This Schedule is incorporated into, and forms part of, the SkipDrop Terms of Service. Capitalised terms not defined here have the meaning given to them in those Terms. It is the written agreement contemplated by section 21 of the Protection of Personal Information Act 4 of 2013("POPI Act") between the Operator (as the responsible party in respect of End Customer data) and SkipDrop (as that Operator's operator, as defined in the POPI Act).
1. Subject matter
SkipDrop processes Personal Information on behalf ofthe Operator strictly to provide the Service. SkipDrop will not process Personal Information for any other purpose, will act only on the Operator's documented instructions (the act of entering data into the tenant being a documented instruction to process it for the relevant operational purpose), and will not disclose Personal Information except as required by these Terms or by law.
2. Categories of data subjects
- The Operator's End Customers — i.e. the natural or juristic persons who book skip-hire services from the Operator.
- The Operator's staff — drivers, dispatchers, office users, and any other people the Operator chooses to add to its tenant.
3. Categories of Personal Information
- Contact details (name, cell, email, billing address).
- Service-site location data (delivery / collection addresses, GPS pins, site notes).
- Booking and job history (skip size, waste type, dates, photos).
- Payment records and invoice history (amounts, payment method references, PayFast transaction identifiers).
- Job photos uploaded by drivers (which may incidentally capture third-party Personal Information at a site).
- Operator staff records (display name, cell, email, role flags).
SkipDrop does notrequire, and the Operator should not upload, Special Personal Information (POPI § 26) or children's data (POPI § 34) without first putting in place its own POPI-compliant lawful basis. SkipDrop does not store payment-card numbers — those are handled exclusively by PayFast.
4. Sub-processors
The Operator authorises SkipDrop to engage the following sub-processors:
- Supabase — managed PostgreSQL database (EU region).
- Vercel — application hosting and edge network (US region, with global edge caching).
- Resend — transactional email delivery (US region).
- SMS Portal — SMS delivery (South Africa).
- PayFast — payment processing (South Africa).
SkipDrop will give the Operator at least thirty (30) days' notice (by email and in-platform) before adding or replacing a sub-processor that processes End Customer Personal Information. If the Operator objects on reasonable POPI-compliance grounds within that period, its sole remedy is to terminate the Service and export its data under the main Terms.
5. Cross-border transfers
Some sub-processors store or process Personal Information outside South Africa. The Operator authorises these transfers under POPI § 72(1)(c)— the transfer is necessary for the performance of the contract between the data subject and the Operator (or, where applicable, for pre-contract steps taken at the data subject's request).
Where a sub-processor is located outside South Africa, SkipDrop will ensure that the sub-processor is either (i) subject to a law / binding corporate rules / contractual undertakings providing an adequate level of protection substantially similar to the POPI Act, or (ii) bound by Standard Contractual Clauses to equivalent effect.
6. Security safeguards (POPI § 19)
SkipDrop will maintain at least the following technical and organisational measures, which the parties agree are appropriate, reasonable, and generally accepted information-security practices for the nature of the Personal Information involved:
- Databases encrypted at rest.
- All transport encrypted in transit (TLS 1.3).
- Tenant isolation enforced at the database layer via PostgreSQL Row-Level Security policies.
- One-time-password authentication only — no shared passwords.
- Documented backup and restore procedures.
- Incident response procedures targeting initial assessment and Operator notification within seventy-two (72) hours of becoming aware of a compromise.
- Independent platform-level rate-limiting and abuse controls.
- Audit logging of sensitive operations (team changes, exports, billing changes).
7. Confidentiality
All SkipDrop personnel and contractors with access to Operator Personal Information are bound by written confidentiality obligations that survive the end of their engagement.
8. Data-subject rights
The POPI Act gives data subjects rights of access (§ 23), correction (§ 24), and (where applicable) deletion / destruction (§ 25). Those rights are exercised against the responsible party — i.e. the Operator.
SkipDrop will assist the Operator in fulfilling these requests within fourteen (14) daysof being asked, through the per-tenant export endpoint, the in-platform record-editing UI, and (for erasure) the POPIA "keep-for-tax" anonymisation already implemented on sd_customers.erased_at. Where SARS or another regulator mandates a longer retention (e.g. five years for tax records), that retention obligation prevails over a deletion request.
9. Breach notification (POPI § 22)
If SkipDrop becomes aware that any Personal Information belonging to the Operator's tenant has, or is reasonably likely to have been, accessed or acquired by an unauthorised person, SkipDrop will notify the Operator without undue delay and in any event within seventy-two (72) hours of becoming so aware. The notification will include the information reasonably needed for the Operator to comply with its own section 22 obligations to the Information Regulator and affected data subjects.
10. Retention & return
On termination of the main Terms, SkipDrop will retain Operator Personal Information for thirty (30) days to allow export, and will then delete it within a further thirty (30) days. The Operator may, on written request, ask SkipDrop to extend retention of invoice records for the five (5) year minimum prescribed by the Tax Administration Act 28 of 2011 / VAT Act 89 of 1991.
11. Audit
The Operator may request, no more than once in any 12-month period, a written summary of SkipDrop's security posture (architecture, sub-processors, controls, incident history). On-site audits are not offered at this tier.
12. Information Officer
The Operator'sInformation Officer is its CEO, principal, or other person designated as such under POPI § 56 — by default, the Operator's owner-user on the SkipDrop account.
SkipDrop's Information Officer is Charl Lamprecht. Contact: bot@botandbotty.com.
13. Liability & indemnity
Liability and indemnity under this Schedule are governed by clauses 11 and 12 of the main Terms. Nothing in this Schedule extends a party's liability beyond the limits set in those clauses.
14. Term
This Schedule takes effect on the same date as the main Terms (i.e. when the Operator accepts them on sign-up) and remains in force for as long as SkipDrop processes Personal Information on the Operator's behalf — including the 30-day post-termination retention window in clause 10.