This Cross-Border Transfer Addendum describes the contractual safeguards and disclosure framework applicable where customer personal information is transferred, hosted, accessed, backed up, supported, or otherwise processed outside the country in which the customer or relevant data subjects are located, including transfers governed by South Africa’s Protection of Personal Information Act, 4 of 2013.
The customer acts as the responsible party, controller, or equivalent role under applicable data-protection law. WISPGate acts as the operator, processor, service provider, or equivalent role when processing customer personal information on behalf of the customer through the WISPGate services.
This addendum applies to customer personal information transferred to, stored in, accessed from, or processed in a country other than the customer’s primary country of establishment or the country of the relevant data subjects, including transfers arising from cloud hosting, backup, support access, migration assistance, security monitoring, troubleshooting, disaster recovery, and authorized subprocessor activity.
The customer authorizes WISPGate to conduct covered transfers where reasonably necessary to provide, secure, maintain, support, back up, restore, migrate, or improve the services, subject to the safeguards stated in this addendum, the Data Processing Agreement, the POPIA Operator Agreement where applicable, the subprocessor list, and any customer-specific order form or statement of work.
Where POPIA Section 72 applies, WISPGate contractually commits to processing customer personal information under principles, safeguards, and contractual obligations that are substantially similar to the conditions for lawful processing under POPIA, to the extent applicable to WISPGate’s role as operator and the services being provided. WISPGate will process such personal information only under customer instructions, protect it with appropriate security safeguards, restrict access, apply confidentiality obligations, and return or delete it according to the governing agreement.
Unless a customer-specific order form, hosting schedule, or deployment statement states otherwise, WISPGate may deploy customer environments using WISPGate-managed cloud infrastructure, customer-selected cloud infrastructure, partner infrastructure, or customer on-premise infrastructure. The exact data residency profile depends on the hosting model selected for the customer environment.
| Hosting Model | Primary Processing Location | Notes |
|---|---|---|
| WISPGate Managed Cloud | As disclosed in the customer order form, deployment ticket, or data residency statement | Used where WISPGate provisions and manages the production environment. |
| Customer Cloud | Country and region selected by the customer | Customer controls the cloud account or cloud provider selection unless agreed otherwise. |
| Partner Cloud | Country and region operated by the approved partner | Applicable only where the customer approves partner-hosted deployment. |
| On-Premise | Customer-controlled premises or data centre | WISPGate may still access the environment remotely for support if authorized. |
For each customer deployment, WISPGate may provide a customer-specific data residency disclosure identifying the applicable infrastructure provider, country, data centre region, backup location, and support-access jurisdictions. The following schedule should be completed before execution where the customer requires written disclosure.
| Disclosure Field | Customer-Specific Entry |
|---|---|
| Customer Name | [Insert Customer Name] |
| Production Hosting Provider | [Insert Provider] |
| Production Country / Region | [Insert Country / Region] |
| Production Data Centre Location | [Insert Location] |
| Backup Provider | [Insert Provider] |
| Backup Country / Region | [Insert Country / Region] |
| Replication or Disaster Recovery Location | [Insert Location or “Not Applicable”] |
| Support Access Countries | [Insert Countries from which authorized WISPGate personnel may access the environment] |
| Approved Subprocessors | [Insert or reference current WISPGate Subprocessor List] |
| Special Residency Restriction | [Insert any customer-specific restriction or “None”] |
WISPGate will disclose the cloud infrastructure provider used for the customer’s production environment where WISPGate controls the deployment. Where the customer provides, selects, or controls the hosting environment, the customer remains responsible for verifying the legal suitability, location, security, and transfer basis of that hosting provider unless the parties agree otherwise in writing.
Customer personal information may be included in backups, snapshots, logs, exports, database replicas, or disaster recovery copies as reasonably necessary for service continuity, restoration, security, migration, and operational resilience. Backup and replication locations must be disclosed in the customer-specific data residency schedule where required by law or contract.
Authorized WISPGate personnel may access customer environments remotely for onboarding, migration, implementation, troubleshooting, monitoring, maintenance, security response, or support. Such access will be limited to personnel with a legitimate operational need and is subject to confidentiality, access-control, and security requirements.
WISPGate may use subprocessors and service providers for infrastructure, storage, backup, email delivery, communications, monitoring, logging, payment support, security, and operational services. WISPGate will maintain a subprocessor list identifying relevant vendor categories, purposes, and regions. Customer-specific deployments may use a narrower or different set of subprocessors depending on selected modules, hosting model, integrations, and enabled services.
WISPGate will apply safeguards appropriate to the nature of the processing, which may include contractual confidentiality, least-privilege access, account controls, secured infrastructure, backup controls, operational logging, administrative restrictions, documented instructions, incident-response procedures, and return or deletion obligations. Where required, the parties may supplement this addendum with standard contractual clauses, regional transfer terms, or another recognized legal transfer mechanism.
WISPGate will not knowingly transfer customer personal information to an unauthorized third party for independent processing. Onward transfers to approved subprocessors are permitted only where necessary for the services and subject to contractual controls appropriate to the nature of the processing.
If WISPGate receives a legally binding request from a public authority seeking access to customer personal information, WISPGate will, where legally permitted, notify the customer and provide reasonable cooperation so the customer may seek protective measures. WISPGate may comply with lawful requests where required by applicable law.
The customer remains responsible for assessing the legality of cross-border transfers from the customer’s jurisdiction, issuing lawful processing instructions, informing data subjects where required, selecting an appropriate hosting model, and obtaining any approvals, notices, consents, or transfer assessments required by applicable law.
WISPGate may update infrastructure, subprocessors, data centre locations, backup locations, or support-access arrangements from time to time. Where a signed agreement requires advance notice or customer approval, WISPGate will follow that signed agreement. Otherwise, WISPGate may provide notice through the legal center, subprocessor list, account communication, ticket, email, or other reasonable channel.
Upon customer request and subject to technical feasibility, contract terms, fees, and legal requirements, WISPGate may assist with data export, migration, deletion, hosting relocation, or localization changes. Such requests may require a separate statement of work where they involve re-architecture, region migration, data transfer, custom backup handling, or downtime planning.
If this addendum conflicts with a signed customer-specific data residency schedule, order form, or negotiated data-transfer clause, the signed customer-specific document controls for that customer. If this addendum conflicts with the Data Processing Agreement or POPIA Operator Agreement, the document providing the higher level of protection for customer personal information controls for the specific data-transfer issue, unless a signed agreement expressly states otherwise.
Liability under this addendum is subject to the limitations, exclusions, and remedies stated in the master commercial agreement, unless prohibited by non-waivable applicable law.
Questions regarding this Cross-Border Transfer Addendum or customer-specific data residency disclosures should be directed to privacy@wispgate.us.
Your request has been submitted successfully.