Software and technology law touches every aspect of how modern businesses operate — from the agreements that govern software use and development, to data protection obligations under POPIA, to the regulatory requirements imposed by the Cybercrimes Act and emerging AI governance frameworks. Below, we answer the 20 questions most frequently asked by South African businesses navigating this rapidly evolving legal landscape.
For detailed analysis of specific topics, see our comprehensive guides on software and technology law, AI governance, the Cybercrimes Act, and open source licensing.
Software Agreements
1. Do I need a written software agreement for every project?
Yes. While verbal contracts are technically enforceable under South African common law, a written agreement is essential for software projects. Software development and licensing involve complex issues — intellectual property ownership, warranties, liability, data protection, and support obligations — that cannot be adequately addressed without a written instrument. Without a written agreement, disputes about ownership, scope, and deliverables are extremely difficult and expensive to resolve. Even for small projects, a well-drafted agreement protects both parties and sets clear expectations.
Learn more in our comprehensive guide to software and technology law.
2. Who owns the IP when I hire a developer to build software?
Under South African law, the default position depends on the nature of the relationship. If the developer is an employee working under a contract of service, section 21(1)(d) of the Copyright Act 98 of 1978 provides that the employer owns the copyright in computer programs created in the course of employment. However, if the developer is an independent contractor, the default position is that the contractor owns the copyright — even if you commissioned and paid for the work. To ensure your business owns the IP, the development agreement must contain an express assignment of copyright from the contractor to your business. A licence to use the software is not the same as ownership of the IP.
3. Can I use an international SaaS provider's standard terms?
You can, but you should not accept them uncritically. International SaaS providers typically use terms drafted under foreign law — often the laws of California, Delaware, or England. These terms may contain provisions that are unenforceable in South Africa, may not comply with POPIA, ECTA, or the CPA, and may include governing law and jurisdiction clauses that require you to litigate disputes in a foreign country. Before accepting standard terms, have them reviewed by a South African attorney to identify provisions that expose your business to unnecessary risk, and negotiate amendments where commercially possible.
4. What should a software development agreement include?
A comprehensive software development agreement should address: a detailed specification of the software to be developed; the development methodology and project milestones; acceptance testing criteria and procedures; intellectual property ownership and assignment; warranties regarding functionality, security, and compliance with specifications; limitation of liability and indemnification; escrow arrangements for source code; support and maintenance obligations post-delivery; data protection and POPIA compliance; open source licence disclosure and management; confidentiality obligations; termination rights and consequences; and governing law and dispute resolution.
5. What is the difference between a licence and an assignment of IP?
An assignment is a transfer of ownership — the copyright in the software moves from the developer to the client, and the developer retains no rights. An assignment must be in writing and signed by the assignor to be valid under section 22(3) of the Copyright Act. A licence, by contrast, is a permission to use the software in specified ways, while ownership remains with the licensor. Licences can be exclusive (only the licensee may use the software) or non-exclusive (the licensor may grant the same rights to others). The commercial implications are significant: an assignment gives you complete control, including the right to modify, sublicense, and enforce the IP. A licence limits you to the rights expressly granted.
Data Protection & POPIA
6. What is POPIA and does it apply to my tech business?
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's comprehensive data protection statute. It applies to any entity that processes personal information — which includes virtually every technology business. "Processing" is broadly defined to include collection, storage, modification, retrieval, use, disclosure, and destruction of personal information. If your business collects customer names, email addresses, usage data, IP addresses, or any other information relating to an identifiable person, POPIA applies. The Act imposes obligations regarding lawful processing, purpose limitation, data quality, security, and data subject rights, with penalties of up to R10 million for non-compliance.
See our detailed guide on data processing agreements and POPIA compliance.
7. What is an operator agreement and when do I need one?
Under POPIA, an "operator" is any person who processes personal information on behalf of a "responsible party" under a mandate or agreement. In technology terms, if you are a SaaS provider processing your customers' data, you are likely an operator. Section 21 of POPIA requires the responsible party to enter into a written agreement with the operator that establishes the processing conditions — including the purpose of processing, security measures, return or destruction of data upon termination, and confidentiality obligations. In international terminology, this is equivalent to a data processing agreement (DPA). If you process personal information on behalf of clients, you need an operator agreement with each of them.
8. Can I store data outside South Africa?
Yes, but POPIA section 72 imposes conditions on the cross-border transfer of personal information. You may transfer personal information to a recipient in another country only if that country provides an "adequate level of protection" (essentially, data protection laws substantially similar to POPIA), or the data subject consents to the transfer, or the transfer is necessary for the performance of a contract, or the transfer is for the benefit of the data subject. In practice, cloud infrastructure hosted in the EU, UK, and certain other jurisdictions with recognised data protection laws is generally permissible, but you must conduct a transfer impact assessment and ensure your contracts with cloud providers address POPIA compliance.
9. Must I report a data breach? What is the timeline?
Yes. Section 22 of POPIA requires a responsible party to notify the Information Regulator and affected data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. Notification must occur "as soon as reasonably possible" after the breach is discovered — the Information Regulator has indicated that 72 hours is the expected timeframe. The notification must describe the nature of the compromise, the personal information affected, the measures taken to address the breach, and steps the data subject can take to protect themselves. In addition, the Cybercrimes Act 19 of 2020 may impose a separate 72-hour reporting obligation to the SAPS for electronic communications service providers and financial institutions.
10. What is data sovereignty and why does it matter?
Data sovereignty refers to the principle that data is subject to the laws and governance structures of the country in which it is collected or stored. For South African businesses, this means that personal information collected in South Africa is subject to POPIA, regardless of where it is subsequently stored or processed. Data sovereignty matters because hosting data in a foreign jurisdiction may expose it to the laws of that jurisdiction — including government surveillance laws, court orders, and regulatory access — which may conflict with POPIA's requirements. Businesses must understand where their data is physically stored, which laws apply, and whether adequate safeguards are in place to protect the data in accordance with South African law.
11. How do I ensure POPIA compliance as a SaaS vendor?
POPIA compliance for SaaS vendors requires a multi-faceted approach. You must implement appropriate technical and organisational security measures (section 19), including encryption, access controls, and regular security audits. You must enter into operator agreements with each client for whom you process personal information. You must implement procedures for responding to data subject access requests within the prescribed timeframes. You must maintain records of processing activities. You must implement a breach notification process. You must conduct transfer impact assessments before hosting data outside South Africa. And you must appoint an Information Officer and register with the Information Regulator. These obligations should be reflected in your terms of service, privacy policy, and operator agreements.
E-Commerce & Online Business
12. Are click-wrap and browse-wrap agreements enforceable in SA?
Click-wrap agreements — where the user must affirmatively click "I Agree" before proceeding — are generally enforceable in South Africa, provided the terms were reasonably accessible and the user had a genuine opportunity to read them. The Electronic Communications and Transactions Act 25 of 2002 (ECTA) recognises electronic agreements and provides that a data message (which includes a click) can constitute consent. Browse-wrap agreements — where terms are merely linked at the bottom of a website without requiring affirmative action — are more vulnerable to challenge. Courts internationally have been reluctant to enforce browse-wrap terms where the user was not given adequate notice, and South African courts would likely follow this approach. To maximise enforceability, use click-wrap with a mandatory checkbox and prominent link to the terms.
13. What is the cooling-off period for online purchases under ECTA?
Section 44 of ECTA grants consumers who purchase goods or services through an electronic transaction the right to cancel the transaction without reason and without penalty within seven days of receiving the goods. This cooling-off period applies to business-to-consumer transactions concluded entirely by electronic means. The consumer must return the goods in the condition in which they were received. The supplier must refund all payments within 30 days of cancellation. This cooling-off period applies in addition to any rights the consumer may have under the Consumer Protection Act, including the CPA's own five-business-day cooling-off period for direct marketing transactions (section 16).
14. Do electronic signatures have the same legal effect as wet-ink?
In most cases, yes. Section 13 of ECTA provides that an electronic signature is not without legal force and effect merely because it is in electronic form. For ordinary commercial contracts, a simple electronic signature — such as typing your name in an email, clicking an "I Agree" button, or using an e-signature platform — satisfies the signature requirement. However, certain documents require an "advanced electronic signature" (AES), which must be accredited by the South African Accreditation Authority. Documents that require an AES include long-term insurance policies and documents that must be notarised. For most commercial software and technology agreements, a standard electronic signature is sufficient.
15. What disclosures must my website include under ECTA?
Section 43 of ECTA requires a website or electronic platform to disclose specific information, including: the full name and legal status of the business; physical address and contact details; the website address; membership of any self-regulatory or accreditation body; any code of conduct to which the business subscribes; the registration number (if a company) and names of office holders; VAT registration number (if registered); and any relevant licence authority. These disclosures must be made available in a manner that enables the customer to access, store, and reproduce the information. Failure to comply with section 43 does not automatically invalidate transactions, but it may expose the business to regulatory penalties and undermine the enforceability of terms.
16. Can I limit my liability in a SaaS agreement?
Yes, but the validity and enforceability of limitation of liability clauses depend on the circumstances. Under South African common law, parties to a commercial contract may generally agree to limit or exclude liability, including liability for negligence. However, limitations must be reasonable and clearly communicated. The Consumer Protection Act imposes restrictions on limitation clauses in consumer agreements — section 49 requires that limitation clauses be drawn to the consumer's attention in plain language, and section 48 renders unfair, unreasonable, or unjust terms void. For business-to-business SaaS agreements, broader limitation clauses are generally enforceable, but clauses that purport to exclude liability for fraud, gross negligence, or intentional breach are likely to be struck down.
Cybersecurity, AI & Open Source
17. What happens if my SaaS provider goes bankrupt?
If your SaaS provider enters business rescue or liquidation, your access to the software and your data may be at risk. Under South African insolvency law, the business rescue practitioner or liquidator may terminate executory contracts. Your SaaS agreement may be treated as an executory contract and suspended or terminated. To mitigate this risk, your SaaS agreement should include provisions for data return or export in a standard format, source code escrow (with release triggers including insolvency), and the right to continue using the software for a transition period. Without these contractual protections, you may find yourself unable to access your own business data.
18. Do open source licences create legal risks for my business?
Yes. Open source software is copyrighted software licensed under specific terms. Copyleft licences such as the GPL require that any derivative work be distributed under the same licence — meaning that if you incorporate GPL code into proprietary software, you may be required to release your entire product's source code under the GPL. Even permissive licences (MIT, Apache 2.0, BSD) impose attribution requirements that must be complied with. Failure to comply with open source licence terms constitutes copyright infringement under the Copyright Act 98 of 1978. Businesses should maintain an inventory of open source components, implement an open source policy, and conduct regular compliance audits.
Read more about open source licensing risks and compliance.
19. What is the Cybercrimes Act and how does it affect my business?
The Cybercrimes Act 19 of 2020 creates criminal offences for unauthorised access to computer systems, unlawful interception of data, cyber fraud, cyber extortion (including ransomware), and malicious communications. For businesses, the most significant operational impact is the mandatory reporting obligation: electronic communications service providers and financial institutions must report any cyber offence they become aware of to the SAPS within 72 hours. Penalties range from fines to imprisonment of up to 15 years for aggravated offences. All businesses should implement incident response plans, cybersecurity measures, and employee training to reduce their exposure to cybercrime.
See our detailed guide on the Cybercrimes Act and cybersecurity compliance.
20. How is AI regulated in South Africa?
South Africa does not yet have a dedicated AI statute. The Draft National AI Policy Framework, published by the Department of Communications and Digital Technologies, proposes principles including transparency, accountability, fairness, and human oversight, but has not been enacted into law. However, existing legislation already applies to AI systems. POPIA section 71 regulates automated decision-making and gives data subjects the right not to be subject to decisions based solely on automated processing. The Consumer Protection Act applies to AI systems that interact with consumers. And the common law of delict creates potential liability for harm caused by AI outputs. Businesses deploying AI should implement governance frameworks covering impact assessments, bias testing, human oversight, and documentation.
See our comprehensive guide on AI governance and regulation in South Africa.
Need More Detail?
This FAQ covers the most commonly asked questions about software and technology law in South Africa. For a deeper exploration of specific topics — including detailed analysis of SaaS agreements, data processing obligations, AI governance frameworks, and open source compliance — visit our comprehensive Software & Technology Law guide.
Technology law is evolving rapidly, and the answers above provide general guidance based on the current legal position. The specifics of your situation may require tailored legal advice from a qualified practitioner.
Still Have Questions? Contact MJ Kotze Inc
Our team advises businesses on software agreements, POPIA compliance, cybersecurity obligations, and the full spectrum of technology law in South Africa.