Data Processing Addendum
Effective Date: January 29, 2026
This Data Processing Addendum ("DPA") is incorporated into and forms a binding part of the Master Terms of Service between the Company (acting as "Processor") and the Client (acting as "Controller").
1. Legal Identities of the Parties
The Processor:
USA Entity: Mortai, LLC
Registered Office: 2093 Philadelphia Pike 2802, Claymont, DE, 19703
RSA Entity: Mortai Solutions (Pty) Ltd
Registration: 2025/929033/07
Registered Office: 33 6TH AVENUE, ILLOVO, JOHANNESBURG, 2198
Information Officer: Tristan Mark Mortimer
The Controller:
The entity or individual engaging the services of Mort AI Solutions as identified in the applicable Service Agreement or Order Form.
2. Nature and Purpose of Processing
Processor shall process professional lead information (names, job titles, business emails, social media URLs) solely for the purpose of executing B2B lead generation and autonomous AI-driven outreach campaigns as instructed by the Controller.
3. Controller Warranties (The Liability Shield)
The Controller (Client) warrants and represents that:
- It has a valid legal basis (Legitimate Interest or Consent) for processing lead data and initiating outreach via the Processor.
- It is solely responsible for the accuracy and legality of the "Retrieval-Augmented Generation" (RAG) data provided to train the AI agent.
Indemnification
Controller shall indemnify and hold Processor harmless from any administrative fines, regulatory penalties (including POPIA/GDPR fines), or legal damages resulting from the Controller's failure to maintain a lawful basis for outreach.
4. Processor Obligations
Processor shall:
- Technical Security: Maintain encryption for lead data at rest (AES-256) and in transit (TLS 1.2+).
- Confidentiality: Ensure all personnel and AI systems are bound by non-disclosure obligations.
- Breach Notification: Notify the Controller within 72 hours of becoming aware of any actual or suspected "Security Compromise" as defined by POPIA or "Data Breach" as defined by US State Laws.
- Data Rights: Assist Controller in fulfilling "Right to be Forgotten" or access requests within the statutory 30-day window.
5. Authorized Sub-processors
Controller provides a general written authorization for Processor to engage the following third-party sub-processors (including, but not limited to):
- Infrastructure: Google Cloud Platform (GCP)
- Automation: Apify (Apify Technologies s.r.o.)
- Intelligence/Enrichment: Apollo.io (ZenLeads Inc.), Hunter.io, Anymailfinder.com
- Email Delivery: Instantly.ai (Instantly Inc.)
6. Transborder Data Flows
Processor is authorized to transfer and store personal information in the United States and the Republic of South Africa, provided that such transfers comply with Section 72 of POPIA and applicable US federal/state privacy frameworks.
7. Audit and Verification
Security Audit: Controller may request evidence of Processor's security measures once per calendar year.
Commercial Audit: As specified in the Master Terms, Processor reserves the right to audit Controller's sales records to verify "Closed Won" success commissions.
8. Termination
Upon the expiration or termination of the Service Agreement, Processor shall, at Controller's instruction, delete all Controller-controlled lead data within 30 days, unless South African or US law requires continued retention (e.g., for tax or legal defense purposes).