Data Processing Agreement
Last updated: 02 July 2026. Version 1.0.
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Processor: Nei Shot Webx Solutions CC (registration number CC/2025/02042), trading as eVoting, a close corporation registered in the Republic of Namibia (“we”, “us”, “the Processor”); and
- Controller: the organisation that has agreed to the eVoting Terms of Service and is using the eVoting platform to conduct an election or nomination process (“you”, “the Controller”).
This DPA forms part of the service agreement between the parties and applies whenever the Processor processes personal data on behalf of the Controller in connection with the eVoting platform.
2. Definitions
- Personal Data means any information relating to an identified or identifiable natural person processed in connection with the Service.
- Processing means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Data Subject means a voter, nominee, or other natural person whose Personal Data is processed under this DPA.
- Service means the eVoting online elections and nominations platform available at this domain.
- Sub-Processor means any third party engaged by the Processor to process Personal Data on its behalf.
- Applicable Law means the Protection of Personal Information Act (POPIA) of South Africa, as adopted by the Processor as its regional standard, together with any equivalent Namibian data protection legislation in force from time to time.
3. Subject matter, nature, and purpose of processing
The Processor processes Personal Data solely to provide the Service to the Controller, including:
- Storing and managing the voter roll uploaded by the Controller
- Generating and delivering ballot access links to voters by email and/or SMS
- Recording submitted ballots and producing tabulated results
- Maintaining an audit trail of election activity for the Controller’s governance and regulatory purposes
- Providing the Controller’s administrators with access to election management tools
Processing is carried out only on the documented instructions of the Controller. The Processor will not use Personal Data for any purpose outside the scope of the Service, including marketing, profiling, or sale to third parties.
4. Categories of Personal Data and Data Subjects
4.1 Data Subjects
Members, employees, or other eligible voters and nominees of the Controller, and the Controller’s appointed administrators.
4.2 Categories of Personal Data
- Identity data: full name, membership or employee number, and any unique identifier assigned by the Controller
- Contact data: email address and/or mobile phone number
- Voting weight and group membership, where provided by the Controller
- Technical data: IP address at ballot access (redacted from the ballot record for secret elections), user agent, and access timestamps
- Ballot data: contest selections, submission timestamp, and anonymous receipt reference
The Processor does not request or require special-category data (health, religion, politics, biometrics) and the Controller must not import such data unless it has obtained the required consent and notified the Processor in writing.
5. Duration
This DPA remains in force for the duration of the service agreement. On termination or expiry, the Processor will retain Personal Data for a maximum of 24 months to support audit and dispute resolution, after which it will be securely deleted unless the Controller requests earlier deletion or extended retention for a specified lawful purpose.
6. Obligations of the Processor
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside Namibia
- Ensure that all personnel with access to Personal Data are bound by confidentiality obligations
- Implement and maintain the technical and organisational security measures described in clause 8
- Not engage a Sub-Processor without the Controller’s prior knowledge, and only where this DPA’s sub-processor provisions apply to that engagement
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to Data Subject rights requests
- Notify the Controller without undue delay (and no later than 72 hours after becoming aware) of any Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects
- Make available all information reasonably necessary to demonstrate compliance with this DPA and Applicable Law
- Delete or return all Personal Data to the Controller on termination of the service agreement, at the Controller’s written request
7. Obligations of the Controller
The Controller agrees to:
- Ensure it has a lawful basis for providing Personal Data to the Processor, including obtaining any required consent from Data Subjects
- Provide accurate and up-to-date voter and administrator data
- Not instruct the Processor to process Personal Data in a manner that would violate Applicable Law
- Notify Data Subjects of the use of the eVoting platform in a manner consistent with the Controller’s own privacy notices
- Promptly inform the Processor of any changes to its instructions that may affect the Processor’s compliance obligations
8. Security measures
The Processor maintains the following technical and organisational measures to protect Personal Data:
- Encryption in transit: all data transmitted between users and the platform uses TLS 1.2 or higher (HTTPS enforced)
- Encryption at rest: database volumes and backup snapshots are encrypted using AES-256
- Ballot secrecy: for secret elections, the link between a voter’s identity and their ballot selections is severed at submission time at the database level, not merely by policy
- Access control: production database access is restricted to authorised infrastructure accounts; no human operator can query production voter data or ballot content without a formal access event being logged
- Single-use ballot links: each voter receives a cryptographically unique, single-use token; reuse is blocked at the application and database level
- Audit logging: all administrator actions (login, data import, election state changes, exports) are logged with timestamp, IP address, and actor identity
- Penetration and vulnerability management: the platform undergoes periodic security review; dependency vulnerabilities are monitored and patched promptly
- Incident response: the Processor maintains an internal incident response procedure with escalation paths and breach notification obligations as described in clause 6
9. Sub-Processors
The Controller grants general authorisation for the Processor to engage the following categories of Sub-Processor:
- Cloud hosting and database infrastructure providers that store and serve the platform and its data
- Transactional email providers used to deliver ballot links, reminders, and system notifications to voters and administrators
- SMS gateway providers used to deliver ballot links and reminders by mobile message
A current list of named Sub-Processors is available on request at hello@neishot.com. The Processor will notify the Controller of any intended addition or replacement of a Sub-Processor with at least 14 days’ notice, giving the Controller the opportunity to object on reasonable data protection grounds.
The Processor imposes data protection obligations on each Sub-Processor equivalent to those in this DPA. The Processor remains liable to the Controller for the Sub-Processor’s performance of its data protection obligations.
10. International data transfers
Personal Data is hosted on servers located in the Republic of Namibia. Where capacity or resilience requirements necessitate use of infrastructure outside Namibia, the Processor will ensure that equivalent safeguards are in place, including standard contractual clauses or equivalent mechanisms recognised under Applicable Law, and will notify the Controller accordingly.
11. Data Subject rights
Because the Processor acts as data processor, Data Subject rights requests (access, correction, deletion, portability, objection) should in the first instance be directed to the Controller as data controller. Where the Processor receives a request directly, it will forward it to the Controller without undue delay. The Processor will provide the Controller with all reasonable technical assistance to respond to such requests within the timeframes required by Applicable Law.
12. Audit rights
The Controller may, on at least 14 days’ written notice and no more than once per calendar year, request an audit of the Processor’s data processing activities relevant to this DPA. The Processor will make available all information reasonably necessary to demonstrate compliance. Audits must be conducted during normal business hours, at the Controller’s cost, and must not unreasonably disrupt the Processor’s operations.
13. Liability
Each party is liable for damage caused by processing that violates this DPA or Applicable Law where that party is responsible for the violation. The Processor’s total aggregate liability arising out of or in connection with this DPA, whether in contract, delict, or otherwise, shall not exceed the total fees paid by the Controller to the Processor in the 12 months preceding the event giving rise to the claim.
Nothing in this DPA limits liability for death or personal injury caused by negligence, liability for fraud, or any other liability that cannot be excluded by law.
14. Governing law and disputes
This DPA is governed by the laws of the Republic of Namibia. Any dispute arising out of or in connection with this DPA shall first be referred to good-faith negotiation between the parties. If not resolved within 30 days, the dispute shall be referred to the courts of the Republic of Namibia, which shall have exclusive jurisdiction.
15. Contact
For questions about this DPA, to request the current Sub-Processor list, or to exercise any right under this agreement:
- Email: hello@neishot.com
- WhatsApp / Phone: +264 85 798 3217
- Post: Nei Shot Webx Solutions CC, Windhoek, Republic of Namibia
To request a countersigned copy of this DPA for your records, please contact us at the above details and we will provide an executed version within five business days.