Operator Agreement
This Operator Agreement is concluded under sections 20 and 21 of the Protection of Personal Information Act, 2013 (POPIA). It governs how Sous-Chef, as operator, processes personal information on behalf of the Customer, who acts as the responsible party.
1. Parties and roles
This Agreement is between Sous-Chef (the "Operator") and the customer organisation that accepts these terms during account onboarding (the "Responsible Party").
The Responsible Party determines the purpose and means of processing the personal information of its employees-members. The Operator processes that personal information only on the Responsible Party's documented instructions, on the terms of this Agreement.
2. Subject matter and duration
The Operator processes personal information for the duration of the Responsible Party's subscription to the Sous-Chef service, plus any wind-down period set out in section 11. The categories of personal information, data subjects and processing operations are described in Annex A.
3. Documented instructions
The Operator processes personal information only on the Responsible Party's documented instructions, including transfers to third countries (see section 7). The configuration of the Sous-Chef service by the Responsible Party and the actions taken by its authorised users in the application constitute documented instructions for the purposes of this Agreement. The Operator informs the Responsible Party if, in its opinion, an instruction violates POPIA or other applicable law.
4. Confidentiality
The Operator ensures that persons authorised to process the personal information are bound by appropriate confidentiality obligations. The Operator does not disclose personal information to law-enforcement agencies except where required by law and, where lawfully possible, notifies the Responsible Party first.
5. Security measures
The Operator implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature of the personal information and the harm that could result from a security compromise. The current measures are described in Annex B and are kept under review.
6. Sub-processors
The Responsible Party gives the Operator general written authorisation to engage the sub-processors listed at /legal/sub-processors and any future sub-processor of the same kind. The Operator gives the Responsible Party at least 30 days' prior notice by email of any addition or replacement of a sub-processor. The Responsible Party may object on reasonable grounds; if the objection cannot be resolved, the Responsible Party may terminate this Agreement and the underlying subscription with a pro-rata refund of pre-paid fees for the unused term.
The Operator imposes data-protection obligations on each sub-processor that are no less protective than the obligations in this Agreement, and remains fully liable to the Responsible Party for the performance of each sub-processor.
7. Cross-border processing
Personal information may be processed in the European Union, the United States and on global edge networks via the sub-processors listed at /legal/sub-processors. For transfers outside South Africa, the Operator relies on POPIA s72(1)(a) and (b): the recipient is either subject to a law providing comparable protection (EU/UK) or is bound by binding corporate rules or contractual safeguards that uphold POPIA-equivalent principles.
8. Assistance with data-subject rights
Taking into account the nature of the processing, the Operator assists the Responsible Party by appropriate technical and organisational measures, insofar as possible, to fulfil its obligation to respond to requests from data subjects (POPIA s23–s25): access, correction, deletion, objection, and withdrawal of consent.
9. Security compromises
The Operator notifies the Responsible Party of any security compromise involving personal information without undue delay and in any event within 72 hours of becoming aware of it. The notification includes, to the extent known: the nature of the compromise, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
The Responsible Party remains responsible for any reporting to the Information Regulator (POPIA s22) and to affected data subjects.
10. Audits and information rights
The Operator makes available to the Responsible Party all information reasonably necessary to demonstrate compliance with this Agreement, including (on reasonable notice and during business hours, no more than once per twelve-month period and subject to confidentiality) the right to conduct or commission an audit of the Operator's controls. Audit findings are addressed by mutually agreed remediation plans.
11. Return or deletion on termination
On termination of the underlying subscription the Operator makes the Responsible Party's data available for export for 30 days. After that period the Operator deletes the personal information in accordance with the retention schedule published in the privacy policy, unless retention is required by law (BCEA s31, Income Tax Act, etc.).
12. Liability
Liability under this Agreement is governed by the limitations and exclusions in the Terms of Service, except that nothing limits liability that cannot lawfully be limited under POPIA.
Annex A — Processing details
Categories of data subjects
- The Responsible Party's employees, contractors and other workforce members added to the platform
- The Responsible Party's administrators and other authorised users
Categories of personal information
- Identity data (name, email, ID/passport number)
- Contact data (phone, address)
- Employment data (role, employment type, salary, schedule, leave)
- Health data (sick notes — special personal information, POPIA s27(1)(b))
- Disciplinary records (which may include allegations of criminal-behaviour-adjacent conduct — special personal information, POPIA s26)
- Audit-trail metadata (IP, user-agent, timestamps)
Processing operations
- Storage, retrieval, structuring and indexing
- Display in the user interface within the Responsible Party's organisation
- Sending of transactional email through the email sub-processor
- Generation, signing and storage of HR documents
- Anonymisation, aggregation, and deletion in accordance with the retention schedule
Annex B — Technical and organisational measures
- TLS 1.2 or higher in transit; AES-256 at rest at the database layer
- Multi-tenant isolation at the application layer; per-organisation scoping enforced in every query path
- Role-based access control (owner / admin / member) with least-privilege defaults
- Tamper-evident audit log of administrative and HR actions
- Server-side validation of email domains at registration
- Bot protection on registration, login and password-reset flows
- Annual review of access privileges, sub-processor list and incident-response runbook
- Backups taken daily by the database sub-processor with point-in-time-recovery on production instances