Data Processing Agreement

Effective: 15 May 2026  ·  Version 1.0

A signable agreement under the Tanzania Personal Data Protection Act, 2022 and its implementing regulations. Use this when your own customers, auditors, or regulator require a formal DPA between you and Sanya.

How to use this template:
  1. Fill in your company details in Section 1 — Parties.
  2. Print the document (browser → Print → Save as PDF) — A4-formatted.
  3. Have an authorised signatory of your company sign on page 2.
  4. Email the signed PDF to legal@sanya.tz. We countersign and return within 2 business days.
Both signed copies are kept on file for the duration of the agreement.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

The Controller ("Customer"):

    (company name)

    (TIN)

    (registered address)

Service account identifier(s) — complete the line(s) for the service(s) you use with Netpoa Limited; leave the rest blank:

    (Sanya workspace slug — yourcompany.sanya.tz)

    (domain name(s) — e.g. yourcompany.co.tz)

    (hosting / cPanel account — username or primary domain)

    (Sanya Cloud VPS — server label or IP address)

    (SanyaSMS — sender ID / account)

    (other service reference)

and

The Processor ("Netpoa Limited", "we"):

Netpoa Limited, operator of the Sanya brand
Registered in the United Republic of Tanzania
TIN / Company Registration: 143-477-398
Address: Kijitonyama, Dar es Salaam, Tanzania
Contact: legal@sanya.tz  ·  DPO: dpo@sanya.tz

collectively the "Parties", individually a "Party".

2. Background

The Customer has subscribed to one or more of Sanya's products and services — which may include the Sanya business operating system, web hosting and domain registration, Sanya Cloud (VPS and storage), and SanyaSMS (collectively, the "Service") — under Sanya's Terms of Service and the applicable Service Schedule(s) (together, the "Principal Agreement"). In the course of using the Service, the Customer (acting as data controller) entrusts personal data to Sanya (acting as data processor) for processing on the Customer's behalf. This DPA sets out the terms under which Sanya processes that data, in compliance with the Tanzania Personal Data Protection Act, No. 11 of 2022 ("PDPA"), the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023, and other applicable data-protection laws.

3. Definitions

Capitalised terms not defined here have the meaning given in the PDPA. In particular:

  • "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meaning given in section 4 of the PDPA.
  • "Customer Data" means personal data uploaded into, or generated within, any part of the Service used by the Customer — including the Customer's Sanya workspace, hosted websites and email, registered domains, Sanya Cloud servers and storage, and SanyaSMS.
  • "Sub-processor" means any third party engaged by Sanya to process Customer Data.
  • "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.

4. Subject Matter, Duration, Nature & Purpose

Subject matter: Processing of Customer Data through the Service (Sanya Business, Sanya Host, Sanya Cloud, SanyaSMS, Kanisa MS).
Duration: From the Effective Date until termination of the Principal Agreement, plus the data-retention period set out in §11.
Nature & purpose: Providing the Service to the Customer: storage, retrieval, processing, transmission of Customer Data as instructed by the Customer through their normal use of the Service.
Types of personal data: As selected by the Customer — typically: names, contact details, TIN, business and financial-transaction records, employee / payroll / attendance records, SMS recipient phone numbers (SanyaSMS), church member records (Kanisa MS), and any personal data the Customer stores on a Sanya Host account or Sanya Cloud VPS.
Categories of data subjects: As selected by the Customer — typically: the Customer's clients, employees, suppliers, contractors, SMS recipients, church members, and the users of any site or system the Customer runs on Sanya Host / Sanya Cloud.
Sensitive data: Other than church membership in Kanisa MS — which by its nature reveals religious belief (see Schedule F §F.7) — Netpoa Limited does not require or solicit special-category (sensitive) personal data such as health or biometric data. The Customer agrees not to upload other sensitive data without first contacting us to discuss appropriate controls.

5. Processor Obligations

Sanya shall:

  1. Process Customer Data only on the Customer's documented instructions, including in relation to transfers to third countries, except where required by Tanzanian law. Where so required, Sanya will notify the Customer before processing (unless prohibited by law).
  2. Ensure persons authorised to process Customer Data are bound by confidentiality obligations, whether contractual or statutory.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Sanya's Security Overview and summarised in Annex A.
  4. Notify the Customer without undue delay and within 72 hours of becoming aware of a Security Incident affecting Customer Data, providing all information reasonably required to fulfil the Customer's notification obligations under the PDPA.
  5. Assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to data subject requests (access, correction, deletion, restriction, objection, portability).
  6. Assist the Customer in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations under the PDPA.
  7. Enable the Customer to export their own Customer Data (through their access to the Service) before the end of the provision of services, and then delete all Customer Data and existing copies after the applicable retention window, unless Tanzanian law requires storage — see §11.
  8. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (see §10).

6. Sub-processors

The Customer authorises Sanya to engage the sub-processors listed in Annex B. Sanya shall:

  1. Impose contractual data-protection obligations on each sub-processor that are no less protective than those in this DPA.
  2. Remain liable to the Customer for any failure by a sub-processor to fulfil its data-protection obligations.
  3. Give the Customer at least 14 days' prior written notice of any new sub-processor, during which time the Customer may object on reasonable data-protection grounds. If the Parties cannot resolve the objection, the Customer may terminate the Principal Agreement without penalty.

7. International Data Transfers

Where Customer Data is transferred outside Tanzania, Sanya shall ensure that such transfer complies with PDPA section 36 by relying on:

  • Transfer to a jurisdiction recognised by the PDPC as providing adequate protection; or
  • Contractual safeguards equivalent to those required under the PDPA; or
  • Other lawful transfer mechanisms recognised by Tanzanian law.

8. Data Subject Rights

Sanya provides the Customer with self-service tools through the Service to fulfil data subject rights (export, edit, delete). Where the Customer requires additional assistance — for example, to identify all instances of a data subject's data — Sanya will provide reasonable cooperation. Cost: included in the subscription for up to two complex requests per year; beyond that, time-and-materials at Sanya's standard rates.

9. Security Incidents

In the event of a Security Incident, Sanya shall:

  1. Notify the Customer at the registered admin email within 72 hours of discovery, including:
    • The nature of the incident, categories and approximate number of data subjects affected.
    • Likely consequences.
    • Measures taken or proposed.
    • Contact point at Sanya for further information.
  2. Take all reasonable steps to mitigate the effects and to minimise damage.
  3. Reasonably cooperate with the Customer's investigation and any required notifications to the PDPC or affected data subjects.
  4. Publish a public post-mortem within 30 days where appropriate.

10. Audit Rights

Once per calendar year, with at least 30 days' prior written notice, the Customer (or its appointed independent auditor bound by confidentiality) may audit Sanya's compliance with this DPA. Audits shall:

  • Be conducted during normal business hours.
  • Not unreasonably interfere with Sanya's operations.
  • Not access another customer's data or systems.
  • Be at the Customer's expense, unless the audit reveals material non-compliance, in which case Sanya bears reasonable costs.

For most needs, Sanya's published Security Overview, third-party penetration test reports (when available), and the Customer's own access to their workspace's audit logs are sufficient — a full on-site audit is intended for cases where these do not suffice.

11. Term, Data Export & Deletion

This DPA takes effect from the Effective Date and remains in force for the duration of the Principal Agreement.

Netpoa Limited does not extract, package, or hand over Customer Data on the Customer's behalf. Instead, for as long as the service is active — and during any post-termination grace window in the table below — Netpoa Limited gives the Customer the access they paid for so the Customer can export their own data, in whatever format they choose:

  • SaaS (Sanya Business / Kanisa MS) — the Customer exports their own records from the in-app tools (e.g. CSV / JSON / PDF).
  • Sanya Host / Sanya Cloud (hosting & VPS) — the Customer downloads their own files, databases, or full snapshot / disk image via cPanel, SSH, or the portal while the service is reachable.

After the applicable retention window passes, Netpoa Limited deletes all Customer Data from its systems (including backups, within reasonable backup-rotation cycles), except where Tanzanian law requires continued storage. Deletion is automatic and irreversible — once it runs, the data cannot be recovered.

Retention windows by product (these are the operational limits — the underlying infrastructure cost forces deletion once they pass):

Product / billing cycle (retention after termination):

  • Sanya Business / Kanisa MS (subscription SaaS): 90 days (full export available)
  • Sanya Host / Sanya Cloud, monthly billing: 3 days after suspension
  • Sanya Host / Sanya Cloud, quarterly billing: 7 days after suspension
  • Sanya Host / Sanya Cloud, annual billing: 14 days after suspension
  • SanyaSMS / Sanya Store account closure: 90 days for transactional history; downloads remain available while the account is active

This DPA and the published retention windows above are themselves the Customer's written notice and confirmation that Customer Data is deleted once the applicable window passes — no separate per-account confirmation is issued. It is the Customer's responsibility to retrieve any data they need before the deletion deadline using their own access; extensions may be granted only if requested in writing before that date.

12. Liability

The liability provisions of the Principal Agreement (Terms of Service §11) apply to this DPA. Nothing in this DPA limits liability that cannot lawfully be limited under Tanzanian law.

13. Governing Law & Disputes

This DPA is governed by the laws of the United Republic of Tanzania. Disputes arising out of or relating to this DPA shall be resolved as set out in the Principal Agreement (Terms of Service §14).

14. Order of Precedence

In the event of conflict between this DPA and the Principal Agreement on a data-protection matter, this DPA prevails. On all other matters, the Principal Agreement prevails.


Signatures

For the Customer (Controller):
Name:

Title:

Date:

Signature:

For Netpoa Limited (Processor):
Name:

Title:

Date:

Signature:

Annex A — Technical & Organisational Security Measures

The current list of measures is published and kept up to date at /legal/security.php. The version of that page in force on the Effective Date forms part of this DPA. Material changes are communicated to the Customer at least 14 days in advance via the registered admin email.

These measures cover every product Netpoa Limited operates (Sanya Business, Sanya Host, Sanya Cloud, SanyaSMS, Kanisa MS). For Sanya Cloud (VPS), a shared-responsibility model applies: Netpoa Limited secures the underlying infrastructure and control plane, while the Customer secures everything inside their own server. Where responsibility shifts, it is noted below (see also Schedule C §C.2).

  • Encryption — TLS 1.2+ in transit to our apps, customer portal, and control plane; disk-level encryption at rest in the data centre. VPS: any encryption inside the guest OS / application is configured by the Customer.
  • Authentication — Argon2 / bcrypt password hashing, optional 2FA, and mandatory 2FA for super-admins on the SaaS apps, the customer portal, and our control plane. VPS: root credentials are issued to the Customer at provisioning (we retain no copy); the Customer manages their own OS-level authentication.
  • Isolation — SaaS (Sanya Business / Kanisa MS): a separate MySQL database per customer. Sanya Cloud (VPS): a dedicated virtual server isolated at the hypervisor. SanyaSMS / Sanya Store: account-level isolation.
  • Backups — SaaS platform: daily off-site, encrypted, retained 30 days. VPS (Sanya Cloud): backing up the contents of the VPS is the Customer's responsibility — Netpoa Limited does not back up VPS data. Manual snapshots are a self-service rollback, not a backup (see Schedule C §C.8).
  • Access controls — Internal staff access to Customer Data is logged and limited to active support tickets the Customer has opened. Our staff cannot log in to a Customer's VPS by design (no retained credentials); the control plane can only power, suspend, snapshot, or delete a VPS, not read inside it.
  • Vulnerability management — Netpoa Limited patches the platform, host hypervisor, and control plane within 7 days of security advisories. VPS: patching the guest operating system and any software the Customer installs is the Customer's responsibility.
  • Incident response — Documented procedure; 72-hour breach notification commitment (all products).

Annex B — Approved Sub-processors

Netpoa Limited engages the following sub-processors, each bound by a written agreement requiring data-protection standards at least equivalent to those in this DPA. The list below is current as of the Effective Date and is also maintained at /legal/data-protection.php#sub-processors.

B.1 — Sub-processors common to all products

  • Hetzner Online GmbH (AV / DPA)
    Purpose: VPS & cloud infrastructure, encrypted-at-rest storage, network
    Data shared: All Customer Data resident on the server (databases, uploads, backups). Encrypted at rest.
    Jurisdiction: Germany (HE1, NBG1, FSN1) / Finland (HEL1). GDPR-compliant.
  • Selcom Money Ltd
    Purpose: Online payment processing — M-Pesa, Tigo Pesa, Airtel Money, Halopesa, Visa, Mastercard
    Data shared: Order ID, amount, payer name + email + phone. Card PAN never leaves Selcom.
    Jurisdiction: Tanzania (TCRA-licensed)
  • Beem Africa Ltd
    Purpose: SMS gateway — outbound transactional + bulk SMS
    Data shared: Recipient phone numbers, message bodies, sender-ID
    Jurisdiction: Tanzania (TCRA-licensed)
  • Brevo SAS (formerly Sendinblue)
    Purpose: Transactional email delivery (signup confirmations, invoices, reminders, password resets)
    Data shared: Recipient email, message subject + body
    Jurisdiction: France / EU (GDPR-compliant)
  • Let's Encrypt (ISRG)
    Purpose: TLS certificate issuance for HTTPS
    Data shared: Domain name only (no Customer Data)
    Jurisdiction: United States (non-profit)

B.2 — Product-specific sub-processors

The full chain of sub-processors involved varies by product. The Controller's actual usage determines which sub-processors process Customer Data:

  • Sanya Business (business OS): Hetzner (hosting), Selcom (payments), Beem (SMS — only when the SMS module is used), Brevo (email)
  • Sanya Host / VPS: Hetzner (underlying servers), Let's Encrypt (TLS), Selcom (billing payments), Brevo (email). Domain registration involves the relevant registry (TCRA for .tz / .co.tz; VeriSign / PIR / etc. for international TLDs) as a separate controller-to-controller relationship.
  • Kanisa MS: Hetzner (hosting), Selcom (payments), Beem (SMS — when the church uses SMS reminders), Brevo (email)
  • SanyaSMS: Beem (SMS delivery — primary), Hetzner (account & logging infrastructure), Selcom (credit purchases)

Adding or replacing a sub-processor: Netpoa Limited will give the Controller at least 14 days' written notice via the registered admin email before adding or replacing any sub-processor. The Controller may object on reasonable data-protection grounds within those 14 days; if Netpoa Limited cannot accommodate the objection, the Controller may terminate the affected service with pro-rated refund of any pre-paid fees.

Sub-processor changes affect all products that engage them. For example, if Hetzner is replaced, all four products are affected. The notice will state which products are impacted.

For the most current vendor list including any interim additions made since the Effective Date of this DPA, email dpo@sanya.tz.


End of Data Processing Agreement. Two pages.
Netpoa Limited · Kijitonyama, Dar es Salaam, Tanzania · legal@sanya.tz

Questions?

Email support@sanya.tz or write to Netpoa Limited, Kijitonyama, Dar es Salaam, Tanzania.

For data-protection requests specifically, contact our DPO at dpo@sanya.tz.