XGRC® Data Processing Addendum


Strategix Application Solutions (Pty) Ltd
Version: 2.0 | Last updated: 13 April 2026 | Effective: 30 April 2026
Reference: XGRC-DPA-002

This Data Processing Addendum is incorporated into the XGRC® SaaS Agreement by reference. It governs all processing of Personal Information by Strategix in connection with the XGRC® platform service.

1. Purpose and Scope

This Data Processing Addendum (“DPA”) governs the processing of Personal Information contained in Customer Data in connection with the XGRC® platform service (“Service”) provided by Strategix Application Solutions (Pty) Ltd (“Provider” or “Strategix”) to the Customer identified in the applicable Proposal & Order Form.

This DPA is intended to satisfy the requirements of a written operator agreement under section 21 of the Protection of Personal Information Act 4 of 2013 (“POPIA”) and, where the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to the Customer’s processing activities, to meet the processor agreement requirements of Article 28 GDPR.

2. Definitions

“Business Days” means any day that is not a Saturday, Sunday, or public holiday in South Africa.
“Customer Data” has the meaning given in the XGRC® SaaS Agreement.
“Personal Information” has the meaning given in POPIA and, where applicable, equivalent terms in other applicable data protection legislation.
“Processing” means any operation performed on Personal Information, including collection, storage, use, disclosure, transmission, and deletion.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information.
“Subprocessor” means any third party engaged by Strategix to process Personal Information in connection with the delivery of the Service.

3. Roles of the Parties

For the purposes of applicable data protection law:

The Customer acts as the Responsible Party / Controller and determines the purpose and means of processing Personal Information.
Strategix acts as the Operator / Processor and processes Personal Information solely on behalf of and under the documented instructions of the Customer.

The Customer is responsible for ensuring it has a lawful basis for processing and for compliance with its obligations as Responsible Party / Controller under applicable law.

4. Scope of Processing

Strategix processes Personal Information only to the extent necessary to provide and support the Service, including: hosting and storage; system access and user management; technical support and maintenance; backup and recovery; and security monitoring and operations.

The categories of Personal Information processed are determined by the Customer and may include employee, contractor, supplier, stakeholder, or other business-related records uploaded to or generated through the Service.

Strategix shall process Personal Information only on documented instructions from the Customer. If Strategix is required to process Personal Information for any other purpose by applicable law, it will inform the Customer before doing so, unless prohibited by law.

5. Customer Obligations

The Customer warrants that it:

  • Has a lawful basis to process the relevant Personal Information and has obtained all required notices, consents, or authorisations where applicable;
  • Complies with its obligations as Responsible Party / Controller under applicable data protection law;
  • Remains responsible for the legality, quality, accuracy, and relevance of all Personal Information submitted to the Service; and
  • Will promptly notify Strategix of any change in instructions that may affect how Personal Information is processed.

6. Provider Obligations

Strategix shall:

  • Process Personal Information only on the Customer’s documented instructions and in accordance with this DPA;
  • Not use Personal Information for any independent purpose or disclose it to any third party except as necessary to deliver the Service or as required by applicable law;
  • Ensure that all personnel with access to Personal Information are subject to appropriate confidentiality obligations; and
  • Implement and maintain appropriate technical and organisational measures to protect Personal Information.

7. Security Measures

Strategix maintains security measures aligned to ISO 27001:2022 certification. These measures include:

  • Access control and identity management;
  • Encryption of data in transit and at rest;
  • Security monitoring and logging;
  • Vulnerability management and patch management; and
  • Backup, recovery, and business continuity capabilities.

Full details are available at xgrcsoftware.com/trust/cybersecurity.

8. Subprocessors

The Customer authorises Strategix to engage Subprocessors to support delivery of the Service, subject to the following conditions:

  • Strategix imposes contractual obligations on Subprocessors that are no less protective than those in this DPA.
  • Strategix remains responsible for the acts and omissions of its Subprocessors.
  • A current list of Subprocessors is published at xgrcsoftware.com/trust/subprocessors.
  • Where a Subprocessor change is material, Strategix will provide not less than 10 Business Days’ advance notice.
  • The Customer may raise a written objection to a new or changed Subprocessor on reasonable data protection grounds within 10 Business Days of notice.

9. International Transfers

Personal Information may be processed in jurisdictions outside South Africa. Strategix ensures that appropriate safeguards are in place for any cross-border transfer, including contractual protections or other recognised mechanisms. Further information on data hosting is available at xgrcsoftware.com/trust/data-hosting.

10. Data Subject Rights

The Customer remains responsible for responding to data subject requests. Strategix will provide reasonable assistance where technically feasible and necessary, subject to applicable law. Strategix may charge a reasonable fee for assistance outside the scope of standard support.

11. Security Incidents

Strategix will notify the Customer without undue delay, and within 72 hours of becoming aware of a confirmed Security Incident affecting Customer Data. Notification will include, to the extent available: the nature of the incident; categories and approximate number of affected data subjects and records; likely consequences; and remediation steps.

Strategix is not responsible for Security Incidents arising from the Customer’s own configuration, access control decisions, or acts of the Customer’s users, or from systems outside Strategix’s control.

12. Data Retention and Deletion

On termination or expiry of the SaaS Agreement:

  • The Customer may request a copy of its Customer Data within 30 days of termination.
  • Strategix will delete or irreversibly anonymise Personal Information within 90 days of the termination date, subject to lawful retention obligations and the standard backup retention cycle.
  • Personal Information retained in backup systems remains subject to the obligations of this DPA until overwritten.

13. Audit and Compliance

Strategix maintains ISO 27001:2022 certification. On reasonable written request, Strategix will make available relevant certifications, audit summaries, or control statements as evidence of compliance.

On-site audits are not permitted except where required by applicable law or agreed in writing, subject to confidentiality, security, scope, and cost controls.

14. Liability

Liability relating to data protection under this DPA is governed by the limitation of liability provisions of the XGRC® SaaS Agreement. Nothing in this DPA increases or expands Strategix’s liability beyond those limits.

15. Updates to this DPA

Strategix may update this DPA to reflect legal or regulatory changes, operational improvements, or security enhancements. Material changes will be communicated to Customers not less than 30 days before the effective date. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.

16. Governing Law

This DPA is governed by the laws of the Republic of South Africa and is subject to the same dispute resolution provisions as the XGRC® SaaS Agreement.
