Operator (Data Processing) Agreement
Effective date: 2026-06-21 Applicable law: Protection of Personal Information Act, 2013 (POPIA)
This Operator Agreement (the "Agreement") forms part of, and is incorporated into, the Terms of Service. It records the relationship between the user (the "Responsible Party", "you") and Safety Quest cc ("Safety Quest", the "Operator", "we", "us") in respect of personal information that you upload into or generate through the Service for the preparation and management of safety documentation.
For the purposes of POPIA, you determine the purpose and means of processing the personal information of your personnel and are therefore the Responsible Party. Safety Quest processes that personal information only on your behalf and on your documented instructions, and is therefore the Operator. This Agreement governs that processing.
By accepting the Terms of Service or by using the Service, you enter into this Agreement with Safety Quest.
1. Definitions
Terms defined in POPIA carry the same meaning in this Agreement. In particular:
- "Personal information" means information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person, as defined in section 1 of POPIA.
- "Special personal information" means the categories of information described in section 26 of POPIA, including information concerning a person's health.
- "Processing" means any operation concerning personal information, including collection, storage, use, dissemination, and deletion.
- "Data subject" means the person to whom personal information relates. In the context of this Agreement, that is principally your personnel.
- "Sub-operator" means a third party engaged by Safety Quest to process personal information on its behalf in connection with the Service.
- "Security compromise" means a breach in which there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person (section 22 of POPIA).
- "Information Regulator" means the Information Regulator established under section 39 of POPIA.
- "Service" has the meaning given in the Terms of Service.
2. Scope and Roles
2.1 This Agreement applies where you upload, enter, or generate personal information about your personnel and other data subjects (for example identity and contact details, training records, medical fitness certificates, work experience, and signatures) into Safety Files and related records within the Service.
2.2 In respect of that personal information, Safety Quest acts as Operator and you act as Responsible Party.
2.3 Safety Quest's separate role as Responsible Party for account, billing, and platform data (for example your own account and login details, billing information, and usage data) is dealt with in the Privacy Policy and is not governed by this Agreement.
3. Subject Matter, Nature, and Purpose of Processing
3.1 Subject matter and duration. Safety Quest processes personal information for the duration of your use of the Service and for any further period required to give effect to clause 10 (return and deletion) and applicable retention obligations.
3.2 Nature and purpose. Processing is carried out solely to provide the Service, namely to host, store, organise, generate, compile, and make available safety documentation and the associated personnel, training, appointment, and compliance records, and to support related functions such as electronic signing.
3.3 Categories of data subjects. Your personnel, and any other individuals whose personal information you choose to include in Safety Files (for example employees, subcontractors, and appointees).
3.4 Categories of personal information. Identification and contact details; employment, appointment, and competency information; training and qualification records; work experience; PPE issuance records; signatures; and, where you choose to upload them, medical fitness confirmations and other compliance documents. Medical fitness information may constitute special personal information under section 26 of POPIA, and you are responsible for ensuring you have a lawful basis to process it.
3.5 Safety Quest does not determine the purpose or means of processing your personnel's personal information and will not process it for any purpose of its own.
4. Operator Obligations
As Operator, Safety Quest undertakes to:
4.1 process personal information only with your knowledge or authorisation and only on your documented instructions, including as set out in this Agreement, the Terms of Service, and your use of the Service's features, except where required to do so by law (section 20 of POPIA). Where Safety Quest is required by law to process otherwise, it will, unless prohibited, inform you of that legal requirement before processing;
4.2 treat all personal information that comes to its knowledge as confidential, and not disclose it, unless required by law or in the proper performance of the Service (section 21(1) of POPIA);
4.3 ensure that persons acting under its authority who have access to personal information (including employees and sub-operators) are subject to a duty of confidentiality;
4.4 secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent its loss, damage, unauthorised destruction, and unlawful access or processing (section 19 of POPIA), having regard to generally accepted information security practices. These measures include, as applicable, access controls and role-based permissions, encrypted connections (HTTPS), secure hosting environments, and logical separation of customer data;
4.5 taking into account the nature of the processing, provide reasonable assistance to you, by appropriate technical and organisational measures, to enable you to respond to requests from data subjects exercising their rights under POPIA (for example access, correction, or deletion);
4.6 provide reasonable assistance to you in ensuring compliance with your obligations relating to security of processing and notification of a security compromise, taking into account the information available to Safety Quest; and
4.7 notify you in writing without undue delay, and in any event within 72 hours, after becoming aware of a security compromise affecting personal information processed under this Agreement, with sufficient detail to allow you to meet your own notification obligations to the Information Regulator and affected data subjects under section 22 of POPIA. Safety Quest will not make a notification on your behalf to data subjects or the Information Regulator unless you instruct it to do so or it is independently required by law.
5. Responsible Party Obligations and Warranties
You, as Responsible Party, warrant and undertake that:
5.1 you have a lawful basis under POPIA to collect, upload, and process the personal information of your personnel and any other data subjects whose information you include in the Service, and that your instructions to Safety Quest are lawful;
5.2 you have, where required, made the relevant data subjects aware of the processing and obtained any consent necessary, including in respect of any special personal information such as medical fitness information;
5.3 you will keep the personal information you process through the Service accurate, complete, and up to date so far as is reasonably practicable; and
5.4 you will not instruct Safety Quest to process personal information in a manner that would cause Safety Quest to breach POPIA or any other applicable law.
You remain responsible, as Responsible Party, for your own compliance with POPIA, including the lawfulness of the processing you direct.
6. Sub-Operators
6.1 You provide general authorisation for Safety Quest to engage sub-operators to process personal information in connection with the Service. The sub-operators engaged as at the effective date of this Agreement are:
| Sub-operator | Purpose | Personal information processed | Processing location |
| Google Cloud Platform (Compute Engine) | Hosting and storage of the Service and its data | All personal information stored in the Service | Johannesburg, South Africa (africa-south1) |
| DeepSeek (AI text generation) | Generating safety-document text from the inputs you submit | Any personal information you choose to include in generation inputs | Outside South Africa |
Account and billing data, including payment processing, is processed under the Privacy Policy and does not form part of this list.
6.2 Safety Quest will give you reasonable prior notice (ordinarily at least 30 days, or a shorter period where required for security or legal reasons) of any intended addition or replacement of a sub-operator that processes personal information under this Agreement. The current list is available on request through the contact page.
6.3 You may object to a new sub-operator on reasonable data-protection grounds by notifying Safety Quest before the change takes effect. The parties will work in good faith to resolve the objection. If it cannot be resolved, your sole remedy is to stop using the affected feature and, where that is not practicable, to terminate your account in accordance with clause 10.
6.4 Where a sub-operator processes personal information on Safety Quest's behalf, Safety Quest will impose on that sub-operator, by written agreement, data protection and confidentiality obligations that are substantially equivalent to those in this Agreement.
6.5 Safety Quest remains responsible to you for the performance of its sub-operators' obligations in respect of personal information processed under this Agreement.
6.6 You should not enter personal information into free-text or generation features unless it is necessary for the documentation you are preparing, as that information will be processed by the relevant sub-operator solely to deliver the feature.
7. Audit and Compliance Reports
7.1 On reasonable written request, and no more than once in any 12-month period (unless required more frequently by the Information Regulator or following a security compromise), Safety Quest will make available to you the information reasonably necessary to demonstrate its compliance with this Agreement. This may take the form of a summary of its technical and organisational security measures and, where available, current third-party audit reports or certifications.
7.2 Where you reasonably consider that the information made available under clause 7.1 is insufficient to demonstrate compliance, you, or an independent auditor appointed by you who is bound to confidentiality and not a competitor of Safety Quest, may request an audit. Any such audit will be conducted on reasonable prior written notice, during normal business hours, in a manner that does not disrupt the Service or compromise the confidentiality or security of other customers' data, and at your cost.
7.3 Safety Quest's obligations in respect of processing carried out by a sub-operator may be satisfied by providing or procuring that sub-operator's available audit reports, certifications, or security declarations.
8. Cross-Border Processing
The Service is hosted, and the personal information you upload is stored, on infrastructure located in South Africa (Google Cloud Platform's Johannesburg region). The AI text-generation feature is provided by DeepSeek and processes the inputs you submit to it on servers outside South Africa. Where personal information is transferred outside South Africa, Safety Quest will ensure that the transfer is permitted under section 72 of POPIA, for example because the transfer is necessary to perform the service you have requested, or because adequate protection or your consent is in place. As noted in clause 6.6, you should not enter personal information into generation features unless it is necessary for the documentation you are preparing.
9. Assistance with Data Subject Requests
9.1 If Safety Quest receives a request, complaint, or communication directly from a data subject relating to personal information processed under this Agreement, it will not respond to the substance of the request itself (except to confirm receipt and direct the data subject appropriately) but will, without undue delay, forward the request to you.
9.2 You are responsible for responding to data subject requests. Safety Quest will provide the reasonable assistance described in clause 4.5, using the access, correction, export, and deletion functionality available within the Service and its administrative tooling.
10. Duration, Return, and Deletion of Personal Information
10.1 This Agreement takes effect when you accept the Terms of Service or begin using the Service, and continues for as long as Safety Quest processes personal information on your behalf.
10.2 Safety Quest processes personal information for as long as you maintain an account or as otherwise required to provide the Service.
10.3 On termination of your account, or on your written instruction, Safety Quest will, at your election and within a reasonable time, delete or return the personal information processed under this Agreement, and delete existing copies, unless retention is required by law. Deletion is handled in accordance with the Privacy Policy and applicable retention obligations.
10.4 You are responsible for exporting or retaining your own copies of any Safety Files or records required for statutory recordkeeping before deletion takes effect.
11. Liability and Relationship to the Terms of Service
11.1 This Agreement supplements the Terms of Service. The limitation of liability and indemnity provisions of the Terms of Service apply to this Agreement to the maximum extent permitted by law.
11.2 In the event of a conflict between this Agreement and the Terms of Service in relation to the processing of personal information governed by this Agreement, this Agreement prevails to the extent of the conflict. In all other respects the Terms of Service apply.
12. Governing Law
This Agreement is governed by the laws of the Republic of South Africa, and the courts of South Africa have exclusive jurisdiction in respect of any dispute arising from it.
13. General
- Variation. Safety Quest may update this Agreement from time to time to reflect changes in the Service or in applicable law. Continued use of the Service after an updated version takes effect constitutes acceptance.
- Severability. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions continue in full force.
- Entire agreement. Together with the Terms of Service and Privacy Policy, this Agreement constitutes the entire agreement between the parties in respect of the processing of personal information through the Service.
14. Contact
Questions about this Operator Agreement, or instructions relating to the personal information processed under it, can be raised through the contact page.