Data Processing Agreement

Partner DPA template.

Last updated 2026-05-01. Counter-signed copies are issued at subscription start and on every sub-processor change.

This template forms the data-protection schedule of every Vantage partner subscription. It maps cleanly to POPIA (ZA), NDPA (NG), the Kenya DPA, the Botswana DPA, the Zambia DPA, and the Zimbabwe Cyber & Data Protection Act. Country addenda live under /terms/{country-code}.

1. Scope and roles

This Data Processing Agreement (DPA) forms part of the partner subscription agreement between Vantage (the Processor) and the contracting partner organisation (the Controller). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Vantage platform — including farmer, dealer, staff, transaction, and KYC data. Where farmer relationships are originated by the Controller, the Controller is the data controller and Vantage is the data processor. Where Vantage collects platform-staff data directly, Vantage is the controller for that limited set.

2. Subject matter, duration, nature and purpose

Subject matter: agricultural credit, satellite scoring, card issuance, dealer settlement, ledger, and reporting services. Duration: the term of the partner subscription agreement plus any tail period required by applicable financial regulations (typically 5-7 years for ledger and KYC records). Nature: storage, structured-data processing, automated scoring, encrypted transmission, audit logging. Purpose: deliver the contracted service to the Controller.

3. Categories of data and data subjects

Data subjects: farmers, dealers, partner staff, partner contractors. Categories of personal data: identification (name, ID number, date of birth), contact (phone, email, postal), location (farm coordinates, polygon geometry), financial (loan history, card balance, transaction logs), KYC documents (national ID scan, proof of residence), biometric (selfie liveness check where used), satellite-derived farm attributes (NDVI, soil moisture, expected yield). Special-category data is processed only where strictly required for KYC and AML compliance and is encrypted at rest.

4. Processor obligations

Vantage will (a) process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, (b) ensure that persons authorised to process the personal data are bound by confidentiality, (c) implement the technical and organisational measures described in the Security Schedule, (d) assist the Controller in responding to requests from data subjects exercising their rights, (e) assist the Controller in meeting its obligations on security, breach notification, impact assessments, and prior consultation with regulators, (f) at the choice of the Controller, delete or return all personal data after the end of the provision of services, and (g) make available all information necessary to demonstrate compliance with these obligations.

5. Sub-processors

The Controller authorises Vantage to engage the sub-processors listed in Schedule A. Vantage will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days before the change, giving the Controller the opportunity to object. Every sub-processor is bound in writing to data-protection terms no less protective than this DPA. Vantage remains fully liable to the Controller for the performance of its sub-processors' obligations.

6. Security

Vantage implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures cover (a) pseudonymisation and encryption (bcrypt for passwords and PINs, TLS in flight, AES-256 for sensitive at-rest fields), (b) confidentiality, integrity, availability and resilience of processing systems and services, (c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident, (d) a process for regularly testing, assessing, and evaluating the effectiveness of those measures (penetration testing, vulnerability scanning, access reviews, backup restore drills).

7. Personal data breach

Vantage will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Vantage will cooperate with the Controller on regulator notifications required under POPIA, NDPA, the Kenya DPA, the Botswana DPA, the Zambia DPA, and the Zimbabwe Cyber & Data Protection Act, as applicable to the relevant data subjects.

8. International transfers

Vantage will not transfer personal data to a country outside the data subject's country of residence except where (a) the destination country is recognised by the relevant regulator as offering an adequate level of protection, or (b) Vantage has put in place appropriate safeguards (binding corporate rules, standard contractual clauses, or equivalent), or (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, or (d) the data subject has explicitly consented after being informed of the possible risks.

9. Audit rights

Vantage will make available to the Controller, on reasonable prior written notice and no more than once per calendar year (unless a regulator-mandated audit is in progress), the information necessary to demonstrate compliance with this DPA. The Controller may either accept a current SOC 2 Type II report (or equivalent) or audit reports of independent security testing firms, or conduct an audit at the Controller's expense subject to reasonable confidentiality and operational-impact safeguards.

10. Deletion on termination

Within 30 days of termination or expiry of the partner subscription agreement, Vantage will (a) make all personal data available to the Controller for export in a structured, commonly used, machine-readable format, (b) on confirmed receipt of the export by the Controller, hard-delete operational copies of personal data, (c) retain only the minimum subset required by applicable financial regulations (typically the KYC, AML, and ledger records mandated by the central bank of the relevant country for 5-7 years), and (d) issue a written certificate of deletion to the Controller on request.

11. Liability

Liability for breaches of this DPA is governed by the limitation-of-liability clause in the partner subscription agreement. Nothing in this DPA limits liability for direct damages arising from a wilful breach of the Processor obligations in clause 4 or from the unauthorised disclosure of personal data caused by Vantage's gross negligence.

12. Order of precedence

In the event of any conflict between this DPA, the partner subscription agreement, and any country-specific schedule, the country-specific schedule prevails, then this DPA, then the partner subscription agreement.

Schedule A — sub-processors

The current sub-processor list. Changes are announced to partners at least 30 days in advance via the partner success channel agreed at onboarding.

Sub-processor category | Purpose | Region
Cloud infrastructure provider | Compute, storage, and managed PostgreSQL hosting | Per region selected in the partner subscription agreement
Object storage | Encrypted KYC document storage, signed-URL retrieval | Same region as primary database
Transactional email | Account verification, password reset, system notifications | EU / US (per provider)
SMS aggregator | OTP delivery, farmer alerts, dealer settlement notices | Per country (locally licensed where required)
Satellite imagery API | Sentinel-2 derived NDVI, soil moisture, weather inputs | EU (Copernicus / ESA)
Error and performance monitoring | Server-side error capture, latency tracing, alerting | Configurable; defaults to EU