Legal
Operator Agreements
Last updated 10 April 2026
1. Purpose
Under POPIA Section 21, when Tapnet Solutions (Pty) Ltd ("Tapnet", the responsible party) engages a third party ("operator") to process personal information on our behalf, we must ensure that operator provides adequate data protection through a written agreement.
This page lists every operator who processes personal information for RankSmith and other Tapnet services, what they process, where they are located, and what contractual protections are in place.
2. Operators
Vercel Inc. - Application hosting
| What they process | HTTP requests, server rendered pages, serverless function execution, cached content, Core Web Vitals field data |
| Location | Global edge network, primary compute in the US and EU |
| Agreement | Vercel Data Processing Addendum (DPA). Vercel is SOC 2 Type II certified. |
| Security | Automatic TLS, DDoS protection, edge network, encrypted at rest |
| Sub processors | AWS (multiple regions) |
Resend Inc. - Email delivery
| What they process | Email addresses for transactional emails (responses to briefs, engagement updates, invoices) |
| Location | United States |
| Agreement | Resend Data Processing Agreement. SOC 2 compliant. |
| Security | TLS encryption for all emails, API key authentication |
| Data minimisation | Only receives email addresses and message content. No passwords, financial data, or profile information. |
Google LLC - Workspace and email
| What they process | Inbound and outbound email at wynand@tapnet.co.za, documents, calendars, and meeting notes created during engagements |
| Location | United States and EU (Google global infrastructure) |
| Agreement | Google Workspace Data Processing Amendment. ISO 27001, SOC 2 and SOC 3 certified. |
| Security | OAuth 2.0, 2 factor authentication, encryption at rest and in transit |
GitHub Inc. - Source code hosting
| What they process | Project source code, commit history, and engagement collaboration records |
| Location | United States |
| Agreement | GitHub Data Protection Agreement. SOC 2 Type II certified. |
| Security | Encryption at rest and in transit, 2FA enforced on all team accounts, SSH key auth for deployments |
| Note | Source code does not contain client personal information beyond what the client chooses to commit |
3. Requirements for all operators
In line with POPIA Section 21, every operator agreement requires the operator to:
- Process personal information only on our documented instructions
- Maintain confidentiality of all personal information processed
- Implement appropriate technical and organisational security measures
- Notify us of any data breach as soon as reasonably possible
- Not engage sub operators without our knowledge
- Delete or return all personal information on termination of the agreement
- Allow for audits and inspections to verify compliance
4. Contractors and freelance developers
Any contractor, freelance developer, writer, or designer who accesses personal information on behalf of Tapnet is required to sign a confidentiality and data processing agreement before being granted access. This agreement includes:
- Obligation to process data only as instructed
- Confidentiality obligations surviving termination
- Prohibition on copying or exporting personal information
- Immediate notification of any suspected breach
- Return or destruction of data on completion of engagement
Access to client production systems is granted on a need to know basis only, using separate credentials that are revoked within one working day of the engagement ending.
5. Liability
Under POPIA, Tapnet Solutions (Pty) Ltd remains the responsible party even when personal information is processed by an operator. If an operator causes a data breach or misuses personal information, Tapnet Solutions (Pty) Ltd is liable to affected data subjects. We may then seek recourse from the operator under our contractual agreements.
This is why we carefully select operators with strong security practices and adequate data protection certifications.
6. Review
Operator agreements and the list of operators are reviewed annually and whenever a new operator is engaged or an existing operator is replaced. The Information Officer is responsible for maintaining this list and ensuring agreements are in place.
7. Contact
- Responsible party: Tapnet Solutions (Pty) Ltd
- Information Officer: Wynand de Beer
- Phone: 079 174 8357
- Email: wynand@tapnet.co.za