1
First contact — protect confidentiality
Before any platform information, pricing, or architecture is shared, both parties sign the NDA. This protects XGRC® IP during the entire evaluation phase.
Non-Disclosure Agreement v4.0
XGRC-NDA-004
Customer fills: name, reg no, jurisdiction, address, email
Both parties sign + witness
Strategix: pre-filled
2
Discovery — capture requirements
The customer completes the Business Landscape document — recording requirements, user counts, modules needed, and integrations. Strategix uses this for configuration, scoping, and pricing. The customer warrants its accuracy under SaaS Agreement clause 6.1.
Business Landscape
Internal scoping document
Customer completes all fields
No signature required
Customer warrants accuracy — inaccuracy is at customer’s risk
3
Commercial agreement — price and scope
Strategix issues the Proposal with all commercial terms — pricing, licence structure, term, and renewal basis. On signature by both parties it becomes the binding Order Form and the subscription begins.
Proposal & Order Form v2.0
XGRC-PRO-002 · 30-day validity from date of issue
Strategix: completes all commercial fields before sending
Customer: reg no, address, primary contact
Both parties sign + witness
On signature: becomes binding Order Form
4
Legal framework — signed once
The SaaS Agreement is signed alongside the Proposal at deal close. By signing, the customer accepts the DPA and all Website Policies by reference — no separate click-throughs required for any operational policy.
SaaS Agreement v4.0
XGRC-SAAS-004 · 21 clauses · effective date taken from Proposal
Strategix: pre-filled including all 5 Website Policy URLs
Customer: name, reg no, jurisdiction, address, email, notices contact
Both parties sign + witness
Incorporates DPA + 5 Website Policies by reference
Data Processing Addendum v2.0
XGRC-DPA-002 · accepted via SaaS Agreement cl.18.2 — no separate signature
Binding by reference — no re-signing on policy updates
Satisfies POPIA s.21 operator agreement requirement
5
Onboarding & go-live
Platform access is provisioned per the Business Landscape. Any changes to scope after signature require formal change control and may affect price and timelines.
Configuration per Business Landscape
Changes after signing → formal change order required
Support Policy governs all support from day one
6
Active subscription — ongoing obligations
Both parties operate under the SaaS Agreement for the term. Website Policies can be updated on 30 days’ notice without re-signing. Annual fee adjustments apply from 1 March each year on 30 days’ written notice.
7
Renewal
Auto-renews unless 60 days’ written notice is given before term end. New Proposal issued if pricing or scope changes. SaaS Agreement continues — no re-signing required.
New Proposal for pricing changes only
SaaS Agreement continues — no re-signing
60 days’ notice required to cancel
8
Termination
Either party may terminate per the SaaS Agreement. 30-day data export window. All outstanding fees immediately due and payable. Key clauses survive.
30-day data export window (cl.7.4)
All fees immediately due on termination
Survival: clauses 5, 7, 12, 14, 17, 19
XGRC-NDA-004
NDA v4.0
16 clauses · 2-year term · 5-year survival
1Parties
2Definitions
3Confidentiality obligations
4Permitted disclosure
5Intellectual property
6Data protection
7Return and destruction
8Term and survival
9No obligation
10Breach and remedies
11Limitation of liability
12Assignment
13Governing law & disputes
14Notices
15General
16Signatures
AFSA arbitration · Johannesburg
Trade secrets survive indefinitely
No competing use clause
No reverse engineering clause
XGRC-PRO-002
Proposal & Order Form v2.0
10 sections · 30-day validity
1Executive summary
2Customer details
3Proposed XGRC® solution
4Scope and assumptions
5Licence structure
6Commercial terms
7Term and renewal
8Contractual framework
9Customer acknowledgements
10Acceptance / signatures
Becomes Order Form on signature
Discounts: initial term only — no precedent
Annual adjustment from 1 March each year
XGRC-SAAS-004
SaaS Agreement v4.0
21 clauses · master legal framework · signed once
1Parties
2Effective date & structure
3Definitions
4Subscription grant
5Use restrictions
6Customer responsibilities
7Customer data
8Service delivery
9Fees and payment
10Term and renewal
11Termination
12Intellectual property
13Warranties
14Limitation of liability
15Indemnities
16Suspension
17Confidentiality
18Website policies & DPA
19Governing law & disputes
20Notices
21General + signatures
12-month liability cap
Suspension — not interest — for non-payment
30-day data export on termination
Benchmarking prohibition
1 March annual price adjustment
XGRC-DPA-002
Data Processing Addendum v2.0
16 clauses · binding via SaaS cl.18.2 · no separate signature
1Purpose and scope
2Definitions
3Roles of parties
4Scope of processing
5Customer obligations
6Provider obligations
7Security measures
8Subprocessors
9International transfers
10Data subject rights
11Security incidents
12Retention and deletion
13Audit and compliance
14Liability
15Updates to DPA
16Governing law
POPIA s.21 operator agreement
72-hr breach notification
90-day deletion window
Azure West Europe (Netherlands / Ireland)
Binding — incorporated into SaaS Agreement
Trust Centre — procurement & due diligence
Informational — public notices
Legal Hub — /legal
Legal Hub index
/legal ↗
Anchor page. Separates binding documents from public notices. Sets the contractual context explicitly.
Data Processing Addendum
/legal/data-processing-addendum ↗
POPIA s.21 operator agreement. 16 clauses. 72-hr breach notification. Version + date must display clearly.
Acceptable Use Policy
/legal/acceptable-use-policy ↗
Permitted and prohibited platform use. Breach triggers immediate suspension rights.
Support Policy
/legal/support-policy ↗
6 severity levels. Sev 0 covered 24/7. Response targets with customer-caused exclusions.
Privacy Policy
/legal/privacy-policy ↗
POPIA notice for website visitors and prospects.
Cookie Policy
/legal/cookie-policy ↗
Cookie categories and management preferences.
Website Terms of Use
/legal/website-terms ↗
Website access, IP ownership, and no-reliance clause.
Privacy Requests
/legal/privacy-requests ↗
POPIA data subject rights. Contact: info@xgrcsoftware.com
Trust Centre — /trust
Trust Centre index
/trust ↗
Enterprise procurement and security due diligence entry point.
Cybersecurity Policy
/trust/cybersecurity ↗
ISO 27001:2022 alignment. Security controls. Incident handling. Binding in part via SaaS.
Subprocessor List
/trust/subprocessors ↗
Microsoft Azure + Microsoft 365. EU West Europe. 10 Business Days’ notice for material changes.
Data Hosting
/trust/data-hosting ↗
Azure West Europe (Netherlands / Ireland). ISO 27001/27017/27018 + SOC 2 Type II certified.
Non-payment escalation — SaaS cl.9.4
Payment default process cl.9.4
- Day 31: written payment reminder issued to the customer
- Day 45: suspension of access on written notice — subscription keeps running, no credit available, no set-off permitted
- Day 60+: termination right on 7 Business Days’ written notice (cl.11.2)
- On termination: all outstanding fees immediately due and payable
Immediate suspension — SaaS cl.16
Suspension without prior notice cl.16
- Security incident or threat to the platform or other customers on the multi-tenant environment
- Material breach of the Acceptable Use Policy
- Continued access would expose Strategix to legal liability
- Customer notified as soon as reasonably practicable after suspension
Termination for cause — SaaS cl.11.1
Material breach or insolvency cl.11.1
- Material breach not remedied within 14 Business Days of written notice specifying the breach
- Insolvency, liquidation, or business rescue appointment
- All fees for the remainder of any fixed term become immediately due and payable
Security incident — DPA cl.11
Confirmed data breach DPA cl.11
- Notify customer within 72 hours of becoming aware of a confirmed security incident
- Notification must include: nature of incident, data categories affected, and remediation steps
- Not responsible for incidents from customer’s own configuration, users, or systems outside Strategix’s control
Subprocessor change — DPA cl.8
Adding or changing a subprocessor DPA cl.8
- Material change: 10 Business Days’ advance written notice to the customer
- Customer may object in writing within 10 Business Days on data protection grounds
- If unresolved within 30 days: either party may terminate the affected service on written notice
Day −60
Renewal notification
Strategix sends renewal notification confirming fees for the next period
›
Customer reviews
Accept or cancel
60 days’ written notice to cancel. No response = auto-renewal.
›
If pricing changes
New Proposal issued
Customer signs new Proposal only. SaaS Agreement continues unchanged.
›
If no notice given
Auto-renews
Same term, fees per renewal notification or 1 March annual adjustment
| Document | What happens at renewal |
|---|---|
| SaaS Agreement | Continues automatically — no re-signing required |
| Data Processing Addendum | Continues automatically — no re-signing required |
| Website Policies | Continue automatically, updated on 30 days’ notice without re-signing |
| Proposal & Order Form | New Proposal required only if pricing or scope changes |
| NDA | Separate 2-year term — check expiry date and refresh if needed |
Annual Price Adjustment — SaaS Agreement Clause 9.6
The Provider may adjust Fees annually with effect from 1 March each year on not less than 30 days’ prior written notice. Adjustments may reflect inflation, operating cost increases, subprocessor cost changes (including Microsoft Azure infrastructure pricing), enhancements to the Service, and changes in market conditions.
The adjusted Fees apply from the first billing cycle commencing on or after 1 March in the relevant year. If no notice of adjustment is given before 1 March, the Fees from the preceding period continue unchanged until the next annual adjustment cycle. The first annual adjustment shall not take effect earlier than 12 months after the Effective Date.
The adjusted Fees apply from the first billing cycle commencing on or after 1 March in the relevant year. If no notice of adjustment is given before 1 March, the Fees from the preceding period continue unchanged until the next annual adjustment cycle. The first annual adjustment shall not take effect earlier than 12 months after the Effective Date.
