Ikigai ADE - Data Processing Agreement (template)
Last updated: 2026-06-24
For: B2B customers (Pro plan; Enterprise by negotiation) who process personal information of EU / UK / SA data subjects using the Ikigai platform.
This DPA forms part of the Ikigai Terms of Service when the customer ("Controller") processes personal information through the platform on which Ikigai acts as Processor.
This is a template. Counter-signed copies are issued on request to enterprise customers. Email mohamedsidiyot@gmail.com.
1. Definitions
- GDPR - Regulation (EU) 2016/679.
- POPIA - Protection of Personal Information Act 4 of 2013 (South Africa).
- Personal Information / Data - as defined under the applicable law.
- Controller - the Customer.
- Processor - Ikigai ADE (Pty) Ltd.
- Subprocessor - any third party engaged by Processor to process Personal Data. Current list at
/legal/subprocessors.
2. Scope and roles
Processor processes Personal Data on documented instructions from Controller, solely to provide the Ikigai services. Processor is a "Processor" under GDPR Article 28 and an "Operator" under POPIA Section 1.
3. Subject matter and duration
| Item | Detail |
|---|---|
| Subject matter | Processing of Personal Data to provide AI-driven growth services (Marketing, GEO, Ads, Sales, Legal, Trading, Finance, Influencer, Voice, and Agency Command intelligence). |
| Duration | While the Subscription Agreement is in force + 30 days post-termination for data return / deletion. |
| Nature and purpose | Storage, organisation, retrieval, agent processing, transmission to LLM providers under per-request DPAs. |
| Categories of data | As specified by Controller in their use of the service. Typically: name, business email, business phone, company, role, conversation history, agent memory. |
| Categories of data subjects | Controller's customers, leads, employees, contractors. |
4. Processor obligations
Processor shall:
- Process only on Controller's documented instructions (the Subscription Agreement + Controller's configuration).
- Ensure persons authorised to process are bound by confidentiality.
- Take appropriate technical and organisational measures (see Annex II).
- Engage subprocessors only with general authorisation (Annex III) and at least 30 days' notice of changes.
- Assist Controller in responding to data-subject requests (access, correction, deletion).
- Assist Controller with compliance obligations (DPIAs, breach notifications, regulator inquiries).
- Delete or return all Personal Data at termination, at Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits at reasonable intervals.
5. Personal data breach
Processor notifies Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach affecting Controller's data. Notification includes nature, categories, approximate number of affected subjects/records, likely consequences, and measures taken.
6. Subprocessors
Controller authorises the subprocessors listed in /legal/subprocessors and Annex III. Processor notifies Controller of any addition or replacement at least 30 days in advance via email. Controller may object on reasonable grounds.
7. International transfers
Processor relies on:
- For transfers from the EU/UK to the US: Standard Contractual Clauses (Module 2, Controller to Processor).
- For transfers from South Africa to other jurisdictions: Section 72(1) POPIA - adequate protection in the destination, evidenced by the counterpart's DPA.
8. Liability
Processor's aggregate liability under this DPA is subject to the limitation of liability in the Subscription Agreement.
9. Governing law
This DPA is governed by the laws of South Africa. Disputes are subject to the exclusive jurisdiction of South African courts, unless the Subscription Agreement specifies otherwise.
Annex I - Description of processing
| Item | Detail |
|---|---|
| Categories of data subjects | (per Section 3) |
| Categories of personal data | Name, business email, business phone, role, company, free-text content provided by Controller |
| Special categories | None expected. Controller agrees not to upload special-category data without prior agreement. |
| Frequency of transfer | Continuous, on Controller demand |
| Subject matter, nature and purpose | (per Section 3) |
| Retention | Per /legal/popia-disclosure Section 6 |
Annex II - Technical and organisational measures
- TLS 1.3 in transit, AES-256 at rest.
- Row-Level Security in Postgres; per-tenant isolation verified by automated test suite on every code change.
- Access controlled via Supabase Auth with email-based authentication; service-role keys held in encrypted vault.
- Secrets rotated on a defined schedule.
- Audit logs for service-role access.
- Production deploys gated by an automated security review and human sign-off.
- Encrypted backups with point-in-time recovery on supported plans.
- Incident response runbooks maintained internally.
- Annual third-party penetration test (post first Enterprise contract).
Annex III - Approved subprocessors
See current live list at https://ikigaigrowthconsulting.co.za/legal/subprocessors. Snapshot at signing date forms the initial list; updates per Section 6.
Controller: Name: Title: Signature: Date:
Processor (Ikigai ADE (Pty) Ltd): Name: Mohamed Sidiyot Title: Director / Information Officer Signature: Date: