Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of and is subject to the Terms of Service ("Principal Agreement") between:

Strix Technology (Pty) Ltd, having its registered office at 581 Opstal Street, Pretoria, 0184, South Africa, operating the service at deskdragon.com (hereinafter "Processor"); and

The entity that has agreed to the Principal Agreement (hereinafter "Controller"),

collectively referred to as the "Parties".

This DPA reflects the Parties' commitment to abide by applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using the Deskdragon service, the Controller enters into this DPA on behalf of itself and, to the extent required under applicable data protection laws, in the name and on behalf of its employees and other authorised users.

1. Definitions

In this DPA, unless the context requires otherwise:

"Company Personal Data" means any Personal Data processed by the Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement.
"Data Protection Laws" means the GDPR and all other applicable legislation relating to the processing of Personal Data and privacy that may exist in any relevant jurisdiction, as amended or replaced from time to time.
"Data Subject" means the identified or identifiable natural person to whom Company Personal Data relates.
"Personal Data" has the meaning given to it in the GDPR (Article 4(1)).
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Personal Data.
"Processing" has the meaning given to it in the GDPR (Article 4(2)), and "Process", "Processes" and "Processed" shall be construed accordingly.
"Subprocessor" means any third party appointed by the Processor to Process Company Personal Data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded, or replaced from time to time.
"Supervisory Authority" means an independent public authority established by an EU Member State pursuant to the GDPR.

2. Scope and Purpose of Processing

2.1 This DPA applies to the Processing of Company Personal Data by the Processor as part of the provision of the Deskdragon desk booking service under the Principal Agreement.

2.2 The details of the Processing, including the subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data, are set out in Appendix A.

2.3 The Processor shall Process Company Personal Data only for the purposes described in this DPA and the Principal Agreement, or as otherwise instructed by the Controller in writing.

2.4 The Processor may retain limited Personal Data (such as company name, billing email address, and transaction history) where required by applicable law or where the Processor has a legitimate interest as a Controller in its own right (for example, fraud prevention and dispute resolution). The Processor's handling of such data is governed by the Processor's Privacy Policy.

3. Obligations of the Processor

The Processor shall:

3.1 Process Company Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.2 Ensure that persons authorised to Process Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Take all measures required pursuant to Article 32 of the GDPR (security of processing), as further described in Section 5 and Appendix B of this DPA.

3.4 Respect the conditions referred to in Article 28(2) and (4) of the GDPR for engaging Subprocessors, as set out in Section 6 of this DPA.

3.5 Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR.

3.6 Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to the Processor. This includes providing reasonable assistance, upon the Controller's written request and at the Controller's expense, with Data Protection Impact Assessments (Article 35) and prior consultations with Supervisory Authorities (Article 36), to the extent that the Controller requires such assistance and the Processor is reasonably able to provide it.

3.7 At the choice of the Controller, delete or return all Company Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless European Union or Member State law requires storage of the Personal Data.

3.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and allow for and contribute to audits, including inspections, as further described in Section 10.

3.9 Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other European Union or Member State data protection provisions.

4. Obligations of the Controller

4.1 The Controller warrants and represents that:

(a) it has a lawful basis for Processing Company Personal Data and for instructing the Processor to Process Company Personal Data on its behalf;
(b) it has provided adequate notice to Data Subjects regarding the Processing of their Personal Data, including any information required by Articles 13 and 14 of the GDPR;
(c) it shall comply with all applicable Data Protection Laws in connection with the use of the Deskdragon service; and
(d) its instructions to the Processor shall at all times be in accordance with applicable Data Protection Laws.

5. Security Measures

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 The Processor shall implement and maintain the technical and organisational measures set out in Appendix B. The Processor may update these measures from time to time, provided that such updates do not materially decrease the overall level of security of the Deskdragon service.

5.3 For further details on the Processor's security practices, please refer to the Security & Trust page.

6. Subprocessors

6.1 The Controller provides general written authorisation to the Processor to engage Subprocessors to Process Company Personal Data. The current list of Subprocessors is maintained at deskdragon.com/subprocessors.

6.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors by updating the Subprocessors page at least 14 days before the change takes effect, thereby giving the Controller the opportunity to object to such changes.

6.3 If the Controller does not object within 14 days of the change being published on the Subprocessors page, the Controller shall be deemed to have accepted the new or replacement Subprocessor.

6.4 If the Controller objects to a new Subprocessor on reasonable data protection grounds within the 14-day period, the Parties shall discuss the Controller's concerns in good faith. If the Parties are unable to reach a resolution, the Controller may terminate the affected services by providing written notice to the Processor.

6.5 Where the Processor engages a Subprocessor, the Processor shall impose data protection obligations on the Subprocessor that are no less protective than those set out in this DPA by way of a contract or other legal act under European Union or Member State law. The Processor shall remain fully liable to the Controller for the performance of the Subprocessor's obligations.

7. International Data Transfers

7.1 Company Personal Data is hosted on servers located in Frankfurt, Germany (EU). Offsite encrypted backups are stored in the same region (AWS eu-central-1, Frankfurt). Although the Processor's registered office is in South Africa, the Processor does not routinely store or access Company Personal Data from South Africa. Remote administrative access to production systems may constitute a transfer of Personal Data to South Africa; this transfer is governed by the Standard Contractual Clauses set out in Appendix C.

7.2 The Processor has conducted a Transfer Impact Assessment for the transfer described in Section 7.1 and has implemented the following supplementary measures:

(a) all remote administrative access is encrypted in transit using TLS;
(b) Company Personal Data is not stored or copied to systems located in South Africa;
(c) access to production systems is restricted to authorised personnel and is logged; and
(d) South Africa maintains data protection legislation (the Protection of Personal Information Act, 2013) that is substantively aligned with the GDPR.

7.3 The Processor shall not transfer Company Personal Data to a country outside the European Economic Area ("EEA") unless appropriate safeguards are in place as required by Chapter V of the GDPR.

7.4 Some Subprocessors engaged by the Processor are located outside the EEA. In such cases, transfers are protected by one or more of the following mechanisms:

(a) the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914), as set out in Appendix C;
(b) an adequacy decision by the European Commission pursuant to Article 45 of the GDPR (including the EU-US Data Privacy Framework where applicable); or
(c) any other valid transfer mechanism recognised under Article 46 of the GDPR.

7.5 The following Subprocessors involve transfers outside the EEA:

Subprocessor	Location	Transfer Mechanism
Strix Technology (Processor)	South Africa (administrative access only; data hosted in EU)	SCCs (Module Two, Controller to Processor)
Paddle	United Kingdom	UK adequacy decision (28 June 2021)
Google Workspace	United States	EU-US Data Privacy Framework; SCCs
Cloudflare	United States (Global)	SCCs; EU-US Data Privacy Framework
Firebase Cloud Messaging (Google)	United States	EU-US Data Privacy Framework. Processing is limited to device tokens necessary for message routing; no user profile data or message content is transmitted.

8. Data Subject Rights

8.1 The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, data portability, and the right to object).

8.2 Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to such requests. Such assistance may include:

(a) providing the Controller with the ability to access, rectify, or delete Company Personal Data through the Deskdragon service;
(b) exporting a Data Subject's Personal Data in CSV format upon written request to [email protected]; and
(c) deleting a Data Subject's Personal Data upon written request, within three (3) business days.

8.3 Where a Data Subject request requires effort beyond the standard functionality of the Deskdragon service, the Processor may charge the Controller a reasonable fee for such assistance.

8.4 The Processor shall not independently respond to a Data Subject request unless instructed to do so by the Controller or required by applicable law.

9. Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay, and in any event no later than 48 hours, upon becoming aware of a Personal Data Breach affecting Company Personal Data.

9.2 Such notification shall include, to the extent available:

(a) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Processor's point of contact from whom more information can be obtained;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 The Processor shall co-operate with the Controller and take reasonable steps to assist the Controller in investigating, mitigating, and remediating the effects of a Personal Data Breach.

9.4 Breach notifications shall be sent to the Controller's administrator(s) at the email address(es) associated with their Deskdragon account, or such other contact address as the Controller has provided in writing. The Processor shall not be held responsible for delays in notification caused by inaccurate or outdated contact information provided by the Controller.

10. Audit Rights

10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR.

10.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

(a) the Controller shall give the Processor at least 30 days' prior written notice of any audit;
(b) audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations;
(c) the Controller shall bear its own costs of the audit, unless the audit reveals material non-compliance by the Processor;
(d) audits shall be limited to once per calendar year, unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit; and
(e) the auditor shall be bound by appropriate confidentiality obligations.

10.3 Where the Processor has obtained relevant certifications or audit reports (such as SOC 2 or ISO 27001), the Processor may provide these to the Controller as an alternative to a physical audit, where the Controller reasonably determines that such documentation adequately addresses its audit requirements.

11. Term and Termination

11.1 This DPA shall take effect on the date the Controller first uses the Deskdragon service and shall remain in force for as long as the Processor Processes Company Personal Data on behalf of the Controller.

11.2 Upon termination or expiry of the Principal Agreement, or upon written request by the Controller, the Processor shall, at the Controller's choice:

(a) return all Company Personal Data to the Controller in CSV format; or
(b) delete all Company Personal Data from the Processor's live production systems and certify such deletion in writing.

11.3 The Processor shall carry out the Controller's instruction under Section 11.2 within 30 days of receipt of such instruction. Where no instruction is received within 90 days of termination, the Processor shall delete all Company Personal Data.

11.4 For the purposes of this DPA, "deletion" means the removal of Company Personal Data from the Processor's live production systems such that it is no longer accessible or retrievable through the Deskdragon service. Company Personal Data may persist in encrypted backup copies until such backups are overwritten in accordance with the Processor's standard backup rotation schedule, which does not exceed 30 days. The Processor shall not actively restore Company Personal Data from backups after deletion from production systems.

11.5 Notwithstanding the foregoing, the Processor may retain limited data as described in Section 2.4. Such retained data shall be kept confidential and Processed only to the extent and for the duration necessary to comply with the applicable legal obligation or legitimate purpose.

12. Liability

12.1 Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

12.2 Nothing in this DPA limits or excludes either Party's liability for damages resulting from a breach of the GDPR where such limitation is not permitted under applicable law.

13. Governing Law and Jurisdiction

13.1 This DPA shall be governed by and construed in accordance with the laws of the Republic of South Africa, without regard to its conflict of law provisions, to the extent that such choice of law does not conflict with mandatory provisions of applicable Data Protection Laws. The governing law of the Standard Contractual Clauses is set out separately in Appendix C and is not affected by this Section.

13.2 Where the GDPR applies, any dispute arising out of or in connection with this DPA that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the courts of the Republic of South Africa, without prejudice to the right of a Data Subject to lodge a complaint with, or bring proceedings before, a competent Supervisory Authority or court in the EU Member State in which they reside.

14. Amendments

14.1 The Processor may update this DPA from time to time to reflect changes in applicable Data Protection Laws, Subprocessors, or the Processor's technical and organisational measures.

14.2 The Processor shall notify the Controller of material changes by email to the Controller's administrator(s) at least 30 days before the changes take effect, and shall update the DPA at deskdragon.com/dpa accordingly.

14.3 If the Controller does not object in writing within 30 days of receiving such notification, the Controller shall be deemed to have accepted the updated DPA. If the Controller objects, the Parties shall discuss the concerns in good faith. If the Parties are unable to reach a resolution, the Controller may terminate the Principal Agreement by providing written notice to the Processor.

15. General Provisions

15.1 Severability. If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely achieves the original intent of the Parties.

15.2 Entire agreement. This DPA, together with the Principal Agreement and the Appendices hereto, constitutes the entire agreement between the Parties with respect to the Processing of Company Personal Data and supersedes all prior agreements, representations, and understandings relating to the same subject matter.

15.3 Conflict. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Company Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Appendix A: Details of Processing

Subject matter	The provision of the Deskdragon desk booking service as described in the Principal Agreement, including desk reservation management, check-in functionality, booking notifications, and related analytics.
Duration	For the term of the Principal Agreement, plus the period from expiry of the Principal Agreement until deletion of all Company Personal Data by the Processor in accordance with this DPA.
Nature and purpose	The Processing is necessary to provide the Deskdragon service, which enables the Controller's employees to book desks and workspaces. This includes storing user accounts, processing desk bookings, sending booking notifications via email and push, managing check-ins, and generating occupancy analytics for the Controller.
Categories of Data Subjects	Employees, contractors, and other authorised users of the Controller who use the Deskdragon service.
Types of Personal Data	Name (first and last) Email address IP address Push notification device token The above are linked to user profiles solely for the provision of the desk booking service.
Special categories of data	None. The Processor does not intentionally collect special categories of Personal Data as defined in Article 9 of the GDPR.

Appendix B: Technical and Organisational Measures

The Processor implements the following technical and organisational measures to protect Company Personal Data, in accordance with Article 32 of the GDPR:

Encryption

All data in transit is encrypted using TLS 1.3 (or TLS 1.2 where client compatibility requires).
Offsite backups are encrypted before transfer and at rest.
Passwords are stored using a one-way cryptographic hash (bcrypt) and are never stored or transmitted in plaintext.

Confidentiality and Access Control

Access to production systems is restricted to authorised personnel only.
No secrets, API keys, or credentials are committed to source control.
Authentication to the Deskdragon service is via password or OpenID Connect (Google Workspace, Microsoft 365). No offline access tokens are stored.

Availability and Resilience

The application is hosted on DigitalOcean in Frankfurt, Germany (FRA1).
Offsite encrypted backups are performed every six (6) hours and stored on Amazon Web Services in Frankfurt, Germany (eu-central-1).
DNS, CDN, and SSL/TLS termination are provided by Cloudflare for high availability and DDoS mitigation.
System status is monitored and publicly available at status.deskdragon.com.

Data Integrity

Server operating system security updates are applied automatically.
Crash and error monitoring uses anonymised data only (via Crashlytics and Slack alerting); no personal data is transmitted to monitoring services.

Regular Testing

The effectiveness of technical and organisational measures is assessed on an ongoing basis and reviewed periodically.

Data Minimisation

The Processor does not use any third-party advertising or analytics services.
The service does not track users via third-party cookies.
Only information strictly necessary for the operation of the service is collected.

Appendix C: Standard Contractual Clauses

C.1 To the extent that the Processing of Company Personal Data involves a transfer of Personal Data from the EEA to a country outside the EEA that has not received an adequacy decision from the European Commission, the Parties agree that the Standard Contractual Clauses set out in the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 shall apply, as follows:

(a) Module Two (Controller to Processor) shall apply where the Controller transfers Company Personal Data to the Processor.
(b) The optional docking clause (Clause 7) is included, allowing additional parties to accede to the SCCs.
(c) For the purposes of Clause 9(a), Option 2 (General written authorisation) is selected, with a minimum notification period of 14 days before the engagement of a new Subprocessor.
(d) For the purposes of Clause 17, Option 1 is selected: the SCCs shall be governed by the law of the Netherlands.
(e) For the purposes of Clause 18(b), the Parties agree to submit disputes to the courts of the Netherlands.

C.2 For the purposes of Annex I to the SCCs:

The data exporter is the Controller (as identified in the Principal Agreement).
The data importer is the Processor: Strix Technology (Pty) Ltd, 581 Opstal Street, Pretoria, 0184, South Africa. Contact: [email protected].
The categories of Data Subjects, types of Personal Data, and purpose of Processing are as described in Appendix A of this DPA.

C.3 For the purposes of Annex II to the SCCs, the technical and organisational measures are as described in Appendix B of this DPA.

C.4 For the purposes of Annex III to the SCCs, the list of Subprocessors is as maintained at deskdragon.com/subprocessors.

C.5 Where transfers are made to the United Kingdom, the Parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) shall also apply.