This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between the Responsible Party (the Customer) and EchoFelix (the Operator). It sets out the terms on which EchoFelix processes Personal Information on the Customer’s behalf under POPIA.
2. Roles and Scope
Responsible Party: Customer (law firm/attorney)
Operator: EchoFelix
Purpose: Transcription of audio and generation of draft documents
Personal Information: Audio recordings, transcripts, user account data, and metadata
Duration: During the subscription term and up to 30 days post-termination (for recovery)
3. Operator Obligations
Process Personal Information only on documented instructions from the Responsible Party.
Ensure personnel are subject to duties of confidentiality.
Implement appropriate technical and organisational measures (encryption in transit and at rest, access controls, logging).
Assist the Responsible Party with data subject requests, security, and impact assessments where reasonable.
Notify the Responsible Party without undue delay of a Personal Information breach and cooperate with remediation.
Delete or return Personal Information upon termination, subject to lawful retention and backup overwrite cycles.
4. Sub‑Processors
The Responsible Party authorises the Operator to engage sub‑processors subject to equivalent data protection obligations.
Cloud Hosting: South Africa–based data centres (AWS South Africa); SA data residency.
Email Services: Transactional email provider for service communications (no card payments processed; EFT only).
The Operator shall maintain a current list of sub‑processors and provide notice of changes, allowing objection on reasonable grounds.
5. Data Location and Transfers
Primary storage is in South Africa.
No cross‑border transfers occur without lawful basis and the Responsible Party’s consent.
6. Security Measures
TLS 1.3 in transit; AES‑256 at rest.
Role‑based access, MFA, and least‑privilege IAM.
Audit‑friendly logs and monitoring.
7. Data Subject Rights
The Operator shall provide reasonable assistance to enable the Responsible Party to respond to requests for access, correction, deletion, objection, and restriction under POPIA.
8. Audit and Assurance
Upon reasonable notice, the Operator will provide information necessary to demonstrate compliance and allow audits as appropriate, subject to confidentiality and security.
9. Return and Deletion
Upon termination, the Operator will delete or return Personal Information within 30 days, excluding backups that are securely overwritten on a rolling schedule (up to 90 days).
10. Liability
Each party is responsible for its own compliance with POPIA. The Operator is liable for processing that violates this DPA or POPIA due to its failure to implement agreed safeguards.