1 Introduction
Flamingo Pay (Pty) Ltd (“Flamingo”, “we”, “us”, “our”) processes personal information on behalf of our merchants and their customers. In the course of providing our QR-based payment platform, we engage third-party service providers (“operators” or “processors”) who may access, store, or process personal information on our behalf.
Under the Protection of Personal Information Act 4 of 2013 (“POPIA”), we are required to ensure that all operators processing personal information on our behalf are bound by appropriate data processing agreements (“DPAs”) that guarantee the security and confidentiality of personal information.
This page provides transparency about who our third-party processors are, what data they process, what safeguards are in place, and how we manage cross-border data transfers.
2 POPIA Framework for Operators
POPIA Section 21 requires that when a responsible party (Flamingo) engages an operator (third-party processor) to process personal information, the operator must:
- Process personal information only with the knowledge or authorisation of the responsible party (Section 21(1))
- Treat all personal information as confidential and not disclose it unless required by law or in the course of properly performing their duties (Section 21(1))
- Be bound by a written contract that establishes the conditions for processing, including security measures (Section 21(2))
- Comply with the security safeguards established by the responsible party (Section 19)
Additionally, POPIA Section 72 governs the trans-border flow of personal information, requiring adequate levels of protection when data is transferred outside South Africa.
3 Processors Overview
The following table summarises the third-party processors engaged by Flamingo Pay, the personal information they process, and where the data is stored:
| Processor | Purpose | Data processed | Data location |
|---|---|---|---|
| Ozow | Payment processing (PayShap) | Buyer bank details, transaction amounts, payment references | South Africa |
| Upstash | Redis data storage | Merchant profiles, KYC records, transaction logs, dispute records | AWS eu-west-1 (Ireland) |
| Vercel | Web hosting & CDN | IP addresses, request logs, cookies | Global edge network |
| VerifyNow / XDS | KYC identity verification | Full name, SA ID number, selfie photos, address | South Africa |
| Sentry | Error monitoring & debugging | IP addresses, browser info, error stack traces (PII scrubbed) | USA (us-west) |
4 Ozow — Payment Processing
Entity: Ozow (Pty) Ltd, a registered Payment Service Provider regulated by the South African Reserve Bank and the Payments Association of South Africa (PASA).
What they do: Ozow processes all PayShap instant payments on our platform. When a buyer scans a merchant's QR code and pays, Ozow facilitates the bank-to-bank transfer via PayShap rails.
Personal information processed:
- Buyer bank account details and bank selection
- Transaction amounts and payment references
- Payment status and settlement information
- Buyer IP address (for fraud detection)
Data location: South Africa — Ozow is a South African company and stores all payment data within South African borders.
Safeguards: Ozow is PCI-DSS compliant, licensed by SARB, and subject to POPIA. Flamingo Pay never receives or stores buyer bank account details — these remain solely within Ozow's infrastructure.
Retention: Payment records are retained for 5 years as required by FICA Section 22.
5 Upstash — Data Storage
Entity: Upstash, Inc., a serverless data platform providing managed Redis databases.
What they do: Upstash provides the primary data storage layer for the Flamingo Pay platform. All merchant profiles, KYC records, transaction logs, compliance flags, dispute records, and DSAR records are stored in Upstash Redis.
Personal information processed:
- Merchant personal details (name, email, phone, SA ID number)
- KYC verification documents and statuses
- Transaction records and payment histories
- Compliance flags and account restrictions
- Dispute records and resolution histories
- Data subject access request records
Data location: AWS eu-west-1 (Ireland, EU). This constitutes a cross-border transfer of personal information — see Section 9 for details on how this is managed under POPIA Section 72.
Safeguards: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Upstash operates under SOC 2 Type II compliance. Access is restricted to API key authentication only.
Retention: Data is retained according to our retention policy. Financial records are retained for 5 years per FICA; non-financial personal information is deleted upon account closure or DSAR deletion request.
6 Vercel — Web Hosting
Entity: Vercel Inc., a cloud platform for frontend deployment and serverless functions.
What they do: Vercel hosts the Flamingo Pay website and API endpoints. All web requests pass through Vercel's infrastructure including their global edge network and serverless function execution.
Personal information processed:
- IP addresses of all visitors and API consumers
- HTTP request headers (browser, device, referrer)
- Session cookies and authentication tokens
- Server-side function execution logs (auto-deleted after 30 days)
Data location: Global edge network with primary compute in the USA. This constitutes a cross-border transfer — see Section 9.
Safeguards: Vercel is SOC 2 Type II certified, all traffic is encrypted via TLS, and function logs are automatically purged after 30 days. No persistent personal information is stored on Vercel beyond session tokens and transient logs.
7 VerifyNow / XDS — KYC Verification
Entity: XDS (Pty) Ltd, trading as VerifyNow, a South African credit bureau and identity verification provider regulated by the National Credit Regulator.
What they do: VerifyNow provides Know Your Customer (KYC) identity verification for merchant onboarding. When a merchant supplies a South African ID number, it is verified against the Department of Home Affairs database and screened against sanctions and PEP lists. VerifyNow is not engaged for the Simplified due-diligence path (FICA Directive 6, informal traders under R5,000 monthly volume) when the merchant declines to supply an ID — those merchants are verified on RICA-registered phone plus sworn affidavit and reviewed manually by Flamingo's Compliance team, so no personal data is shared with VerifyNow for that cohort.
Personal information processed:
- Full legal name
- South African ID number
- Selfie photographs (for biometric matching)
- Physical address
- Verification status and results
Data location: South Africa — VerifyNow is a South African company that stores and processes all identity data within South African borders.
Safeguards: XDS is a registered credit bureau under the National Credit Act and is subject to the NCR's data protection requirements, POPIA, and FICA. All data transmissions use TLS encryption and API key authentication.
Retention: KYC records are retained for 5 years as required by FICA Section 22. Selfie images are deleted once verification is complete and only the verification result is retained.
8 Sentry — Error Monitoring
Entity: Functional Software, Inc., trading as Sentry, an application monitoring and error tracking platform.
What they do: Sentry captures application errors and performance data to help us identify and fix bugs. Sentry is configured to scrub personally identifiable information before transmission.
Personal information processed:
- IP addresses (anonymised by default)
- Browser and device information (user agent strings)
- Error stack traces and breadcrumbs
- Page URLs visited at the time of an error
Data minimisation: Sentry is configured with PII scrubbing enabled. We use Sentry's beforeSend hook to strip names, email addresses, phone numbers, ID numbers, and financial data from error reports before they are transmitted.
Data location: USA (us-west region). Because PII is scrubbed before transmission, the cross-border risk is minimal.
Retention: Error events are automatically deleted after 90 days.
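The beforeSend scrubbing described under Data minimisation can be sketched as follows. This is an added example, not Flamingo Pay's or Sentry's code: the regular expressions, the redacted key names and the sample event are assumptions chosen for illustration.

```javascript
// Added example, not Flamingo Pay's code. Patterns and key names are assumptions.
const PATTERNS = [
  [/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, "[email]"],
  [/\b\d{13}\b/g, "[sa-id]"],            // SA ID numbers are 13 digits
  [/(?:\+27|\b0)\d{9}\b/g, "[phone]"],   // +27XXXXXXXXX or 0XXXXXXXXX
];
// Fields redacted whole, whatever they contain (names and financial data
// cannot be recognised reliably by pattern).
const SENSITIVE_KEY = /^(full_?name|first_?name|last_?name|email|phone|id_?number|account_?number|amount)$/i;

function scrubString(s) {
  return PATTERNS.reduce((out, [re, tag]) => out.replace(re, tag), s);
}

// Walk any JSON-like value: redact by key first, then by pattern.
function scrub(value, key = "") {
  if (value === null || value === undefined) return value;
  if (SENSITIVE_KEY.test(key)) return "[redacted]";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v));
  if (typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrub(v, k)]));
  }
  return value; // numbers, booleans
}

// Shape matches Sentry's beforeSend(event, hint): return the event to send.
function beforeSend(event) {
  const { user, request, ...rest } = event;
  const out = scrub(rest);
  if (user && user.id) out.user = { id: user.id }; // keep opaque id only
  if (request) {
    const { cookies, ...req } = request;           // never forward cookies
    out.request = scrub(req);
  }
  return out;
}

// Constructed sample event (fictional values).
const SAMPLE_EVENT = {
  message: "KYC failed for thandi@example.com, ID 9001015009087, phone +27821234567",
  user: { id: "m_123", email: "thandi@example.com", ip_address: "203.0.113.7" },
  request: { url: "https://example.test/pay?ref=0821234567", cookies: { session: "abc" } },
  extra: { merchant: { fullName: "Thandi M", accountNumber: "62000000001" }, attempt: 2 },
};
console.log(JSON.stringify(beforeSend(SAMPLE_EVENT), null, 2));
// Wire-up in an app: Sentry.init({ dsn: "...", beforeSend });
```

Pattern matching of this kind misses URL-encoded values (for example `%40` in place of `@` in a query string), so key-based redaction and a test suite of known-PII events are the more reliable control.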
9 Cross-border Data Transfers
POPIA Section 72 permits the transfer of personal information outside South Africa only if one or more of the following conditions are met:
- The recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection (Section 72(1)(a))
- The data subject consents to the transfer (Section 72(1)(b))
- The transfer is necessary for the performance of a contract between the data subject and the responsible party (Section 72(1)(c))
- The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent (Section 72(1)(d))
Flamingo Pay relies on the following bases for cross-border transfers:
Upstash (Ireland/EU): The European Union provides an adequate level of data protection under GDPR, which the Information Regulator has recognised as meeting the POPIA adequacy standard. Additionally, our DPA with Upstash includes Standard Contractual Clauses and data processing terms that meet POPIA Section 21 requirements.
Vercel (USA): Our DPA with Vercel includes binding contractual commitments to process data in accordance with POPIA requirements. Vercel is SOC 2 Type II certified. The transfer is also necessary for the performance of the contract — without web hosting, the platform cannot operate.
Sentry (USA): PII is scrubbed before transmission to Sentry, meaning no personal information as defined by POPIA is transferred. Only anonymised technical data crosses borders.
Ozow & VerifyNow (South Africa): No cross-border transfer — both processors store and process data exclusively within South Africa.
10 Contractual Safeguards
All DPAs entered into by Flamingo Pay include the following minimum contractual obligations as required by POPIA Section 21:
- Purpose limitation: The operator may only process personal information for the specific purposes set out in the agreement and may not use it for any other purpose.
- Confidentiality: The operator must treat all personal information as confidential and ensure that its employees and subcontractors are bound by confidentiality obligations.
- Security measures: The operator must implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing (POPIA Section 19).
- Breach notification: The operator must notify Flamingo Pay within 72 hours of becoming aware of any data breach affecting personal information, enabling us to meet our own notification obligations under POPIA Section 22.
- Sub-processing: The operator may not engage sub-processors without prior written consent from Flamingo Pay, and must ensure sub-processors are bound by equivalent obligations.
- Data return and deletion: Upon termination of the agreement, the operator must return or securely delete all personal information unless retention is required by law.
- Audit rights: Flamingo Pay retains the right to audit the operator's compliance with the DPA and POPIA.
- DSAR cooperation: The operator must assist Flamingo Pay in responding to data subject access and deletion requests within the 30-day POPIA deadline.
11 Adding New Processors
Before engaging any new third-party processor, Flamingo Pay conducts a Data Protection Impact Assessment (DPIA) that evaluates:
- The nature and volume of personal information to be processed
- The processor's security certifications and compliance history
- Whether cross-border transfers are involved and the adequacy of protection in the destination country
- Whether a suitable DPA can be negotiated that meets POPIA Section 21 requirements
This page will be updated whenever a new processor is engaged. We will notify existing merchants of material changes to our processor list via email.
Planned future processors:
- Peach Payments — Additional payment gateway (South Africa-based, SARB regulated). Will handle card payments when introduced.
- SendGrid / Postmark — Transactional email delivery. DPA and data minimisation review in progress.
12 Your Rights
Under POPIA, you have the right to know who has access to your personal information and how it is being processed. Specifically, you may:
- Request a copy of all personal information we hold about you, including data shared with our processors — submit a DSAR
- Request the deletion of your personal information (subject to FICA retention requirements) — submit a deletion request
- Object to the processing of your personal information by any specific processor
- Request details of the safeguards in place for any cross-border transfer of your data
- Lodge a complaint with the Information Regulator if you believe your data is being processed unlawfully
13 DPA Template
Flamingo Pay uses a standard Data Processing Agreement template for all third-party processors. This template is based on POPIA requirements and includes all safeguards listed in Section 10 above.
If you are a third-party service provider seeking to integrate with Flamingo Pay, or a merchant wishing to review our DPA template, you may download a copy below:
For any questions about our data processing agreements, contact our Information Officer at compliance@flamingopay.co.za.
14 Contact
For questions about our data processing arrangements, to request a copy of any specific DPA, or to exercise your rights under POPIA, contact:
- Information Officer: Shawn Henderson
- Compliance Officer: Siphokazi Gazi
- Email: compliance@flamingopay.co.za
- Registered address: A23 10th Ave, Edenburg, Rivonia, Sandton, 2091, Gauteng, South Africa
- CIPC Registration: 2026/276925/07
You may also contact the Information Regulator directly at complaints.IR@justice.gov.za if you have concerns about how your data is being processed by any of our third-party processors.