← Privacy Policy

Data Processing Agreement

Version 1.0 · Effective: March 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between JetLog (Pty) Ltd ("JLog", the "Operator") and the subscribing entity ("Responsible Party", "Tenant", "you") and governs the processing of personal information by JLog on behalf of the Tenant in accordance with the Protection of Personal Information Act, 2013 ("POPIA").

1. Definitions

• Personal Information: As defined in Section 1 of POPIA — any information relating to an identifiable, living, natural person or juristic person.
• Processing: Any operation or activity concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, merging, linking, restriction, degradation, erasure, or destruction.
• Operator: JLog, who processes personal information on behalf of the Responsible Party (Tenant).
• Responsible Party: The Tenant entity that determines the purpose and means of processing personal information through the JLog platform.
• Data Subject: The person to whom personal information relates (e.g. the Tenant's customers, consignees, employees).

2. Scope of Processing

JLog processes personal information on behalf of the Tenant solely for the purpose of providing logistics, shipping, warehousing, and customs clearance services through the JLog platform. The categories of personal information processed include:

• Sender and recipient identity and contact details (name, email, phone, address)
• Shipment data (dimensions, weight, declared values, commodity descriptions)
• Financial and billing information
• Customs and trade compliance documentation
• Delivery GPS coordinates (during active deliveries)

3. Obligations of the Operator (JLog)

JLog shall:

1. Process personal information only on the documented instructions of the Responsible Party, unless required by law.
2. Ensure that persons authorised to process personal information have committed to confidentiality.
3. Implement appropriate technical and organisational security measures, including:
   • Encryption of data in transit (HTTPS/TLS)
   • Encryption of sensitive data at rest (AES-256 for banking details)
   • Password hashing with bcrypt
   • Role-based access control
   • Comprehensive audit logging
   • Regular security reviews
4. Not engage a sub-processor without prior written authorisation of the Responsible Party. Current sub-processors are listed at /legal/processors.html.
5. Assist the Responsible Party in responding to Data Subject requests (access, correction, deletion) within the timeframes required by POPIA.
6. Notify the Responsible Party without undue delay (and in any event within 72 hours) upon becoming aware of a personal information breach.
7. Delete or return all personal information to the Responsible Party upon termination of the service agreement, unless retention is required by law.
8. Make available to the Responsible Party all information necessary to demonstrate compliance with POPIA and allow for audits.

4. Obligations of the Responsible Party (Tenant)

The Tenant shall:

1. Ensure that it has a lawful basis for processing personal information and for instructing JLog to process it on its behalf.
2. Obtain all necessary consents from Data Subjects before submitting their personal information to the JLog platform.
3. Provide clear and transparent privacy notices to Data Subjects.
4. Promptly notify JLog of any Data Subject request that JLog needs to action.

5. Sub-processors

JLog uses the following categories of sub-processors to deliver its services. The current list is maintained at /legal/processors.html:

Sub-processor	Purpose	Location
Railway	Cloud hosting & database	US / EU
FedEx	International shipment processing	US (global)
DHL Express	International shipment processing	DE (global)
Sage One	Accounting & invoicing	ZA
Cartrack	Fleet GPS tracking	ZA
Twilio	WhatsApp notifications	US
Resend	Transactional email delivery	US

JLog will notify the Tenant before adding or replacing a sub-processor and will provide the Tenant with an opportunity to object.

6. Cross-border Transfers

Some personal information may be transferred to countries outside South Africa as part of service delivery (see Section 5). JLog ensures that adequate safeguards are in place for such transfers in accordance with POPIA Section 72, including:

• The recipient country has adequate data protection legislation, or
• The Data Subject has consented to the transfer, or
• The transfer is necessary for the performance of the contract between JLog and the Tenant, or
• The transfer is for the benefit of the Data Subject and it is not reasonably practicable to obtain consent

7. Data Breach Notification

In the event of a personal information breach:

1. JLog will notify the Tenant within 72 hours of becoming aware of the breach.
2. The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
3. The Responsible Party is responsible for notifying the Information Regulator and affected Data Subjects as required by POPIA Section 22.
4. JLog will cooperate fully with the Responsible Party in investigating and remediating the breach.

8. Data Retention and Deletion

Upon termination of the Tenant's account:

• JLog will delete or anonymise all personal information within 30 days, except where retention is required by law (e.g. SARS customs records — 5 years).
• The Tenant may request a data export before account termination.
• JLog will provide written confirmation of deletion upon request.

9. Audit Rights

The Responsible Party may, upon reasonable notice and during business hours, audit JLog's compliance with this DPA. JLog will cooperate and provide access to relevant records and systems. Audit costs are borne by the requesting party unless the audit reveals material non-compliance.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the main service agreement. JLog shall be liable for damages caused by processing that infringes POPIA or this DPA, to the extent attributable to JLog's actions or omissions.

11. Term and Termination

This DPA shall remain in effect for the duration of the Tenant's use of the JLog platform. The obligations related to data protection, confidentiality, and deletion survive termination of this agreement.

12. Governing Law

This DPA is governed by the laws of the Republic of South Africa. Any disputes shall be resolved in the courts of the Western Cape Division, Cape Town.