Data Processing Agreement
Last updated: 26 June 2026
This Data Processing Agreement ("DPA") forms part of the Platform Terms between the merchant ("Responsible Party") and VelaCommerce ("Operator") and governs the processing of personal information of the merchant's end-customers on the Platform, in line with the Protection of Personal Information Act 4 of 2013 ("POPIA"), sections 19–22.
1. Subject matter and duration
Processing relates to operating the merchant's storefront — order capture, payment routing, delivery booking, customer communications, and related platform functions — for the duration of the merchant account.
2. Nature and purpose of processing
- Hosting and serving the storefront and merchant console.
- Capturing and storing orders, deliveries, and communications.
- Routing data to payment and delivery sub-processors.
- Securing the Platform and detecting fraud.
3. Categories of data subjects
End-customers of the merchant who place orders, create accounts, or contact the storefront.
4. Categories of personal information
Name, email, phone, delivery address, pickup-point selection, order history, IP address, and any optional fields the merchant configures.
5. Obligations of VelaCommerce as Operator (POPIA s.20–21)
- Process personal information only on the documented instructions of the merchant.
- Treat personal information as confidential.
- Maintain appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised access, or destruction.
- Notify the merchant without undue delay and within 72 hours of becoming aware of a security compromise that affects personal information, with enough detail for the merchant to meet its s.22 notification duty.
- Assist the merchant — at the merchant's cost where the request is not caused by our breach — with data-subject requests, impact assessments, and Regulator engagement.
- On termination, return or securely delete personal information at the merchant's election, subject to legal retention requirements.
6. Sub-processors
The merchant gives general authorisation for VelaCommerce to engage the sub-processors listed in the Sub-processor register. We notify merchants at least 14 days before adding or replacing a sub-processor; the merchant may object in writing on reasonable grounds, in which case we will work with the merchant to find a remedy or terminate the affected service.
7. Cross-border transfers (POPIA s.72)
Where a sub-processor is outside South Africa, we maintain binding contractual protections that provide an adequate level of protection comparable to POPIA.
8. Audit
We make available the information necessary to demonstrate compliance with this DPA. Merchants on enterprise contracts may request an audit once per 12 months on reasonable notice, at the requesting party's cost.
9. Liability and order of precedence
Liability under this DPA is subject to the limits in the Platform Terms. In case of conflict between this DPA and the Platform Terms on privacy matters, this DPA prevails.
10. Counter-signed copy
Enterprise merchants who require a counter-signed PDF of this DPA may request one from legal@velacommerce.co.za.
