A
Acceptance testing
The contractual process by which a software customer verifies that delivered work meets agreed acceptance criteria before paying for or taking ownership of it. A well-drafted South African development agreement defines the test period, defect-severity classes, the number of remediation rounds, and whether silence after the test window results in deemed acceptance.
Full guide →Advanced electronic signature (AES)
An electronic signature backed by a process accredited under section 37 of ECTA. Where South African law requires a signature but does not specify the type, section 13(1) of ECTA is satisfied only by an advanced electronic signature. For ordinary commercial contracts where the parties themselves choose to sign electronically, a standard electronic signature is sufficient.
Full guide →API licence
An agreement granting programmatic access to a software platform or data service through an application programming interface. Unlike a SaaS subscription consumed through a user interface, an API licence regulates rate limits, key security, versioning and deprecation, redistribution of API responses, and increasingly whether responses may be used to train AI models.
Full guide →Assignment (of copyright)
The outright transfer of ownership of copyright from one party to another. Under section 22(3) of the South African Copyright Act an assignment is invalid unless it is in writing and signed by or on behalf of the assignor — paying a developer's invoice, or a verbal agreement, does not transfer copyright in software.
Full guide →B
Background IP
Intellectual property a party owns before a project begins or develops outside it — the frameworks, libraries, tools and know-how a developer brings to every engagement. Software development agreements typically let the developer retain background IP while granting the customer a licence to use it as embedded in the deliverables.
Full guide →Browse-wrap
Website terms presented only as a link somewhere on the page, with no affirmative act of acceptance — the user supposedly agrees by simply continuing to browse. It is the weakest form of electronic contracting. South African practice favours click-wrap, where the user actively signifies assent, because proof of acceptance is far stronger.
Full guide →C
Click-wrap
An electronic contracting mechanism where the user must click "I agree" or tick a box before proceeding. ECTA recognises contracts concluded by data messages, and the affirmative click is the strongest evidence that terms were accepted — which is why SaaS sign-ups, EULAs and website terms should use click-wrap rather than browse-wrap.
Full guide →Computer-generated work
Under section 1(1) of the South African Copyright Act, a work generated by computer in circumstances where there is no human author of the work. The author — and first owner — is the person who undertook the arrangements necessary for the creation of the work, a definition now central to ownership of AI-generated code.
Full guide →Computer program
A separate category of copyright work under section 2(1)(i) of the South African Copyright Act — software is not protected as a literary work in SA. The author is the person who exercised control over the making of the program (the control test, confirmed in Haupt v Brewers Marketing Intelligence), not necessarily the person who wrote the code.
Full guide →Consent (POPIA)
Defined in section 1 of POPIA as any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. All three elements must be present — bundled, coerced or vague consent fails the definition and cannot serve as a lawful basis for processing.
Full guide →Cooling-off right (ECTA s 44)
Section 44 of ECTA gives a consumer in an electronic transaction seven days to cancel without reason or penalty — running from receipt of the goods or conclusion of a services agreement. Section 42(2) excludes several categories, including computer software whose seal the consumer has broken, so most downloaded software falls outside the right.
Full guide →Copyleft
A class of open-source licence — the GPL family is the best known — that requires derivative works to be distributed under the same licence terms, including making source code available. Incorporating copyleft code into proprietary software can oblige a vendor to open its own source, the central risk an open-source audit manages.
Full guide →CPA juristic-person threshold
The Consumer Protection Act protects juristic persons (companies, close corporations, trusts) only if their asset value or annual turnover is below R2 million at the time of the transaction. Larger business customers fall outside the CPA, and some protections — such as the section 14 fixed-term contract rules — apply to natural persons only.
Cross-border transfer (POPIA s 72)
Section 72 of POPIA prohibits transferring personal information outside South Africa unless a ground applies: the foreign recipient is bound by law, binding corporate rules or a binding agreement providing substantially similar protection; the data subject consents; the transfer is necessary for a contract; or it benefits the data subject and consent is impracticable.
Full guide →Cyber extortion
An offence under section 10 of the Cybercrimes Act 19 of 2020: committing, or threatening to commit, certain cybercrimes — such as unlawful access to or interference with data or computer systems — to coerce another person into paying or doing something. Ransomware attacks on South African businesses are prosecuted under this section.
Full guide →D
Data sharing agreement
A contract between two responsible parties that each use shared personal information for their own purposes. It differs from an operator (data processing) agreement, where one party processes only on the other's instructions. The distinction determines which POPIA duties each party carries — using a DPA template for a controller-to-controller share misallocates them.
Full guide →Data subject
The person to whom personal information relates. Unusually among major privacy laws, POPIA's data subject can be a natural person or an existing juristic person — South African companies' information enjoys POPIA protection too, unlike under the GDPR, which protects natural persons only.
Full guide →De-identification
Deleting or altering any information that identifies a data subject, can be used or manipulated to identify them, or can be linked to other identifying information. Data that has been properly de-identified and cannot reasonably be re-identified falls outside POPIA — which is why de-identification standards matter in analytics and AI training-data clauses.
Direct marketing (POPIA s 69)
Section 69 of POPIA makes electronic direct marketing opt-in: marketing by email, SMS or automated calls is prohibited unless the data subject has consented, or is an existing customer whose details were obtained in the context of a sale, for marketing similar products, with an opt-out offered at collection and in every message.
E
EOR (employer of record)
A third party that legally employs staff in one country on behalf of a client company in another, handling payroll, tax and labour-law compliance. Foreign tech companies commonly use an EOR to engage South African developers without opening a local entity — though misclassification and permanent-establishment risks still need managing.
Full guide →Escrow (source code)
An arrangement in which a software vendor deposits its source code with an independent escrow agent, to be released to the customer on defined trigger events — typically vendor insolvency, end of support, or material breach. Escrow protects business-critical customers against vendor failure without the vendor handing over its source code day-to-day.
Full guide →EULA (end-user licence agreement)
The contract between a software publisher and the person who installs or uses the software, granting a limited right of use subject to restrictions such as no copying, reverse engineering or redistribution. South African consumer-facing EULAs must also navigate the CPA's fairness rules and ECTA's electronic-contracting framework.
Full guide →Exchange control
South African Reserve Bank rules under which intellectual property is treated as capital. A South African resident cannot assign or sell IP offshore — including to its own foreign holding company — without exchange-control approval through an authorised dealer. Licensing offshore is treated differently from outright assignment, which is why flip structures need approval first.
Full guide →F
Fine-tuning
Further training an existing AI model on a specific dataset so that it performs better at a particular task. Contractually it raises ownership questions (who owns the fine-tuned model and its weights), data questions (was the dataset lawfully sourced under POPIA and copyright law), and confidentiality questions where customer data is used.
Full guide →Foreground IP
Intellectual property created during, and as a result of, a specific project — the new code, designs and documentation the customer is paying for. Development agreements typically assign foreground IP to the customer in writing (as section 22(3) of the Copyright Act requires) while the developer retains its background IP under licence.
Full guide →G
GCC (General Conditions of Contract)
The standard terms that apply by default to South African government procurement contracts, alongside SITA's framework for state ICT procurement. The GCC allocates risk in the state's favour — broad termination rights, penalties and ownership defaults — so software vendors selling to government must expressly reconcile their licence terms with it.
Full guide →H
Hallucination
An AI output that is fluent but false — invented case law, fabricated references, functions that do not exist. Contracts manage hallucination risk through accuracy disclaimers, human-review obligations and output-verification duties. South African courts have shown zero tolerance for AI-hallucinated citations in court papers, referring practitioners to the Legal Practice Council.
I
Indemnity
A contractual promise to cover another party's losses from a defined event — in software contracts, most commonly third-party claims that the software infringes intellectual property rights. Indemnities often sit outside the liability cap or under a higher super-cap, which is why their scope is among the most heavily negotiated clauses.
Information officer
The person responsible for POPIA compliance within a South African organisation — by default the head of the business, such as the CEO, with deputies appointable in writing. The information officer must be registered with the Information Regulator and serves as the contact point for data subjects and the Regulator.
Full guide →Information Regulator
South Africa's data protection authority, established under POPIA. It enforces both POPIA and PAIA: receiving section 22 breach notifications, handling complaints, conducting assessments, and issuing enforcement notices. It can impose administrative fines of up to R10 million or refer conduct for criminal prosecution.
L
Liability cap
A clause limiting the total damages one party can recover from the other — commonly twelve months' fees in SaaS deals or the contract value in development work. Caps typically carve out confidentiality breaches, IP indemnities and sometimes data-protection liability, which may be uncapped or subject to a higher super-cap.
M
Model weights
The numerical parameters inside a trained AI model that encode what it has learned — the commercially valuable core of the model. Whether South African copyright protects weights is unsettled, so contracts protect them through trade-secret and confidentiality obligations plus express ownership clauses, rather than relying on copyright alone.
MSA (master service agreement)
An umbrella contract that fixes the standing legal terms — liability, intellectual property, confidentiality, data protection, dispute resolution — under which the parties execute multiple statements of work over time. The MSA-plus-SOW structure lets an ongoing tech relationship add projects without renegotiating the legal terms each time.
Full guide →O
Open-source licence
A licence granting anyone the right to use, study, modify and redistribute software, on conditions ranging from light attribution requirements (MIT, Apache 2.0) to copyleft share-alike obligations (GPL). Open-source licences are enforceable in South Africa as copyright conditions — non-compliance is copyright infringement, not merely a breach of etiquette.
Full guide →Operator (POPIA)
Defined in section 1 of POPIA as a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under its direct authority. SaaS providers, hosting companies and payroll bureaus are typically operators — the South African analogue of a GDPR processor.
Full guide →Operator agreement (POPIA s 21)
The written contract section 21 of POPIA requires between a responsible party and its operator, obliging the operator to maintain the security measures in section 19 and to process personal information only with the responsible party's knowledge or authorisation. It is the South African equivalent of a GDPR Article 28 data processing agreement.
Full guide →P
Perpetual licence
A software licence granted indefinitely for a one-off fee, in contrast to a subscription that lapses when payments stop. "Perpetual" refers to the licence term only — support and updates are usually a separate annual contract — and the licence can still terminate for breach if the agreement says so.
Full guide →POPIA
The Protection of Personal Information Act 4 of 2013, South Africa's data protection law, fully in force since 1 July 2021. It imposes eight conditions for lawful processing, regulates direct marketing and cross-border transfers, and is enforced by the Information Regulator with administrative fines of up to R10 million.
Full guide →R
Responsible party
The party that determines the purpose and means of processing personal information — the South African analogue of a GDPR controller. The responsible party carries the primary POPIA duties: meeting the lawful-processing conditions, notifying breaches, answering data subject requests, and binding its operators under section 21 agreements.
Full guide →Royalty (withholding tax)
A payment for the use of, or the right to use, intellectual property. Under sections 49A–49G of the Income Tax Act, royalties paid from South Africa to a foreign licensor attract a 15% withholding tax, often reduced by a double tax agreement — and how a software fee is characterised determines whether the tax applies at all.
Full guide →S
SCCs (standard contractual clauses)
The European Commission's pre-approved contract terms that legitimise transfers of personal data from the EU to countries — like South Africa — without an adequacy decision. SA SaaS companies serving EU customers typically sign SCCs as data importer; POPIA's section 72 then separately governs any onward transfer out of South Africa.
Full guide →Security compromise (POPIA s 22)
POPIA's term for a data breach. Section 22 requires a responsible party to notify the Information Regulator and affected data subjects as soon as reasonably possible after there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person. POPIA sets no fixed 72-hour deadline like the GDPR.
Full guide →Service credit
A pre-agreed fee reduction the provider gives the customer for missing a service level — typically a sliding percentage of the monthly fee keyed to how far availability fell below the commitment. SLAs commonly make service credits the sole and exclusive remedy for downtime, which customers should resist for severe or repeated outages.
Full guide →SLA (service level agreement)
The contractual commitments a provider makes about service quality — uptime percentage, support response and resolution times, error rates and maintenance windows — together with defined remedies, usually service credits, for missing them. In South African cloud and SaaS deals the SLA is typically a schedule to the main agreement.
Full guide →Source code
The human-readable instructions developers write, from which executable software is compiled or interpreted. Owning copyright in software without holding the source code is commercially hollow — which is why delivery of source code, repository access and escrow are negotiated separately from IP ownership in development agreements.
SOW (statement of work)
A project-specific document executed under a master service agreement, describing the deliverables, milestones, timeline, fees and acceptance criteria for one engagement. The MSA's legal terms apply to every SOW; a well-drafted MSA also states which document prevails when an SOW conflicts with the master terms.
Full guide →Special personal information (POPIA s 26)
Categories of personal information that section 26 of POPIA prohibits processing by default: religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour. Processing requires a specific exception in sections 27–33, such as the data subject's consent.
T
Training data
The dataset used to teach a machine-learning model. In South African contracts the live questions are whether personal information in the dataset was processed lawfully under POPIA, whether copyright-protected works were reproduced without licence, and whether a customer's data may be used to train models that then serve other customers.
Full guide →Transfer pricing
Tax rules in section 31 of the Income Tax Act requiring transactions between cross-border connected persons to be priced at arm's length. When a South African company licenses or sells its IP to an offshore parent in a flip structure, SARS can adjust the price — and tax the difference — if it is not market-related.
Full guide →U
Uptime
The percentage of time a service is available and operational over a defined measurement period — 99.9% monthly uptime allows roughly 43 minutes of downtime per month. The definition matters as much as the number: exclusions for planned maintenance, force majeure and third-party failures can hollow out a headline figure.
Full guide →V
Voetstoots
The South African common-law mechanism for selling something "as is", excluding liability for defects. It does not work against consumers: where the Consumer Protection Act applies, the implied warranty of quality in sections 55 and 56 overrides as-is wording — so consumer software and devices cannot simply be sold voetstoots.
W
White-label
An arrangement where a reseller markets a provider's software under the reseller's own brand, with the underlying provider invisible to end customers. White-label deals need careful drafting on trade mark licensing, who contracts with the end user, who carries POPIA operator duties, and how support obligations flow down the chain.
Full guide →Work made for hire
A United States copyright doctrine under which works created by employees, or certain commissioned works, are authored by the hiring party. South African law has no work-made-for-hire equivalent: section 21(1)(d) of the Copyright Act vests works made in the course of employment in the employer, and commissioned software follows the control test — US-style clauses need local adaptation.
Full guide →Need more than a definition?
Every term above links into the full Software & Technology Law hub — practical guides on SaaS, software development, IP ownership, POPIA, AI contracting and cross-border deals for South African tech businesses.
Browse the full hub →