Legal
Data Processing Addendum
Effective: 18 June 2026
This DPA is part of the Buytena Terms. You (“Controller”) instructBuytena Technologies Ltd. (“Processor”) to process personal data on your behalf in connection with the service.
Subprocessors
| Provider | Role | Region |
|---|---|---|
| Supabase (Postgres + Auth) | Primary data store | AWS Frankfurt / Singapore |
| Kilakona | SMS delivery | Tanzania |
| Africa's Talking | WhatsApp + SMS (multi-region) | Kenya / Uganda / TZ |
| SonicPesa | Mobile money billing | Tanzania |
| Resend | Transactional email | United States |
Security measures
- TLS 1.2+ in transit, AES-256 at rest
- Row-level security on every customer-data table
- Quarterly access reviews, key rotation, and incident response drills
- Daily backups with 30-day retention, point-in-time recovery
- Role-based access control for staff with audit logging
Data subject requests
We provide tools in the dashboard to export, edit, or delete individual customer records. For requests you cannot action yourself (full account export, deletion, GDPR/POPIA requests), email privacy@buytena.com and we will respond within 30 days.
Breach notification
We will notify affected customers without undue delay and within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of individuals.
For the full standard contractual clauses used for cross-border transfers, email privacy@buytena.com.