Legal

Terms Of Service

HEADSPACE TECHNOLOGIES PROPRIETARY LIMITED
Registration Number 2015/192030/07
Applicable as of 1 November 2020

1. PREVAILING TERMS OF SERVICE

Before you use the Commspace service subject to these terms of service, please read this document carefully. This is a legal agreement (the “Agreement”) between Commspace (Proprietary) Limited (“our”, “us”, “we”, the “Company” or “Commspace”), and you and/or the entity that you represent (“you”, “your” or “yourself”) which governs your use of the Commspace internet-based commission tracking and referral management services (the “Service”) and comes into force automatically when you start using the Service (the “Effective Date”). You represent to us that you are lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
This Agreement shall prevail over any term and condition contained in any documentation you may supply or any other documentation.

2. THE COMMSPACE SERVICE

By paying a monthly Service Fee and as long as you are a client of the Company, you are granted a right to use the Service subject to the restrictions set forth in this Agreement and any other restrictions stipulated to you by us in writing.
You must supply us with current, accurate and complete information to register for the Service.

3. TERM

The term of this Agreement will commence on the Effective Date and will remain in effect until terminated by you or us in accordance with clause 16.

4. YOUR RESPONSIBILITIES

You are solely responsible for the development, content, operation, maintenance, and use of Your Content. For example, you are solely responsible for:
the technical operation of Your Content, including ensuring that commission allocations are correctly set up and any other information submitted is accurate;
compliance of Your Content with the applicable laws;
any claims relating to Your Content; and
properly handling and processing commission statements and other information sent to you (or any of your affiliates).
You are responsible for properly configuring and using the Service and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving of Your Content. Commspace log-in credentials and private keys generated by the Services are for your internal use only and you may not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf.
You are responsible for providing client service (if any) to persons who access or use your account or otherwise access or use the Service under your account (“End Users”). We do not provide any support or services to End Users unless we have a separate agreement with you or an End User obligating us to provide support or services.

5. SUPPORT

If you would like support for the Services other than the support We generally provide to other users of the Services without charge, you may enrol for client support in accordance with a support agreement to be agreed upon between you and Us.

We agree to provide you with a detailed historical record of all your content in a .csv or other appropriate format to enable you to migrate the historical data to another provider.

6. SERVICE FEES

By selecting the Service and utilising it, you agree to pay the monthly service fees in accordance with our prevailing price list (“Service Fee”) and to continue to pay the Service Fee until you cancel your account with us.
Payment of the Service Fee must be made monthly in advance, without deduction or set-off, on or before the 5th day of every month, unless formally agreed otherwise, in writing, between you and Us, failing which we shall be entitled to suspend your access to the Service with immediate effect, as set out in clause 15.
Payment must be made by way of debit order or similar automatic deduction. Electronic transfer into a bank account nominated by us in writing is acceptable at our sole discretion, only after prior arrangement.
We may revise our Service Fees at any time provided prior notice has been given in writing.

Payments reflecting Service Fee charges for the immediately succeeding month’s use of the Service may be deducted from your authorised credit card/bank account promptly following the start of each calendar month, unless otherwise agreed in writing.

Prices established in this Agreement, and in any schedule, exhibit or related agreement hereto, are exclusive of taxes and other fees which may be imposed on the Company or you for the provision or use of the Service. You will be responsible for such taxes and other fees.

7. MODIFICATION TO THE SERVICE

We may change, suspend, or discontinue all or any part of the Service at any time, with or without reason.

YOU ACKNOWLEDGE THAT THE OPERATION OF THE SERVICE MAY FROM TIME TO TIME ENCOUNTER TECHNICAL OR OTHER PROBLEMS AND MAY NOT NECESSARILY CONTINUE UNINTERRUPTED OR WITHOUT TECHNICAL OR OTHER ERRORS AND WE SHALL NOT BE RESPONSIBLE TO YOU OR OTHERS FOR ANY SUCH INTERRUPTIONS, ERRORS OR PROBLEMS OR AN OUTRIGHT DISCONTINUANCE OF THE SERVICE.

We have no obligation to continue producing or releasing new versions of the Service.

8. SERVICE IMPLEMENTATION, REGISTRATION

You agree to provide true, accurate, current and complete information about yourself as prompted by the Service registration process (such information being the “Registration Data”). You further agree that, in providing such Registration Data, you will not knowingly omit or misrepresent any material facts or information and that you will promptly enter corrected or updated Registration Data via the Service, or otherwise advise us promptly in writing of any such changes or updates. You further consent and authorise us to verify your Registration Data as required for your use of and access to the Service, to the extent reasonably required.

Once you subscribe to the Service, you shall receive a unique username and password in connection with your account (collectively referred to herein as “IDs”). You agree that you will not allow another person to use your IDs to access and use the Service under any circumstances. You are solely and entirely responsible for maintaining the confidentiality of your IDs and for any charges, damages, liabilities or losses incurred or suffered as a result of your failure to do so. We are not liable for any harm caused by or related to the theft of your IDs, your disclosure of your IDs, or your authorisation to allow another person to access and use the Service using your IDs. Furthermore, you are solely and entirely responsible for any and all activities that occur under your account. You agree to immediately notify us of any unauthorised use of your account or any other breach of security known to you.

9. DATA PROTECTION AND PRIVACY

We draw your attention to our Data Privacy Notice which describes our commitments and obligations for data protection in terms of the Protection of Personal Information Act 4 of 2013 (POPIA).

Even though we commit to taking all reasonable measures to protect your data and ensure its privacy, YOU ACKNOWLEDGE THAT THE COMPLETE PRIVACY OF YOUR DATA AND MESSAGES TRANSMITTED WHILE USING THE SERVICE CANNOT BE GUARANTEED.

The Service will store and process financial and client information that you submit to the Service, given that the data submitted complies with the format and size limitations as indicated by the Service.

We are not liable for any losses relating to missing or incorrect information provided by you, or other actions by you or your agents or representatives that are deceptive, fraudulent or otherwise invalid (“Fraudulent Actions”). By using the Service, you hereby release us from any liability arising from Fraudulent Actions. You will also use best efforts to promptly notify us of any Fraudulent Actions which may affect the Service. Commspace reserves the right, in its sole discretion, to terminate your account if you engage in, or enable any other user or client to engage in, Fraudulent Actions.

10. SERVICE USE AND LIMITATIONS

We will make reasonable efforts to keep the Service operational 24 hours a day/7 days a week, except for: (i) planned downtime (of which we will provide at least 8 hours prior notice); or (ii) any unavailability caused by circumstances beyond our control, including but not limited to, acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labour problems or Internet service provider failures or delays or (iii) that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control) or (vii) arising from our suspension and/or termination of your right to use the Service in terms of clause 6.2 hereof.
You acknowledge that Commspace is a commission tracking and referral management software service and not a salary or compensation payment service. You acknowledge and agree that: (i) we will not be liable for remunerating you or your commission sharers based on information provided by Commspace; and (ii) we are not liable for any incorrect payments, salary or commission payment disputes that may arise from the information obtained from the Service.

11. PROPRIETARY RIGHTS

The Service contains content and technology of the Company that is protected by copyright, trademark, patent, trade secret and other laws. The Company owns intellectual property rights to any protectable part of the Service, including but not limited to the design, artwork, logos, functionality, and documentation (collectively, the “Company Property”). You may not copy, modify, or reverse engineer any part of the Service owned by the Company.
Subject to the terms and conditions hereof, Company hereby grants you a limited, revocable, non-transferable and non-sublicensable license to display the Company Property (excluding any software code) solely for use in connection with viewing the Service or other uses which are expressly permitted by the Company in writing. Notwithstanding such permitted uses and license, you acknowledge that all derivative designs and artwork which utilise the Commspace logo or other Company Property (collectively, “Derivative Works”) are the sole property of the Company. No other rights are granted to you with respect to the Company Property other than those rights granted explicitly herein, including with respect to any Derivative Works.
All right, title and interest in any text, images, or other information, including information relating to your clients, commission and other income (collectively, “Your Content”) loaded onto the Service by you, shall remain your sole property. You may use Your Content in any way without restriction.
In order to operate the Service, the Company needs the right to make certain uses of Your Content and you consent to our use of Your Content to provide the Service to you. We may disclose Your Content to provide the Service to you or any End Users and to comply with any request from a governmental or regulatory body. We shall furthermore be entitled to collect and utilise data in respect of Your Content only on an aggregated anonymised basis, to which you consent.
The Company reserves the right to remove any Content from the service, at its sole discretion.

12. DISCLAIMER OF WARRANTIES

You expressly understand and agree that

YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. THE SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. THE COMPANY AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, SUBJECT TO AND TO THE EXTENT PERMISSIBLE UNDER THE CONSUMER PROTECTION ACT, ACT 68 OF 2008.

THE COMPANY MAKES NO WARRANTY THAT (I) THE SERVICE WILL MEET YOUR REQUIREMENTS OR EXPECTATIONS, (II) THAT YOUR ACCESS TO OR USE OF THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR FREE, (III) THAT ANY DEFECTS IN THE SERVICE WILL BE CORRECTED, OR (IV) THAT THE SERVICE OR ANY SERVER THROUGH WHICH YOU ACCESS THE SERVICE IS FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

YOU UNDERSTAND THAT IN USING THE SERVICE, SENSITIVE INFORMATION WILL TRAVEL THROUGH THIRD PARTY INFRASTRUCTURES WHICH ARE NOT UNDER COMMSPACE’S CONTROL (SUCH AS THIRD PARTY SERVERS). COMMSPACE GIVES NO WARRANTY WITH RESPECT TO THE SECURITY OF SUCH THIRD PARTY INFRASTRUCTURES.

ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICE IS ACCESSED AT YOUR OWN DISCRETION AND RISK, AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY SUCH MATERIAL.

NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE COMPANY OR THROUGH OR FROM THE SERVICE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.

13. LIMITATION OF LIABILITY AND INDEMNITY

YOU EXPRESSLY UNDERSTAND AND AGREE THAT THE COMPANY AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFIT, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM:
THE USE OR THE INABILITY TO USE THE SERVICE;
THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICE RESULTING FROM ANY GOODS, DATA, INFORMATION OR SERVICE PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM THE SERVICE;
UNAUTHORISED ACCESS TO OR ALTERATION OF YOUR CONTENT;
ANY OTHER MATTER RELATING TO THE SERVICE IN ALL INSTANCES SUBJECT TO AND TO THE EXTENT PERMISSIBLE UNDER THE CONSUMER PROTECTION ACT.
EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS OF THE PARTIES SET OUT HEREIN, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY ON ACCOUNT OF ANY CLAIM (WHETHER BASED UPON PRINCIPLES OF CONTRACT, WARRANTY, NEGLIGENCE OR OTHER TORT, BREACH OF ANY STATUTORY DUTY, THE FAILURE OF ANY LIMITED REMEDY TO ACHIEVE ITS ESSENTIAL PURPOSE, OR OTHERWISE) FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO LOST PROFITS, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If you are dissatisfied with the Service, your sole and exclusive remedy is to discontinue use of the Service. Except for the indemnification and confidentiality obligations of the parties set out herein, in no event shall either party’s liability exceed an amount equal to the Service Fees paid by you under this Agreement, during the last 6 months prior to termination of the Service.

14. PRIVACY

Our collection of information from you, if any, is subject to our Privacy Policy. You understand that through your use of the Service you consent to the collection and use (as set forth in the Privacy Policy) of this information.

15. SUSPENSION

We may suspend your or any End User’s right to access or use any portion or all of the Service immediately upon notice to you if we determine:
your or an End User’s use of or registration for the Service (i) poses a security risk to the Service or any third party, (ii) may adversely impact the Service or the systems or content of any other Commspace client, (iii) may subject us, our affiliates, or any third party to liability, or (iv) may be fraudulent;
you are, or any End User is, in breach of this Agreement, including if you are in default of your payment obligations for more than 15 days; or
you have ceased to operate in the ordinary course, made an assignment for the benefit of creditors or similar disposition of your assets, or become the subject of any insolvency, business rescue, liquidation, dissolution or similar proceeding.
If we suspend your right to access or use any portion or all of the Service:
you remain responsible for all Service Fees and/or charges you have incurred through the date of suspension;
you will not be entitled to any service credits under any Service Level Agreement/-s for any period of suspension; and
we will not erase any of Your Content as a result of your suspension, except as specified elsewhere in this Agreement.
Our right to suspend your or any End User’s right to access or use the Service is in addition to our right to terminate this Agreement pursuant to clause 16.

16. TERMINATION

You may terminate this Agreement for any reason by providing us 30 days advance notice. We may terminate this Agreement for any reason by providing you 30 days advance notice.

Either party may terminate this Agreement for cause upon 30 days advance notice to the other party if there is any material default or breach of this Agreement by the other party, unless the defaulting party has cured the material default or breach within the 30 day notice period.

We may also terminate this Agreement immediately upon notice to you (A) for cause, if any act or omission by you or any End User results in a suspension described in clause 15.1.2, (B) if our relationship with a third party partner who provides software or other technology we use to provide the Service expires, terminates or requires us to change the way We provide the software or other technology as part of the Services, (C) if we believe providing the Services could create a substantial economic or technical burden or material security risk for us, (D) in order to comply with the law or requests of governmental entities, or (E) if we determine use of the Service by you or any End Users or our provision of any of the Services to you or any End Users has become impractical or unfeasible for any legal or regulatory reason.

Information hosted in the organisation’s application database will be removed after a period of 2 years if not requested by the responsible party otherwise. Other forms of communication will be held for up to five (5) years for legislative purposes, in accordance with our Data Retention Policy.

17. EFFECT OF TERMINATION

Upon any termination of this Agreement:
all your rights under this Agreement immediately terminate;
you remain responsible for all Service Fees and/or charges you have incurred up to the date of termination;
we will immediately terminate your access to the Service; and
clauses 1, 4, 11 (except the license granted to you in clause 11.2), 12, 13 17.1.4 and 18 will continue to apply in accordance with their terms.

Unless We terminate your use of the Service pursuant to clause 15.2, during the 30 days following termination:
we will not erase any of Your Content as a result of the termination;
you may retrieve Your Content from the Services only if you have paid all amounts due; and
we will provide you with the same post-termination data retrieval assistance that we generally make available to all clients.

Any additional post-termination assistance from us is subject to mutual agreement by you and us.

18. MISCELLANEOUS

This Agreement constitutes the entire agreement between you and the Company and supersedes any and all previous agreements, written or oral, between you and the Company, including previous versions of the Terms of Service.
The Company may assign this Agreement in whole or part at any time.
This Agreement and the relationship between you and the Company shall be governed by the laws of the Republic of South Africa without regard to its conflict of law provisions. You and the Company agree to submit to the personal and exclusive jurisdiction of the Western Cape High Court, Cape Town.
Any failure of the Company to enforce or exercise a right provided in these terms is not a waiver of that right.
Should any provision of these terms be found invalid or unenforceable, the remaining terms shall still apply.
We will not be liable for any delay or failure to perform any obligation under this Agreement where the delay or failure results from any cause beyond our reasonable control, including acts of God, labour disputes or other industrial disturbances, systemic electrical, telecommunications or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, acts or orders of government, acts of terrorism or war.

Notices:
We may provide any notice to you under this Agreement by: (i) posting a notice on the Commspace website; or (ii) sending a message to the email address then associated with your account. Notices we provide by posting on the Commspace website will be effective upon posting and notices we provide by email will be effective when we send the email. It is your responsibility to keep your email address current. You will be deemed to have received any email sent to the email address then associated with your account when we send the email, whether or not you actually receive the email.

To give us notice under this Agreement, you must contact Commspace by sending us a message.

Privacy Policy

Applicable as of 1 August 2020

1. GENERAL INFORMATION

1.1 Introduction

Thank you for your interest in our website and our online services. Protecting customers’ / visitors’ / users’ data and using it only in the way our customers/visitors/users expect from us is our highest priority. Thus, the following Policy is designed to inform you about the processing of your Personal Information and your rights regarding this processing according to the Protection of Personal Information Act No. 4 of 2013 (“POPI”) and other data protection laws including the General Data Protection Regulation (“GDPR”) where applicable.

1.2. Responsible Party

We, Headspace Technologies, are the Responsible Party according to POPI and therefore responsible for the data processing explained herein.

1.3. Information Officer

You can contact our Information Officer at any time by using the following contact details:

Address: KWV Head Office, 57 Main Road, Paarl, South Africa
Phone: 0861 477 774
e-mail: iso@headspacetech.com

2. PROCESSING OF PERSONAL DATA DURING YOUR USE OF OUR WEBSITE

Your visit to our website and/or use of our online services will be logged. The IP address currently used by your device, date and time, the browser type and operating system of your device, the pages accessed and additional data may be recorded. This data is collected for the purposes of optimising and improving our website as well as our online services. The processing is legally based on legitimate interest as it is in our legitimate interest to protect our website and to improve the quality of our services. Additionally, your Personal Information is only stored if you provide it to us on your own account, e.g. as part of a registration, a survey, an online application or for online purchase (performance of a contract). We have taken appropriate measures to ensure that the data provided to us during the registration is adequately protected. These measures include, but are not limited to, encryption, access control, segregation of duties, internal audit etc.

2.1. Newsletter Registration

If you wish, you can subscribe to our newsletter on our website https://www.commspace.co.za/contact by filling out the registration form provided there. The Personal Information that is collected in the registration form will only be processed for sending newsletters to your e-mail address and only if you have given your consent to this data processing. Your Personal Information will be processed until you unsubscribe from the newsletter by clicking the link “unsubscribe” which is provided in each newsletter you receive from us. Please note that you will not receive any newsletters from us anymore after you unsubscribe.

2.2. Contact Form

You can use the contact form on our website https://www.commspace.co.za/contact to contact us for any request. The Personal Information that you enter into the contact form will only be processed for answering your request. Filling in and submitting the contact form constitutes an affirmative action by which you have given your consent to the data processing.

2.3. Cookies

To make your visit to our website more pleasant and to enable the use of certain functions, we may use “cookies” on various pages. Cookies are small text files that are stored on your terminal device. Some of the cookies we use are deleted after the end of the browser session. Other cookies remain on your device and enable us or our partner companies to recognise your browser on your next visit. You can set your browser in such a way that you are informed about the setting of cookies separately and decide individually about their acceptance or exclude the acceptance of cookies for certain cases or generally. For more information, see the help function of your Internet browser. If cookies are not accepted, the functionality of our website may be limited.

To find out more about how we use cookies you can access our “Cookie Policy” at https://legal.commspace.co.za/#cookie-policy

2.4. Data Recipients

We may use third-party service providers to process your Personal Information. These service providers may be located in or outside of South Africa or in countries within and outside the European Union (EU) and the European Economic Area (EEA). We ensure that these service providers process Personal Information in accordance with European data protection guidelines or legislation to guarantee an adequate data protection level, even if Personal Information is transferred into a country outside the EEA for which no adequacy decision of the EU Commission exists. Transfers of Personal Information to other recipients are not performed, except where we are obliged to do so by law. For more information about appropriate safeguards for the international data transfer or a copy of them, please contact our Information Officer.

2.5. Retention Period

Personal Information provided to us via our website will only be stored until the purpose for which it was processed has been fulfilled. Insofar as retention periods under commercial and tax law must be observed, the storage period for certain data can be up to 10 years. However, storage periods may also be amended due to our legitimate interest (e.g. to guarantee data security, to prevent misuse or to prosecute criminal offenders).

3. YOUR RIGHTS

As a Data Subject, you can contact our Information Officer at any time with a notification under the contact information mentioned above under clause 1.3 to make use of your rights. These rights are the following:

The right to receive information about the data processing and a copy of the processed data;

The right to demand the rectification of inaccurate data or the completion of incomplete data;

The right to demand the erasure of Personal Information;

The right to demand the restriction of the data processing;

The right to receive the Personal Information concerning the Data Subject in a structured, commonly used and machine-readable format and to request the transmittance of these data to another controller;

The right to object to the data processing;

The right to withdraw a given consent at any time to stop data processing that is based on your consent;

The right to file a complaint with the competent supervisory authority: inforeg@justice.gov.za.

POPIA Compliance

Applicable as of 1 November 2020

Introduction

The Protection of Personal Information Act (or POPI Act) is South Africa’s equivalent to the EU GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons). The POPI Act is important because it protects data subjects from harm, like theft and discrimination. The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect PII.

Acronym definitions:

POPIA – Protection of Personal Information Act

ISO – Information Security Officer

ISO27001 – International Standard for Information Security

GDPR – General Data Protection Regulation

ISMS – Information Security Management System

1. Our approach to POPIA compliance

In 2020 we officially became POPIA compliant as part of the process of becoming ISO27001 certified. ISO27001 is an international standard that defines how to manage information security in an organization through the implementation of a robust information security management system (ISMS). To this ISMS we added the additional items required to achieve full POPIA (and GDPR) compliance.

2. How are we meeting POPIA compliance?

We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets relevant to meet the purpose and goals of the organisation. This includes the handling of personal data or “Personally Identifiable Information” (PII).

Furthermore, we are committed to ensuring compliance with the European Union General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) 1998 and any other data protection legislation or regulation relevant to our business operations.

In complying with the above-mentioned legislation and regulation, the organisation makes commitments to implement policies and processes related to that compliance and to make staff and relevant third parties aware of their responsibilities when handling personal data.

More detailed policies and processes support this document, including our Information Security Policy. A GDPR compliance workspace is also maintained in line with Information Commissioner Office recommendations. These are located and managed within our ISMS platform. References to these documents can be found below and requested from our ISO.

Data Protection Policy

Information Security Policy

Data Retention Policy

Data Breach Response Plan

3. What are our obligations towards you?

We, Headspace Technologies, are obligated to secure any Personally Identifiable Information (PII) provided to us. We will destroy, move and/or modify PII to the needs of the information owner on request to our ISO. We are obligated to adhere to these requests provided that the information owner has given authorization and the correct processes are followed. We acquire consent from information owners before processing PII and are obligated to request consent in a timely manner before we use or process the information for purposes other than those for which consent was previously given.

Your PII will be controlled through secure systems and removed from our ownership based on a retention schedule. These schedules act as audits to ensure that we are not in possession of PII after the agreed/consented period. We are obligated to supply information owners with copies of our policies and procedures on request to clarify and/or prove the existence of the same. We must also have an accessible environment for information owners to contact, request or demand actions, procedures and/or information regarding their PII and security-related enquiries.

All members of staff have an obligation to report actual or potential data protection weaknesses, events and incidents where compliance may be breached. This allows us to:

Investigate the failure and take remedial steps if necessary

Maintain a register of compliance failures

Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

The reporting of such weaknesses, events and incidents will be managed through our Information Security Incident Management processes.

4. What are your obligations towards us?

As the information owners of your PII, you are obligated to supply us with consent before we may process your information. You must follow procedures and processes put in place by Headspace Technologies to request any modification, removal or relocation of your PII.

This document will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually. All employees and relevant interested parties associated with the organisation’s handling of personal data must comply with these policies. Appropriate training and materials to support it are available.

Contact our ISO: iso@headspacetech.com

Data Protection Policy

Applicable as of 1 June 2021

1. GENERAL INFORMATION

1.1. PURPOSE
The purpose of this document is to demonstrate the commitment of the Board of Directors and management to the protection of personal data.

1.2. RESPONSIBLE PARTY
The Board of Directors and management of Headspace Technologies, located at 57 Main Road, Paarl, South Africa operates primarily in the business of financial technology.

1.3 INTRODUCTION
We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets relevant to meet the purpose and goals of the organisation. This includes the handling of personal data or “Personally Identifiable Information” (PII).

Furthermore, we are committed to ensuring compliance with the European Union General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) 1998 and any other data protection legislation or regulation relevant to our business operations.

In complying with the above-mentioned legislation and regulation, the organisation makes commitments to implement policies and processes related to that compliance and to make staff and relevant third parties aware of their responsibilities when handling personal data.

More detailed policies and processes thus support this policy, including our Information Security Policy. A GDPR compliance workspace is also maintained in line with Information Commissioner's Office recommendations. These are located and managed within the ISMS.online platform.

This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually.

2. SCOPE
All employees and relevant interested parties associated with the organisation’s handling of personal data have to comply with this policy. Appropriate training and materials to support it are available.

3. DEFINITIONS
The key definitions of terms used within or referred to by this policy are based upon those in the GDPR or other recognised documentation and are contained in Annex A.

4. ORGANISATIONAL RESPONSIBILITIES
Our Data Protection Officer has overall responsibility for the day-to-day implementation of this policy.

This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually.

4.1 Staff data protection training
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided on a regular basis and when specific trigger events occur e.g. threats or incidents affecting all or part of the organisation, its supply chain or other Interested Parties that might impact the organisation financially or reputationally.

It will cover:

The law relating to data protection

Our data protection and related policies and procedures.

Completion of this training is compulsory and where appropriate will be evidenced by task completion in the ISMS.online platform.

Privacy Notice – transparency of data protection

Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation and is required under GDPR. Whenever personal data is being collected we will document and provide a Privacy Notice in line with the requirements of Article 13 of the GDPR.

4.2 Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing (described further below) and this will be specifically documented in the ISMS.online platform. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

4.3 Justification for personal data
We will process personal data in compliance with all eight data protection principles.

We will document the additional justification for the processing of sensitive data and will ensure any biometric and genetic data is considered sensitive.

4.4 Sensitive personal data
In most cases where we process sensitive personal data, we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to identify clearly what the relevant data is, why it is being processed and to whom it will be disclosed.

4.5 Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.

Under GDPR, processing of personal data is lawful only if at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

processing is necessary for compliance with a legal obligation to which the controller is subject;

processing is necessary in order to protect the vital interests of the data subject or of another natural person;

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The processing of all personal data must be:

Necessary to deliver our services

In our legitimate interests and not unduly prejudice the individual’s privacy

In most cases, this provision will apply to routine business data processing activities.

Our Terms of Business contains a Privacy Notice to clients on data protection.

The notice:

Sets out the purposes for which we hold personal data on customers and employees

Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers

Provides that customers have a right of access to the personal data that we hold about them

4.6 Consent
The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.

4.7 Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate, you should record the fact that the accuracy of the information is in dispute and inform the Data Protection Officer.

4.8 Data Portability
Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.

A data subject may also request that their data is transferred directly to another system. This must be done for free.

4.9 Right to be forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

4.10 Privacy by design and default
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The Data Protection Officer will be responsible for conducting Privacy Impact Assessments (PIA) and ensuring that all IT and other relevant projects commence with a privacy plan. ISMS.online provides a PIA framework that is used for managing the process and documenting the approach.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

4.11 International data transfers
No data may be transferred outside of the EEA without first discussing it with the data protection officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.

4.12 Data security
We must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the Data Protection Officer will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations.

The organisation has a documented “Information Security Policy” and a set of subordinate security policies and controls relating to our management of data and information security. These are held within the ISMS.online platform.

4.13 Data retention
We must not retain personal data for longer than is necessary. What is “necessary” will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.

Data retention schedules will be maintained showing the minimum and maximum periods of retention for each data set.

4.14 Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

5. STAFF RESPONSIBILITIES
All individual staff members are responsible for playing their part in maintaining the confidentiality, integrity and availability of personal data in compliance with the GDPR, DPA and organisational policies, standards and procedures.

You must familiarise yourself with the requirements contained in this policy and any other relevant security policy and comply with any requirements relating to the proper handling and security of personal data.

5.1 Your personal data
You must take reasonable steps to ensure that the personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Protection Officer or the HR Department so that they can update your records.

5.2 Handling others’ personal data
You must familiarise yourself with the organisational responsibilities detailed above and ensure that you comply with these whenever you are handling personal data. Special care and attention must be given when handling sensitive personal data.

5.3 Processing data in accordance with the individual’s rights
You must abide by any request from an individual not to use their personal data for direct marketing purposes. Notify the Data Protection Officer about any such request if it falls outside of the normal processes or you have any reason to be unsure about the appropriate practice.

Contact the Data Protection Officer for advice on direct marketing before starting any new direct marketing activity to ensure compliance with all relevant data protection and other legislation.

5.4 Reporting breaches
All members of staff have an obligation to report actual or potential data protection weaknesses, events and incidents where compliance may be breached. This allows us to:

Investigate the failure and take remedial steps if necessary

Maintain a register of compliance failures

Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

The reporting of such weaknesses, events and incidents will be managed through our Information Security Incident Management processes.

5.5 Monitoring
Everyone must observe this policy. The Data Protection Officer has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.