Data Processing Agreement

Effective date: 10 June 2026

This Data Processing Agreement forms part of the Mthandizi Terms of Service where Mthandizi processes personal data on behalf of a business or organization. Organizations requiring a counter-signed copy may contact us.

1. Roles of the parties

The organization is the controller for personal data it submits to, receives through, or instructs Mthandizi to process for its recruitment, private knowledge base, assistant, complaints, customer-support, or related organization workflows. Mthandizi acts as processor for that processing and follows the organization's documented instructions, including instructions expressed through authorized use of the service.

Mthandizi remains an independent controller for its own account administration, billing, platform security, fraud prevention, service analytics, legal compliance, and communications about the Mthandizi service.

2. Processing details

Depending on the enabled features, processing may include:

  • Receiving, storing, organizing, displaying, exporting, and deleting applications, CVs, cover letters, answers, and supporting documents;
  • Storing organization knowledge as text and vector embeddings and retrieving relevant passages to generate assistant responses. Organization knowledge is private by default and retrievable only through the organization's own secret credentials and dashboard; where an authorized organization administrator explicitly publishes a knowledge document to the organization's public widget, extracted content from that document may be returned in answers to members of the public, and the document may be returned to private at any time;
  • Receiving questions, contact details, feedback, complaints, and conversation records from organization end-users;
  • Sending authorized notifications or communications; and
  • Providing access controls, audit information, analytics, support, and security monitoring.

3. Data subjects and categories of data

  • Applicants: identity and contact details, CVs, work and education history, application answers, cover letters, certificates, transcripts, and other supporting information;
  • Organization staff: account identifiers, roles, contact details, activity, and security records;
  • Customers and members of the public: questions, feedback, complaints, contact details, and information voluntarily provided through an assistant or widget;
  • Organization knowledge: policies, service guides, FAQs, reports, and other uploaded or pasted content, which should exclude unnecessary personal data.

4. Controller obligations

  • Have a lawful basis and provide any required notice for the processing;
  • Submit only data it is entitled to process and give lawful, documented instructions;
  • Limit access to authorized staff and manage team roles promptly;
  • Set and apply appropriate applicant, complaint, and knowledge retention periods;
  • Avoid unnecessary sensitive personal data and apply additional safeguards where such data is necessary;
  • Use AI assistance with appropriate human review; and
  • Respond to data-subject requests and regulatory duties for which it is responsible.

5. Mthandizi obligations

  • Process data only on documented controller instructions unless applicable law requires otherwise;
  • Ensure personnel authorized to process the data are subject to confidentiality obligations;
  • Implement appropriate technical and organizational security measures;
  • Not use private organization knowledge to train services for other organizations;
  • Provide reasonable assistance with data-subject requests, security obligations, impact assessments, and regulator enquiries;
  • Notify the controller without undue delay after becoming aware of a confirmed personal-data breach affecting its processor data; and
  • Delete or return processor data on termination as described below, unless retention is legally required.

6. Sub-processors

Mthandizi uses sub-processors for cloud hosting, databases, storage, search and vector processing, AI services, security, payments, and communications. Mthandizi will impose appropriate data-protection obligations on sub-processors and remains responsible for their processor activities to the extent required by law. Named provider information is available to organization controllers on request. We will provide reasonable notice of material sub-processor changes where required, allowing the controller to raise a reasonable objection.

7. International processing

Some sub-processors may store or access data outside Malawi. Mthandizi will use a lawful transfer basis and appropriate contractual, technical, and organizational safeguards as required by the Malawi Data Protection Act, 2024.

8. Retention, deletion, and return

  • Pro knowledge uploads: original file bytes are processed in memory to extract text and are not intentionally retained after processing; extracted text, document metadata, and embeddings remain until the document is deleted or the service ends;
  • Partner and contributor knowledge submitted for platform moderation: original files may be retained in private storage while required for review, publication integrity, replacement history, or deletion workflows;
  • Applications and CVs: files and application records may remain in private storage and the organization dashboard while required for recruitment, rights requests, disputes, or an agreed retention period;
  • Complaints and assistant interactions: retained for the configured or reasonably necessary service, support, and accountability period; and
  • Termination: processor data will be deleted or returned within a reasonable operational period, subject to backups, legal holds, accounting obligations, security records, and controller instructions.

Authorized organization administrators may export available organization data. Feature-level deletion removes the active record and associated search index where supported. If an organization needs a fixed retention schedule or deletion deadline, it should be documented in its order form or written service agreement.

9. Security measures

  • HTTPS/TLS encryption in transit;
  • Private object storage and signed access for sensitive files;
  • Tenant and partner scoping for organization records and retrieval;
  • Server-side public/private separation for organization knowledge, so unpublished knowledge is excluded from public-widget retrieval;
  • Role-based team access and server-side authorization;
  • One-way hashing and revocation controls for secret API credentials;
  • Domain restrictions for public widget credentials where supported; and
  • Security logging, rate limits, verification, and abuse-prevention controls.

10. Breach cooperation

Mthandizi will provide available information reasonably required for the controller to assess and meet its notification obligations. The controller remains responsible for deciding whether and when it must notify affected people or the Data Protection Authority, unless the law places that obligation directly on Mthandizi.

11. Audit and compliance information

On reasonable written request, Mthandizi will provide information reasonably necessary to demonstrate compliance with this Agreement. Any audit must protect the security, confidentiality, and data of other customers and avoid unreasonable disruption. The parties will cooperate with MACRA or another competent authority where legally required.

12. Registration and data-protection governance

Each party is responsible for assessing whether it must appoint a data-protection officer, register as a controller or processor of significant importance, maintain processing records, or complete another compliance step under applicable law and current regulatory guidance. Mthandizi monitors its own processing and will complete applicable registration or governance requirements when required.

13. Duration and governing law

This Agreement applies while Mthandizi processes organization-controlled personal data and continues for any period required to complete return, deletion, or legally required retention. It is governed by the laws of the Republic of Malawi and supplements the Mthandizi Terms of Service.