Help center • Legal

Operator Processor Agreement

Version 1.0.0

The latest version of our operator processor agreement. These pages live in the help system so they are easy to reference from registration, listings, and support.

Help home Contact support

OPERATOR / PROCESSOR AGREEMENT

In terms of Section 21 of the Protection of Personal Information Act, 4 of 2013 (POPIA)

Quote My Car (Pty) Ltd (“QMC”) Version: 1.0 Effective Date: 27/11/2025

This Operator / Processor Agreement is executed separately with each appointed operator and does not apply to platform users or members.

1. Parties

1.1 Responsible Party

Quote My Car (Pty) Ltd Registration Number: 2025/393314/07 Address: Stand 58, Rietvlei Heights Country Estate, Pretoria, Gauteng Information Officer: P.G. Wessels Email: support@qmcars.co.za

1.2 Operator / Processor

{{Operator Company Name}} Registration Number: {{Operator Registration}} Address: {{Operator Address}} Email: {{Operator Email}}

The Responsible Party and Operator are collectively referred to as “the Parties”.

2. Purpose of This Agreement

This Agreement governs the processing of personal information by the Operator on behalf of QMC, in compliance with Section 21 of POPIA.

The Operator may only process personal information:

  • For authorised and documented purposes
  • Under QMC’s written instructions
  • With appropriate technical and organisational safeguards
  • In accordance with POPIA

3. Definitions

3.1 “Personal Information”

Includes information relating to:

  • Names, contact details
  • Identity documents and ID numbers
  • KYC documents
  • Bank account verification data
  • Auction activity and bid logs
  • Device and behavioural analytics
  • Seller, dealer, and bidder records

3.2 “Processing”

Includes collecting, storing, modifying, accessing, transporting, sharing, archiving, or deleting personal information.

3.3 “Operator”

A third-party service provider processing personal information on behalf of QMC.

4. Roles and Responsibilities

4.1 QMC (Responsible Party)

QMC determines:

  • Purpose and means of processing
  • Data categories to be processed
  • Security measures to be applied
  • Authorised sub-processing (if any)
  • Retention and destruction requirements

4.2 Operator

The Operator must:

  1. Process personal information only in accordance with QMC’s instructions
  2. Treat personal information as strictly confidential
  3. Implement and maintain strong security safeguards
  4. Notify QMC immediately of any breach or security incident
  5. Ensure authorised staff are trained on POPIA requirements
  6. Assist QMC with fulfilling POPIA obligations
  7. Allow audits, inspections, or reviews by QMC
  8. Not subcontract processing without QMC’s written approval

5. Authorised Processing Activities

The Operator may process personal information only for the following:

5.1 Hosting & Infrastructure

  • Cloud hosting
  • Database management
  • Backup and disaster recovery

5.2 KYC & Identity Verification

  • ID number verification
  • Address verification
  • Liveness or facial match (if applicable)

5.3 Bank Account Verification

  • Account holder validation
  • Anti-fraud checks

5.4 Auction Operations

  • Bid logging
  • Behaviour analytics
  • Fraud detection and anti-abuse systems

5.5 Messaging & Communications

  • Email/SMS/WhatsApp notifications
  • Platform alerts and OTPs

5.6 Payment Handling

  • Bidder deposit processing
  • Refund logging
  • Payment verification

5.7 Security Monitoring

  • Intrusion detection
  • Risk scoring
  • Device/IP reputation checks

No other processing is permitted unless explicitly authorised in writing by QMC.

6. Security Obligations of the Operator

6.1 Technical Safeguards

  • Encryption of data at rest and in transit
  • Secure APIs and access tokens
  • MFA for privileged access
  • Firewalls, IDS/IPS, anti-malware systems
  • Segregation of sensitive data
  • Regular vulnerability scanning and patching

6.2 Organisational Safeguards

  • Staff confidentiality agreements
  • POPIA training for all relevant personnel
  • Access on a strict need-to-know basis
  • Documented security and privacy policies

6.3 Physical Safeguards

  • Secure premises
  • Restricted access to server environments
  • CCTV or access logs (if applicable)

6.4 Breach Management

The Operator must:

  • Notify QMC immediately of any suspected or actual breach
  • Provide full details (nature, scope, data affected)
  • Assist with containment, recovery, and remediation
  • Not notify data subjects or regulators unless instructed

7. Sub-Processing

The Operator may not appoint a sub-processor without written approval from QMC.

If approved:

  • A POPIA-compliant sub-processing agreement is required
  • The Operator remains fully liable for the sub-processor’s conduct

8. Cross-Border Transfers

If the Operator transfers or stores data outside South Africa:

  • Transfers must comply with Section 72 of POPIA
  • QMC must approve the destination country and provider
  • Adequate data protection measures must be in place

9. Confidentiality

The Operator must:

  • Treat all QMC data as confidential
  • Ensure staff and subcontractors sign confidentiality obligations
  • Prevent any unauthorised use or disclosure

Confidentiality continues after termination.

10. Retention & Deletion

The Operator must:

  1. Retain data only as instructed by QMC
  2. Follow QMC’s Data Retention & Destruction Policy
  3. Return or securely delete all data upon:
    • QMC’s request, or
    • Termination of services
  4. Provide written confirmation of deletion

11. Data Subject Requests

If any seller, dealer, bidder, or user contacts the Operator directly:

  • The Operator must not respond
  • The Operator must forward the request to QMC immediately
  • The Operator must assist QMC where necessary

12. Breach Notification

The Operator must notify QMC immediately of:

  • Any unauthorised access
  • Loss, theft, deletion, or corruption of data
  • Security incidents or breaches
  • Any event potentially impacting confidentiality or integrity

13. Audit & Oversight

QMC may:

  • Audit the Operator’s processes
  • Request security documentation or evidence
  • Require vulnerability or penetration test results
  • Review data handling practices

The Operator must provide reasonable cooperation.

14. Liability

The Operator is liable for:

  • POPIA violations caused by its negligence
  • Security failures due to inadequate safeguards
  • Processing outside QMC’s instructions
  • Breaches caused by its staff or sub-processors

QMC may seek damages or terminate this Agreement.

15. Termination

Upon termination:

  • All QMC personal information must be returned or securely destroyed
  • No copies may be retained
  • Written deletion confirmation must be provided

16. Governing Law

This Agreement is governed by the laws of the Republic of South Africa, including POPIA.