Data Processing Agreement

Effective date: 21 April 2026

This Data Processing Agreement (“DPA”) forms part of the master services agreement or order form between Digiiworks Legal (“Digiiworks”, “we”, “us”) and the law firm identified in that agreement (the “Firm”, “you”). It governs the processing of personal information by Digiiworks acting as an operator on behalf of the Firm as responsible party, in accordance with sections 20 and 21 of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

1. Roles and scope

The Firm determines the purpose and means of processing personal information relating to its clients, matters, appointments, invoices, and other practice data held on the Digiiworks platform. Digiiworks processes that personal information only on the Firm’s documented instructions and only for the purposes necessary to deliver the services described in the master agreement.

This DPA applies for as long as Digiiworks holds personal information on the Firm’s behalf, including any retention period following termination of the master agreement.

2. Categories of data subjects and personal information

Personal information processed under this DPA may include:

  • Data subjects: the Firm’s clients, prospective clients, opposing parties, witnesses, and the Firm’s staff.
  • Categories: names, identity numbers, contact details, banking details, matter descriptions, correspondence, documents, calendar entries, billing records, and other practice information uploaded to or generated by the platform.
  • Special personal information (within the meaning of section 26 of POPIA) will only be processed where the Firm has a lawful basis for doing so and has instructed Digiiworks accordingly.

3. Purpose of processing

Digiiworks processes personal information solely to:

  • host, maintain, and make the platform available to the Firm;
  • run the AI-assisted intake, drafting, analytics, and communication features the Firm has enabled;
  • generate and deliver invoices, reports, and reminders;
  • provide support, diagnose incidents, and improve security; and
  • meet our legal and regulatory obligations (including tax and record-keeping laws).

4. Confidentiality

Digiiworks will treat all personal information processed under this DPA as confidential. Persons authorised to process personal information on our behalf are bound by written confidentiality obligations of no lesser scope than those imposed on us by this DPA.

5. Security safeguards (section 19 of POPIA)

Digiiworks maintains appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information, including:

  • application-level encryption of sensitive fields using firm-scoped AES-256-GCM keys derived per tenant;
  • transport-layer encryption (TLS 1.2 or higher) for all traffic;
  • row-level security in the database, scoped by the Firm’s tenant identifier;
  • least-privilege access controls and audit logging;
  • browser security headers, including a Content Security Policy with per-request nonces, frame-denial, content-sniff denial, and restricted referrer leakage, applied to every response;
  • automatic scrubbing of personally identifiable information from error-monitoring and diagnostic telemetry before it leaves our servers;
  • rate limiting, secret scanning, and dependency monitoring in our deployment pipeline; and
  • regular backups and point-in-time recovery of the primary database.

Further detail on our controls is available in our Security Statement.

6. Security compromises (section 22 of POPIA)

Digiiworks will notify the Firm without undue delay, and in any event within 72 hours of there being reasonable grounds to believe that personal information processed on the Firm’s behalf has been accessed or acquired by an unauthorised person. The notification will include, to the extent then known, the nature of the compromise, the categories of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. We will cooperate with the Firm in meeting the Firm’s own obligations to notify the Information Regulator and affected data subjects.

7. Assistance with data subject requests

Digiiworks provides self-service tools in the portal to help the Firm respond to data subject requests, including an export endpoint that returns a machine-readable copy of the Firm’s tenant data with decrypted personal information. Where the Firm requires further assistance to respond to a request under section 23, 24, or 25 of POPIA, we will provide reasonable assistance at no additional charge within a reasonable time.

8. Sub-operators

The Firm authorises Digiiworks to engage the following categories of sub-operators to deliver the services:

  • Cloud hosting and database: Supabase (primary database and storage) and Vercel (application hosting).
  • Artificial intelligence: Anthropic PBC (Claude models for intake, drafting, and analytics).
  • Email delivery: Twilio SendGrid.
  • SMS delivery: Twilio.
  • Error monitoring: Functional Software, Inc. trading as Sentry, with personal information scrubbed from events before transmission.

Digiiworks remains fully liable to the Firm for the performance of each sub-operator’s obligations. We will notify the Firm in advance of any change to this list and give the Firm a reasonable opportunity to object on reasonable grounds relating to the protection of personal information.

9. Cross-border transfers (section 72 of POPIA)

Where personal information is transferred outside the Republic of South Africa (for example, to sub-operators with infrastructure in other jurisdictions), Digiiworks will ensure that the transfer is lawful under section 72 of POPIA, whether by binding corporate rules, a binding agreement providing substantially similar protection, or a statutory exception.

10. Deletion and return of personal information

Upon termination of the master agreement, Digiiworks will, at the Firm’s election, either delete or return all personal information processed on the Firm’s behalf, and delete existing copies, within a reasonable time unless we are required by law to retain the information. Backups containing personal information will be purged in the ordinary course of our backup retention schedule.

11. Audit and information

On reasonable prior written notice, and no more than once in any twelve-month period, Digiiworks will make available to the Firm information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports where applicable. On-site audits are not contemplated; the Firm may engage an independent third-party auditor bound by confidentiality obligations where required to meet a regulatory demand.

12. Liability and indemnity

Liability under this DPA is subject to the limitations set out in the master agreement, save to the extent such limitations are prohibited by POPIA or applicable consumer-protection law.

13. Governing law and jurisdiction

This DPA is governed by the laws of the Republic of South Africa. The parties submit to the exclusive jurisdiction of the South African courts.

14. Contact

Queries concerning this DPA should be addressed to our Information Officer at privacy@digiiworks.co.