Trust
Trust and legal baseline for South African operations
This baseline is designed for CyberSec's current model: South African cybersecurity services with an expanding client platform. The goal is practical legal coverage that stands up in procurement, due diligence, and customer security review. It is implementation guidance, not legal advice.
Applicability at a glance
- POPIA: in scope for website and platform personal-information processing.
- PAIA Manual: in scope for private-body access-to-information obligations.
- Cookies: in scope where non-essential analytics or marketing technologies are active.
- Terms: website terms and platform terms should remain separate.
- Responsible disclosure: expected baseline for a cybersecurity provider.
- GDPR: conditional, based on territorial or targeting triggers.
- KYC/FICA/AML: conditional; not part of the baseline for the current model.
Must-have artifacts
- Privacy notice (POPIA): processing purpose, data categories, rights handling, retention, transfers, and Information Officer details.
- PAIA manual: records categories, request process, and responsible contacts.
- Cookie and tracking notice: cookie categories, consent model, and preference controls.
- Website terms: browsing, public-content, and acceptable-use boundaries for website visitors.
- Security testing authorization: written authority, scoping requirements, pre-test obligations, and authorization template language for intrusive services.
- Platform terms: authenticated tenant usage boundaries, data obligations, and service constraints.
- Responsible disclosure: reporting channel, safe-harbor position, and response targets.
Strongly recommended artifacts
- Security/trust page with control posture, tenant boundaries, and incident communication commitments.
- DPA/privacy schedule in customer contracts to define roles, instructions, and accountability.
- Sub-processor and cross-border transfer transparency wherever personal information leaves South Africa.
Applicable only when triggered
- FICA/KYC/AML: include when accountable-institution obligations are triggered.
- GDPR: include where territorial or targeting criteria are met.
- Certifications: reference only independently attained and actively maintained certifications.