POPIA

it's important that we are fully transparent about all matters that relate to POPIA in order to give our clients confidence that we are safe-guarding the data that they entrust us with

The Protection of Personal Information Act (POPIA) is the act in South Africa which governs the use and processing of personal information and the right to privacy. More information on the act can be found here:

• the official act (opens new window)
• unofficial guidelines (opens new window)

As a processor of personal data - especially one that processes personal data on behalf of an intermediary - it's important that we are fully transparent about all matters that relate to POPIA in order to give our clients confidence that we are safe-guarding the data that they entrust us with.

This page describes the personal data that we manage, how we manage the data, and what measures we have put in place to safeguard this data. Where necessary it links to further information and guidelines to expand on a specific measure.

Personal information

There are 2 sets of personal data which Spike is exposed to:

1. bank statements of an account holder
2. registration details of a client

When a user signs up to Spike we capture their email address. We refer to users of our product as clients. We use clients' email address solely to communicate relevant information about the Spike service with clients. We do not undertake any Direct Marketing services with your contact details nor share these details with any 3rd parties. We make account settings available to clients that allow them control which communications they receive from us.

Clients use Spike in order to extract data from bank statements. These bank statements may be for a bank account owned by the client or for another user on who's behalf the client needs to process their data (e.g. the client is a lender, and the bank statements belong to a user whom is applying for a loan with the lender). These bank statements contain personal data: financial transactions, balances, account number, and name and address information. Spike does not retain this data - except temporarily under conditions describe in full below.

Consent

POPIA is clear that operators and responsible parties need to obtain consent from the owner of the data in order to process any personal data. Spike obtains this consent in two ways:

• when a new client registers we provide an opportunity to review our privacy policy and provide consent to the manner in which we process data as described therein
• further we provide links to this privacy policy in all touch points where personal data is submitted to Spike - namely:
  • in our online statement converter (opens new window)
  • and in our API documentation

Where clients are acting as a responsible party and submitting bank statements to us on behalf of an account holder, our terms & conditions warrant that the client has obtained consent from their users in order to have their data processed by a 3rd party.

Personal data retention

In general all personal data is destroyed within a week. A very small subset of data is retained for longer durations in order to ensure the ongoing provision and quality of the Spike service. These data retention rules are clearly described in our privacy policy. This is a full and accurate enumeration of all circumstances under which we encounter personal information. All processes to adhere to this policy are automated. We do not deviate from this policy. If ever there is cause to change these policies, we will notify all clients timeously via email prior to any changes being enacted.

Personal data breaches

Spike makes use a the latest best-practices in cloud security in order to safeguard the personal data that is entrusted to us. More information on these efforts can be found in our security policy below. However should we ever suffer a breach of personal information we follow our detailed breach policy. We put this policy together in order to commit ourselves to doing the right thing and in order to give our clients clarity on how we will handle the matter.

Right to be forgotten

POPIA includes provision for the "right to be forgotten". As per the personal data retention section above, Spike does not retain any personal data in perpetuity. However user data may be held temporarily in a queue. Any users who wish us to expunge their data from any temporary queues may contact us and we will happily comply.

In addition clients can contact us on the same link above in order to have all records of their account (including email addresses) permanently removed from our systems if they wish to do so after terminating their account with us.

Information officer

Any issues relating to Spike's adherence to POPIA can be addressed to our registered Information Officer:

• Mr. Ilan Copleyn
• [email protected]

Security policy

Our infrastructure conforms to industry best practices which includes secure https communications (with JWT auth), encrypt at rest data, and all servers are secured within an AWS VPS. Our detailed security guide describes our architecture in depth and lists the independent audits which we've passed. It is kept updated whenever we undertake new security measures.

Employee procedures

It's important that all staff are aware of the sensitivity of the data which we handle and commit to upholding data privacy. We have undertaken the following efforts in order to ensure that our staff remain cogniscant of these issues and that there is oversight of their actions:

• During our induction process we provide employees with training on information privacy and security and clarify both organisational and individual responsibilities.
• Employees contracts stipulate that they understand and will abide by these responsibilities.
• We have clear operating policies on how and when personal data can be accessed and managed and technology in place to ensure that staff can only access data that they require for a specific task