Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between the Subscriber ("Controller") and Mighty Toolkit (Pty) Ltd (registration number 2025/685291/07) ("Processor"), registered in South Africa.
This DPA forms part of the Terms of Service and governs the processing of Customer Data across all Mighty Toolkit products and services (the "Services"), including but not limited to Mighty Workflow, Mighty Monitor, and any other products we offer.
1. Definitions
- Controller: The Subscriber who determines the purposes and means of processing Customer Data.
- Processor: Mighty Toolkit (Pty) Ltd, which processes Customer Data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Personal Data: Any information relating to a Data Subject contained within Customer Data.
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor: A third party engaged by the Processor to process Customer Data.
- Customer Data: Any data, files, documents, form responses, or content submitted to the Services by Users.
- Technical and Organisational Measures (TOMs): Security measures implemented to protect Customer Data.
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses for international data transfers.
- Merchant of Record: Dodo Payments Inc., which processes payments independently.
2. Scope
This DPA applies to all Customer Data processed by the Processor solely:
- As necessary to provide, maintain, and support the Services
- On documented instructions from the Controller
3. Processor Responsibilities
The Processor shall:
- Process Customer Data only in accordance with the Controller's documented instructions
- Ensure that persons authorised to process Customer Data are bound by confidentiality obligations
- Implement and maintain appropriate Technical and Organisational Measures, including encryption, access controls, logging, and backups
- Ensure that Sub-processors are bound by equivalent data protection obligations
- Assist the Controller with data subject rights requests
- Assist the Controller with data breach notification obligations
- Notify the Controller of any Personal Data breach without undue delay
4. Controller Responsibilities
The Controller shall:
- Ensure a lawful basis exists for all processing of Customer Data
- Obtain all necessary consents from Data Subjects
- Respond to data subject rights requests
- Verify that Customer Data complies with applicable data protection laws
- Ensure accuracy of Customer Data
- Configure the Services appropriately, including user roles and multi-factor authentication
Where Customer Data includes personal data of children, the Controller bears sole responsibility for ensuring all processing is lawful, including obtaining valid parental or guardian consent.
5. Sub-Processors
The Processor maintains a list of approved Sub-processors and ensures each is bound by data protection obligations equivalent to those in this DPA. The Processor will notify the Controller of any new Sub-processors and permit the Controller to raise reasonable objections. If an objection cannot be resolved, the Controller may terminate the affected Services.
6. International Data Transfers
The Processor's primary servers are located in the European Union. Transfers from South Africa are permitted under POPIA section 72 because the GDPR provides an adequate level of protection. Any other international transfers are governed by Standard Contractual Clauses or equivalent safeguards approved under applicable data protection law.
7. Payment Processing
Payment details are collected directly by the Merchant of Record (Dodo Payments Inc.), which acts as an independent Controller for payment information. The Processor receives only limited transaction confirmation data necessary to maintain subscription records.
8. Security Measures
The Processor implements the following Technical and Organisational Measures:
- Encryption of data in transit (TLS) and at rest
- Secure login and authentication mechanisms
- Role-based access controls
- Regular data backups
- Continuous monitoring and threat detection
- Regular security patching and updates
Security is a shared responsibility. The Controller must appropriately configure the Services, including setting up user roles, enabling multi-factor authentication, and managing access permissions.
9. Data Breaches
In the event of a Personal Data breach, the Processor will notify the Controller without undue delay. The notification will include:
- The nature and scope of the breach
- Categories and approximate number of affected records
- Likely consequences of the breach
- Measures taken or proposed to address the breach
10. Deletion & Retention
Upon termination of the Services, Customer Data will be retained for 60 days to allow for export or account reactivation. After this period, Customer Data will be securely deleted unless retention is required by applicable law.
11. Duration
This DPA remains in effect for the duration of the Processor's processing of Customer Data. The obligations under this DPA survive termination until all Customer Data has been deleted or returned in accordance with Section 10.
12. Governing Law
This DPA is governed by South African law. Both parties submit to the exclusive jurisdiction of the High Court of South Africa, Western Cape Division, Cape Town.
13. Contact Us
Information Officer / Data Protection Officer: Allister Smith
Email: [email protected]
Address: 2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa