Data Processing Agreement (DPA)
- Effective Date: 7 Sep 2025
- Last Updated: 7 Sep 2025
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between:
Subscriber (the “Controller” / “Responsible Party”)
The individual or legal entity that has entered into the Terms of Service with Mighty Workflow and that determines the purposes and means of processing Customer Data.
and
MIGHTY TOOLKIT (PTY) LTD, trading as Mighty Workflow (the “Processor” / “Operator”)
A company registered in South Africa under registration number 2025/685291/07, with its registered address at:
2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa.
1. Definitions
For the purposes of this Agreement:
- “Controller” / “Responsible Party”: The party that determines the purposes and means of processing Personal Data (that’s the Subscriber).
- “Processor” / “Operator”: The party that processes Personal Data on behalf of the Controller (that’s MIGHTY TOOLKIT (PTY) LTD, trading as Mighty Workflow).
- “Data Subject”: An identified or identifiable natural person whose Personal Data is processed.
- “Personal Data”: Any information relating to a Data Subject, as defined under GDPR and POPIA.
- “Processing”: Any operation performed on Personal Data, whether automated or not, including collection, storage, organisation, structuring, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
- “Sub-processor”: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Customer Data”: All Personal Data and other information submitted to or generated within the Services by the Subscriber or its Invited Users, including documents, form inputs, workflow data, and related content.
- “Subscriber”: The individual or legal entity that enters into the Terms of Service by creating a Workspace in the Services. The Subscriber is legally responsible for the Workspace, including payment of fees, management of access and permissions, and all actions of Invited Users. In Mighty Workflow, the Subscriber is assigned the role of Owner.
- “Invited User”: Any individual the Subscriber invites to access the Workspace (e.g., employees, contractors, external clients). The Subscriber controls Invited Users’ roles, permissions, and access, and may change or revoke such access at any time. This includes:
- Team Members – added by the Subscriber to collaborate in creating and managing workflows.
- Contacts – external participants who are added to complete assigned workflow steps, upload documents, or provide information.
- “Workspace”: The environment created by the Subscriber within the Services that contains Customer Data, Invited Users, and associated settings.
- “Technical and Organisational Measures (TOMs)”: The security practices, controls, and safeguards implemented by the Processor to protect Personal Data (e.g., encryption, access control, logging, backups).
- “Standard Contractual Clauses (SCCs)”: The contractual mechanisms approved by the European Commission to ensure adequate protection for international transfers of Personal Data.
- “Applicable Data Protection Law”: All laws and regulations governing the processing of Personal Data under this Agreement, including POPIA and GDPR.
2. Scope of the Agreement
This Agreement applies to all Customer Data (as defined in the Terms of Service) that the Subscriber (Controller) collects, uploads, or manages using Mighty Workflow.
We, as Processor, will process Customer Data solely:
- As necessary to provide, maintain, and support the Services,
- On documented instructions from the Controller, and
- In compliance with Applicable Data Protection Law and this Agreement.
Processing may include the use of approved sub-processors, as described in Section 5.
3. Our Responsibilities as the Processor
We shall:
- Process Personal Data only under the Controller’s documented instructions.
- Maintain confidentiality and ensure that personnel are bound by appropriate obligations.
- Implement and maintain Technical and Organisational Measures (TOMs), including encryption, access controls, logging, and backups.
- Ensure that any sub-processors are bound by obligations no less protective than those in this Agreement.
- Assist the Controller, where reasonably possible, with:
- Data Subject rights requests,
- Security incidents, and
- Data Protection Impact Assessments (DPIAs).
- Notify the Controller without undue delay of any Personal Data breach, including:
- The nature and scope of the breach,
- Likely consequences, and
- Measures taken or proposed to address it.
- Delete or return all Customer Data at the end of the Agreement, subject to the 60-day retention period stated in the Terms of Service, unless otherwise required by law.
4. Your Responsibilities as the Controller
The Controller is responsible for:
- Ensuring a lawful basis for the collection and processing of Customer Data.
- Providing required notices and obtaining valid consent from Data Subjects, where applicable.
- Responding to Data Subject rights requests (we will provide reasonable assistance).
- Ensuring Customer Data shared with Mighty Workflow complies with Applicable Data Protection Law.
- Ensuring the accuracy, quality, and legality of Customer Data.
- Configuring the Services appropriately, including roles, permissions, retention, and security measures (e.g., MFA, user offboarding).
Children’s Data
The Controller is solely responsible for ensuring lawful collection and processing of minors’ data (including under POPIA). Mighty Workflow does not knowingly collect or process children’s data without verified parental/guardian consent and only in accordance with the Terms of Service.
5. Sub-Processors
We may use trusted sub-processors (e.g., hosting, analytics, email delivery, payment providers) to support the Services. We will:
- Maintain a list of current sub-processors (published on our website or available on request),
- Ensure sub-processors are bound by data protection obligations no less protective than those in this Agreement,
- Notify the Controller in advance of any new sub-processor, and
- Allow the Controller to object on reasonable grounds. If the objection cannot be resolved, the Controller may terminate the affected Services.
6. International Data Transfers
- Hosting: Our primary servers are located in the European Union (EU). Customer Data is stored and processed in this region. Transfers to the EU are permitted under section 72 of POPIA and the GDPR, as the EU provides an adequate level of protection.
- Other transfers: Some sub-processors may operate outside the EU or South Africa. Where this occurs, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent protections.
- Subscriber responsibility: As the Controller, you remain responsible for ensuring that your use of the Services and any onward transfers of Customer Data comply with applicable laws.
7. Payment Processing
We use Paddle.com as our authorized Merchant of Record to process payments.
- Payment details (e.g., card information) are collected and processed directly by Paddle. We do not access or store card details.
- Paddle acts as an independent Controller for payment data and processes it in accordance with its own Privacy Policy and GDPR/POPIA obligations.
- Paddle also calculates, collects, and remits applicable taxes on our behalf.
- We only receive limited information from Paddle (e.g., name, email, transaction ID, tax jurisdiction), which we use solely to provide Services and maintain records.
8. Security Measures
We implement appropriate technical, organisational, and physical safeguards, including:
- Data encryption in transit (TLS) and at rest,
- Secure login, role-based access, and least-privilege principles,
- Secure backups and disaster recovery procedures,
- Regular monitoring, security updates, and vulnerability patching,
- Restricted physical access to hosting facilities.
Security is a shared responsibility. The Controller is responsible for appropriate configuration of the Services, including managing roles/permissions, enforcing MFA, and promptly removing departing Users.
A current list of our Technical and Organisational Measures (TOMs) is available on request.
9. Data Breaches
We will notify the Controller without undue delay upon becoming aware of a Personal Data breach. The notification will include:
- The nature and scope of the breach,
- The categories and approximate number of records affected,
- The likely consequences, and
- The measures taken or proposed to address the breach.
We will provide reasonable assistance to the Controller in complying with their breach notification obligations under GDPR and POPIA.
10. Deletion & Retention
Upon termination of the Services:
- Customer Data will be retained in an archived state for up to 60 days to allow export or reactivation.
- After this period, Customer Data will be securely deleted, unless longer retention is required by law.
- Customer Data may temporarily persist in backup systems but will be securely overwritten within standard backup cycles.
11. Duration
This Agreement remains in force for as long as we process Customer Data on behalf of the Controller. Its obligations survive termination until all Customer Data has been deleted or returned in accordance with Section 10.
12. Governing Law
This Agreement is governed by the laws of South Africa. Both parties submit to the exclusive jurisdiction of the High Court of South Africa (Western Cape Division, Cape Town).
13. Contact Information
For data protection matters, contact:
🏢 2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa
👤 Information Officer (POPIA) / Data Protection Officer (GDPR): Allister Smith