POPIA Compliance Statement

1. Who This Statement Applies To

This POPIA Compliance Statement applies to Aleph Safe (Pty) Ltd ("Aleph Safe") and covers all personal information collected, processed, stored, or shared in connection with the Aleph Safe platform at alephsafe.co.za. It applies to all users of the platform, visitors to our website, and any individuals whose personal information is processed by Aleph Safe in the course of providing its services.

2. Our Role Under POPIA

Aleph Safe acts as the Responsible Party as defined in POPIA for all personal information collected directly from users through our platform. Where we engage third-party service providers to process personal information on our behalf, those providers act as Operators and are contractually bound to process information only as directed by Aleph Safe and in compliance with POPIA.

3. Information Officer

In accordance with POPIA, Aleph Safe has designated an Information Officer who is responsible for overseeing our compliance with POPIA and handling data subject requests. The Information Officer can be contacted at:

• Email: privacy@alephsafe.co.za
• Platform: alephsafe.co.za

All requests relating to personal information, including access requests, correction requests, and deletion requests, should be directed to the Information Officer.

4. Lawful Basis for Processing

Aleph Safe processes personal information only where a lawful basis exists under POPIA. We rely on the following grounds:

• Contract performance: Processing is necessary to provide the services you have subscribed to, including account management, document generation, and billing
• Consent: Where you have provided explicit consent, such as for marketing communications or optional data sharing
• Legitimate interest: For purposes such as platform security, fraud prevention, service improvement, and analytics — where those interests are not overridden by your rights
• Legal obligation: Where processing is required to comply with applicable South African legislation

5. The Eight Conditions for Lawful Processing

POPIA requires that personal information is processed in accordance with eight conditions. Aleph Safe commits to meeting each of these:

• Accountability: We take responsibility for ensuring that POPIA is complied with in all our processing activities
• Processing limitation: We collect only the personal information that is necessary for the specified purpose
• Purpose specification: Personal information is collected for specific, explicitly defined, and lawful purposes
• Further processing limitation: Personal information is not processed in a manner incompatible with the original purpose of collection
• Information quality: We take reasonable steps to ensure that personal information is complete, accurate, and up to date
• Openness: We maintain this statement and our Privacy Policy to inform data subjects of our processing activities
• Security safeguards: We implement appropriate technical and organisational measures to secure personal information against loss, damage, or unauthorised access
• Data subject participation: We respect and facilitate the rights of data subjects to access, correct, and delete their personal information

6. Cross-Border Transfers

Some of our service providers are located outside the Republic of South Africa. Where personal information is transferred to a foreign country, Aleph Safe ensures that adequate protection is in place as required by section 72 of POPIA. Our cloud infrastructure is hosted in the European Union, which provides a level of protection substantially similar to the conditions for lawful processing of personal information under POPIA.

We do not transfer personal information to countries that do not provide adequate protection without first ensuring that appropriate safeguards are in place, such as data processing agreements containing standard contractual clauses.

7. Security Measures

Aleph Safe implements the following security safeguards to protect personal information:

• All data transmitted between users and the platform is encrypted using TLS/SSL protocols
• Personal information stored in our database is encrypted at rest
• Passwords are hashed using industry-standard algorithms and are never stored in plain text
• Access to personal information is restricted to authorised personnel on a need-to-know basis
• We maintain access logs and conduct regular security reviews
• Generated documents are stored in access-controlled private storage and are accessible only to the account holder
• All third-party operators are vetted for security compliance before being engaged

8. Data Subject Rights

As a data subject, you have the following rights under POPIA which Aleph Safe is committed to upholding:

• Right to be notified: You have the right to be notified that your personal information is being collected and the purpose for which it is collected
• Right of access: You may request confirmation of whether we hold your personal information and a copy of that information
• Right to correction or deletion: You may request that we correct inaccurate information or delete information we are no longer entitled to retain
• Right to object: You may object to the processing of your personal information in certain circumstances, including for direct marketing
• Right to complain: You have the right to submit a complaint to the Information Regulator if you believe your rights under POPIA have been infringed

To exercise any of these rights, contact our Information Officer at privacy@alephsafe.co.za. We will respond to all requests within a reasonable time and in accordance with POPIA requirements.

9. Data Breach Notification

In the event of a security compromise affecting personal information, Aleph Safe will notify the Information Regulator and affected data subjects as soon as reasonably possible after becoming aware of the compromise, in accordance with section 22 of POPIA. Notifications will include the nature of the compromise, the personal information involved, and the steps being taken to address it.

10. Retention and Deletion

We retain personal information only for as long as is necessary to fulfil the purpose for which it was collected, or as required by law. Our retention periods are as follows:

• Account data: Retained for the duration of your account and deleted within 30 days of account closure
• Generated documents: Retained for the duration of your subscription and for 30 days after cancellation
• Usage and security logs: Retained for up to 12 months
• Billing records: Retained for 5 years as required by South African tax legislation

11. Complaints and the Information Regulator

If you are not satisfied with how Aleph Safe has handled your personal information or a request you have submitted, you have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: www.inforegulator.org.za
• Email: inforeg@justice.gov.za
• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

We encourage you to contact us directly first at privacy@alephsafe.co.za so that we can attempt to resolve your concern before you escalate to the Regulator.

12. Updates to This Statement

This POPIA Compliance Statement may be updated from time to time to reflect changes in our practices or in applicable legislation. We will notify active subscribers of material changes by email. The date at the top of this statement indicates when it was last updated. The most current version will always be available at alephsafe.co.za/popia.