Customer processing terms

Data Processing Agreement

This Data Processing Agreement governs the processing of personal information by Urban Luxury Brands (Pty) Ltd trading as VerifyNow on behalf of our customers in accordance with POPIA and international data protection standards.

Last updated: May 26, 2026

Executive Summary

This Data Processing Agreement is entered into between the Customer and Urban Luxury Brands (Pty) Ltd trading as VerifyNow, registration number 2007/013732/07. By creating an account, registering for API access, generating or using an API key, or using the VerifyNow API, the Customer agrees to this Data Processing Agreement. This Data Processing Agreement is incorporated into and forms part of the written agreement between the parties. Where VerifyNow processes Personal Information on behalf of the Customer, the parties agree that this Data Processing Agreement records their written operator agreement for purposes of POPIA, including section 21.

Key Point: VerifyNow acts as an operator under POPIA, and as a data processor where that terminology applies, when providing identity verification services. Customers typically act as responsible parties or data controllers responsible for lawful processing, required notices, and data subject consent where consent is legally required.

VerifyNow does not provide consumer credit reports, does not compile or maintain consumer credit profiles, and does not make loan, affordability, or credit-granting decisions. Verification results are processed only for the Customer's documented lawful purpose.

1. Definitions

Personal Information

Information relating to an identifiable, living, natural person, including but not limited to names, identification numbers, location information, online identifiers, biometric data, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Any operation or activity or any set of operations performed on personal information, including collection, receipt, recording, organisation, collation, storage, updating, retrieval, alteration, consultation or use, dissemination, making available, alignment, combination, restriction, degradation, erasure or destruction.

Responsible Party / Data Controller

The Customer who determines the purposes for and means by which personal information is processed.

Operator / Data Processor

VerifyNow, which processes personal information on behalf of and according to the instructions of the Responsible Party or Data Controller.

2. Appointment as Operator / Data Processor

The Customer appoints VerifyNow as an operator under POPIA, and as a data processor where that terminology applies, to process personal information on the Customer's behalf for the sole purpose of providing identity verification, KYC/AML screening, and related services as outlined in the Terms of Service.

VerifyNow agrees to process personal information only in accordance with the Customer's documented lawful instructions and applicable data protection laws.

3. Verify Now's Obligations

3.1 Lawful Processing

  • Process personal information only as instructed by the Customer
  • Ensure processing is lawful, fair, and transparent
  • Implement appropriate technical and organisational measures
  • Maintain confidentiality of personal information

3.2 Security Measures

  • Implement industry-standard encryption for data in transit and at rest
  • Maintain secure access controls and authentication measures
  • Regular security assessments and penetration testing
  • Staff training on data protection and security protocols
  • Secure data centres with physical and logical access controls

3.3 Data Minimisation

Verify Now will only process personal information that is adequate, relevant, and limited to what is necessary for providing the requested verification services.

4. Customer Obligations

4.1 Lawful Basis

The Customer warrants that it has a lawful basis for processing, has provided any required notices, and has obtained all consents, authorisations, and permissions required under applicable data protection laws for the selected verification purpose.

4.2 Data Subject Rights

The Customer is responsible for handling data subject requests for access, correction, deletion, or portability of personal information. Verify Now will assist where technically feasible.

4.3 Instructions

The Customer must provide clear, lawful instructions for processing personal information and notify Verify Now of any changes to processing requirements.

4.4 API, Team, and Multiple-Check Use

These obligations apply to every check submitted through the dashboard, API, bulk workflow, automation, integration, or customer team account. The Customer is responsible for controlling its users, protecting API keys, preventing unauthorised access, and ensuring each individual check has a documented lawful purpose before submission.

5. Data Breach Notification

In the event of a personal data breach, Verify Now will:

  • Notify the Customer without undue delay and within 48 hours of becoming aware of a confirmed breach
  • Provide details of the breach, affected data, and mitigation measures
  • Assist the Customer in meeting their notification obligations to the Information Regulator
  • Implement immediate containment and remediation measures
  • Conduct a thorough investigation and provide a detailed incident report

Personal Data Breach Notification SLA

Verify Now commits to notifying affected Customers within 48 hours of confirming a personal data breach. This notification will include the nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken or proposed to address the breach.

6. Cross-Border Data Transfers

Verify Now may transfer personal information to countries outside South Africa only:

  • Where the Information Regulator has determined adequate protection exists
  • With appropriate safeguards including standard contractual clauses
  • With explicit consent from data subjects where required
  • For specific derogations as permitted by POPIA

Note: Current data processing is primarily conducted within South Africa. Any international transfers will be disclosed and conducted in compliance with POPIA Chapter 9.

7. Subprocessors

Verify Now may engage third-party subprocessors to assist in providing services. Subprocessors are limited to infrastructure and operational services only, including cloud hosting, databases, monitoring, email/SMS delivery, and support tooling.

  • All subprocessors are bound by equivalent data protection obligations
  • Customers will receive at least 30 days' notice of any new subprocessors
  • Verify Now maintains contractual and oversight controls for subprocessors
  • A register of current subprocessors is available on request

For the current list of subprocessor categories, see our Sub-processors page.

Verify Now remains responsible for its own obligations under this DPA and applicable data protection law, subject to the limitations, exclusions, and allocation of responsibility in the Terms of Service and any signed customer agreement. Verification sources remain independent authoritative or authorised sources and are not treated as Verify Now subprocessors.

8. Verification Sources

To provide identity verification services, Verify Now accesses authoritative data sources under lawful authority. These verification sources are not subprocessors; they are government and authorised entities that provide authoritative data for verification purposes.

Verification Sources Include:

  • Department of Home Affairs (DHA) – For South African ID verification
  • Companies and Intellectual Property Commission (CIPC) – For company verification
  • Authorised South African data providers – For fraud-prevention indicators, trace data, and verification attributes where lawfully permitted
  • Other lawful and authorised sources – As permitted under applicable legislation and source rules

Access to these sources is governed by applicable South African legislation and the terms of our lawful authority to access such information for verification purposes.

Some Verify Now services are fulfilled using authorised third-party verification and data suppliers under their own permitted-use frameworks. Verify Now is not a credit bureau and does not provide credit information.

Third-Party Data Disclaimer

Important: Verify Now makes no warranty, representation, or guarantee regarding the accuracy, completeness, reliability, or timeliness of any information obtained from third-party verification sources. Verification results reflect information as provided by third-party sources at the time of the query. Customers acknowledge that Verify Now is not responsible for any errors, omissions, inaccuracies, or delays in third-party data.

9. Data Retention and Deletion

9.1 Retention Period

VerifyNow does not store full verification reports by default after returning results to the Customer. We retain audit metadata, lawful-basis attestations, consent records where applicable, credit-usage records, request identifiers, and status metadata only for as long as necessary to provide the requested services, support auditability, and comply with legal obligations. Standard retention periods are outlined in our Privacy Policy. Customer payment card details and customer bank-account payment credentials are handled by payment processors and are not stored by VerifyNow.

9.2 Data Deletion

Upon termination of services or at the Customer's request, Verify Now will securely delete or return eligible Customer personal information within 30 days, unless retention of audit metadata, billing metadata, or other records is required by law or needed for dispute, security, accounting, or compliance purposes.

10. Return and Deletion on Termination

Upon termination or expiry of services, Verify Now will, at the Customer's election:

  • Return all personal information to the Customer in a commonly used, machine-readable format
  • Securely delete all personal information (including copies) and provide written confirmation

This obligation does not apply to personal information or metadata that Verify Now is required to retain under applicable law, or that is needed for audit logs, lawful-basis evidence, billing records, security, dispute handling, or compliance.

Process Timeline:

  • Customer must specify preference within 30 days of termination
  • Return or deletion completed within 30 days of receiving instruction
  • Written confirmation provided upon completion

11. Audit Rights

Customers have the right to audit Verify Now's compliance with this DPA, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Limitation to once per year unless required by incident investigation
  • Confidentiality obligations regarding Verify Now's systems and processes
  • Customer responsibility for audit costs

Verify Now will also provide documentation of our security practices to demonstrate adherence to data protection standards upon reasonable request.

12. Security Assurance and Reviews

Verify Now commits to maintaining robust security practices through:

  • Annual security assessments and vulnerability testing
  • Regular review and updates of security measures
  • Prompt remediation of identified vulnerabilities
  • Ongoing staff training on data protection and security protocols

Security assessment summaries are available to Customers upon request, subject to confidentiality obligations. Please contact security@verifynow.co.za for more information.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of South Africa. Any disputes arising from or relating to this agreement will be subject to the exclusive jurisdiction of the South African courts.

This agreement is subject to POPIA and other applicable South African and international data protection regulations.

14. Contact Information

Data Protection Officer

Company: Urban Luxury Brands (Pty) Ltd trading as VerifyNow

Registration number: 2007/013732/07

Email: privacy@verifynow.co.za / hello@verifynow.co.za

Website: www.verifynow.co.za

Information Regulator South Africa

Website: https://www.justice.gov.za/inforeg/

Email: complaints.IR@justice.gov.za

15. Amendments

Verify Now may update this DPA to reflect changes in law, regulation, or business practices. Customers will be notified of material changes with at least 30 days' notice. Continued use of services after amendments constitutes acceptance of the updated terms.

Effective Date

This Data Processing Agreement is effective from May 26, 2026, and applies to all processing of personal information by Urban Luxury Brands (Pty) Ltd trading as VerifyNow on behalf of its customers.

Privacy PolicyTerms of ServiceUsage PolicySub-processorsCookie PolicyInformation SecurityTrust CenterPAIA ManualContact Us