DocFox Privacy Policy
DOCFOX AFRICA (PTY) LTD, REGISTRATION NUMBER 2015/275633/07 (“DocFox Africa”) WEBSITE PRIVACY POLICY (“PRIVACY POLICY”)
The information, content, services and/or materials offered by DocFox Africa on, or through its website www.docfox.co.za (“the Website”), is made available subject to the provisions contained below.
Please read this Privacy Policy carefully to understand how your personal information will be treated when you use the Website.
All queries and/or requests relating to this Privacy Policy should be sent to privacy@docfox.co.za
INTRODUCTION
- DocFox Africa endeavours to comply with all laws and regulations providing for privacy including, but not limited to the Constitution of the Republic of South Africa, 108 of 1996 and the Protection of Personal Information Act, 4 of 2013 (“the Act”);
- For purposes of this Privacy Policy the person accessing the Website, or on whose behalf the Website is accessed, is referred to as “the User” and the term “Personal Information” bears the meaning as ascribed to it in the Act;
- DocFox Africa seeks to ensure the quality, accuracy and confidentiality of all Personal Information in its possession and recognises the importance of protecting the User’s privacy in respect of the User’s Personal Information collected by DocFox Africa when the User visits the Website. DocFox Africa is committed to protecting and preserving the Personal Information of all visitors to the Website;
- By accessing the Website, the User agrees to the processing of the User’s Personal Information for the purposes stated in this Privacy Policy;
- This Privacy Policy includes various consents and permissions provided by the User to DocFox Africa in respect of the User’s Personal Information;
- The User should not use this Website if the User does not agree with DocFox Africa’s processing activities described in this Privacy Policy;
- DocFox Africa undertakes that the processing of the User’s Personal Information shall be carried out by it solely in accordance with the provisions of this Privacy Policy;
- The User will be subject to the Privacy Policy in force at the time that the User accesses the Website;
- This Privacy Policy should not be viewed in isolation and must be read together with the applicable terms of use of the Website (which are available on the Website) and any further agreement/s entered into between the User and DocFox Africa (such as an agreement in terms of which the User elects to subscribe for any of the services rendered by DocFox Africa).
INFORMATION COLLECTION AND USE
- DocFox Africa strives to collect only that Personal Information which is necessary for the intended purpose of the collection;
- DocFox Africa and/or its authorised agents shall collect certain Personal Information from the User in connection with the User’s use of the Website. The information collected is used for the following purposes:
- To make the User’s visit to the Website more efficient;
- To enable efficient use of the Website;
- To process electronic communications and transactions;
- To administer any promotion, survey or similar interactive activity conducted by DocFox Africa; and
- To provide the User with newsletters or other periodic emails and/or promotional materials as requested by the User;
- When the User accesses the Website the User’s Personal Information will be automatically collected in relation to the User’s visit to the Website, such information includes but is not limited to:
- The User’s browser type and version;
- The User’s operating system and information about the User’s use of the Website including details of the User’s visits to the Website (such as pages viewed and the resources that the User accessed on the Website);
- The Website also uses different types of cookies, such as: cookies which provide web analytics services, flash cookies and other types of cookies. DocFox Africa’s hosting agents and/or service providers may automatically log the User’s “IP address” (the unique identifier for the User’s computer and/or other access device). The aforesaid information collected by DocFox Africa is for aggregate purposes only and cannot be used to identify the User personally;
- Should the User subscribe to receive any newsletter, periodic email, or promotional material or information distributed by DocFox Africa, the User’s Personal Information (including but not limited to the User’s email address) will be processed by DocFox Africa. DocFox Africa may also track whether the User has read the material supplied by DocFox Africa and/or whether the User has clicked on any of the links so provided. All DocFox Africa communications shall contain an unsubscribe link and by following the unsubscribe process the User shall be removed from the relevant distribution list and DocFox Africa shall no longer send the User the subscription content or contact the User.
CONSENT TO PROCESS PERSONAL INFORMATION
- By accessing the Website the User agrees and consents that DocFox Africa may process the User’s Personal Information for the purposes set out in this Privacy Policy including providing the User with access to the Website and the contents of the Website;
- By providing DocFox Africa with his/her/its Personal Information, the User expressly consents to having his/her/its Personal Information processed in accordance with this Privacy Policy, which processing is necessary to enable DocFox Africa to carry out the actions required of it in relation to the User when the User accesses the Website;
- Processing shall include the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as blocking, degradation, erasure or destruction of information;
- This consent is effective immediately and will endure until the User’s relationship with DocFox Africa has been terminated, alternatively until such time as the User expressly notifies DocFox Africa that such consent is retracted.
RETAINING PERSONAL INFORMATION
- The User expressly consents to DocFox Africa retaining the Personal Information once the User’s relationship with DocFox Africa has been terminated for the following purposes:
- Aggregate, statistical and reporting purposes and for only so long as is necessary to enable DocFox Africa to achieve the purpose for which the Personal Information was collected or subsequently processed, subject to the further provisions of section 14 of the Act;
- In order to ensure that the User’s Personal Information is treated in accordance with the User’s prior instructions, for example ensuring that the User remains unsubscribed from DocFox Africa’s mailing list; and
- DocFox Africa’s operational purposes and/or for production as evidence by DocFox Africa in legal proceedings in which event records relating to the User’s use of the Website and the Personal Information submitted by the User may be required to be retained in terms of legislated records retention requirements.
TRANSBORDER FLOW OF PERSONAL INFORMATION
- DocFox Africa appoints certain agents, third parties and/or service providers which operate outside the borders of the Republic of South Africa, alternatively outside the country in which the User resides and/or operates from. As a result, DocFox Africa is required to transmit the User’s Personal Information outside South Africa, alternatively outside the country in which the User resides and/or operates from;
- The purpose of the trans-border flow of the User’s Personal Information may include, but is not limited to data hosting and storage;
- The User expressly consents to the trans-border flow of the Personal Information, in order to enable the trans-border flow of the aforesaid information;
- DocFox Africa warrants in this regard that it shall only engage the services of third parties (in relation to the aforesaid trans-border flow of information) which subscribe to internationally recognised standards in this regard and in order to secure the integrity and confidentiality of the User’s Personal Information.
HANDLING OF THE USER’S PERSONAL INFORMATION
- DocFox Africa shall secure the integrity and confidentiality of the User’s Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of the User’s Personal Information and the unlawful access to or processing of such Personal Information;
- DocFox Africa will not sell, exchange or transfer the User’s Personal Information to any third party without the User’s consent and save as provided for in this Privacy Policy.
DISCLOSURE OF PERSONAL INFORMATION
- DocFox Africa may disclose the User’s Personal Information to its third-party service providers, where necessary. DocFox Africa requires that its service providers take appropriate, reasonable, technical and organisational measures to keep the User’s Personal Information secure and such third parties may not use or disclose the User’s Personal Information for any purpose other than providing the services required by the User on DocFox Africa’s behalf;
- DocFox Africa may disclose the User’s Personal Information under the following circumstances:
- to comply with the law or with legal process;
- to protect and defend DocFox Africa’s legitimate interests (safety, property or other rights);
- to protect DocFox Africa against misuse or unauthorised use of the Website and/or of the services offered by DocFox Africa; and
- to protect other customers, Website users or third parties affected negatively by the User’s actions in his/her/its use of the Website.
ACCESSING AND UPDATING PERSONAL INFORMATION BY THE USER
- DocFox Africa will take reasonable steps to keep the User’s Personal Information accurate and complete. DocFox Africa suggests that the User regularly updates his/her/its Personal Information;
- The User can request access to any of his/her/its Personal Information held by DocFox Africa at any time and for any purpose, including to request DocFox Africa to correct any portion of the Personal Information held by DocFox Africa which is inaccurate, or to delete the Personal Information which DocFox Africa is no longer entitled to retain by law or for a legitimate purpose;
- The User also has the right to revoke his/her/its consent to the processing of his/her/its Personal Information by DocFox Africa.
Data Privacy Compliance (POPIA & GDPR)
1. Introduction
DocFox Africa (DFA) provides its services to Accountable Institutions to assist them in
meeting their compliance obligations in terms of the Financial Intelligence Act (FICA). These
services are provided using software licensed from DocFox Inc (DInc), incorporated in
Delaware in the United States. For ease of reference, DFA and DInc will be referred to
collectively as DocFox where applicable. The integrity and confidentiality of the personal
information of our customers and their clients is of critical importance for DocFox.
2. Data Privacy Laws and Regulations
The flow of our customer data originates in South Africa and is then transferred offshore,
where it is hosted via third-party providers. DocFox therefore complies with local (Protection
of Personal Information Act, POPIA) and global (General Data Protection Regulation,
GDPR) data privacy laws and regulations.
The reason for this offshore data transmission is that DocFox’s data cloud storage centre is hosted in the Republic of Ireland, by two main subcontractors. These subcontractors are AWS (supplier of infrastructure-as-a-service) and Heroku (supplier of platform-as-a-service) respectively. Personal information is only processed by DocFox, as well as our third-party service providers, for the specific, lawful purpose for which it is gathered, which is the customers’ FICA compliance obligations.
Section 72 of the POPIA allows for the transfer of data across international borders. There are certain conditions that are required to be met, which include the following:
- Data subjects must consent to the transfer of their personal data.
- AWS, as a subcontractor, must be subject to a law, binding corporate rules, or a binding agreement with DocFox.
- Providing adequate protection for such transfer and that the transfer is necessary for the performance or conclusion of a contract, concluded in the interest of the data subject between DocFox and AWS.
As a subcontractor and data processor to DocFox, AWS and Heroku are subject to Irish Data Protection Laws. Ireland is subject to the GDPR, which is viewed globally as a leading, multi-jurisdictional law on data protection. The legal opinions referenced above also provide that Irish Data Protection Laws uphold principles for fair data processing that are substantially similar to the conditions set by POPIA.
3. Compliance and Data Protection Measures
DocFox takes the security of our customer data very seriously and therefore has
implemented the following data privacy compliance and security controls to mitigate the risk
of data breaches. These controls are monitored regularly to ensure their operating
effectiveness.
3.1 Data Privacy Policy
DocFox has a privacy policy and our policy approach is consistent with the core principles of
POPIA, which is to protect the privacy rights of individuals and juristic entities and to ensure
the secure handling of personal data. DocFox is registered with the Information Regulator in
South Africa, and any privacy-related concerns or complaints can be directed via
privacy@docfox.co.za.
3.2 Service Level Agreements (SLAs)
DocFox has an SLA in place with every customer, where it is incumbent on the customer to
obtain the necessary consent of their data subjects. The SLA confirms that DocFox will only
collect, store, and process data which is necessary to deliver agreed services. In addition,
we have SLAs in place with our subcontractors, which state that data is not permitted for
onward transmission.
Clauses in the SLA also address a vital part of POPIA, which is the destruction or de-identification of personal information when DocFox no longer has the legal right to retain such information. For example, when an SLA with a customer is cancelled or is not renewed.
The fact that our customers and their respective clients’ data is stored offshore with AWS is clearly communicated in clause 18 of DocFox’s current SLA with customers. In terms of the SLA, the customer also warrants that their client’s consent will be obtained for the transfer of personal information, which is in line with s72(1)(b) of POPIA. Through the customer’s signature of the SLA, it also consents to the transfer of its personal information and that of its clients to AWS hosted in the Republic of Ireland. The provisions of s72 of POPIA are also clearly articulated and communicated to our customers throughout clause 18.
3.3 Data Access Control
Customer data is only examined directly if it is absolutely necessary for technical reasons.
Furthermore, only the core development and support team have access privileges that allow
for the direct modification of production data. Such modification is to be done in only the
most critical of cases and/or at the documented request of a customer.
3.4 Data Encryption & Recovery Processes
Technical security measures are also monitored by DocFox; this includes all customer data
being encrypted during transmission and at rest. All data is backed up on a regular basis,
and disaster recovery tests are run annually per company policy.
Users of the web interface must authenticate themselves with a username, password, and multi-factor authentication. DocFox uses various software, infrastructure, and architecture to restrict logical access, including a defence-in-depth approach with gateway and perimeter defences, encryption, secure operations policies and procedures, secured endpoints, and backups.
4. Conclusion
DocFox’s security and risk management procedures have been audited by an independent
audit firm that has tested our controls as per the SOC 2 (Security and Organisational
Controls) reporting standards. We trust that this provides your organisation with assurance
with regard to our commitment to data privacy and security standards. Should you have any
further questions, please feel free to contact our Sales Team at sales@docfox.co.za.