Data Processing Agreement
Last updated: 4 June 2026
1. Introduction
This Data Processing Agreement ("DPA") describes how Spekboom Tree (Proprietary) Limited ("we", "us", "our") processes personal data and details the third-party data processors we work with to provide our services.
This DPA supplements our Privacy Policy and is part of our commitment to GDPR and POPIA compliance.
2. What is a Data Processor?
A data processor is a third-party service that processes personal data on our behalf. We carefully select processors that meet high standards for data protection and security.
We remain responsible for your data even when it is processed by third parties, and we ensure all processors comply with GDPR, POPIA, and other applicable data protection laws.
3. Our Data Processors
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (supabase.com) | Database & Authentication | User accounts, bookings, messages, accommodation data | EU (DigitalOcean Frankfurt) |
| Paystack (paystack.com) | Payment Processing | Payment card data, transaction details, billing information | Nigeria, PCI-DSS Level 1 certified |
| SendGrid (Twilio) (sendgrid.com) | Email Delivery | Email addresses, names, transactional email content | USA (covered by Standard Contractual Clauses) |
| Cloudinary (cloudinary.com) | Image & Media Storage | Accommodation photos, user profile images | Global CDN (auto-region selection) |
| Twilio (twilio.com) | WhatsApp Messaging & SMS | Phone numbers, message content, delivery status | USA (covered by Standard Contractual Clauses) |
| Google Maps Platform (Google Cloud) | Maps & Location Services | IP addresses, location searches, map interactions | Global (Google Cloud infrastructure) |
| Vercel (vercel.com) | Website Hosting & CDN | IP addresses, usage logs, performance data | Global edge network (auto-region) |
| Google Analytics (analytics.google.com) | Website Analytics | IP addresses (anonymized), device info, browsing behavior | USA (IP anonymization enabled) |
| Sentry (sentry.io) | Error Tracking & Monitoring | Error logs, user IDs (pseudonymized), session data | USA (data filtered for PII) |
4. International Data Transfers
Some of our processors are located outside of South Africa and the European Union. For these transfers, we use appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers to non-EU countries
- Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
- Certification Schemes: Processors certified under frameworks such as the successor mechanisms to Privacy Shield
5. Processor Security Requirements
All our data processors must meet these minimum standards:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Regular security audits and penetration testing
- SOC 2 Type II or ISO 27001 certification
- GDPR and POPIA compliance documentation
- Data breach notification procedures
- Staff training on data protection
- Secure data deletion capabilities
6. Sub-Processors
Some of our main processors use their own sub-processors (e.g., cloud infrastructure providers). We ensure all sub-processors meet the same security and privacy standards.
You can find detailed sub-processor information in each processor's documentation linked in the table above.
7. Your Rights Regarding Processor Data
You have the right to:
- Access: Request information about data processed by our processors
- Rectification: Correct inaccurate data held by processors
- Erasure: Request deletion of your data from all processors
- Portability: Receive your data in a machine-readable format
- Object: Object to certain types of processing
- Restriction: Request temporary suspension of processing
To exercise these rights, contact us at privacy@spekboom.org. We will coordinate with our processors to fulfill your request within 30 days.
8. Data Retention by Processors
Processors retain your data only as long as necessary to provide our services. Typical retention periods:
- Supabase (Database): Active account duration + 6 months
- Paystack (Payment): 7 years (legal requirement for financial records)
- SendGrid (Email logs): 30 days
- Cloudinary (Images): Active account duration + deletion on request
- Google Analytics: 26 months (configurable, can be reduced)
- Sentry (Error logs): 90 days
9. Changes to Processors
We may change our data processors from time to time. When we add a new processor that handles personal data, we will:
- Update this page with the new processor information
- Ensure the new processor meets our security standards
- Update our Privacy Policy if necessary
Check this page regularly for updates. The date of the last update is shown at the top of this page.
10. Contact Us
If you have questions about our data processors or this DPA:
- Email: privacy@spekboom.org
- Company: Spekboom Tree (Proprietary) Limited
- Registration: K2021143449 (South Africa)