Daybook Data Processing Addendum (DPA)
- Effective date
- 24 May 2026
- Processor / Operator
- DAYBOOK TECHNOLOGIES (Pty) Ltd, a private company registered in the Republic of South Africa, trading as Daybook (“Daybook”) - the processor under the UK GDPR and the Operator under POPIA. Registered office: 36 Protea Drive, Gordons Bay, Cape Town, Western Cape, 7140, South Africa - email intake@daybookcoza.com. Registration number 2026/502753/07 (CIPC, registered 25 June 2026). Enterprise number K2026502753.
- Controller / Responsible Party
- The Daybook Customer identified in the Daybook account registration (“Customer” or “you”) - the controller under the UK GDPR and the Responsible Party under POPIA
- Each a
- “Party”, and together the “Parties”
This Data Processing Addendum (this “DPA”) forms part of, and is governed by, the Daybook Customer Terms of Service between the Parties (the “Agreement”). In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent the conflict concerns the processing of Personal Information. This DPA is designed to satisfy both Article 28 of the UK GDPR (where UK data protection law applies) and section 21 of POPIA (where South African law applies).
1. Definitions
1.1. In this DPA, capitalised terms have the meanings given to them below or, if not defined here, in the UK GDPR (where UK data protection law applies) or in POPIA (where South African law applies):
| Term | Meaning |
|---|---|
| UK GDPR | The retained EU General Data Protection Regulation (Regulation (EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018. |
| UK Data Protection Law | The UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), in each case as amended. |
| POPIA | The Protection of Personal Information Act 4 of 2013 of the Republic of South Africa, and its regulations. |
| Data Protection Law | UK Data Protection Law and / or POPIA, as applicable to the relevant processing. |
| Personal Information / Personal Data | “Personal data” as defined in UK GDPR Article 4(1) and / or “personal information” as defined in POPIA section 1 (information relating to an identifiable, living, natural person and, where applicable under POPIA, an identifiable, existing juristic person). |
| Special Personal Information | “Special category data” under UK GDPR Article 9 and data on criminal convictions and offences under Article 10, and / or “special personal information” as defined in POPIA section 26. |
| Controller / Responsible Party | The party determining the purpose and means of the processing - the “controller” under the UK GDPR and the “Responsible Party” under POPIA. Under this DPA, the Customer. |
| Processor / Operator | The party processing Personal Information for the controller / Responsible Party - the “processor” under the UK GDPR and the “Operator” under POPIA. Under this DPA, Daybook. |
| Sub-processor / Sub-operator | A third party engaged by Daybook to process Personal Information on Daybook’s behalf in connection with the Service (a “sub-processor” under the UK GDPR; a “sub-operator” under POPIA). |
| Customer Data | All Personal Information that Customer (or anyone acting on Customer’s behalf) submits to, or causes to be processed by, the Service, including Personal Information about Customer’s debtors. |
| Data Subject | The identified or identifiable person to whom Personal Information relates. |
| Service | The Daybook software-as-a-service platform described in clause 2 of the Agreement. |
| Personal Data Breach / Security Compromise | A “personal data breach” within the meaning of UK GDPR Article 4(12) and / or a “security compromise” within the meaning of POPIA section 22 - in each case a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information. |
| Supervisory Authority | The Information Commissioner’s Office (ICO) under UK Data Protection Law and / or the Information Regulator established under POPIA section 39, as applicable. |
2. Roles, scope and instructions
2.1. Roles. In respect of Customer Data, the Parties acknowledge and agree that:
- 2.1.1. the Customer is the controller (UK GDPR) / Responsible Party (POPIA);
- 2.1.2. Daybook is the processor (UK GDPR) / Operator (POPIA).
2.2. Subject matter and duration. The subject matter of the processing is the provision of the Service. The duration of the processing is the term of the Agreement, plus any post-termination retention periods set out in clause 6.
2.3. Nature and purpose. Daybook processes Customer Data on Customer’s behalf to:
- 2.3.1. receive Customer’s voice notes and text messages via WhatsApp and extract structured invoice / quote / reminder information using AI;
- 2.3.2. generate draft invoices, quotes, and reminder communications for Customer’s review and approval;
- 2.3.3. send approved invoices, quotes, and reminders from Customer’s authorised email account on Customer’s behalf;
- 2.3.4. read incoming replies from Customer’s debtors, classify them, and surface them to Customer for action;
- 2.3.5. reconcile payment confirmations to outstanding invoices;
- 2.3.6. generate Customer’s weekly activity summary;
- 2.3.7. retain records as required by the Agreement and applicable law;
- 2.3.8. carry out support, security, fraud prevention, and audit activities incidental to the above.
2.4. Categories of Personal Information. Customer Data processed under this DPA includes, in respect of Customer’s debtors (natural or juristic):
- 2.4.1. name, trading name, contact email, contact phone number, postal address;
- 2.4.2. identifiers necessary for invoicing (such as registration number, VAT number);
- 2.4.3. invoice content (description of goods or services, amounts, dates, due dates, VAT);
- 2.4.4. payment status, payment history, communication history.
Customer Data does not - except inadvertently - include Special Personal Information, children’s information, or information of public interest within the meaning of POPIA. Customer undertakes not to instruct Daybook to process Special Personal Information through the Service.
2.5. Categories of Data Subjects. Debtors of the Customer (including individuals and authorised representatives of juristic debtors). The DPA also extends to Personal Information of Customer’s employees, contractors, and counterparties that Customer chooses to submit to the Service.
2.6. Documented instructions. Daybook processes Customer Data only on Customer’s documented instructions, which are:
- 2.6.1. Standing instructions: the Agreement, this DPA, the Daybook Customer Privacy Policy, and configuration choices Customer makes in the Daybook dashboard (such as enabling or disabling specific reminder steps);
- 2.6.2. Specific instructions: instructions given by Customer in writing to intake@daybookcoza.com or through the dashboard.
2.7. Daybook will inform Customer if, in Daybook’s opinion, an instruction infringes the UK GDPR, POPIA, or other applicable Data Protection Law (UK GDPR Article 28(3), final paragraph), in which case Daybook may suspend execution of that instruction until it is modified.
2.8. Daybook will not process Customer Data for its own purposes, except: (a) to comply with applicable law (in which case Daybook will, unless prohibited, inform Customer of the legal requirement before processing); (b) to safeguard the security or integrity of the Service; or (c) in de-identified, aggregated form for internal analytics and improvement of the Service.
3. Customer (controller / Responsible Party) obligations
3.1. Customer warrants that:
- 3.1.1. it has a lawful basis under the UK GDPR (Article 6, and Articles 9-10 for any special category data) and / or POPIA to process the Customer Data and to instruct Daybook to process it as processor / Operator;
- 3.1.2. it has provided each Data Subject with the transparency information required under UK GDPR Articles 13-14 and / or POPIA section 18, including identifying Daybook (or “an outsourced invoicing and reminders service provider”) as a recipient or category of recipient where required;
- 3.1.3. the Customer Data is accurate, complete, relevant, and not excessive in relation to the purpose for which it is processed;
- 3.1.4. it will not use the Service to invoice, communicate with, or otherwise process Personal Information of any Data Subject in breach of UK Data Protection Law, POPIA, the South African Debt Collectors Act, the National Credit Act, the Consumer Protection Act, the ECT Act, the equivalent UK consumer-protection and debt-collection rules, or any other applicable law.
3.2. Customer, as controller / Responsible Party, is responsible for responding to Data Subject requests addressed directly to Customer, and (where the UK GDPR applies) for carrying out any required data protection impact assessment and, where applicable, prior consultation with the ICO. Daybook will assist as set out in clauses 7 and 9.
4. Operator / processor (Daybook) obligations
4.1. Daybook will, in line with UK GDPR Article 28(3) and POPIA sections 19-22:
- 4.1.1. (Art. 28(3)(a)) process Customer Data only on Customer’s documented instructions (clause 2.6), including with regard to international transfers, unless required to do otherwise by applicable law (in which case Daybook will, unless prohibited by that law, inform Customer of the legal requirement before processing);
- 4.1.2. (Art. 28(3)(b)) ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- 4.1.3. (Art. 28(3)(c)) implement appropriate technical and organisational security measures as required by UK GDPR Article 32 and POPIA section 19, as detailed in clause 5;
- 4.1.4. (Art. 28(2) and (4)) comply with the requirements of clause 8 in engaging Sub-processors / Sub-operators;
- 4.1.5. (Art. 28(3)(e)) taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising rights under UK GDPR Chapter III and / or POPIA Chapter 3 (Part B);
- 4.1.6. (Art. 28(3)(f)) assist Customer in ensuring compliance with its obligations regarding security of processing, personal data breach notification, data protection impact assessments and prior consultation under UK GDPR Articles 32-36, and with Customer’s security and breach-notification obligations under POPIA sections 19, 21, and 22, taking into account the nature of processing and the information available to Daybook;
- 4.1.7. (Art. 28(3)(g)) at Customer’s option, return or delete all Customer Data after the end of the provision of the Service, in accordance with clause 6;
- 4.1.8. (Art. 28(3)(h)) make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and with Article 28, and allow for and contribute to audits and inspections in accordance with clause 9.
5. Security measures
5.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to Data Subjects, Daybook applies and will maintain the following technical and organisational security measures (the “Security Measures”) to meet UK GDPR Article 32 and POPIA section 19:
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher on all Daybook public endpoints (dashboard, API, webhooks); HTTPS only; HSTS where applicable; HMAC signature verification on inbound WhatsApp webhooks using constant-time comparison. |
| Encryption at rest - OAuth tokens | Refresh and access tokens for Customer’s Gmail / Microsoft accounts are stored in an encrypted token store (Vercel Blob with provider-side encryption, or env-var encryption, as applicable). Tokens are never written to application logs. |
| Encryption at rest - Customer Data records | Stored within Notion’s encrypted-at-rest infrastructure as Daybook’s database. Notion’s published security commitments apply (AES-256 at rest). |
| Encryption at rest - file storage | PDF invoices and other Customer artefacts stored in Vercel Blob with provider-side encryption. |
| Access control - Daybook personnel | The Daybook administrative dashboard is restricted to the Information Officer (currently Liam Clarke) under password authentication. Multi-factor authentication on all Daybook accounts with Sub-operators where supported. Role-based access control will be enforced when additional personnel are onboarded. |
| Access control - Customer email accounts | Daybook acts on Customer’s email account only through scoped OAuth grants (send and read scopes for the Customer’s account only). Customer can revoke at any time from their Google or Microsoft account permissions page. Daybook does not store email passwords. |
| Audit logging | Every invoice action, quote action, reminder send, status change, and account event is recorded in an audit log (Notion Activity entries) with timestamp, actor, and action description. Logs are retained as required by clause 6. |
| Webhook integrity | All inbound webhooks (WhatsApp, payment processor) are verified by HMAC signature or equivalent cryptographic check before being processed. |
| Idempotency | Inbound WhatsApp messages are de-duplicated to avoid duplicate invoices arising from message replay. |
| Personnel | All authorised personnel sign written confidentiality undertakings and complete POPIA awareness training. |
| Vendor management | All Sub-operators are bound by a data processing agreement or equivalent contractual terms before any Customer Data is shared. Sub-operators are reviewed annually. |
| Vulnerability management | Routine dependency updates; logging and monitoring of error rates; planned external review at first material milestone. |
| Back-ups and recovery | Notion’s native version history and back-ups; encrypted disaster-recovery snapshots; retention per clause 6. |
| Physical security | Daybook does not operate on-premise infrastructure that processes Customer Data. All production processing occurs within Sub-operator infrastructure that itself maintains physical security commensurate with industry norms. |
5.2. Daybook may update the Security Measures from time to time, provided that no update materially reduces the level of protection.
6. Return and deletion of Customer Data
6.1. Return window (14 days). Within fourteen (14) days of termination or expiry of the Agreement (or earlier, at Customer’s request), Daybook will provide Customer with an export of all Customer Data in a structured, commonly used machine-readable format (such as CSV or JSON).
6.2. Deletion window (14 days). Within fourteen (14) days after the return window in clause 6.1 ends (or earlier, at Customer’s request, once Customer has received its export), Daybook will delete all Customer Data from its production systems, including from:
- 6.2.1. the Notion database used as the Daybook data store;
- 6.2.2. Vercel Blob and any other file storage;
- 6.2.3. the token store, in respect of OAuth tokens;
- 6.2.4. any reasonably accessible copies held by Sub-operators that act on Daybook’s instruction (Daybook will instruct each Sub-operator to delete in accordance with its DPA);
- 6.2.5. internal copies in support tooling and any other production system.
6.3. Statutory retention exceptions. Notwithstanding clause 6.2, Daybook may retain Personal Information to the extent required by applicable law (UK GDPR Article 28(3)(g) and POPIA), namely:
- 6.3.1. records required to be kept under section 29 of the South African Tax Administration Act 28 of 2011 (Daybook’s own tax records relating to fees billed to Customer) - up to seven (7) years where required;
- 6.3.2. records required under UK tax and accounting law (commonly retained for around six years, and longer where a dispute or investigation is open);
- 6.3.3. records required under the South African Companies Act 71 of 2008, the FIC Act (if applicable), the equivalent UK company-law or anti-money-laundering rules, or a court order;
- 6.3.4. records reasonably necessary to establish, exercise, or defend legal claims, on a documented legitimate-interests basis under UK GDPR Article 6(1)(f) and / or POPIA section 11(1)(f).
Records retained under this clause 6.3 are processed only for the legal purpose for which they are retained, are kept securely, and are deleted once the retention purpose is exhausted.
6.4. Back-ups. Personal Information in encrypted back-ups will be deleted in the ordinary back-up rotation cycle or sooner where reasonably practicable. While in back-ups, the information is not actively processed.
6.5. Certification of deletion. Daybook will, on Customer’s written request, certify deletion in writing once the deletion window in clause 6.2 has been completed.
6.6. OAuth revocation. Customer should revoke Daybook’s OAuth access on its Google or Microsoft account permissions page on or around the date of termination. Daybook will, in any event, invalidate stored OAuth tokens during the deletion window.
7. Data Subject requests and assistance
7.1. Daybook will, taking into account the nature of the processing and the information available to it, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligation to respond to:
- 7.1.1. requests from Data Subjects exercising rights under the UK GDPR - access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21) - and / or under POPIA sections 23 (access), 24 (correction and deletion), and 11(3) (objection);
- 7.1.2. requests in respect of direct marketing under UK GDPR Article 21(2)-(3) and PECR, and / or POPIA section 69; and
- 7.1.3. requests in respect of automated decision-making under UK GDPR Article 22 and / or POPIA section 71 (noting that Daybook does not perform solely automated decision-making with legal or similarly significant effect, per clause 3.2 of the Privacy Policy).
7.2. Daybook will not respond directly to Data Subject requests in respect of Customer Data, except: (a) on Customer’s express instruction; or (b) where required to do so by law. Daybook will forward such requests to Customer without undue delay.
7.3. Customer will reimburse Daybook for reasonable costs incurred in providing assistance that exceeds standard configuration, where the request volume or complexity is materially above the ordinary course.
8. Sub-processors / Sub-operators
8.1. General written authorisation. Customer grants Daybook general written authorisation (UK GDPR Article 28(2)) to engage Sub-processors / Sub-operators for the purpose of providing the Service. The Sub-processors currently engaged are listed in Annex A.
8.2. Notification of changes. Daybook will give Customer at least fourteen (14) days’ prior written notice (by email and / or in-dashboard notice) of the engagement of a new Sub-operator or of a change of a Sub-operator. The notice will describe the Sub-operator’s role and location.
8.3. Right to object. Customer may object on reasonable grounds related to data protection to the engagement of a new Sub-operator by giving written notice to Daybook within the notice period in clause 8.2. If Customer’s objection cannot be resolved on commercially reasonable terms, Customer may terminate the Agreement under clause 10 of the Terms of Service, provided that fees for the unused portion of any prepaid period will be refunded on a pro rata basis.
8.4. Sub-processor obligations. In line with UK GDPR Article 28(4), Daybook will:
- 8.4.1. contract with each Sub-processor / Sub-operator on terms that impose substantively equivalent data protection obligations to those in this DPA (in particular regarding instructions, confidentiality, security, sub-processing, international transfers, and assistance);
- 8.4.2. remain fully liable to Customer for the performance of each Sub-processor’s obligations relating to Customer Data, subject to clause 10 of the Terms of Service.
9. Audits and information rights
9.1. Information requests. On reasonable written request, Daybook will provide Customer with the information reasonably necessary to demonstrate compliance with this DPA, including:
- 9.1.1. Daybook’s then-current security policies and Security Measures summary;
- 9.1.2. Sub-operator list and locations;
- 9.1.3. the relevant DPAs and SCCs in place with Sub-operators (where Daybook is permitted to disclose them);
- 9.1.4. summaries of any audit reports or certifications held by Daybook.
9.2. Audit right. Customer may, on no less than thirty (30) days’ prior written notice and no more than once in any twelve (12) month period (save where an audit is triggered by a confirmed Personal Data Breach / Security Compromise or a written instruction from a Supervisory Authority - the ICO or the Information Regulator), conduct an audit of Daybook’s compliance with this DPA, in line with UK GDPR Article 28(3)(h). Audits will:
- 9.2.1. be conducted during ordinary business hours in Daybook’s place of business;
- 9.2.2. not unreasonably interfere with the Service;
- 9.2.3. respect the confidentiality of Daybook’s other customers and the security of its systems;
- 9.2.4. be carried out by Customer or by a suitably qualified independent third-party auditor bound by confidentiality to Daybook;
- 9.2.5. be at Customer’s own cost, except where the audit reveals a material breach of this DPA by Daybook, in which case Daybook will bear reasonable audit costs.
9.3. Daybook may satisfy an audit request through written responses, evidence packs, and independent attestations (such as SOC 2 reports of Sub-operators), where reasonably available.
10. Personal Data Breach notification
10.1. As processor / Operator, Daybook will notify Customer of a Personal Data Breach / Security Compromise affecting Customer Data without undue delay after becoming aware of it (UK GDPR Article 33(2)), and in any event no later than forty-eight (48) hours after becoming aware.
10.2. The notice will, to the extent then known and to the extent it can be lawfully shared, include:
- 10.2.1. a description of the nature of the compromise;
- 10.2.2. the categories and approximate number of Data Subjects affected;
- 10.2.3. the categories and approximate volume of Personal Information affected;
- 10.2.4. the likely consequences of the compromise;
- 10.2.5. the measures taken or proposed to address the compromise and to mitigate adverse effects;
- 10.2.6. the name and contact details of a Daybook point of contact for further information.
10.3. Where Daybook does not have all the information required by clause 10.2 at the time of initial notification, Daybook will provide the information progressively as it becomes available, without further undue delay.
10.4. Daybook will, taking into account the nature of the processing and information available to it, support Customer in meeting Customer’s obligations to notify the relevant Supervisory Authority and affected Data Subjects - under UK GDPR Articles 33-34 (notification to the ICO within 72 hours where reportable, and to individuals where the breach is likely to result in a high risk) and / or POPIA section 22.
10.5. The fact of, or the content of, any breach notification is not in itself an acknowledgement of fault or liability by Daybook.
11. International transfers
11.1. Customer authorises Daybook to transfer Customer Data outside the United Kingdom and / or outside the Republic of South Africa to the extent necessary to provide the Service, including to the Sub-processors listed in Annex A.
11.2. UK transfers. Where the UK GDPR applies, Daybook will only transfer Customer Data to a country outside the UK where one of the conditions in Chapter V of the UK GDPR is met - in particular: (a) the country benefits from UK adequacy regulations; (b) appropriate safeguards under Article 46 are in place, namely the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, supplemented by additional technical and organisational measures where a transfer risk assessment indicates they are needed; or (c) a derogation in Article 49 applies (for example, the transfer is necessary to perform the contract).
11.3. South African transfers. Where POPIA applies, Daybook will only effect such transfers where a lawful basis under POPIA section 72 applies.
11.4. The basis for each Sub-processor’s transfer is set out in Annex B.
11.5. Where additional safeguards (such as updated Standard Contractual Clauses or the IDTA, supplementary technical measures, or transfer risk / impact assessments) become a regulatory expectation of the ICO or the Information Regulator, Daybook will implement them in cooperation with Customer.
12. Liability
12.1. Each Party’s liability arising out of or in connection with this DPA, whether in contract, delict, statute, or otherwise, is subject to the limitations of liability set out in clause 8 of the Daybook Customer Terms of Service, including the aggregate cap at six (6) months of fees paid.
12.2. Nothing in clause 12.1 limits either Party’s liability for: (a) regulatory fines or penalties imposed directly on that Party by the ICO, the Information Regulator, or a court for that Party’s own breach of the UK GDPR or POPIA; (b) wilful misconduct or fraud; or (c) any other liability that cannot be excluded or limited under applicable law.
12.3. Where the ICO, the Information Regulator, or a court imposes a fine or penalty on one Party arising out of facts that are partly the fault of the other Party, the Parties will cooperate in good faith to determine an equitable apportionment, taking into account each Party’s respective contribution.
13. Governing law and dispute resolution
13.1. This DPA is governed by the law that governs the Agreement (which, unless the Agreement states otherwise, is the law of the Republic of South Africa).
13.2. Mandatory data protection law prevails. Regardless of the governing law in clause 13.1, the mandatory provisions of the Data Protection Law applicable to the relevant processing prevail over any conflicting provision of this DPA. For processing subject to UK Data Protection Law, the UK GDPR and the supervisory jurisdiction of the ICO apply; for processing subject to POPIA, POPIA and the supervisory jurisdiction of the Information Regulator apply.
13.3. Disputes are resolved under clause 15 of the Daybook Customer Terms of Service.
14. General
14.1. Incorporation. This DPA is incorporated by reference into the Agreement.
14.2. Order of precedence. In the event of conflict, the order of precedence is: (i) the UK GDPR, POPIA, and other mandatory law applicable to the processing; (ii) this DPA; (iii) the Daybook Customer Terms of Service; (iv) the Daybook Customer Privacy Policy; (v) the Daybook Founding Partner Agreement (where applicable to Founding-tier customers); (vi) any other Daybook document.
14.3. Amendments. Daybook may update this DPA from time to time to reflect changes in law, sub-processors, or operational practice, on not less than thirty (30) days’ notice for material changes, in accordance with clause 14 of the Terms of Service.
14.4. Severability. If any provision of this DPA is held invalid or unenforceable, the remainder will continue in force.
14.5. Counterparts and electronic acceptance. Acceptance of the Terms of Service constitutes acceptance of this DPA in accordance with section 13 of the ECT Act.
List of Sub-operators
| Sub-operator | Role | Country / region of processing |
|---|---|---|
| Google LLC (Gmail, Google Workspace OAuth) | Sending and reading email on Customer’s behalf under OAuth scopes | United States |
| Microsoft Corporation (Microsoft Graph / Outlook OAuth) | Sending and reading email on Customer’s behalf under OAuth scopes (where Customer uses Microsoft 365) | United States and European Union |
| Anthropic, PBC | AI extraction and drafting (Claude model) | United States |
| OpenAI, LLC | Backup AI extraction model (where used) | United States |
| Notion Labs, Inc. | Database / data store; internal CRM | United States |
| Vercel, Inc. | Web hosting, serverless compute, Vercel Blob file storage | United States |
| WPPConnect (self-hosted instance - interim) or Twilio Inc. or 360dialog GmbH | WhatsApp message routing | Self-hosted infrastructure; United States (Twilio); Germany (360dialog) |
| Sentry - Functional Software, Inc. (once enabled) | Error and exception monitoring | United States |
| PostHog Inc. (once enabled) | Product analytics, IP truncated | United States |
| Vercel Analytics (if used) | Aggregated website analytics | United States |
| Paddle.com Market Limited (Merchant of Record) | Checkout, subscription and setup-fee billing, card processing, invoicing, tax/VAT, refunds and chargebacks for the Daybook subscription | United Kingdom / European Union |
This list is current as of the Effective Date and is updated in accordance with clause 8.
Lawful basis for cross-border transfers (UK GDPR Chapter V and POPIA section 72)
For transfers of UK data subjects’ personal data, Daybook relies on the UK transfer mechanisms in UK GDPR Article 46 - in practice the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum - or, where the destination benefits from UK adequacy regulations (such as the EEA), on that adequacy; supplemented by a transfer risk assessment where needed. For transfers of South African data subjects’ personal information, Daybook relies on POPIA section 72. The table summarises the basis per Sub-processor.
| Sub-processor | Country | UK GDPR (Chapter V) basis | POPIA section 72 basis |
|---|---|---|---|
| Google LLC | United States | Art. 46 safeguards: provider’s data processing terms incorporating SCCs and the UK Addendum (or the UK IDTA); Art. 49(1)(b) where necessary to perform the contract. | s. 72(1)(a): Google is subject to its Data Processing Addendum incorporating Standard Contractual Clauses comparable to POPIA’s information protection conditions; s. 72(1)(c): necessary to perform the contract with Customer. |
| Microsoft Corporation | United States / EU | Art. 45 adequacy for EU processing; Art. 46 safeguards (SCCs + UK Addendum / IDTA) for US processing. | s. 72(1)(a): Microsoft DPA and Standard Contractual Clauses; s. 72(1)(c). |
| Anthropic, PBC | United States | Art. 46 safeguards: provider DPA with SCCs + UK Addendum. | s. 72(1)(a): Anthropic DPA, EU SCCs incorporated; s. 72(1)(c). |
| OpenAI, LLC | United States | Art. 46 safeguards: provider DPA with SCCs + UK Addendum. | s. 72(1)(a): OpenAI DPA, EU SCCs incorporated; s. 72(1)(c). |
| Notion Labs, Inc. | United States | Art. 46 safeguards: provider DPA with SCCs + UK Addendum; encryption at rest. | s. 72(1)(a): Notion DPA, EU SCCs incorporated, AES-256 at rest; s. 72(1)(c). |
| Vercel, Inc. | United States | Art. 46 safeguards: provider DPA with SCCs + UK Addendum. | s. 72(1)(a): Vercel DPA incorporating SCCs; s. 72(1)(c). |
| Twilio Inc. (if used) | United States | Art. 46 safeguards: provider DPA with SCCs + UK Addendum. | s. 72(1)(a): Twilio DPA incorporating SCCs; s. 72(1)(c). |
| 360dialog GmbH (if used) | Germany (EU) | Art. 45: the EEA benefits from UK adequacy regulations. | s. 72(1)(a): the EU is recognised by the Information Regulator as offering an adequate level of protection. |
| WPPConnect (self-hosted interim) | Daybook-controlled infrastructure | Direct processing under Daybook’s own contractual and security controls; no third-country recipient where hosted in an adequate jurisdiction. | s. 72(1)(c): direct processing under Daybook’s contractual and security controls. |
| Sentry, PostHog (once enabled) | United States | Art. 46 safeguards: respective DPAs with SCCs + UK Addendum. | s. 72(1)(a): respective DPAs incorporating SCCs; s. 72(1)(c). |
| Paddle.com Market Limited | United Kingdom / EU | Paddle is UK-established (Art. 3 applies directly); onward transfers under Paddle’s DPA rely on Art. 46 safeguards (UK IDTA / EU SCCs + UK Addendum) where applicable. | s. 72(1)(a): Paddle’s DPA incorporates SCCs; s. 72(1)(c): necessary to perform the contract. |
Categories of processing, summary
| Category | Detail |
|---|---|
| Categories of Data Subjects | Customer’s debtors (natural and juristic persons); authorised representatives of those debtors; Customer’s own employees and contractors whose details Customer chooses to submit. |
| Categories of Personal Information | Name, contact details, billing address, business identifiers (registration / VAT number), invoice and payment details, communication content. |
| Special Personal Information | Not knowingly processed. |
| Children’s Personal Information | Not knowingly processed. |
| Nature of processing | Collection, recording, storage, retrieval, dissemination by transmission (email send), use, erasure. |
| Purpose of processing | Provision of the Daybook invoicing, reminders, and reconciliation Service. |
| Duration of processing | Term of the Agreement, plus retention periods in clause 6. |
End of Data Processing Addendum.
Privacy queries: intake@daybookcoza.com
DPA queries: intake@daybookcoza.com