Operator Agreements
Last updated: 7 April 2026
1. Purpose
Under POPIA Section 21, when Tapnet Solutions (Pty) Ltd ("Tapnet", the responsible party) engages a third party ("operator") to process personal information on our behalf, we must ensure through a written agreement that the operator provides adequate data protection.
This page lists all operators who process personal information for hustler.co.za and other Tapnet services, what data they process, and the agreements in place.
2. Operators
Neon Inc. — Database
| What they process | All user data stored in our database (accounts, profiles, services, quotes, invoices, analytics, consents) |
| Location | Frankfurt, Germany (EU) |
| Agreement | Neon Data Processing Agreement (DPA), part of their Terms of Service. Neon is GDPR-compliant and SOC 2 Type II certified. |
| Security | AES-256 encryption at rest, TLS in transit, automated backups, point-in-time recovery |
| Sub-processors | AWS (Frankfurt region) |
Vercel Inc. — Application Hosting
| What they process | HTTP requests, server-side rendered pages, serverless function execution, cached content |
| Location | Global CDN, primary compute in US and EU |
| Agreement | Vercel Data Processing Addendum (DPA). Vercel is SOC 2 Type II certified. |
| Security | Automatic SSL/TLS, DDoS protection, edge network, encryption at rest |
| Sub-processors | AWS (multiple regions) |
Resend Inc. — Email Delivery
| What they process | Email addresses for transactional emails (verification, notifications) |
| Location | United States |
| Agreement | Resend Data Processing Agreement (DPA). SOC 2 compliant. |
| Security | TLS encryption for all emails, API key authentication |
| Data minimisation | Only receives email addresses and message content — no passwords, financial data, or profile information |
PayFast (Network International) — Payment Processing
| What they process | Subscription payments — name, email, payment amount. Card details are handled entirely by PayFast (we never see them). |
| Location | South Africa |
| Agreement | PayFast Merchant Agreement, which includes data protection obligations. PayFast is PCI DSS Level 1 compliant. |
| Security | PCI DSS Level 1, 3D Secure, tokenisation, encrypted transactions |
| Note | PayFast is the only operator hosted in South Africa. No cross-border transfer for payment data. |
Google LLC — OAuth Authentication
| What they process | Name, email address, profile photo — only when a user voluntarily chooses "Sign in with Google" |
| Location | United States (global infrastructure) |
| Agreement | Google API Terms of Service and Data Processing Terms |
| Security | OAuth 2.0, ISO 27001, SOC 2/3 certified |
| Data minimisation | We request only basic profile information (name, email, photo). We do not request access to contacts, calendars, or other Google services. |
3. Requirements for All Operators
In line with POPIA Section 21, all operator agreements require the operator to:
- Process personal information only on our documented instructions
- Maintain confidentiality of all personal information processed
- Implement appropriate technical and organisational security measures
- Notify us of any data breach as soon as reasonably possible
- Not engage sub-processors without our knowledge
- Delete or return all personal information upon termination of the agreement
- Allow for audits and inspections to verify compliance
4. Contractors and Developers
Any contractors, freelance developers, or development partners who access personal information on behalf of Tapnet are required to sign a confidentiality and data processing agreement before being granted access. This agreement includes:
- Obligation to process data only as instructed
- Confidentiality obligations surviving termination
- Prohibition on copying or exporting personal information
- Immediate notification of any suspected breach
- Return/destruction of data upon completion of engagement
Access to production databases and user data is granted on a need-to-know basis only, using separate credentials that are revoked upon completion of the engagement.
5. Liability
Under POPIA, Tapnet remains the responsible party even when personal information is processed by an operator. If an operator causes a data breach or misuses personal information, Tapnet is liable to affected data subjects. We may then seek recourse from the operator under our contractual agreements.
This is why we carefully select operators with strong security practices and adequate data protection certifications.
6. Review
Operator agreements and the list of operators are reviewed annually and whenever a new operator is engaged or an existing operator is replaced. The Information Officer is responsible for maintaining this list and ensuring agreements are in place.
7. Contact
Information Officer: Wynand de Beer
Tapnet Solutions (Pty) Ltd
Email: wynand@tapnet.co.za
Phone: 079 174 8357