Protection of Personal Information Act (POPI Act) – Data Protection Compliance & Security Policy

Contents

The POPIA Act
1. Introduction
2. Compliance
3. Definitions
4. Privacy Principles
5. Contact Rocketseed
6. Changes To This Policy
Data Collection and Processing
7. Information Rocketseed Collects
8. Processing
9. Disclosing Information
10. Retaining Information
11. Data Protection Rights
Service and Support
12. Implementation
13. Hosting Options
Security and Safeguarding Data
14. Security
15. Business Continuity
16. Access Control
17. Contact Rocketseed

The POPIA Act

1. Introduction

1.1 This POPI Compliance and Security Policy describes how Rocketseed (and applicable subsidiaries, together ‘Rocketseed’) operate in South Africa. The sections below clarify how Rocketseed collects, processes and safeguards personal information and data from individuals/clients using the Rocketseed software and services. This Policy was last revised in January 2023.

1.2 Rocketseed has two main responsibilities regarding Personal Data:

  • Collecting information for the purpose of fulfilling the requirements of a contractual and/or service relationship.
  • Collecting the necessary information needed to provide the service of conveying pertinent content through everyday email branding and signatures.

1.3 Rocketseed is a Responsible Party / Controller regarding the client’s Personal Information: company details, staff/user details, such as email, addresses, phone numbers, billing details, and other information used to do business.

1.4 Rocketseed is the Operator/Processor regarding the Personal Information that the client uploads in the form of a database, distribution list, or the like, as we process Personal Information.

2. Compliance

2.1 Rocketseed is compliant with the following South African legislation:

  • Protection of Personal Information (POPI) Act
  • Promotion of Access to Information Act (PAIA)
  • Electronic Communications Act of 2002 (ECT)
  • The Consumer Protection Act, 68 of 2008 (CPA)
  • Section 14 of the Constitution of the Republic of South Africa
  • Cybercrime and Cybersecurity Act

2.2 Rocketseed globally is also compliant with a number of international legislation, where applicable, on data safety and security, such as:

  • EU-General Data Protection Regulation 2016/679 (EU-GDPR) and the UK-General Data Protection Regulation (UK-GDPR);
  • United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act
  • Open Web Application Security Project (OWASP) development principles – applicable to RocketDev only.

2.3 Additionally, Rocketseed is also in the process of ISO27k certification with a Letter of Commitment available upon request.

3. Definitions

3.1 Personal data/Personal information: defined to include information relating to both an identifiable, living, natural person, and where applicable, an identifiable juristic person or legal entity, and includes

3.2 Sensitive data/Special Personal Information: includes all information relating to a person’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behavior. POPIA also specifically regulates personal information (of a child). Not collected by Rocketseed.

3.3 Data controller/Responsible Party: A public or private body that determines the purpose and means for processing personal information of a data subject. In our case it is our clients who contract us to process information through our Software.

3.4 Data processor/Operator: A party that processes personal information on behalf of a responsible party, without coming under the direct authority of the responsible party. In our case, it is a Rocketseed subsidiary with whom the contract is signed.

3.5 Data subject: Any party to whom personal information relates.

3.6 Biometric data/Biometrics: A technique of personal identification that is based on physical, physiological, or behavioral characterization including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition. Not collected by Rocketseed.

3.7 Health data: Not collected by Rocketseed.

3.8 Pseudonymization: POPIA does not provide a definition for pseudonymization. However, ‘de-identify’, in relation to personal information of a data subject, means to delete any information that:

  • identifies the data subject;
  • can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
  • can be linked by a reasonably foreseeable method to other information that identifies the data subject; and
  • ‘de-identified’ has a corresponding meaning.

3.9 Right To Request/Access information/erasure: POPIA allows a data subject the right to request that a responsible party correct or delete personal information that is inaccurate, irrelevant, and excessive, or which the responsible party is no longer authorized to retain.

4. Privacy Principles

4.1 Being fully compliant with the POPI Act, Rocketseed has adopted its well-accepted attributes and principles which must be addressed for a successful POPIA implementation.

4.1.1 Accountability: Rocketseed has an appointed Information Officer who is responsible for ensuring that the information protection principles within POPIA and the controls are in place and complied with.

4.1.2 Processing Limitation: Rocketseed collects only the minimum information necessary, with consent, justification and objection, to be able to provide the service and meet contractual obligations.

Additionally, processing can only be done for the purpose for which it was intended and agreed, and further processing must be compatible with what was previously specified.

4.1.3 Purpose Specification: The personal information collected is for a specific purpose and the data subjects must be made aware of the purpose for which the personal information was collected.

4.1.4 Security Safeguards: Rocketseed has rigorous procedures in place, so that the integrity of the personal information in its control is secured through technical and organisational measures.

4.1.5 Information Quality and Data Subject Participation: Rocketseed takes reasonable steps to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date.

4.1.5.1 Data subjects have the right to request that a Responsible Party confirm (free of charge) whether it holds personal information about the data subject, and he or she may also request a description of such information.

4.1.5.2 Rocketseed provides a Right to Request form through its compliance platform, where data subjects have the right to request that a Responsible Party confirm (free of charge) whether it holds personal information about the data subject, and he or she may also request a description of such information.

4.1.5.3 Data subjects also have the right to request that data be deleted.

5. Contact Rocketseed

5.1 Data subjects have the right to access, correct, amend, or delete any Personal Information Rocketseed may hold, to register a complaint, or simply to find out more. A request can be submitted via the Group Privacy Page.

5.2 Via email at privacy@rocketseed.com

5.3 By submitting the Data Subject Request Form, also displayed on the Privacy Page.

6. Changes to this Policy

6.1 If we make any material changes, we will notify you by email or by providing the revised policy on our website. Your continued use of our services following the update means that you accept Rocketseed’s updated Data Protection Compliance & Security Policy.

Data Collection and Processing

7. Information Rocketseed Collects

7.1 Collection of personal information from clients

7.1.1 We collect personal information in the following ways:

  • Directly from Client during the inception of the contractual service.
  • Indirectly from Client when interacting with us electronically; e.g. browsing our website (including through mobile), filling out online forms, submitting requests for ticketing etc.
  • Directly from other sources, such as public databases, data aggregators and third parties etc, e.g. LinkedIn.

7.2 Directly from Users of Service

7.2.1 As a user of our services, personal information is required to fulfil the requirements of a contractual or service relationship, which may exist between Client and our organization. We collect:

  • Financial Details
  • Identification Number
  • Location Information
  • Banking Details
  • Confidential Correspondence
  • Email, Social Networks
  • Name
  • Telephone contact details

7.3 Indirectly Through Branding Interaction in B2B Emails

7.3.1 Our technology allows Clients of the Rocketseed software product to convey pertinent content through everyday email branding and signatures. Clients and their Recipients of emails are businesses who engage with each other and may already have an established relationship and communication.

7.3.2 If full engagement measurement is required, apart from normal information needed to send emails (such as an email address), the following data is stored for analytical purposes only:

  • IP address
  • Time of click
  • URL served – i.e. where the branding redirects the recipient as defined by the Client.

7.3.3 In the case of providing Data Analytics as an Operator, Rocketseed can only do so if requested by the Client as part of the contractual agreement of service and processing instructions. Hence, Clients should state in the Privacy Note on their website if they are collecting data for analytical purposes.

7.3.4 If Pseudonymization of data is requested, in which case we only have limited analytics capabilities, the information stored is limited to:

  • Domain name (e.g. @gmail.com)
  • Time of click
  • URL served – i.e. where the branding redirects the recipient as defined by the Client

8. Processing

8.1 The lawful bases Rocketseed relies on for processing

  • We have your consent to do so;
  • We have an obligation to carry out the performance of a contract with you;
  • We are required by law to process your personal information;
  • The processing protects your legitimate interest; and
  • We have a legitimate interest to pursue.

8.2 Processing information of children

  • Rocketseed does NOT collect or process any data on children.

8.3 Processing and Sub-Processing

8.3.1 Rocketseed engages with third party data centres for data storage and large scale processing. These are referred to as sub-processors. Sub-processors are vetted based on their ability to provide a rigorous safety environment, ISO certifications and stringent breach management and prevention procedures, as well as robust business continuity infrastructure. are hosted by sub-processors (data centres), which have been assessed having. Personal information is held at local data centres that operate within South Africa, ensuring that such data is not transferred outside of South Africa in line with POPI Act compliance requirements.

8.3.2 Information on our Sub-Processors can be found here, along with their locations and Data Protection Policies.

8.3.3 For added reassurance, Clients may opt to have a dedicated server within their own premises, and behind their own firewalls.

9. Disclosing Information

9.1 To maintain and improve our services, personal information may need to be shared with or disclosed to service providers, other Controllers or, in some cases, public authorities. We may be mandated to disclose personal information in response to requests from a court, police services or other regulatory bodies. Where feasible, Rocketseed will consult with Client prior to making such disclosure and, in order to protect privacy, we will ensure that we will disclose only the minimum amount of information necessary for the required purpose.

10. Retaining Information

10.1 We will keep information only for as long as we need it, given the purpose for which it was collected, or as required by law (including tax legislation) and any other statutory obligations (including anti-money-laundering and counter-terrorism requirements).

10.2 Personal Information for processing purposes (e.g. emails, IP addresses or domain names) is purged from the system bi-annually to remove inactive/retired users. If a data subject requests removal sooner, Rocketseed will oblige within the time limit set out in Data Protection Laws.

11. Data Protection Rights

11.1 PAIA gives legislative effect to the right of access to information.

11.2 Clients and individuals who have conducted business with Rocketseed, or believe we may hold their personal data, have the right to request a record from us about the type of personal information we hold, as well as information about all third parties with whom we have shared that personal information. Once Rocketseed has responded to the request, we can be asked to:

  • correct or delete the personal information in our possession or under our control if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained unlawfully;
  • destroy or delete a record of any personal information that we are no longer authorized to keep in terms of the Act or other regulatory requirements; or
  • stop or start sending you marketing messages by informing us in writing by post or email through our office network, or website.

11.3 A request can be submitted at any time to Rocketseed via our Privacy Page, or email privacy@rocketseed.com.

Service and Support

12. Implementation

12.1 Project Management

12.1.1 To ensure smooth implementation, Rocketseed uses a clearly defined project management methodology, which incorporates parallel processes for the technical and marketing aspects of the rollout and is customized to the needs of Clients.

12.2 Structured Rollout and Support

12.2.1 The key to implementation is a controlled rollout process, with defined focus areas encompassing:

  • step-by-step technical and security setup procedures conducted alongside intense monitoring until sign-off
  • continued normal 24/7 monitoring with feedback for continued functionality of hardware, email flow and potential risk of disruptions
  • resolution via a technology and support process that enables the immediate correction of any issues that may arise, including email format issues

12.3 Procedures include:

  • Mark-up testing
  • Functional Testing
  • Load testing
  • Security reviews

13. Hosting Options

13.1 Shared servers – Logical Separation

13.1.1 Rocketseed hosts shared servers in data centres in USA, UK, and South Africa. Each server handles outbound email traffic for a number of customers. Customers are segregated into individual accounts and cannot see or affect other users’ mail traffic and branding.

13.1.2 All such servers are maintained with failover pairs in distinct locations. If an issue should affect a primary server, there is a spare server at the ready to take over branding duties until the problem is resolved. Cutover is made by Rocketseed staff and does not require any action by the customer.

13.2 Dedicated Servers and Azure – Physical Separation

13.2.1 Customers can be provisioned on a dedicated server hosted in one of our data centres. Rocketseed remains responsible for the hardware, networking, monitoring and backups. Each dedicated server delivers mail from a unique IP address, ensuring there is no reputation risk from other clients’ traffic creating blacklist entries.

13.2.2 These servers are normally set up in tandem pairs in distinct locations to ensure full failover redundancy if desired.

13.2.3 The Rocketseed software is fully compatible with modern virtualization environments. In particular, hosting a Rocketseed email media appliance in the Azure cloud makes sense for many customers hosted on Microsoft Office 365.

13.3 Release strategy – Installation, Testing, and Rollback

13.3.1 The process of installing a new server undergoes extensive testing and training by Rocketseed system administrators. Each new installation, as well as software upgrade, requires a sequence of steps to ensure that functionality is complete, and a checklist is employed to test all aspects of the system before customers access it.

13.3.2 Rocketseed installations consist of a pair of servers acting in tandem with offsite database backups to ensure the ability to roll back any upgrades if needed.

13.4 Service Level Agreement (SLA)

13.4.1 SLAs are provided with a more detailed outline of the support and incident management procedures.

Security and Safeguarding Data

14. Security

14.1 Product Security

14.1.1 Servers and desktops are kept patched with the latest updates in order to reduce system vulnerability and to enhance and repair application functionality.

14.1.2 Third Party Security Scans are performed on software updates, which are tested for security vulnerabilities and to validate data integrity, using up-to-date scanning software.

14.1.3 The software is fully tested for various hacking processes, as well as breaches. Other tests, practices and monitoring are put into place to ensure system stability.

14.2 Cyber Security

14.2.1 All US, UK and EU Rocketseed hosting providers are ISO 27001 and 9001 certified with tier-one security premises and have stringent controls in place.

14.2.2 Server Hardening procedures fully lock down Rocketseed servers and have been developed to pass 3rd party security review processes, such as those from legal, technical or financial enterprise customers, with high security requirements. Servers can be further secured with additional measures, where requested.

14.2.3 Both hardware- and software-based firewalls are in place, and regular penetration tests are performed, to provide additional security.

14.3 Reports & Incidents

14.3.1 Rocketseed has information security incident response, business continuity, and disaster recovery plans to follow should an incident occur. In general, the response follows the steps below:

  • Identification and classification of incident or threat
  • Containment, recovery and response
  • Notification of breach
  • Evaluation
  • Risk assessment
  • Future controls for mitigation

15. Business Continuity

15.1. Escrow Deposits

15.1.1. Each major release of the Rocketseed software is delivered to a third-party escrow management company and is regularly updated. This ensures that in the event of a complete dissolution of the Rocketseed development team, or a complete loss of the development archives, the entire software system can be recreated.

15.2. Real Time Monitoring And Response

15.2.1. Each server is monitored from a centralized Rocketseed control system; tracking email flow, disk and memory usage, server load and other parameters that measure email delivery and branding operations.

15.2.2. Notification occurs via email and SMS alerts, and is configured to reach a number of different support personnel to ensure prompt response.

15.3. Server Redundancy

15.3.1. Each Rocketseed server is configured with internal redundancy to ensure the highest possible hardware uptime.

15.3.2. Every hosted Rocketseed server is configured with a matching spare server in stand-by at a separate data centre.

15.3.3. Further elements of redundancy management include:

  • Live database redundancy
  • Mail server redundancy
  • Complete system redundancy

15.4. Data Backups

15.4.1. No data from backups is shared with any third party unless Rocketseed is legally obligated to do so. The scheduled data backups are stored in a separate offline database and are encrypted.

15.4.2. Daily Backups

15.4.3. Daily snapshot backups are performed on every account including contact data, messages, and reports. These daily backups are kept onsite for 14 days (two weeks).

15.4.4. Two types of backups are performed:

  • Physical backups, entailing the entire server and data, on site and remotely – for UK/US only.
  • Logical backups, covering the database exclusively, both locally and remotely.

15.4.5. Offsite Backups

15.4.6. Complete daily backups are stored offsite for 3 days and then updated.

15.5. Encryption

15.5.1. Although the data is not encrypted at rest (the upgraded tech stack (not cloud) is being tested with encryption of data at rest), it is encrypted in transit via TLS, HTTPS and SSH.

15.5.2. The database is encrypted when not in use on dedicated systems. Moreover, it does not actively communicate through external ports. Firewall limitations permit access to the system only for whitelisted IP addresses using non-root, key-based authentication following the industry-standard SSH protocol.

  • Secure ISP: Our internet service provider uses the highest security protocol.
  • SFTP/SCP: We transfer files using a secure data stream.
  • HTTPS: This secure layer encrypts and decrypts user page requests and pages returned by the server.
  • Secure MTA: Our MTA uses strict security measures to make sure all messages are secure during transfer.

16. Access Control

16.1 Physical Access to the Office

16.1.1 The following physical safety measures are applicable to Rocketseed offices:

  • Gated security
  • Keycard entry
  • Security alarms
  • Receptionist to identify visitors and ensure they sign in on the register
  • CCTV

16.2 Staff

16.2.1 All staff, including employees and contractors, are vetted through agencies with thorough background checks (criminal records, eligibility to work at a specified location, etc.), references, and any necessary documentation requested.

16.2.2 All staff are moderated by their contracts.

16.2.3 All staff attest to terms and conditions that specifically outline privacy, information security, and confidentiality and must verify in signing that they have read and understood all the procedures and policies of the company.

16.2.4 This also includes necessary training and coaching before being allowed to access any confidential or personal files.

16.2.5 Our Data Safety as well as HR Handbooks form part of the employment/working relationship between Rocketseed and its staff, and must be signed prior to work commencing. These include, but are not limited to:

  • Acceptable Usage Policy relating to the use of any office technology and software (e.g. telephone, mobile phone, fax, email, internet, intranet, and remote access, etc.), as outlined in our internal handbooks.
  • Clean Desk Policy and Awareness ensures that visitors or unauthorized persons are unable to view personal or sensitive information, whether held on paper documents or displayed on monitors, etc.
  • Other policies cover, e.g., email usage, remote access, password/passphrase creation, laptops and other company devices, cyber security, ethics, harassment, and overall business conduct.

16.3 Third Party Platforms and Server Access

16.3.1 Access to various platforms concerning day-to-day activities (Google Drive, PeopleHR, Salesforce, ticketing systems, etc.) is managed by top directors with admin access. Staff access to data on these platforms is given in a tiered fashion.

16.3.2 Email is controlled by top management technical staff (‘super admins’) who either add staff when employment starts, or immediately remove staff upon a decision to retire or leave the company.

16.3.3 Access to servers is managed through rigorous controls by Rocketseed, as well as by the host centre or server provider. The controls are company confidential, and access is restricted to the specific IP addresses of certain authorised staff, listed as ‘high-level’ Rocketseed technical staff.

16.3.4 Staff who access servers for installation, maintenance or support purposes also need identity verification from the data centre for additional security and control, meaning, both ends need to identify the requestor for successful access.

16.3.5 Retired or resigned staff are removed immediately from access control lists.

Rocketseed meets all key Security and Compliance standards