Back to Urbanlink PMS

Legal

Data Processing Addendum

Effective June 2026· Urbanlink Networks (Pty) Ltd

This Data Processing Addendum (“DPA”) forms part of the Urbanlink PMS Terms of Servicebetween Urbanlink Networks (Pty) Ltd (“Urbanlink”, the “Operator”) and the customer organisation that accepts the Terms (the “Responsible Party”, the “Customer”). It governs the processing of Personal Information by the Operator on behalf of the Responsible Party in connection with the Service, in accordance with sections 19, 20 and 21 of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

1. Definitions

Capitalised terms used and not otherwise defined have the meanings given to them in the Terms of Service. Terms that have a particular meaning under POPIA (such as “Personal Information”, “Processing”, “Data Subject”, “Operator” and “Responsible Party”) have those meanings here. “Sub-operator” means a third party engaged by the Operator to process Personal Information on the Responsible Party’s behalf.

2. Roles of the parties

For the duration of the Terms of Service:

  • the Customer is the Responsible Party in respect of Personal Information uploaded to the Service about its tenants, landlords, vendors, employees and other data subjects;
  • Urbanlink is the Operator and processes such Personal Information only on documented instructions from the Responsible Party. The Responsible Party’s use of the Service constitutes its standing instructions; further specific instructions may be given in writing.

3. Subject-matter, duration and nature of processing

The details required by section 21 of POPIA are set out in Annex 1 below.

4. Operator’s obligations

The Operator will:

  • process Personal Information only on documented instructions from the Responsible Party;
  • implement and maintain the technical and organisational security measures set out in Annex 3, which are no less protective than those required by section 19 of POPIA;
  • ensure that persons authorised to process Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • notify the Responsible Party of any security compromise affecting Personal Information as soon as reasonably possible after becoming aware of it, providing reasonable detail to enable the Responsible Party to discharge its own notification obligations under section 22 of POPIA;
  • provide the in-product DSAR tooling and reasonable assistance to enable the Responsible Party to respond to data-subject requests under POPIA, taking into account the nature of the processing and the information available to the Operator;
  • on termination of the Terms of Service, delete or return all Personal Information to the Responsible Party in accordance with section 16 below;
  • make available to the Responsible Party the information necessary to demonstrate compliance with this DPA and contribute to audits in accordance with section 12 below;
  • immediately inform the Responsible Party if, in its opinion, an instruction contravenes POPIA or other applicable data protection law.

5. Responsible Party’s obligations

The Responsible Party warrants and undertakes that it will:

  • process Personal Information in accordance with POPIA, including in respect of the lawful basis for processing and the provision of notices to data subjects;
  • obtain all necessary consents and provide all necessary notifications to data subjects;
  • give documented instructions to the Operator only for lawful purposes and ensure that those instructions are consistent with POPIA;
  • designate and support an Information Officer as required by section 55 of POPIA.

6. Sub-operators

6.1 General authorisation

The Responsible Party authorises Urbanlink to engage sub-operators to process Personal Information in connection with the Service, subject to the conditions of this section.

6.2 Current sub-operators

The current list of sub-operators is set out in Annex 2.

6.3 New or replacement sub-operators

Where Urbanlink intends to add or replace a sub-operator that processes Personal Information, it will give the Responsible Party at least 30 (thirty) days’ prior notice (by email or in-product notification). The Responsible Party may reasonably object on data protection grounds within that period, in which case the parties will work in good faith to find a mutually acceptable solution; failing such resolution, the Responsible Party may terminate the Service in accordance with the Terms of Service.

6.4 Flow-down

Urbanlink remains liable for the acts and omissions of its sub-operators to the same extent as if they were its own, and will impose data protection obligations on each sub-operator that are no less protective than those set out in this DPA.

7. International transfers

Where Personal Information is transferred to a sub-operator or other recipient outside the Republic of South Africa, the transfer is subject to section 72 of POPIA. Urbanlink will ensure that the recipient is either subject to a law or binding rules that provide an adequate level of protection equivalent to POPIA, or is bound by contractual provisions providing such protection, or that one of the other lawful bases for cross-border transfer applies.

8. Security

Urbanlink implements and maintains the technical and organisational security measures described in Annex 3. Urbanlink may update those measures from time to time provided that the updated measures do not materially diminish the protection of Personal Information.

9. Personal information breach notification

Urbanlink will notify the Responsible Party in writing of any personal information breach affecting the Responsible Party’s Personal Information as soon as reasonably possible after becoming aware of it. The notification will, to the extent known at the time, include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate the breach. The Responsible Party remains responsible for performing notifications to the Information Regulator and data subjects under section 22 of POPIA.

10. Data subject requests

The Operator provides the in-product DSAR portal and ancillary tooling to enable the Responsible Party to receive, log, action and respond to data-subject requests. Where the Operator receives a data-subject request directly that relates to a Responsible Party’s data, the Operator will, without responding to the request, promptly redirect the data subject to the relevant Responsible Party.

11. Assistance with regulator engagements

On the Responsible Party’s reasonable request, the Operator will provide such assistance as is necessary to enable the Responsible Party to engage with the Information Regulator (including in respect of prior authorisations under section 57 where applicable), taking into account the nature of the processing and the information available to the Operator.

12. Audit

The Operator will make available to the Responsible Party, no more than once in any 12-month period (and more frequently if required by the Information Regulator), information necessary to demonstrate compliance with this DPA. This may be provided in the form of: (a) a written response to a reasonable security questionnaire; (b) a summary of the Operator’s information security posture; and/or (c) copies of any independent security assessments or certifications obtained by the Operator in the preceding 24 months. On-site audits are not generally permitted but may be agreed by the parties in the event of a material security incident, subject to reasonable confidentiality and operational safeguards.

13. Confidentiality

Personal Information is the Confidential Information of the Responsible Party. The Operator and its sub-operators are bound by confidentiality undertakings in respect of the Personal Information.

14. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot lawfully be limited or excluded.

15. Term & termination

This DPA takes effect on the same date as the Terms of Service and continues for as long as the Operator processes Personal Information on behalf of the Responsible Party. Provisions that by their nature should survive termination, including those relating to confidentiality, security and return or deletion of Personal Information, survive termination.

16. Return or deletion of Personal Information

On termination of the Terms of Service, the Responsible Party may export its data through the in-product export tools during the 30-day read-only window. Thereafter, the Operator will delete the Personal Information (and procure that its sub-operators do the same), except to the extent the Operator is required by applicable law to retain any of it, in which case the Operator will continue to protect it in accordance with this DPA.

17. Conflict

In the event of a conflict between this DPA and the Terms of Service or any other agreement between the parties, this DPA prevails to the extent of the conflict in respect of data protection matters.

18. Governing law

This DPA is governed by and construed in accordance with the laws of the Republic of South Africa. The dispute-resolution provisions of the Terms of Service apply to disputes arising under this DPA.

Annex 1 — Details of processing

Subject matter

Provision of the Urbanlink PMS property management software-as-a-service platform.

Duration

The term of the Responsible Party’s subscription to the Service, plus any post-termination retention period required by law.

Nature and purpose

Storage, transmission, processing, generation of reports, syndication to portals, delivery of communications, financial recordkeeping, and provision of compliance tooling.

Categories of data subjects

  • customer organisation users (administrators, staff, agents);
  • tenants and prospective tenants;
  • landlords, property owners and beneficial owners;
  • vendors and service providers;
  • body-corporate members and trustees.

Categories of Personal Information

  • identification data (name, ID/passport number, date of birth, photograph);
  • contact data (physical address, email, telephone, emergency contact);
  • financial data (bank account, income proof, payment history);
  • property and lease records;
  • communication content;
  • FICA records (proof of identity, proof of residence, source of funds, risk rating);
  • audit and access logs.

Annex 2 — Sub-operators

Urbanlink engages the following categories of sub-operators in delivering the Service. The current entity list may be updated from time to time in accordance with section 6.3.

CategoryPurpose
Infrastructure hosting providerCompute, storage and networking that underpins the Service
Edge security and content deliveryTLS termination, DDoS mitigation, web application firewall
Transactional email deliverySending account, security and notification emails
SMS gatewaySending one-time codes and notifications by SMS
WhatsApp Business gatewaySending and receiving WhatsApp messages on behalf of the customer
Payment processorCollection and reconciliation of online payments
Observability and security monitoringError reporting, performance monitoring and security alerting

A current named-entity list is available on written request to [email protected].

Annex 3 — Security measures

The Operator implements appropriate technical and organisational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, including:

  • Encryption: strong, industry-standard encryption of sensitive data at rest, and of Personal Information in transit.
  • Access control: role-based access control, principle of least privilege, modern password handling, multi-factor authentication for administrative access, periodic access reviews.
  • Tenant isolation: hard per-tenant data isolation enforced beneath the application layer, so that cross-tenant exposure is structurally prevented rather than only rule-checked.
  • Audit logging: tamper-evident, append-only audit logging of access to and modification of Personal Information.
  • Network security: private internal networks for database and back-office services, ingress firewalling, rate limiting on authentication endpoints.
  • Vulnerability management: routine security patching, dependency updates and periodic security testing.
  • Backup & recovery: encrypted daily backups, off-platform storage, documented restore procedures and periodic restore testing.
  • Organisational measures: confidentiality undertakings from staff, background checks where appropriate, documented security policies and an incident response plan.
  • Vendor risk management:assessment of sub-operators’ security posture before engagement and on a recurring basis.

Updates to these measures will not materially diminish the level of protection. Specific technical details are not published here for security reasons but are available under non-disclosure to customers as part of a vendor security review.