DocFox Privacy Policy



The information, content, services and/or materials offered by DocFox Africa on or through its website (“the Website”) are made available subject to the provisions contained below.

Please read this Privacy Policy carefully to understand how your personal information will be treated when you use the Website.

All queries and/or requests relating to this Privacy Policy should be sent to

Data Privacy Compliance (POPIA & GDPR)

1. Introduction
DocFox Africa (DFA) provides its services to Accountable Institutions to assist them in meeting their compliance obligations in terms of the Financial Intelligence Act (FICA). These services are provided using software licensed from DocFox Inc (DInc), incorporated in Delaware in the United States. For ease of reference, DFA and DInc will be referred to collectively as DocFox where applicable. The integrity and confidentiality of the personal information of our customers and their clients is of critical importance for DocFox.
2. Data Privacy Laws and Regulations
The flow of our customer data originates in South Africa and is then transferred offshore, where it is hosted via third-party providers. DocFox therefore complies with local (Protection of Personal Information Act, POPIA) and global (General Data Protection Regulation, GDPR) data privacy laws and regulations.

The reason for this offshore data transmission is that DocFox’s data cloud storage centre is hosted in the Republic of Ireland, by two main subcontractors. These subcontractors are AWS (supplier of infrastructure-as-a-service) and Heroku (supplier of platform-as-a-service) respectively. Personal information is only processed by DocFox, as well as our third-party service providers, for the specific, lawful purpose for which it is gathered, which is the customers’ FICA compliance obligations.

Section 72 of the POPIA allows for the transfer of data across international borders. There are certain conditions that are required to be met, which include the following:
  • Data subjects must consent to the transfer of their personal data.
  • AWS, as a subcontractor, must be subject to a law, binding corporate rules, or a binding agreement with DocFox.
  • Adequate protection must be provided for such transfer, and the transfer must be necessary for the performance or conclusion of a contract concluded in the interest of the data subject between DocFox and AWS.
The transfer of our customers’ data from SA to Ireland, which falls within the European Union, meets the requirements of section 72 of POPIA. This has been confirmed by two separate legal opinions sought by DocFox.

As subcontractors and data processors to DocFox, AWS and Heroku are subject to Irish Data Protection Laws. Ireland is subject to the GDPR, which is viewed globally as a leading, multi-jurisdictional law on data protection. The legal opinions referenced above also provide that Irish Data Protection Laws uphold principles for fair data processing that are substantially similar to the conditions set by POPIA.
3. Compliance and Data Protection Measures
DocFox takes the security of our customer data very seriously and therefore has implemented the following data privacy compliance and security controls to mitigate the risk of data breaches. These controls are monitored regularly to ensure their operating effectiveness.
3.1 Data Privacy Policy
DocFox has a privacy policy and our policy approach is consistent with the core principles of POPIA, which is to protect the privacy rights of individuals and juristic entities and to ensure the secure handling of personal data. DocFox is registered with the Information Regulator in South Africa, and any privacy-related concerns or complaints can be directed via
3.2 Service Level Agreements (SLAs)
DocFox has an SLA in place with every customer, where it is incumbent on the customer to obtain the necessary consent of their data subjects. The SLA confirms that DocFox will only collect, store, and process data which is necessary to deliver agreed services. In addition, we have SLAs in place with our subcontractors, which state that data is not permitted for onward transmission.

Clauses in the SLA also address a vital part of POPIA, which is the destruction or de-identification of personal information when DocFox no longer has the legal right to retain such information, for example when an SLA with a customer is cancelled or is not renewed.

The fact that our customers’ and their respective clients’ data is stored offshore with AWS is clearly communicated in clause 18 of DocFox’s current SLA with customers. In terms of the SLA, the customer also warrants that their clients’ consent will be obtained for the transfer of personal information, which is in line with s72(1)(b) of POPIA. By signing the SLA, the customer also consents to the transfer of its personal information and that of its clients to AWS hosted in the Republic of Ireland. The provisions of s72 of POPIA are also clearly articulated and communicated to our customers throughout clause 18.
3.3 Data Access Control
Customer data is only examined directly if it is absolutely necessary for technical reasons. Furthermore, only the core development and support team have access privileges that allow for the direct modification of production data. Such modification is to be done in only the most critical of cases and/or at the documented request of a customer.
3.4 Data Encryption & Recovery Processes
Technical security measures are also monitored by DocFox; these include all customer data being encrypted during transmission and at rest. All data is backed up on a regular basis, and disaster recovery tests are run annually per company policy.

Users of the web interface must authenticate themselves with a username, password, and multi-factor authentication. DocFox uses various software, infrastructure, and architecture to restrict logical access, including a defence-in-depth approach with gateway and perimeter defences, encryption, secure operations policies and procedures, secured endpoints, and backups.
4. Conclusion
DocFox’s security and risk management procedures have been audited by an independent audit firm that has tested our controls as per the SOC 2 (Security and Organisational Controls) reporting standards. We trust that this provides your organisation with assurance with regard to our commitment to data privacy and security standards. Should you have any further questions, please feel free to contact our Sales Team at
