TradeJournalBack to app

Operator Agreements

The operators (sub-processors) that help us run TradeJournal, and how they meet our obligations under POPIA sections 20 and 21.

Last updated: 17 April 2026Governing law: Republic of South Africa

1. What This Page Is

POPIA sections 20 and 21 require that any person processing personal information on behalf of a responsible party (an operator) do so only with the responsible party’s knowledge or authorisation, treat the information as confidential, and maintain security measures as required by section 19. There must be a written contract between the responsible party and each operator.

This page discloses every operator Tapnet Solutions currently engages to process personal information on our behalf. If we add or change an operator, we update this page.

2. Current Operators

OperatorRoleData processedLocationAgreementCertifications
Supabase Inc.Database (PostgreSQL), authentication (Supabase Auth), real-time sync, storageAll account data, trade entries, psychological data, consent records, session cookies, technical logsIreland (EU)Supabase Data Processing Addendum - GDPR/POPIA-equivalent standard contractual clausesSOC 2 Type 2
Vercel Inc.Web hosting, global edge network, static asset delivery, serverless function executionHTTP requests, IP addresses, static assets, server logsUnited States (primary) with global edge cachingVercel Data Processing Addendum - GDPR/POPIA-equivalent standard contractual clausesSOC 2 Type 2, ISO 27001

3. Services Not Currently Used

The following categories of operator are not currently in use by TradeJournal:

  • Payment processor - pricing is published but no processor (e.g. Stripe, Paystack) is yet integrated.
  • Email service provider - we do not send bulk transactional or marketing email from the application.
  • Analytics or product telemetry (e.g. Google Analytics, PostHog, Mixpanel, Hotjar).
  • Error tracking (e.g. Sentry, Rollbar, Bugsnag).
  • AI/ML inference providers.
  • Customer-support ticketing platforms.

When any of these are added, we will update this page and, where required, request fresh consent.

4. POPIA Section 21 Compliance Checklist

The following controls are built into each operator agreement and we review them annually:

ControlStatus
Written agreement in placeYes - Supabase DPA and Vercel DPA
Processing only on documented instructionsYes
Confidentiality obligations on operator personnelYes
Appropriate technical and organisational security measures (s19)Yes - SOC 2 / ISO 27001
Sub-processor disclosure and approvalYes - operator-maintained lists
Breach notification to responsible party without undue delayYes
Return or deletion of personal information on terminationYes
Adequate protection for cross-border transfersYes - standard contractual clauses
Assistance with data-subject rights and regulator enquiriesYes

5. Cross-Border Transfers

Both operators are located outside South Africa. We rely on POPIA s72(1)(a) (a binding written agreement with substantially similar protection), s72(1)(b) (your consent, given when you accept our Privacy Policy) and s72(1)(c) (performance of the contract between you and Tapnet Solutions).

You can see and request deletion of your data at any time from Settings → Data or by emailing privacy@tradejournal.co.za. Deleting your account triggers a cascade through every operator so that your data is removed from the live database and automatically purged from backups within the periods set out in our Data Retention Policy.

6. Questions

If you have a question about an operator or want to see the text of an operator agreement, contact privacy@tradejournal.co.za.