Operator Agreements

Last Updated: 8 April 2026

1. Introduction

This document describes the operator (third-party processor) agreements in place for Tapnet Solutions (Pty) Ltd (Registration No. 2023/135522/07), as required by Section 21 of the Protection of Personal Information Act 4 of 2013 (POPIA).

Under POPIA, a responsible party (such as Tapnet) must ensure that any operator (a third party that processes personal information on behalf of the responsible party) does so under a written contract that establishes the conditions for lawful processing.

This policy applies to tapnet.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd.

Section 21 of POPIA requires that operators:

  • Process personal information only with the knowledge or authorisation of the responsible party
  • Treat all personal information as confidential
  • Implement appropriate technical and organisational security measures
  • Notify the responsible party of any security compromises

Tapnet Solutions (Pty) Ltd, as the responsible party, is obligated to ensure that all operators engaged to process personal information on our behalf comply with these requirements. This document provides a transparent registry of all such operators and the agreements governing their processing activities.

2. Operator Registry

The following operators process personal information on behalf of Tapnet Solutions (Pty) Ltd. Each operator is engaged under a written agreement that satisfies the requirements of POPIA Section 21.

Vercel Inc.

What they process: Website hosting, serving web pages, static assets, serverless functions, deployment logs
Personal data handled: IP addresses (in server logs), form submission data (transits through serverless functions)
Physical location: United States (edge network globally)
Agreement type: Vercel Terms of Service + Data Processing Agreement (DPA)
Security certifications: SOC 2 Type 2, ISO 27001
Sub-processors: AWS (infrastructure), Cloudflare (CDN in some regions)
Data Processing Agreement: Yes, covers GDPR and applicable privacy laws

Neon Inc.

What they process: PostgreSQL database hosting, stores contact form submissions, booking requests, quote requests, admin accounts, scroll sessions
Personal data handled: Names, email addresses, phone numbers, company names, messages, project details, hashed passwords
Physical location: United States / European Union (region configurable)
Agreement type: Neon Terms of Service + Data Processing Agreement
Security certifications: SOC 2 Type 2
Sub-processors: AWS (infrastructure)
Data Processing Agreement: Yes

Google LLC (Google Analytics)

What they process: Website analytics, page views, sessions, user interactions, device information
Personal data handled: Anonymized IP addresses, cookie identifiers, browser/device fingerprints, referrer URLs
Physical location: United States (Google Cloud global infrastructure)
Agreement type: Google Analytics Terms of Service + Data Processing Terms
Security certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, FedRAMP
Sub-processors: Google Cloud Platform
Data Processing Agreement: Yes (Google Ads Data Processing Terms)
Note: IP anonymization enabled; data only collected after user consent

OpenAI, LP

What they process: AI chatbot conversations, user messages and generated responses
Personal data handled: Any information users voluntarily share in chat conversations
Physical location: United States
Agreement type: OpenAI Terms of Use + Data Processing Agreement (API)
Security certifications: SOC 2 Type 2
Sub-processors: Microsoft Azure (infrastructure)
Data Processing Agreement: Yes (API data not used for training per API terms)
Note: Users are informed before interacting with the chatbot; no personal data required to use it

3. POPIA Section 21 Requirements for All Operators

Tapnet Solutions (Pty) Ltd ensures that all operators listed above comply with the following requirements under Section 21 of POPIA:

Written agreement in place (Section 21(1))

All operators have terms of service and/or Data Processing Agreements (DPAs) that constitute written agreements governing the processing of personal information.

Processing only on instruction (Section 21(1)(a))

Operators process data only as configured and instructed by Tapnet Solutions (Pty) Ltd. No operator has independent discretion over the purposes of processing.

Confidentiality (Section 21(1)(b))

All operators are bound by confidentiality obligations under their respective agreements, ensuring personal information is treated as confidential.

Security measures (Section 21(1)(c))

All operators maintain industry-standard security measures as evidenced by their certifications (SOC 2, ISO 27001, and others as listed above).

Sub-processor notification (Section 21(1)(d))

All operators disclose their sub-processors, as documented in the Operator Registry above.

Return/deletion on termination

Data can be exported or deleted upon termination of services with any operator. Each operator provides mechanisms for data portability and deletion.

Breach notification

All operators are required to notify Tapnet Solutions (Pty) Ltd promptly of any security compromise affecting personal information processed on our behalf.

4. Contractor and Developer Requirements

In addition to the operators listed above, all contractors and developers with access to personal information processed by Tapnet Solutions (Pty) Ltd must comply with the following requirements:

  • Sign confidentiality and non-disclosure agreements (NDAs) before being granted access to any personal information
  • Only access data necessary for their role, in accordance with the principle of least privilege
  • Use secure development practices, including encrypted connections, secure coding standards, and code review processes
  • Not store personal data on personal devices under any circumstances
  • Report any security incidents immediately to the Information Officer
  • Return or destroy all personal data upon completion of their engagement
  • Comply with this policy and the Security Policy

Note: Failure to comply with these requirements may result in immediate termination of the contractor or developer engagement and may be reported to the Information Regulator if a breach of POPIA has occurred.

5. Liability

Tapnet Solutions (Pty) Ltd remains the responsible party for all personal information processed by operators on its behalf. This means that Tapnet bears ultimate accountability for ensuring that personal information is processed lawfully and securely.

Operators are liable for any damages caused by their non-compliance with POPIA or the terms of their agreements with Tapnet. Where an operator acts outside the scope of its instructions or fails to implement adequate security measures, the operator may be held directly liable under POPIA.

Tapnet Solutions (Pty) Ltd maintains the right to audit operators' compliance with their data processing agreements and POPIA requirements. Audits may be conducted at Tapnet's discretion and operators are expected to cooperate fully.

Breach Response: In the event of an operator breach involving personal information, Tapnet Solutions (Pty) Ltd will immediately follow the Breach Response Plan, which includes notification to affected data subjects and the Information Regulator where required.

6. Operator Review Process

Tapnet Solutions (Pty) Ltd follows a structured process for assessing and reviewing all operators that process personal information on its behalf.

New Operator Assessment

Before engaging any new operator, Tapnet conducts a POPIA compliance assessment. The assessment criteria include:

  • Security certifications: Does the operator hold recognised certifications (e.g., SOC 2, ISO 27001)?
  • DPA availability: Does the operator offer a Data Processing Agreement or equivalent written contract?
  • Data location: Where is personal information stored and processed? Are adequate protections in place for cross-border transfers?
  • Sub-processor transparency: Does the operator disclose its sub-processors and notify of changes?
  • Breach notification capability: Does the operator have a clear process for notifying Tapnet of security incidents?

Ongoing Review

Existing operators are reviewed on an annual basis to ensure continued compliance with POPIA and the terms of their agreements. The review assesses whether the operator continues to meet the assessment criteria listed above and whether any material changes have occurred (e.g., changes to sub-processors, data locations, or security posture).

Non-compliant operators are given a reasonable remediation timeline. If an operator fails to achieve compliance within the specified period, Tapnet will replace the operator with a compliant alternative.

Operator Register

A register of all operators is maintained by the Information Officer, Wynand de Beer. This register includes the operator name, purpose of processing, types of personal information processed, data location, agreement details, and date of last review. The register is updated whenever operators are added, removed, or changed.

7. Review

This document is reviewed annually and whenever there is a change in the operators processing personal information on behalf of Tapnet Solutions (Pty) Ltd. The last review date is displayed at the top of this page.

Any updates to this document will be published at this URL. Significant changes will be communicated to affected parties where appropriate.

Contact the Information Officer

For any questions about our operator agreements or the processing of personal information by third parties, please contact:

Information Officer: Wynand de Beer

  • Company: Tapnet Solutions (Pty) Ltd
  • Registration No: 2023/135522/07
  • Email: wynand@tapnet.co.za
  • Phone: 079 174 8357
  • Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa

Questions about this policy? Contact our Information Officer:

wynand@tapnet.co.za 079 174 8357

Privacy PolicyTerms of ServicePAIA ManualData ProtectionData RetentionSecurityBreach ResponseOperator Agreements