Our Compliance Framework
At Rozitech, we are committed to maintaining the highest standards of compliance and security. Our comprehensive compliance framework ensures that your data is protected and that we meet all regulatory requirements for operating in South Africa and internationally.
Regulatory Compliance
POPIA (Protection of Personal Information Act)
As a South African company, we fully comply with POPIA requirements:
- Lawful Processing: All data processing has a lawful basis and purpose
- Minimality: We only collect data necessary for specified purposes
- User Rights: Full support for data subject rights including access, correction, and deletion
- Data Security: Implementation of appropriate technical and organizational measures
- Data Breach Notification: Procedures in place for timely breach notification
- Information Officer: Designated Information Officer to handle POPIA compliance
GDPR (General Data Protection Regulation)
For our European users, we ensure GDPR compliance through:
- Legal Basis: Clear legal basis for all processing activities
- Privacy by Design: Data protection built into our systems from the ground up
- Data Protection Officer: Appointed DPO for GDPR matters
- Data Processing Agreements: Standard contractual clauses for international transfers
- Right to Erasure: Support for "right to be forgotten" requests
- Data Portability: Tools for users to export their data
Security Certifications
Current Certifications
| Certification | Status | Valid Until |
|---|---|---|
| SOC 2 Type II | | December 2025 |
| SSL/TLS Certificates | | Auto-renewed |
| PCI DSS Level 1 | | June 2025 |
Planned Certifications
| Certification | Status | Target Date |
|---|---|---|
| ISO 27001 | | Q3 2025 |
| ISO 27701 | | Q4 2025 |
| HIPAA Compliance | | 2026 |
Security Measures
Data Encryption
- At Rest: AES-256 encryption for all stored data
- In Transit: TLS 1.3 for all data transmissions
- Key Management: Hardware Security Module (HSM) for key storage
- Database Encryption: Transparent Data Encryption (TDE) enabled
Access Controls
- Multi-Factor Authentication: Required for all administrative access
- Role-Based Access Control: Granular permissions based on job function
- Principle of Least Privilege: Minimal access rights by default
- Regular Access Reviews: Quarterly review of user permissions
Network Security
- Firewall Protection: Web Application Firewall (WAF) and network firewalls
- DDoS Protection: Enterprise-grade DDoS mitigation
- Intrusion Detection: 24/7 monitoring and alerting
- Network Segmentation: Isolated production, staging, and development environments
Audit and Monitoring
Audit Logging
Comprehensive audit logging of all system activities:
- User authentication and authorization events
- Data access and modifications
- Administrative actions
- Security events and anomalies
- API calls and system interactions
Security Monitoring
- SIEM Integration: Security Information and Event Management system
- Real-time Alerts: Immediate notification of security events
- Threat Intelligence: Integration with threat intelligence feeds
- Regular Penetration Testing: Annual third-party security assessments
Business Continuity
Disaster Recovery
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
- Backup Frequency: Continuous replication with hourly snapshots
- Backup Testing: Monthly disaster recovery drills
- Geographic Redundancy: Data replicated across multiple regions
Incident Response
- Response Team: Dedicated incident response team available 24/7
- Response Plan: Documented and tested incident response procedures
- Communication Protocol: Clear escalation and notification procedures
- Post-Incident Review: Root cause analysis and improvement implementation
Vendor Management
All third-party vendors undergo rigorous security assessment:
- Security questionnaire and documentation review
- Contractual security requirements
- Regular security assessments
- Data Processing Agreements where applicable
- Continuous monitoring of vendor security posture
Employee Security
- Background Checks: Comprehensive screening for all employees
- Security Training: Mandatory annual security awareness training
- Confidentiality Agreements: NDAs for all staff with data access
- Security Policies: Clear policies for data handling and security
- Clean Desk Policy: Physical security measures in office locations
Compliance Reporting
We provide regular compliance reporting to demonstrate our commitment:
- Annual Compliance Report: Comprehensive yearly compliance review
- SOC 2 Reports: Available upon request for enterprise customers
- Security Attestations: Regular security attestation letters
- Audit Reports: Third-party audit reports available under NDA
Compliance Inquiries
For detailed compliance information, audit reports, or security questionnaires:
Compliance Team: compliance@rozitech.com
Security Team: security@rozitech.com
Data Protection Officer: dpo@rozitech.com
Phone: +27 (0) 10 123 4567
Office Hours: Monday - Friday, 8:00 AM - 5:00 PM SAST