Data Processing Agreement | Verify Now | Verify ID South Africa

Executive Summary

This Data Processing Agreement ("DPA") forms part of the Verify Now Terms of Service and governs how Verify Now processes personal information on behalf of its customers. This agreement ensures compliance with the Protection of Personal Information Act (POPIA) and other applicable data protection laws.

Key Point: Verify Now acts as a data processor when providing identity verification services, while our customers typically act as data controllers responsible for lawful processing and data subject consent.

For credit-related services, VerifyNow acts as an intermediary platform that securely transmits and displays third-party provider results, and does not compile or maintain consumer credit profiles.

1. Definitions

Personal Information

Information relating to an identifiable, living, natural person, including but not limited to names, identification numbers, location information, online identifiers, biometric data, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Any operation or activity or any set of operations performed on personal information, including collection, receipt, recording, organisation, collation, storage, updating, retrieval, alteration, consultation or use, dissemination, making available, alignment, combination, restriction, degradation, erasure or destruction.

Data Controller

The Customer who determines the purposes for and means by which personal information is processed.

Data Processor

Verify Now, which processes personal information on behalf of and according to the instructions of the Data Controller.

2. Appointment as Data Processor

The Customer appoints Verify Now as a data processor to process personal information on the Customer's behalf for the sole purpose of providing identity verification, KYC/AML screening, and related services as outlined in the Terms of Service.

Verify Now agrees to process personal information only in accordance with the Customer's documented lawful instructions and applicable data protection laws.

3. Verify Now's Obligations

3.1 Lawful Processing

Process personal information only as instructed by the Customer
Ensure processing is lawful, fair, and transparent
Implement appropriate technical and organisational measures
Maintain confidentiality of personal information

3.2 Security Measures

Implement industry-standard encryption for data in transit and at rest
Maintain secure access controls and authentication measures
Regular security assessments and penetration testing
Staff training on data protection and security protocols
Secure data centres with physical and logical access controls

3.3 Data Minimisation

Verify Now will only process personal information that is adequate, relevant, and limited to what is necessary for providing the requested verification services.

4. Customer Obligations

4.1 Lawful Basis

The Customer warrants that it has a lawful basis for processing and has obtained all necessary consents, authorisations, and permissions required under applicable data protection laws.

4.2 Data Subject Rights

The Customer is responsible for handling data subject requests for access, correction, deletion, or portability of personal information. Verify Now will assist where technically feasible.

4.3 Instructions

The Customer must provide clear, lawful instructions for processing personal information and notify Verify Now of any changes to processing requirements.

5. Data Breach Notification

In the event of a personal data breach, Verify Now will:

Notify the Customer without undue delay and within 48 hours of becoming aware of a confirmed breach
Provide details of the breach, affected data, and mitigation measures
Assist the Customer in meeting their notification obligations to the Information Regulator
Implement immediate containment and remediation measures
Conduct a thorough investigation and provide a detailed incident report

Personal Data Breach Notification SLA

Verify Now commits to notifying affected Customers within 48 hours of confirming a personal data breach. This notification will include the nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken or proposed to address the breach.

6. Cross-Border Data Transfers

Verify Now may transfer personal information to countries outside South Africa only:

Where the Information Regulator has determined adequate protection exists
With appropriate safeguards including standard contractual clauses
With explicit consent from data subjects where required
For specific derogations as permitted by POPIA

Note: Current data processing is primarily conducted within South Africa. Any international transfers will be disclosed and conducted in compliance with POPIA Chapter 9.

7. Subprocessors

Verify Now may engage third-party subprocessors to assist in providing services. Subprocessors are limited to infrastructure and operational services only, including cloud hosting, databases, monitoring, email/SMS delivery, and support tooling.

All subprocessors are bound by equivalent data protection obligations
Customers will receive at least 30 days' notice of any new subprocessors
Verify Now remains fully liable for subprocessor compliance
A register of current subprocessors is available on request

For the current list of subprocessor categories, see our Sub-processors page.

8. Verification Sources

To provide identity verification services, Verify Now accesses authoritative data sources under lawful authority. These verification sources are not subprocessors; they are government and authorised entities that provide authoritative data for verification purposes.

Verification Sources Include:

Department of Home Affairs (DHA) – For South African ID verification
Companies and Intellectual Property Commission (CIPC) – For company verification
Credit Bureaus – For credit and financial verification
Other lawful and authorised sources – As permitted under applicable legislation

Access to these sources is governed by applicable South African legislation and the terms of our lawful authority to access such information for verification purposes.

Third-Party Data Disclaimer

Important: Verify Now makes no warranty, representation, or guarantee regarding the accuracy, completeness, reliability, or timeliness of any information obtained from third-party verification sources. Verification results reflect information as provided by third-party sources at the time of the query. Customers acknowledge that Verify Now is not responsible for any errors, omissions, inaccuracies, or delays in third-party data.

9. Data Retention and Deletion

9.1 Retention Period

Personal information is retained only for as long as necessary to provide the requested services and comply with legal obligations. Standard retention periods are outlined in our Privacy Policy.

9.2 Data Deletion

Upon termination of services or at the Customer's request, Verify Now will securely delete or return all personal information within 30 days, unless retention is required by law.

10. Return and Deletion on Termination

Upon termination or expiry of services, Verify Now will, at the Customer's election:

Return all personal information to the Customer in a commonly used, machine-readable format
Securely delete all personal information (including copies) and provide written confirmation

This obligation does not apply to personal information that Verify Now is required to retain under applicable law (e.g., FICA record retention requirements, audit logs).

Process Timeline:

Customer must specify preference within 30 days of termination
Return or deletion completed within 30 days of receiving instruction
Written confirmation provided upon completion

11. Audit Rights

Customers have the right to audit Verify Now's compliance with this DPA, subject to:

Reasonable advance notice (minimum 30 days)
Limitation to once per year unless required by incident investigation
Confidentiality obligations regarding Verify Now's systems and processes
Customer responsibility for audit costs

Verify Now will also provide documentation of our security practices to demonstrate adherence to data protection standards upon reasonable request.

12. Security Assurance and Reviews

Verify Now commits to maintaining robust security practices through:

Annual security assessments and vulnerability testing
Regular review and updates of security measures
Prompt remediation of identified vulnerabilities
Ongoing staff training on data protection and security protocols

Security assessment summaries are available to Customers upon request, subject to confidentiality obligations. Please contact security@verifynow.co.za for more information.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of South Africa. Any disputes arising from or relating to this agreement will be subject to the exclusive jurisdiction of the South African courts.

This agreement is subject to POPIA and other applicable South African and international data protection regulations.

14. Contact Information

Data Protection Officer

Email: privacy@verifynow.co.za

Address: Verify Now (Pty) Ltd, Cape Town, South Africa

Phone: +27 (0) 21 XXX XXXX

Information Regulator South Africa

Website: https://www.justice.gov.za/inforeg/

Email: complaints.IR@justice.gov.za

15. Amendments

Verify Now may update this DPA to reflect changes in law, regulation, or business practices. Customers will be notified of material changes with at least 30 days' notice. Continued use of services after amendments constitutes acceptance of the updated terms.

Effective Date

This Data Processing Agreement is effective from February 20, 2026, and applies to all processing of personal information by Verify Now on behalf of its customers.