Data Processing Addendum (DPA)
How tribe.one processes personal information on your community's behalf under POPIA. This addendum forms part of our Terms of Service.
Last updated 1 June 2026
Each section below gives the full legal text followed by a plain-English summary. The summary is a friendly overview, not the binding text; the full legal text is the wording that actually applies.
Roles under POPIA
Under the Protection of Personal Information Act, 2013 (POPIA), your community is the responsible party (controller) for the personal information of its members, and tribe.one is the operator (processor) acting on your documented instructions. This DPA records each party's obligations.
Under POPIA, your community owns the decisions about members' data (you're the "responsible party"); tribe.one just processes it for you (we're the "operator").
Scope of processing
We process member personal information (such as names, contact details, roles, transactions, messages, and incident reports) only to provide the tribe.one service, to keep it secure, and as otherwise instructed by you or required by law. We do not sell personal information or use it for our own advertising.
We only use members' data to run the service and keep it secure — never to sell or advertise.
Security measures
We maintain appropriate technical and organisational measures including encryption in transit (TLS 1.3) and at rest (AES-256), three-layer tenant isolation, role-based access control, append-only audit logging, and South African data residency (af-south-1). Full detail is in our Privacy & POPIA notice.
Your data is encrypted, isolated per community, access-controlled, audited, and stored in South Africa.
Sub-operators
We use vetted sub-operators (e.g. cloud hosting, payment tokenisation, email and SMS delivery) under contracts that impose equivalent data-protection obligations. A current list is available on request, and we will give notice of material changes so you can object.
We use a few trusted suppliers (hosting, payments, email/SMS) bound by the same data rules. Ask us for the current list.
Data-subject requests
We assist you in responding to members exercising their POPIA rights (access, correction, deletion, objection). Members can export their own data in-app; deletions are honoured within 30 days, with references in immutable records (votes, transactions) anonymised rather than erased to preserve audit integrity.
If a member asks to see, fix, or delete their data, we help you handle it. Deletions happen within 30 days (records like votes are anonymised, not erased).
Breach notification
If we become aware of a security compromise affecting personal information, we will notify the affected community admin(s) without undue delay (and within 24 hours of confirming the incident), and assist with notifications to the Information Regulator and data subjects as required by POPIA § 22.
If there's a data breach, we tell you within 24 hours and help with the legally-required notifications.
Return & deletion
On termination you may export all community data within 30 days (JSON + CSV). After that, we delete it from active systems and purge backups on their normal rotation, except where retention is required by law.
When you leave, you have 30 days to export everything. Then we delete it (apart from anything the law makes us keep).
Questions about this document? Email hello@tribeone.co.za.