Legal

Data Processing Agreement

Last updated: 3 May 2026  ·  Effective: 3 May 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Agent Loop Terms of Service. It applies to all personal information that you ("Responsible Party") instruct Agent Loop (Pty) Ltd ("Operator") to process on your behalf through the Service.

This DPA is entered into pursuant to Section 20 and related provisions of the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Definitions

• "Personal Information" — as defined in POPIA s.1: information relating to an identifiable natural person
• "Processing" — any operation performed on personal information
• "Responsible Party" — you, the estate agent or agency using the Service
• "Operator" — Agent Loop (Pty) Ltd
• "Data Subject" — your clients whose personal information is processed
• "Sub-operator" — a third party engaged by Agent Loop to assist in processing

2. Subject Matter and Scope

Agent Loop processes Personal Information on your behalf for the following purposes:

• Storing and managing client contact records and property requirements
• Applying AI matching algorithms to identify property-client matches
• Parsing email, WhatsApp and social media messages to extract lead information
• Generating match scores, notifications and reports
• Facilitating anonymised cross-agent match alerts (no PII shared without mutual opt-in)

3. Responsible Party Obligations

You warrant and agree that:

• You have obtained all necessary consents from Data Subjects before uploading their personal information, including consent for AI-assisted processing
• Your instructions to Agent Loop comply with all applicable laws including POPIA
• You will maintain a record of the consents you have obtained
• You will respond to Data Subject requests (access, correction, deletion, objection) within the timeframes required by POPIA and will notify Agent Loop where our assistance is required
• You will notify Agent Loop of any change in applicable law that affects processing obligations

4. Operator Obligations

Agent Loop agrees to:

• Process Personal Information only on your documented instructions, except where required by applicable law
• Ensure that persons authorised to process Personal Information are subject to appropriate confidentiality obligations
• Implement appropriate technical and organisational security measures in accordance with POPIA s.19, including encryption at rest and in transit, access controls and audit logging
• Not engage sub-operators without your prior authorisation (general authorisation is granted in Section 5 below for the sub-operators listed therein)
• Assist you in responding to Data Subject requests and regulatory enquiries, to the extent technically feasible
• Delete or return all Personal Information upon termination of the Service, in accordance with our retention policy and any legal obligations
• Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a personal information breach affecting your Data Subjects
• Make available all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits

5. Approved Sub-Operators

You grant general authorisation for Agent Loop to engage the following sub-operators. Agent Loop will impose data protection obligations on each sub-operator equivalent to those in this DPA.

We will notify you of any intended changes to this list (new or replacement sub-operators) with at least 30 days' notice, giving you the opportunity to object.

6. International Transfers

Where personal information is transferred outside South Africa (e.g., to Anthropic's servers in the USA), Agent Loop will implement appropriate safeguards as required by POPIA s.72, including contractual clauses equivalent to the POPIA standard. By accepting this DPA you consent to such transfers on the basis that adequate safeguards are in place.

7. Security Measures

Agent Loop implements the following technical and organisational measures:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption at rest for credential and token data
• bcrypt password hashing (cost factor ≥ 12)
• Role-based access control with principle of least privilege
• Comprehensive audit logging of data access and modifications
• Regular penetration testing and vulnerability assessments
• Incident response plan with defined escalation procedures
• Employee security training and background checks for personnel with data access

8. Personal Information Breach

In the event of a breach involving your Data Subjects' personal information, Agent Loop will:

• Notify you without undue delay upon discovery
• Provide all available information about the nature and scope of the breach
• Assist you in meeting any notification obligations to the Information Regulator under POPIA s.22
• Take immediate remedial action to contain and mitigate the breach

9. Deletion and Return of Data

Upon termination of your account or upon your written request, Agent Loop will delete your Personal Information within 30 days, except where we are required to retain it by law. You may export your data via the Settings page before account closure.

10. Audit Rights

You may, with reasonable notice (not less than 30 days), request an audit of Agent Loop's data processing activities relevant to your data. Audits must be conducted during business hours and at your cost. Agent Loop may satisfy audit requests by providing relevant certifications or third-party audit reports.

11. Liability

Each party is liable to the other for any damage caused by processing that breaches this DPA or POPIA. Agent Loop's liability under this DPA is subject to the limitations set out in the Terms of Service.

12. Term

This DPA is effective from the date you accept the Terms of Service and continues until the later of: (a) termination of your account; or (b) the end of our legal retention obligations.

13. Contact

Information Officer, Agent Loop (Pty) Ltd
Email: admin@agentloop.digital
Information Regulator of South Africa: inforegulator.org.za