Data Processing Addendum
Last updated: July 12, 2026
Operator Agreement / Data Processing Addendum
This Operator Agreement / Data Processing Addendum ("DPA") forms part of the agreement between CleverCam (Pty) Ltd ("CleverCam", "we", "us", the Operator) and the business customer that uses our platform ("Customer", "you", the Responsible Party) (together, the "Parties"). It sets out how we process personal information on your behalf under the Protection of Personal Information Act, 2013 ("POPIA").
It should be read together with our POPIA & Data Protection notice, PAIA Manual and Privacy Policy. Where this DPA conflicts with the main terms of service on the processing of personal information, this DPA prevails.
This is a standard template. If you need a signed copy, or terms tailored to your business, contact our Information Officer at legal@clevercam.co.za.
1. Definitions
Words defined in POPIA — including personal information, special personal information, data subject, responsible party, operator, process/processing, and security compromise — have the same meaning here. "Applicable law" means POPIA and any other South African data-protection law in force.
2. Roles of the Parties
- For the personal information you and your users put into the platform, you are the Responsible Party and CleverCam is the Operator. We process that personal information only on your documented instructions and to provide the service, except where the law requires otherwise (in which case we will tell you, unless the law prohibits it).
- You remain responsible for having a lawful basis to collect and process the personal information you place on the platform, for giving any required notices to data subjects, and for the accuracy and lawfulness of your instructions.
- CleverCam is the Responsible Party for its own account, billing and marketing data, as described in the POPIA & Data Protection notice.
3. Subject matter, duration, nature and purpose
- Subject matter and purpose: processing necessary to provide the CleverCam platform — AI camera monitoring, alarm and panic-event handling, armed-response dispatch, and related operations, staff and billing tools.
- Duration: for as long as you use the service, plus the return/deletion period in section 11.
- Nature of processing: collection, recording, storage, organisation, retrieval, use, transmission, and erasure of personal information through the platform.
- Categories of data subjects and personal information: as set out in Annexure A.
4. CleverCam's obligations as Operator (POPIA ss 20–21)
We will:
- process personal information only with your knowledge and authorisation, and only on your instructions;
- treat all personal information as confidential, and ensure that our personnel who process it are bound by confidentiality;
- not disclose personal information unless required by law or in the proper performance of the service;
- maintain the security measures described in section 6 and Annexure C; and
- assist you, so far as reasonably possible, to comply with your own POPIA obligations, including responding to data subjects and to the Information Regulator.
5. Sub-operators (sub-processors)
- You authorise us to appoint sub-operators to help provide the service. Our current sub-operators, what they do and where they are located are listed in the POPIA & Data Protection notice ("Sub-processors") and summarised in Annexure B.
- We impose data-protection and security obligations on each sub-operator that are substantially similar to those in this DPA, and we remain responsible to you for their processing.
- We will give you a reasonable way to learn of intended changes to our sub-operators, and you may raise a reasonable objection on data-protection grounds.
6. Security (POPIA s 19)
We maintain appropriate, reasonable technical and organisational measures to protect personal information against loss, damage and unauthorised or unlawful access, having regard to generally accepted information-security practices. A summary is in Annexure C and in the "How we secure your data" section of the POPIA & Data Protection notice.
7. Personal data breach (POPIA s 21(2) and s 22)
If we become aware of a security compromise affecting personal information we process for you, we will notify you without undue delay so that you can meet your notification obligations to the Information Regulator and to affected data subjects. Our notice will include, to the extent known, the nature of the compromise, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. We will cooperate reasonably with your response.
8. Assisting with data-subject requests
If a data subject contacts us directly about personal information we process for you, we will, unless the law requires otherwise, refer them to you and assist you in responding within the time limits under POPIA and PAIA. We will not respond to the request ourselves except on your instruction.
9. Special personal information and children (POPIA ss 26–27, 34–35)
The platform can hold special personal information — for example camera footage of identifiable people (which may be biometric), and officers' firearm-competency or vetting information (which may relate to criminal behaviour) — and information relating to children. You warrant that, as the Responsible Party, you have a lawful basis and any required consents and notices in place for this processing, and that you have obtained any prior authorisation required from the Information Regulator. We process this information only as your Operator and for the security and response purposes for which you provide it.
10. Use of camera images to improve detection AI
- We use camera images processed on the platform to train and improve our own detection models, for a single, narrow purpose: to distinguish genuine security events from harmless triggers (moving vegetation, animals, shadows, insects and weather) and so reduce false alarms. The models are trained to classify what is in a scene, not to identify individuals — we do not perform facial recognition or build identity profiles. We use the images for this purpose only, and we do not sell or share them or use them to train models for any third party.
- This is a compatible further processing of images that were collected to detect security events (POPIA s 15), and rests on our and your legitimate interest in accurate detection.
- Opt-out. You may opt out of this use at any time, for your account, by emailing legal@clevercam.co.za, and we will stop using your account's images to train our models. Opting out does not affect the core detection service.
- Per-image removal. A user can remove any single event image in the app; once removed it is no longer visible to other platform users or to your control room. A removed image is also excluded from model training and — because it may be evidence — is retained in a restricted, access-controlled archive, recoverable only by an authorised administrator on a lawful request; removals and recoveries are audit-logged. A separate opt-in control lets a user consent to a specific image being used to improve detection.
- Because camera footage may include identifiable people, and you are the Responsible Party for it, you remain responsible for ensuring the system is used for perimeter and unoccupied-area monitoring and for giving appropriate notice to people who may be captured.
11. Return and deletion on termination
On termination of the service, or on your written request, we will return or delete the personal information we process for you, and delete existing copies, unless the law requires us to keep it. Deletion from active systems happens in the ordinary course; residual copies in encrypted backups are deleted on the backup cycle and are isolated from further processing in the meantime.
12. Records and audit
We keep records of our processing activities as an Operator. On reasonable written request, and subject to confidentiality, we will make available information reasonably necessary to demonstrate our compliance with this DPA.
13. Cross-border processing (POPIA s 72)
Some personal information is processed outside South Africa (principally in the European Union), as described in the POPIA & Data Protection notice. You instruct and authorise this processing, which is carried out under contractual protections substantially similar to POPIA and is necessary to provide the service.
14. General
This DPA is governed by the law of the Republic of South Africa. If any provision is found unenforceable, the rest remains in effect. This DPA does not limit any rights a data subject has under POPIA.
Annexure A — Categories of data subjects and personal information
| Category of data subject | Personal information processed |
|---|---|
| Your account administrators and users | Names, contact details, usernames, hashed passwords, role and activity |
| Your end-customers, keyholders and residents | Names, contact details, site/address information, camera images and event footage, alarm/panic events, location |
| Security officers and responders | Profile details and, where recorded, PSIRA registration, competency and firearm-competency records, and firearms-register entries |
| Your billing and payment contacts | Billing details and, via our payment partners, payment and bank information |
Annexure B — Sub-operators
The current list of sub-operators, their function and location is published and kept up to date in the "Sub-processors" section of the POPIA & Data Protection notice. It includes our hosting, database, messaging, mapping, AI and payment providers.
Annexure C — Security measures (summary)
- Encryption in transit (TLS 1.2+); HTTPS-only.
- Encryption at rest (AES-256) for database and object storage.
- Tenant isolation and role-based access control, including row-level security on customer-facing data, and manager-only access to sensitive staff and firearms records.
- Authentication via a dedicated identity service using token-based sessions.
- Private, signed-URL storage for sensitive documents and evidence.
- Server-side-only handling of sensitive integration credentials.
- Append-only audit logging of key activity.
- Regular, encrypted backups.
Last updated: July 12, 2026.
