REG: 2023/121880/07
(hereinafter called “Cohesion X”)
This Standard Data Agreement (“Data Agreement”) of Cohesion X (Pty) Ltd governs the relevant aspects of data processing, privacy, security, and related obligations applicable to the Services provided by Cohesion X. This Data Agreement shall apply to all Customers and Users of Cohesion X Services, and forms an integral part of the contractual relationship between the Client and Cohesion X, together with Governing Agreements.
Document date: 5 November 2025
This Data Agreement shall be read in conjunction with the Governing Agreements of Cohesion X, the terms of which shall be explicitly deemed incorporated herein.
Unless the context indicates otherwise, the words and expressions set out below shall bear the meanings assigned to them, and similar expressions shall bear corresponding meanings. These definitions, as read with any further applicable definitions in the Governing Agreements, shall apply throughout this Data Agreement:
Client means the person or entity that registers for, subscribes to, or otherwise makes use of the Service, and includes its authorised users, personnel, or representatives.
Client Inputs means all data, content, materials, instructions, prompts, configurations, queries, selections, or other inputs submitted, provided, or initiated by the Client or its Users through or in connection with the use of the Service, including any information used to generate Outputs or interact with AI-powered features.
Client Data means all data, content, information, files, materials, or records that are provided to Cohesion X by the Client or its Users, or that are collected, stored, processed, or transmitted on the Client’s behalf through the Service, including Personal Information, business records, usage data, configurations, and other materials input or uploaded by the Client.
Governing Agreements means this Data Agreement, together with all annexures, schedules, policies, as well as all agreements defined as forming part of the Governing Agreement as set out in the Cohesion X Standard Terms and Conditions of Service (a copy can be obtained at www.cohesionx.co.za/legal), which collectively form the full and binding agreement between the Client and Cohesion X regarding the Services.
Intellectual Property shall mean all rights, title, and interest in and to any and all intellectual property, whether registered or unregistered, including without limitation copyrights, moral rights, rights in and to databases, rights in and to trade secrets and confidential information, patents, inventions, trademarks, service marks, trade names, domain names, designs, know-how, methodologies, algorithms, and all other similar rights recognised in any jurisdiction worldwide, together with all applications for registration, renewals, extensions, and rights to claim priority therefrom, and all rights of action in relation to any past, present or future infringement of any of the foregoing.
Outputs means any content, information, results, responses, insights, reports, analyses, predictions, summaries, or other materials generated or produced by or through the Service, including through AI-enabled features or automated processes, whether in response to Client Data, Client Inputs, or system operation.
Personal Information has the meaning ascribed to it in POPIA, and includes any information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person.
POPIA means the Protection of Personal Information Act, 4 of 2013, together with all regulations and codes of conduct promulgated under it, as amended from time to time.
Service means the suite of software applications, platforms, tools, systems, features, and infrastructure comprising the Service IP of Cohesion X, together with all related support and services provided or made available by Cohesion X to the Client. This includes, without limitation, access to the VectorMind Platform, AI-powered components, hosted environments, system integrations, configurations, user interfaces, and any associated functionalities, whether delivered via cloud, on-premises, mobile, or other means. The specific components and scope of the Service shall be as set out in the applicable Proposal, Service Order, Subscription Plan, or other written agreement concluded between the Parties.
Service IP means all Intellectual Property owned or developed by Cohesion X or its licensors relating to the design, architecture, code, components, systems, data models, algorithms, platforms, infrastructure, and technology used to provide or operate the Service, including the VectorMind Platform, and all updates, improvements, and derivative works thereof, whether developed before, during, or after the term of the Governing Agreements and whether or not incorporated into the Services.
Service Order means the document issued by Cohesion X and accepted by the Client which sets out the specific commercial terms, subscription details, effective date, minimum period, and other particulars relating to the Client’s use of the Service, and which forms part of the binding agreement between the Parties when read together with the Proposal, this Data Agreement, and the Standard Terms and Conditions of Service.
User means any individual who the Client authorises to access and use the Service under the Client’s account, which may include the Client’s authorised staff, contractors, or representatives.
VectorMind Platform means the proprietary artificial intelligence backend solution, licensed to and serviced by Cohesion X, and offered as a managed service and suite of solutions. It includes, without limitation, all associated AI engines, agentic solutions, software, code, tools, automation, analytics, digital infrastructure, components, libraries, frameworks, utilities, codebases, data models, designs, authentication layers, data processing capabilities, servers, and any related infrastructure required to support AI-driven functionalities within the Client Solution, together with all updates, enhancements, and improvements thereto.
The Client acknowledges and agrees that the Service may include components powered by artificial intelligence (AI), machine learning, natural language processing, or other forms of algorithmic automation (collectively, “AI Systems”), including the VectorMind Platform. The Client authorises Cohesion X to make use of such AI Systems in the performance, optimisation, and enhancement of the Service.
The Client is aware of and accepts the inherent risks associated with the use of AI Systems, including but not limited to:
the potential for inaccuracies or unpredictable outputs;
limitations in reasoning, context, or judgment by automated processes; and
reliance on probabilistic or data-driven models that may not fully reflect the Client’s specific needs, inputs, or instructions.
Cohesion X shall implement appropriate controls, governance, and oversight measures to ensure that the use of AI Systems is responsible, secure, and aligned with the intended purpose of the Service.
Cohesion X warrants that all Client Data, Client Inputs, and Outputs shall be siloed, securely processed, and stored in accordance with applicable data protection laws and best practices. Without limiting the generality of this clause, Cohesion X undertakes that:
Client Data shall not be used to train, retrain, fine-tune, or otherwise influence any third-party AI models or systems;
Client Data shall not be shared with, uploaded to, or processed by any external or publicly available AI service or model, unless expressly authorised in writing by the Client;
all AI processing shall occur within Cohesion X’s controlled infrastructure or authorised secure environments, and shall be subject to technical and organisational safeguards to prevent data leakage or misuse.
The Client remains responsible for reviewing and verifying any Outputs or recommendations generated by the Service before relying on them for critical decisions, and acknowledges that such Outputs may reflect statistical or automated reasoning rather than definitive advice or human judgment.
Cohesion X warrants that its systems and infrastructure are designed and implemented to ensure the confidentiality of all Client Data and Personal Information. No staff member, agent, or contractor of Cohesion X shall have access to any Client Data or Personal Information processed or stored by the Service, unless strictly required for support, maintenance, or compliance purposes and subject to the safeguards outlined below.
In the event that technical assistance or service support requires any Cohesion X personnel to access the Client’s systems or environments, including where such access may expose Client Data or Personal Information, Cohesion X undertakes and warrants that:
such access shall be limited to what is strictly necessary to resolve the technical issue or provide the requested support;
no Client Data or Personal Information shall be transferred, copied, extracted, or used for any purpose unrelated to such technical support;
all Client Data or Personal Information accessed by Cohesion X, whether intentionally or inadvertently, shall be treated as strictly confidential and subject to the non-disclosure obligations set out herein.
Cohesion X shall implement appropriate internal controls, access restrictions, personnel training, and confidentiality protocols to ensure that all staff or authorised representatives comply with the obligations of confidentiality and data protection.
Any access to Client Data or Personal Information by Cohesion X personnel shall be logged and monitored, and shall be subject to oversight by Cohesion X’s data protection officer or designated compliance officer.
For the avoidance of doubt, all Client Data and Personal Information to which Cohesion X may gain access shall be deemed to be confidential and proprietary to the Client, and shall not be disclosed to any third party, used for any unauthorised purpose, or retained beyond the resolution of the issue that necessitated the access, unless otherwise agreed in writing.
The Parties acknowledge that the provision and use of the Service may involve the collection, storage, transmission, or processing of data, including Personal Information as defined in POPIA, as well as data subject to other applicable international data protection and privacy laws.
Cohesion X shall implement appropriate technical and organisational measures to safeguard all data processed in the course of providing the Service and shall take reasonable steps to ensure that such data is protected against unauthorised access, disclosure, alteration, or destruction.
The Client acknowledges that the Service may be hosted or supported using infrastructure or subprocessors located outside the Republic of South Africa. By using the Service, the Client consents to the lawful cross-border transfer and processing of data, including Personal Information, subject to Cohesion X ensuring that such transfers comply with applicable data protection laws and are subject to appropriate safeguards.
Cohesion X shall only process data in accordance with this Data Agreement and applicable law and shall not use any Client Data, including Personal Information:
for its own purposes unrelated to the Service;
to train third-party AI systems; or
in any way that contravenes the Client’s lawful instructions or applicable data privacy regulations.
The Client warrants that:
it has obtained all necessary consents and authorisations required for the lawful collection, processing, and transmission of any data, including Personal Information, submitted to or processed via the Service;
its use of the Service and the data it provides shall be compliant with all applicable data protection and privacy laws, including POPIA, the General Data Protection Regulation (GDPR), and any other relevant laws governing the processing or cross-border transfer of personal data; and
it shall not use the Service to process or transmit any data in a manner that would result in a breach of applicable laws or the rights of any data subject.
The Client indemnifies and holds harmless Cohesion X, its directors, employees, and service providers against any claims, fines, losses, or damages (including legal costs on an attorney and own client scale) arising from:
any failure by the Client to comply with data protection or privacy laws;
any unauthorised, unlawful, or negligent processing of data by the Client or its Users; or
any claim by a data subject or regulatory authority related to the Client’s use of the Service or the data it provides.
Upon termination of this Data Agreement, Cohesion X shall, at the Client’s written request and subject to any legal or regulatory obligations, securely delete or return all Client Data, including Personal Information, that is in its possession.
The Parties agree that acceptance of this Data Agreement shall constitute a binding data processing Data Agreement (DPA) between them for the purposes of POPIA, GDPR, and any other applicable data protection laws. This Data Agreement sets out the scope, nature, purpose, and duration of data processing, as well as the rights and obligations of both the Client (as responsible party or controller) and Cohesion X (as operator or processor) in respect of Personal Information processed under or in connection with the Service.
All Client Data that is stored by Cohesion X as part of the Service shall be segregated from the data of Cohesion X and its other customers, and shall be subject to strict access controls to ensure data confidentiality and integrity.
Cohesion X shall implement and maintain industry-standard security measures to protect stored Client Data against unauthorised access, loss, alteration, or destruction, including encryption, access controls, and routine vulnerability assessments.
Stored Client Data shall be backed up regularly for the duration of this Data Agreement and for a maximum of ninety (90) days following the termination of this Data Agreement, after which such data shall be permanently deleted from all active and backup systems, unless otherwise agreed in writing.
Should the Client require a copy of any backed-up data following termination, Cohesion X shall make such data available in a reasonable format, subject to the Client bearing the reasonable costs of data extraction, packaging, and secure transfer.
The Client acknowledges and accepts that only data explicitly stored as part of the Service will be included in backups. Not all Client Data or Client Inputs submitted via or through the system will necessarily be retained or stored unless the relevant component of the Service has been specifically designed to store such data.
The Client accordingly acknowledges that it has no reasonable expectation that all uploaded content, system interactions, or transient inputs will be stored, archived, or retrievable, and is solely responsible for independently retaining any such data it requires outside of the Service.
The Client hereby indemnifies, defends, and holds harmless Cohesion X, its directors, officers, employees, agents, and service providers (“Indemnified Parties”) from and against any and all claims, losses, damages, liabilities, penalties, costs, and expenses (including reasonable legal fees on an attorney and own client scale) arising out of or in connection with:
the Client’s breach of this Data Agreement, including any misuse of the Service or unauthorised disclosure of Confidential Information;
any infringement or alleged infringement of intellectual property rights or privacy rights resulting from the Client Data, Client Inputs, or the use of the Service by the Client or its Users;
any failure by the Client to comply with applicable laws, including data protection, consumer protection, export control, or regulatory requirements;
any claim brought by a third party (including a User or data subject) relating to the Client’s use of the Service or reliance on any Outputs generated by or through the Service; or
any negligent or unlawful act or omission by the Client or its Users.
This indemnity shall survive the termination or expiry of this Data Agreement.
Upon termination or expiry of this Data Agreement, the Client shall be solely responsible for taking all necessary steps to download, export, or transfer its Client Data, system data, configurations, and any other materials from the Service. Cohesion X shall not be liable for any loss, cost, or consequence arising from the Client’s failure to do so within the applicable timeframe.
Cohesion X shall not be responsible for the cost, support, or facilitation of any data migration, system reconfiguration, or integration work required by the Client after the termination of the Service, regardless of the reason for such termination.
Following termination of the Data Agreement, Cohesion X shall maintain the Client’s instance of the Service, including access to stored data and configurations, for a maximum period of seven (7) calendar days, unless specifically agreed otherwise in writing, after which Cohesion X may permanently delete such instance and all associated data, configurations, and materials without further notice.
Backed-up data shall be handled strictly in accordance with clause 5.7 above. After the applicable retention period, all such data shall be permanently deleted unless otherwise agreed in writing.
