This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer") and NEI SHOT WEBX SOLUTIONS CC (CC/2025/02042) ("Tuma SMS") and applies to processing of personal information that the Customer (as Responsible Party / Controller) instructs Tuma SMS (as Operator / Processor) to perform through the Tuma SMS - Nei Shot platform.
This DPA reflects the requirements of the Namibian Data Protection Bill / POPIA and, where applicable to international recipients, the EU General Data Protection Regulation ("GDPR"). Capitalised terms not defined here have the meaning given in POPIA or GDPR, whichever applies.
The Customer is the Responsible Party / Controller for personal information about its message recipients. Tuma SMS is the Operator / Processor and processes such personal information solely on the Customer's behalf and in accordance with the Customer's documented instructions, expressed by configuring and using the platform.
The subject matter, nature, purpose, categories of personal information, and categories of data subjects are set out in Annex A. Processing continues for the duration of the Customer's account, plus any retention period agreed in writing or required by law.
Tuma SMS will process personal information only on the Customer's documented instructions, including for international transfers, unless required to do so by applicable law. If we believe an instruction breaches POPIA / GDPR or any other applicable data-protection law, we will inform the Customer.
Tuma SMS ensures that all personnel authorised to process personal information are bound by confidentiality obligations.
Tuma SMS implements appropriate technical and organisational measures to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, damage, or disclosure. These measures are described in Annex B and reviewed periodically.
The Customer authorises Tuma SMS to engage sub-processors for delivery, hosting, and monitoring. The current list of sub-processors is published in our Privacy Policy and is available on request.
If Tuma SMS appoints a new sub-processor, we will give the Customer at least 14 days' prior notice by posting the change on this page or by email. The Customer may object on reasonable grounds, in which case we will work in good faith to find a workable alternative; if none can be found, the Customer may terminate the affected services.
Tuma SMS imposes data-protection obligations on sub-processors that are no less protective than those in this DPA, and remains responsible for the sub-processor's compliance.
Where Tuma SMS receives a request from a data subject relating to personal
information processed on the Customer's behalf, Tuma SMS will, where
legally permitted, forward the request to the Customer without undue delay. The platform
provides a per-contact data-export endpoint (/ui/tenant/contacts/{id}/data-export)
to help the Customer respond.
Tuma SMS will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-information breach affecting the Customer's data. The notice will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
The Customer may, on reasonable advance written notice (not more than once in any 12-month period, or more frequently if required by a regulator after a breach), request information reasonably necessary to demonstrate compliance with this DPA. Tuma SMS will respond within 30 days. On-site audits may be conducted only by mutual agreement and at the Customer's expense.
On termination of the services, Tuma SMS will, at the Customer's choice, return or delete all personal information processed on the Customer's behalf within 90 days, save where retention is required by applicable law.
Each party's liability arising under or in connection with this DPA is subject to the liability limits set out in the Terms of Service.
| Subject matter | Provision of bulk SMS and email messaging services to recipients designated by the Customer. |
|---|---|
| Duration | For the duration of the Customer's account plus any agreed retention period. |
| Nature and purpose | Storage, transmission, delivery-status tracking, and reporting on messages sent on Customer's behalf. |
| Categories of data subjects | The Customer's employees, customers, members, students, parents, voters, or other recipients designated by the Customer. |
| Categories of personal information | Names, mobile phone numbers (Namibian format 264XXXXXXXXX), email addresses, optional custom fields supplied by the Customer, message content, delivery / open / bounce metadata. |
| Special categories | The Customer must not upload special / sensitive personal information (race, health, political opinions, sexual orientation, financial details, etc.) unless an additional written agreement is in place. |
tenant_id on every record;
row-level enforcement at the application layer.