POPIA Operator Agreement
Data Processing Agreement · Version 1.0 · May 2026
Issued by Konductro (Pty) Ltd · konductro.com · legal@konductro.com
This Operator Agreement forms part of and is incorporated into the Master Subscription Agreement between the parties. It governs the processing of Personal Information by the Operator on behalf of the Responsible Party as required by the Protection of Personal Information Act 4 of 2013.
Background
This Operator Agreement is entered into between:
Konductro (Pty) Ltd, a company registered in the Republic of South Africa, operating the Konductro platform under licence from its holding company, Konductro Holdings (Pty) Ltd ("Operator" or "Konductro"); and
The entity identified as the Customer in the Master Subscription Agreement ("Responsible Party" or "Customer").
The parties have entered into the Master Subscription Agreement ("MSA") under which the Operator provides the Konductro platform and AI-assisted delivery services. In the course of providing those services, the Operator processes Personal Information on behalf of the Responsible Party. This Agreement sets out the obligations of each party with respect to such processing, as required by POPIA.
1. Definitions
In this Agreement, unless the context requires otherwise:
| Term | Meaning |
|---|---|
| Applicable Laws | POPIA, the Electronic Communications and Transactions Act 25 of 2002, the Cybercrimes Act 19 of 2020, and any other applicable South African or foreign data protection legislation. |
| Data Subject | The natural person to whom Personal Information relates. |
| Information Regulator | The Information Regulator of South Africa established under section 39 of POPIA. |
| Operator | Konductro (Pty) Ltd, which processes Personal Information on behalf of the Responsible Party. |
| Personal Information | Has the meaning assigned to it in section 1 of POPIA, and includes any information relating to an identifiable, living, natural person or juristic person. |
| Platform Metrics Data | Usage, activity, and operational data generated through the Customer's use of the Platform that Konductro processes as a Responsible Party in its own right, as further defined in clause 5.5. |
| POPIA | The Protection of Personal Information Act 4 of 2013, as amended from time to time. |
| Processing | Has the meaning assigned to it in section 1 of POPIA, and includes any operation performed on Personal Information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, use, disclosure, merging, linking, and destruction. |
| Responsible Party | The Customer, who determines the purpose of and means for Processing Personal Information. |
| Security Compromise | Means the unauthorised access to, or acquisition, use, disclosure, modification, or destruction of Personal Information; loss of Personal Information; or unlawful interference with Personal Information. |
| Special Personal Information | Has the meaning assigned to it in section 26 of POPIA, including information concerning religious beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, or criminal behaviour. |
| Sub-Operator | Any third party engaged by the Operator to process Personal Information on its behalf in connection with this Agreement, as listed in Annexure B. |
Terms defined in the MSA bear the same meaning in this Agreement unless otherwise defined herein.
2. Scope and Duration of Processing
2.1 The Operator processes Personal Information on behalf of the Responsible Party solely for the purpose of providing the Platform and associated services as described in the MSA.
2.2 The categories of Personal Information processed and the categories of Data Subjects are set out in Annexure A to this Agreement.
2.3 The Operator does not process Special Personal Information unless the Responsible Party has obtained explicit consent from the relevant Data Subject and has notified the Operator in writing. The Platform is not designed or intended for the processing of Special Personal Information.
2.4 This Agreement commences on the Effective Date of the MSA and continues until the MSA is terminated or expires, at which point clause 11 applies.
3. Operator Obligations
3.1 The Operator shall process Personal Information only: (a) in accordance with the lawful instructions of the Responsible Party as set out in the MSA and this Agreement; (b) as necessary for the provision of the Services; and (c) in compliance with Applicable Laws.
3.2 The Operator shall not process Personal Information for its own purposes or for any purpose other than those set out in this Agreement without the prior written consent of the Responsible Party.
3.3 The Operator shall ensure that all personnel with access to Personal Information are bound by confidentiality obligations and have received appropriate training on POPIA compliance and data security.
3.4 The Operator shall implement and maintain appropriate technical and organisational security measures as described in clause 8 of this Agreement.
3.5 The Operator shall notify the Responsible Party without undue delay if it becomes aware of any instruction from the Responsible Party that would breach Applicable Laws, and may suspend processing pending resolution.
3.6 The Operator shall make available to the Responsible Party all information reasonably necessary to demonstrate its compliance with this Agreement, and shall allow and cooperate with audits conducted under clause 12.
3.7 The Operator shall not engage Sub-Operators except in accordance with clause 6.
4. Responsible Party Obligations
4.1 The Responsible Party warrants that it has a lawful basis for providing Personal Information to the Operator and that it has obtained all necessary consents, authorisations, and permissions required by POPIA for the Operator to process such information.
4.2 The Responsible Party shall ensure that it provides accurate and up-to-date Personal Information to the Platform and that it notifies the Operator of any material changes to the categories or volumes of Personal Information being processed.
4.3 The Responsible Party shall, where required by POPIA, notify its employees, contractors, and other Data Subjects about the processing of their Personal Information by the Operator in connection with the Platform, in accordance with the Responsible Party's own privacy notices.
4.4 The Responsible Party shall not instruct the Operator to process Personal Information in a manner that would violate POPIA or any other Applicable Laws.
4.5 The Responsible Party is responsible for the accuracy, quality, and legality of all Personal Information it submits to the Platform.
5. Lawful Basis, Purpose Limitation, and Platform Analytics
5.1 Operator processing. Personal Information processed by the Operator in the course of delivering the Services is processed on the lawful basis of contractual necessity (to perform the obligations under the MSA) and legitimate interests (to maintain platform security and performance). In this capacity the Operator acts on the Responsible Party's instructions as described in this Agreement.
5.2 Prohibitions on Operator processing. In its capacity as Operator, Konductro shall not: (a) train, fine-tune, or improve any AI or machine learning model using the Responsible Party's Personal Information without prior written consent; (b) disclose identifiable Personal Information relating to named Data Subjects to third parties for marketing, advertising, or commercial profiling purposes; or (c) profile or analyse individual Data Subjects for purposes unrelated to the delivery of the Services.
5.3 AI usage within the Platform. When Customer Data is submitted to AI Services (including the Conductor AI assistant), the Operator processes that data to generate responses. The Operator's agreements with its AI service providers (including Anthropic) provide that customer data submitted via API is not used to train foundational models without opt-in consent. The Operator will not opt the Responsible Party in to any such training.
5.4 Operator as Responsible Party — Platform Metrics Data. The parties acknowledge that Konductro also processes certain data relating to the use of the Platform in its own right, as a Responsible Party, and not solely as an Operator acting on the Responsible Party's instructions. This data ("Platform Metrics Data") is defined in clause 5.5 below. The Responsible Party hereby consents to Konductro processing Platform Metrics Data as a Responsible Party for the purposes set out in clauses 5.6 and 5.7. Konductro's processing of Platform Metrics Data is governed by POPIA and Konductro's published Privacy Policy, not by the Operator obligations in clauses 3 and 4 of this Agreement.
5.5 Platform Metrics Data defined. Platform Metrics Data means usage and activity data generated through the Customer's use of the Platform, including: (a) feature adoption and usage frequency (which features are used, how often, and by how many users); (b) platform performance and reliability metrics; (c) aggregate project, task, story, and test case volumes (total counts at the organisational level); (d) aggregate delivery cycle metrics including cycle time ranges, rework rates, sprint cadence, and planning overhead, at the organisational level; (e) AI usage volumes and prompt categories at the organisational level; (f) the industry sector, organisation size, and geographic location of the Customer as provided during account setup or in the Order Form; and (g) AI Usage Cap consumption patterns. Platform Metrics Data does not include: the content of requirements, architecture documents, acceptance criteria, source code, or other Customer Data; named individual user performance data used to identify or evaluate specific employees; or any Special Personal Information.
5.6 Permitted uses of Platform Metrics Data. Konductro may use Platform Metrics Data for the following purposes: (a) operating, monitoring, and improving the Platform; (b) developing aggregated, anonymised industry benchmarks and insights reports describing software delivery patterns, productivity trends, AI adoption rates, and platform usage statistics across its customer base ("Benchmark Reports"); (c) using Benchmark Reports and aggregated statistics derived from Platform Metrics Data in Konductro's marketing materials, website, sales collateral, and public communications, to demonstrate Platform value and industry impact; and (d) internal product research, roadmap planning, and commercial strategy.
5.7 Conditions on marketing and reporting use. The following conditions apply to clause 5.6(b) and (c): (i) No Benchmark Report or marketing material will identify the Responsible Party, any individual Authorised User, or any other specific customer by name, unless the Responsible Party has given separate written consent to being named as a reference customer. (ii) All data included in Benchmark Reports and marketing materials will be aggregated across a minimum of five (5) separate customer organisations before publication, so that no individual customer's data is identifiable. (iii) Konductro will not publish the Responsible Party's specific project counts, delivery cycle times, or other operational metrics in a manner that would allow a competitor or third party to identify the Responsible Party's internal delivery performance. (iv) The Responsible Party may opt out of having its Platform Metrics Data included in Benchmark Reports and external marketing materials by written notice to privacy@konductro.com. Opt-out applies to future Benchmark Reports only and does not require retroactive removal from already-published materials. Opt-out does not affect Konductro's right to use Platform Metrics Data for internal operational and product improvement purposes under clause 5.6(a) and (d).
6. Sub-Operators
6.1 The Responsible Party provides a general authorisation for the Operator to engage the Sub-Operators listed in Annexure B, subject to the conditions in this clause.
6.2 The Operator shall: (a) enter into a written agreement with each Sub-Operator that imposes data protection obligations no less protective than those in this Agreement; (b) remain fully liable to the Responsible Party for the acts and omissions of each Sub-Operator; and (c) ensure each Sub-Operator processes Personal Information only as instructed by the Operator.
6.3 The Operator shall notify the Responsible Party of any changes to its Sub-Operator list (additions or replacements) with at least 30 days' written notice. The Responsible Party may object to a new Sub-Operator on reasonable data protection grounds within 14 days of receiving the notice. If the Responsible Party objects and the Operator cannot accommodate the objection, either party may terminate the MSA on 30 days' notice.
6.4 The current list of Sub-Operators is set out in Annexure B.
7. Data Subject Rights
7.1 If the Operator receives a request from a Data Subject to exercise any right under POPIA (including the right to access, correct, or delete Personal Information), the Operator shall promptly notify the Responsible Party and shall not respond to the Data Subject directly unless authorised to do so by the Responsible Party.
7.2 The Operator shall assist the Responsible Party, as far as reasonably practicable, to respond to Data Subject requests within the timeframes required by POPIA (generally 30 days from receipt of a valid request).
7.3 The Operator shall notify the Responsible Party if, in the Operator's reasonable opinion, a Data Subject request cannot be fulfilled within the required timeframe due to technical constraints.
7.4 The Responsible Party acknowledges that it is the Data Subject's primary point of contact for the exercise of POPIA rights. The Operator is an intermediary that facilitates compliance.
8. Security Measures
8.1 The Operator shall implement and maintain appropriate technical and organisational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (a "Security Compromise"), including but not limited to:
- Encryption of Personal Information in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Access controls based on the principle of least privilege
- Regular vulnerability assessments and penetration testing
- Audit logging of access to Personal Information
- Multi-factor authentication for administrative access
- Incident response procedures aligned with the Cybercrimes Act 19 of 2020
8.2 The Operator's security measures are implemented at the infrastructure layer (Amazon Web Services), the application layer (Konductro platform), and the AI services layer (Anthropic API). Each layer implements controls appropriate to the sensitivity of the information processed.
8.3 The Operator shall review and update its security measures at least annually and after any significant change to the Platform or its infrastructure.
9. Security Compromise and Breach Notification
9.1 The Operator shall notify the Responsible Party without undue delay, and in any event within 72 hours of becoming aware of a Security Compromise that involves or is likely to involve Personal Information processed under this Agreement.
9.2 The notification shall include, to the extent available at the time: (a) a description of the nature of the Security Compromise; (b) the categories and approximate number of Data Subjects and records affected; (c) contact details of the Operator's information officer; (d) likely consequences of the Security Compromise; and (e) measures taken or proposed to be taken to address the Security Compromise.
9.3 The Responsible Party is responsible for assessing whether the Security Compromise must be reported to the Information Regulator and for notifying affected Data Subjects in accordance with section 22 of POPIA. The Operator shall cooperate with and assist the Responsible Party in meeting these obligations.
9.4 The Operator shall maintain a Security Compromise register and make it available to the Responsible Party on request.
10. Cross-Border Transfer of Personal Information
10.1 The parties acknowledge that the Platform is hosted on Amazon Web Services infrastructure, which may process Personal Information in data centres outside the Republic of South Africa. The Operator uses AWS regions including eu-west-1 (Ireland) and us-east-1 (United States) for production workloads.
10.2 AI Services within the Platform are provided by Anthropic, Inc., a United States-based company. Personal Information included in AI processing requests is transmitted to Anthropic's API infrastructure in the United States.
10.3 The Operator shall ensure that any transfer of Personal Information across borders is subject to: (a) adequate protection equivalent to that required by POPIA; (b) appropriate contractual safeguards, including data processing agreements with each Sub-Operator; and (c) compliance with section 72 of POPIA.
10.4 By entering into this Agreement, the Responsible Party consents to the cross-border transfers described in this clause 10 as necessary for the delivery of the Services.
11. Retention and Deletion of Personal Information
11.1 The Operator shall retain Personal Information only for as long as necessary to fulfil the purposes described in this Agreement or as required by applicable law.
11.2 On expiry or termination of the MSA, the Operator shall: (a) continue to store Personal Information for a period of 30 days during which the Responsible Party may request a data export; and (b) after the 30-day retention period, securely delete or anonymise all Personal Information processed under this Agreement unless the Operator is required by law to retain such information for a longer period.
11.3 The Operator shall, on request, provide the Responsible Party with written confirmation that deletion has been completed.
11.4 Deletion of Personal Information does not apply to anonymised, aggregated data that cannot reasonably be used to identify any Data Subject.
12. Audit and Inspection
12.1 The Responsible Party may, on reasonable written notice of at least 30 days, conduct or commission an audit of the Operator's data processing activities relevant to this Agreement, no more than once per calendar year.
12.2 The Operator shall cooperate with any such audit and shall provide reasonable access to its personnel, systems, and records relevant to the processing of Personal Information under this Agreement.
12.3 Audits shall be conducted at the Responsible Party's expense, during the Operator's normal business hours, and in a manner that minimises disruption to the Operator's operations.
12.4 As an alternative to a direct audit, the Operator may provide the Responsible Party with a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party security audit report, which the Responsible Party may accept as sufficient evidence of the Operator's compliance.
13. Liability
Each party's liability to the other under this Agreement is subject to the limitations set out in the MSA. Notwithstanding any other provision of the MSA, neither party limits its liability for: (a) a Security Compromise caused by its own gross negligence or wilful misconduct; or (b) fines or enforcement action by the Information Regulator arising from that party's own breaches of POPIA.
14. General
14.1 This Agreement is governed by and construed in accordance with the laws of the Republic of South Africa.
14.2 This Agreement forms part of and is subject to the MSA. In the event of conflict on data protection matters, this Agreement prevails.
14.3 If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions continue in full force and effect.
14.4 Amendments to this Agreement must be in writing and signed by both parties, except that the Operator may update Annexure B (Sub-Operators) in accordance with clause 6.3.
Annexure A — Categories of Personal Information and Data Subjects
This Annexure describes the categories of Personal Information processed by the Operator on behalf of the Responsible Party in connection with the Platform.
| Category of Data Subject | Categories of Personal Information | Approximate Volume | Purpose of Processing |
|---|---|---|---|
| Employees of the Responsible Party (Developers) | First and last name, work email address, platform username, work activity data (commits, PRs, ticket assignments), IDE usage data | Per subscription | User authentication, work assignment, sprint tracking, quality metrics |
| Employees of the Responsible Party (SDMs, Architects, Testers) | First and last name, work email address, platform username, planning activity, review comments, approval records | Per subscription | Delivery workflow orchestration, audit trail, sprint planning |
| Third-party contractors of the Responsible Party | First and last name, work email address, platform username, work activity data | As designated by Customer | User authentication and workflow participation |
| Client UAT users (if applicable) | First and last name, work email address, test feedback | As designated by Customer | Client UAT workflow and feedback capture |
| Customer employees as system administrators | Name, work email, authentication logs, admin actions | Limited (admin users only) | Platform administration and security audit |
Note: Konductro does not process financial data, health data, identity numbers, or other Special Personal Information. Any source code, system architecture documentation, or business requirements submitted to the Platform are treated as Confidential Information and Customer Data, not as Personal Information.
Annexure B — Approved Sub-Operators
The following Sub-Operators are approved by the Responsible Party for the processing of Personal Information in connection with the Platform:
| Sub-Operator | Country of Processing | Purpose | Personal Information Transferred |
|---|---|---|---|
| Amazon Web Services, Inc. | Ireland (eu-west-1); United States (us-east-1) | Cloud infrastructure, database hosting, object storage | All categories in Annexure A |
| Anthropic, Inc. | United States | AI language model API — powers the Conductor AI assistant | Customer Data submitted to AI prompts, including names and project context where included in inputs |
| Microsoft Corporation | European Union; United States | Microsoft Teams integration for notifications and workflow actions (where applicable) | User names, work email addresses, notification content |
| Gitea (self-hosted on Konductro infrastructure) | Same region as AWS above | Konductro-managed Git repository service (where selected by Customer) | Repository metadata, commit author names and emails |
The Operator shall notify the Responsible Party of any material changes to this Sub-Operator list with at least 30 days' written notice, as required by clause 6.3 of this Agreement.