Data. This is you when you use our hosting services to collect or store data about your end users.
- “Data Protection Laws” means all applicable laws and regulations governing the processing of Personal Data, including POPIA, the GDPR and any successor legislation.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by xneelo on behalf of our Customers.
- “POPIA” means the Protection of Personal Information Act 4 of 2013 (South Africa).
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, or destruction.
- “Processor” or “xneelo” means xneelo Group of Companies, which includes xneelo (Pty) Ltd and xneelo Limited.
- “Services” means the hosting, infrastructure, and related services provided by xneelo as described in the Terms of Service.
- “Sub-processor” means any third party engaged by xneelo to process Personal Data on behalf of the Customer.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.
- “Terms of Service” means the agreement between Customer and xneelo governing the use of xneelo’s Services.
2. What This Agreement Covers
Scope and Application of this DPA
This DPA automatically applies to all hosting services through which you collect, store, or process Personal Data about your end users.
This DPA supplements and forms part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
Processing Instructions
- xneelo will process Personal Data only in accordance with your documented instructions, as the Controller. These instructions include those provided through your use and configuration of the services, your support requests, and any other written instructions you issue.
- xneelo shall not process Personal Data for any purpose other than as instructed by the Controller, unless required to do so by applicable law. Where such a legal requirement exists, xneelo will inform the Controller prior to processing, unless prohibited by law.
- Where processing involves transfers of Personal Data to a third country or international organisation, such transfers shall only occur in accordance with documented instructions from the Controller or applicable Data Protection Laws.
Processing Details
The subject matter of the processing is our provision of hosting and infrastructure services to you. The processing continues for as long as the Services Agreement remains in place. The nature and purpose of the processing is to host, store, and maintain the infrastructure that supports your websites, applications, databases, and email services.
The Personal Data we process is determined by how you use the services and may include contact details such as names, email addresses, and phone numbers; account login details; transaction and payment information; content created or uploaded by users; technical information such as IP addresses, device details and cookies; and any other Personal Data you choose to upload or transmit through the services.
The categories of persons whose Personal Data may be processed are determined by your use of the services. They may include visitors to your websites, your customers or clients, newsletter subscribers, account holders and your employees or contractors.
3. Roles and Responsibilities
Legal Compliance
As the Data Controller, you are responsible for ensuring that your collection and use of Personal Data is lawful and compliant with applicable data protection laws. This includes having a valid legal basis for processing Personal Data, obtaining any required consents from your end users, and providing a clear and accessible privacy policy on your website or application.
Data Management
You are also responsible for managing the Personal Data processed through services hosted with xneelo. This means deciding what Personal Data is collected, implementing appropriate security measures within your own applications and databases, regularly reviewing and deleting Personal Data that is no longer needed, and ensuring that the data you process is accurate and kept up to date.
End User Rights
In addition, you are responsible for managing your end users’ rights. This includes responding to data subject access requests, managing requests for correction, deletion, restriction of processing, or withdrawal of consent, and maintaining records of processing activities where required by law.
Communication
You are expected to communicate clearly with xneelo regarding how Personal Data should be processed, to notify us of any restrictions or special requirements, and to inform us promptly if you become aware of any security concerns or data breaches affecting the Personal Data you control.
Processor Obligations under Data Protection Laws
xneelo shall, in relation to any Personal Data processed under this Agreement:
- Ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and have received appropriate training in data protection and security.
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries or international organisations, unless required to do so by applicable law.
- Taking into account the nature of the processing and the information available to xneelo, provide reasonable assistance to the Controller in:
  - Ensuring compliance with obligations relating to data protection impact assessments (DPIAs);
  - Prior consultations with supervisory authorities, where required; and
  - Fulfilling the Controller’s obligations under applicable Data Protection Laws.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and assist the Controller in responding to requests from supervisory authorities or regulators relating to the processing of Personal Data.
4. Data Security Measures
Technical and Organisational Measures
xneelo implements and maintains appropriate technical and organisational measures to protect Personal Data. These measures include:
- Encrypting data in transit using TLS or SSL protocols, encrypting data at rest on storage systems, and securing backup systems through encryption.
- Access to systems containing Personal Data is restricted through multi-factor authentication for administrative access, role-based access controls that limit access to authorised personnel only, regular reviews of access rights, immediate revocation of access when personnel leave, and logging and monitoring of system access.
- Our infrastructure security measures include firewalls and intrusion detection or prevention systems; regular security patching and updates; network segmentation and isolation; and protection against distributed denial-of-service attacks.
- Physical security is maintained through secure data centre facilities with restricted access, continuous monitoring and surveillance, and appropriate environmental controls and redundancy.
- At an organisational level, xneelo ensures that personnel authorised to process Personal Data are subject to confidentiality obligations and receive regular training in data protection and information security. We maintain robust information security policies and procedures, provide ongoing data protection and security training to staff, conduct background checks on personnel with system access, and maintain incident response and business continuity plans.
Security Testing and Monitoring
xneelo carries out regular vulnerability assessments and penetration testing, continuous security monitoring and threat detection, annual third-party security audits, and ongoing reviews and updates of our security measures to ensure they remain effective and appropriate.
Your Security Responsibilities
You are responsible for maintaining the security of your own use of the services. This includes using strong, unique passwords; enabling multi-factor authentication where available; implementing appropriate security controls within your applications; keeping your contact details up to date; securing your devices and access credentials; and reporting any suspicious activity to support@xneelo.com without delay.
Audit and Inspection Rights
xneelo will, on reasonable written notice, provide you with information necessary to demonstrate compliance with this DPA and Article 28 of the GDPR. xneelo will permit audits, subject to the following conditions:
- At least 30 days’ prior written notice is required, unless regulatory urgency dictates otherwise.
- Audits must take place during normal business hours and should not cause undue disruption.
- Appropriate confidentiality obligations must be maintained.
- You will cover your own costs unless a material non-compliance is identified.
xneelo may meet audit requirements by providing certifications or independent audit reports, where these reasonably demonstrate compliance, in place of an on-site audit.
5. Sub-Processors
You acknowledge that, from time to time, xneelo may use trusted Sub-processors to assist us in delivering our services. We remain responsible for their actions and omissions and ensure that they are held to the same data protection standards that apply to us.
xneelo’s Current Sub-Processors
| Sub-Processor | Services Provided | Location | Safeguards |
|---|---|---|---|
| Payment Processors | | | |
| MultiData PayGate | Payment Processing and transaction verification | South Africa | PCI-DSS compliance, DPA and SCCs, where applicable |
| Domain & Infrastructure | | | |
| Tucows (OpenSRS/Enom), ZARC | Domain registration and DNS services | Canada, Ireland and Germany | DPA, SCCs |
| Hetzner Online | Hosting and Security | Global, EU data centres | DPA and SCCs, where applicable |
| Microsoft, CM4All | Product Add-on, Website building platform | Germany, Ireland and the United States | DPA and SCCs, where applicable |
| Analytics | | | |
| Google Cloud (BigQuery), Fraud Prevention Providers, Microsoft Clarity | Usage analytics, security, fraud detection, risk assessment, behavioural analytics, session replay, and heatmaps. | EU, United States | DPA, SCCs, pseudonymisation and encryption |
| Communication Providers | | | |
| FreshDesk FreshChat, 3CX, SmartPages, MailGun, OpenAI, CustomGPT, BulkSMS | Email delivery, SMS, customer communications | The United States and the EU | Encryption, pseudonymisation, DPA, SCCs where applicable |
6. Data Subject Rights
Your Obligations as Controller
As the Controller, you are responsible for receiving and responding to requests from your end users who wish to exercise their data protection rights. This includes verifying the identity of the individual making the request, determining whether the request is valid under applicable law, and ensuring that you respond within the required statutory timeframes, which are typically 30 days under GDPR and POPIA.
xneelo’s Assistance
If a data subject submits a request directly to xneelo, we will not respond on your behalf unless we are legally required to do so. Instead, we will forward the request to you within a reasonable period and inform you if any legal obligation requires us to respond directly. Where appropriate, xneelo will also provide reasonable technical assistance to help you meet your obligations as Controller.
In this regard, xneelo shall, taking into account the nature of the processing, provide reasonable technical and organisational assistance to the Controller in fulfilling its obligations to respond to data subject requests.
7. Data Transfers
Some of our service providers may operate outside of South Africa or the EU/EEA. Where Personal Data is transferred internationally, xneelo ensures that such transfers comply with section 72 of the POPIA and other applicable data protection laws. We rely on one or more of the following bases for such transfers:
- The recipient country or organisation ensures an adequate level of protection substantially similar to POPIA.
- The transfer is necessary for the performance of a contract with you, or for the implementation of pre-contractual measures at your request.
- Appropriate contractual safeguards are in place, including Data Processing Agreements (DPAs) with our service providers.
Where transfers involve EU/EEA data subjects, these agreements incorporate the European Commission-approved Standard Contractual Clauses (SCCs), and Transfer Impact Assessments (TIAs) as required under the GDPR. In addition, we implement appropriate technical and organisational measures, such as encryption and pseudonymisation, to safeguard your Personal Data during transfer and storage.
8. Data Breach
We take data protection seriously and have measures in place to identify, contain, and address Personal Data breaches. If a breach occurs that poses a risk to your Personal Data, we will notify you and the relevant authorities without undue delay and, where applicable, within the statutory timelines set out in POPIA and the GDPR. Our notification will include information about the nature of the breach, its potential impact, and any steps you may need to take to protect yourself.
Any notification provided by xneelo in relation to a Personal Data breach will not be construed as an admission of fault or liability by xneelo or any third party involved in the processing of Personal Data.
For the purposes of this DPA, a Personal Data breach means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Personal Data.
9. General Provisions
9.1 Liability and Indemnities
xneelo’s data breach notification obligations apply only to Personal Data breaches that occur within xneelo’s systems or infrastructure and that are discovered by xneelo or reasonably should have been identified through xneelo’s security monitoring processes.
Each party shall be responsible for, and liable for damages arising from, its own breach of applicable Data Protection Laws or this DPA, subject to the limitations of liability set out in the Terms of Service. Except where liability cannot be limited by law or is imposed by a competent data protection authority, neither party shall be liable for indirect, consequential, or punitive damages.
You agree to indemnify, defend, and hold harmless xneelo from and against all claims, damages, losses, and reasonable costs arising out of or relating to your acts or omissions in your role as Controller, including your violation of Data Protection Laws, your instructions to xneelo that are unlawful, your failure to obtain required consents or provide appropriate privacy notices, your breach of this DPA, or claims brought by your end users relating to your data collection or processing practices.
9.2. Term, Termination, Deletion, and Retention
This DPA takes effect on the date you first use xneelo’s services to process Personal Data and remains in force until all services have been terminated.
Upon request or at the termination of our services, xneelo will securely delete all Personal Data from our active systems, delete all copies held in backup systems, and, where requested, provide written confirmation that the deletion has been completed. We aim to complete deletion requests within 10 business days, though backup removal may take up to 90 days.
Notwithstanding the above, xneelo may retain Personal Data to the extent required by applicable law, including tax, accounting, or regulatory obligations, or where retention is necessary for litigation, dispute resolution, or regulatory proceedings. Personal Data stored in backup systems may also be retained for the duration of xneelo’s standard backup retention schedule, after which it will be securely deleted. Any Personal Data retained in accordance with this section will remain subject to the confidentiality and security obligations set out in this DPA.
Sub-processors engaged by xneelo may apply their own data retention periods in accordance with their applicable legal and operational requirements, provided that such retention is consistent with applicable Data Protection Laws.
9.3. Governing Law and Jurisdiction
If you are located in:
- South Africa, this DPA is governed by South African law and subject to the jurisdiction of the South African courts, with POPIA as the primary data protection framework.
- The EU or EEA, this DPA is governed by the laws of the EU member state in which you are established and is subject to the jurisdiction of that member state’s courts, with the GDPR as the primary data protection framework.
- Any other jurisdiction, this DPA is governed by South African law and is subject to the jurisdiction of the South African courts, with due regard to any applicable local data protection laws.
9.4. Notices
All notices under this DPA must be in writing and submitted to our Information Officer, who is registered with the Information Regulator, at the following address: information.officer@xneelo.com, and must include:
- Your full name
- Account details (if you are a customer)
- A clear description of your request
- Proof of identity (for verification purposes).
We will respond within 30 days of receiving your request. If the request is complex or involves multiple records, the timeframe may be extended to 60 days; however, we will notify you if this occurs.
10. Acknowledgement and Acceptance
By using xneelo’s Services to process Personal Data, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This DPA is effective as of the date you first use xneelo’s Services to process Personal Data.



