Data Processing Addendum

For business customers: how we process personal information on your behalf as your operator under POPIA, and the list of sub-processors we rely on.

Draft — pending legal review. This page is provided for information only and is not legal advice. It is a working draft and is being finalised by a South African admitted attorney before it becomes binding.

Last updated: 9 June 2026

This Data Processing Addendum (DPA) applies where we process personal information on behalf of a business customer (the responsible party) as their operator under POPIA. It forms part of our Terms of Use.

1. Roles & definitions

For POPIA, the customer is the responsible party and Trade Caravan is the operator. Where the GDPR applies to any data subject, "responsible party" maps to "controller" and "operator" to "processor". "Personal information", "processing", "operator" and "data subject" have the meanings given in POPIA.

2. Subject-matter, nature & purpose

We process personal information only to provide the Real-View SCM service to the customer — principally shipment tracking, notifications and account management — for the duration of the customer's subscription.

3. Categories of data & data subjects

Data subjects include the customer's users and contacts. Personal information may include names, business email addresses and phone numbers, and shipment identifiers entered by the customer.

4. Operator obligations

  • Process personal information only on the customer's documented instructions, including for cross-border transfers, unless the law requires otherwise.
  • Keep personal information confidential and ensure people authorised to process it are bound by confidentiality.
  • Apply appropriate security safeguards (POPIA section 19).
  • Notify the customer without undue delay after becoming aware of a personal-information breach.
  • Assist the customer, as reasonable, with data-subject requests and with security, breach-notification and impact-assessment obligations.
  • Delete or return personal information at the end of the service, subject to retention required by law.

5. Sub-processing

The customer authorises us to engage the sub-processors listed below to deliver the Service. We impose data-protection obligations on each sub-processor that are substantially similar to those in this DPA, and we remain responsible for their performance. We will give notice of changes to this list and the customer may object on reasonable data-protection grounds.

6. Sub-processor list

Sub-processor Service Data processed Location Cross-border?
Amazon Web Services (AWS) Cloud hosting / infrastructure All app data, account & shipment data af-south-1 (Cape Town) primary Primarily in-SA
PayFast Payment processing (ZAR) Billing & contact data (no card data stored by us) South Africa In-SA
Twilio / WhatsApp SMS & WhatsApp notifications Phone number, message content Outside SA (US / global) Yes — s72
MarineTraffic Vessel / AIS tracking data Vessel & shipment identifiers (minimal PI) Outside SA (EU) Yes — s72
Resend Transactional email Email address, message content Outside SA (US) Yes — s72
Sentry Error monitoring Technical/usage data, possibly IP / user IDs Outside SA (US) Yes — s72

7. Cross-border transfers (POPIA section 72)

Where a sub-processor processes personal information outside South Africa, we rely on a section 72 basis — typically a contract binding the recipient to protection substantially similar to POPIA, and/or that the transfer is necessary to perform the contract with the data subject, and/or consent. Each provider's location and cross-border status is shown above.

8. Audit

On reasonable written notice and subject to confidentiality, we will make available information necessary to demonstrate compliance with this DPA.

9. Liability

Liability under this DPA is subject to the limitations in our Terms of Use, except where the law provides otherwise.

← All legal & compliance documents