At Makerble, protecting personal information is not just a compliance objective; it is fundamental to how we build and maintain our platform. This article explains how Makerble supports organisations operating under South Africa's Protection of Personal Information Act (POPIA), and what your organisation needs to do to use Makerble responsibly under that framework.
Please note: This article provides general guidance only. It is not legal advice. If you are unsure whether or how POPIA applies to your organisation, consult a qualified legal adviser. For any questions about Makerble's security and privacy practices, contact data.security@makerble.com.
What is POPIA?
The Protection of Personal Information Act (POPIA) is South Africa's comprehensive data protection law. It came into full force on 1 July 2021 and governs how organisations collect, process, store and share personal information about individuals. It applies to any organisation that processes the personal information of South African residents, including organisations based outside South Africa that use automated or non-automated means to process data within the country.
POPIA is built around eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Together, these conditions set a framework broadly comparable to GDPR in Europe.
Penalties for non-compliance can reach R10 million, and serious offences can carry criminal sanctions.
Makerble's role under POPIA
Under POPIA, your organisation is the responsible party: the entity that determines the purpose and means of processing personal information. Makerble acts as the operator: a third party that processes personal information on your behalf, under your instruction.
POPIA requires responsible parties to have a written contract with their operators that ensures the operator maintains appropriate security measures. Makerble's Terms and Conditions and Data Processing Agreement fulfil this requirement. Please review these documents and retain a copy for your compliance records.
1. Data security and encryption
Makerble implements industry-standard security measures across the platform.
At rest: All data stored within Makerble is encrypted using AES encryption, ensuring that personal information held on our servers is protected from unauthorised access.
In transit: All data transmitted between users and the platform is encrypted using Secure Sockets Layer (SSL/TLS) technology.
These measures support POPIA's requirement for appropriate, reasonable security safeguards to protect personal information against loss, damage, and unauthorised access or processing.
2. Access controls
Makerble restricts access to personal information through robust user authentication mechanisms.
Two-Factor Authentication (2FA): All user accounts can be protected with 2FA, requiring a second form of verification in addition to a password, e.g. a code sent to an email address or to a mobile phone.
Role-based access: Administrators can control which team members have access to which data within the platform, limiting exposure of personal information to those with a legitimate need.
These controls support POPIA's requirement that personal information is accessible only to authorised parties.
3. Cross-border data transfer
Makerble's platform is hosted on Microsoft Azure in Ireland (EU). This means that personal information entered into Makerble is stored and processed in the European Union.
POPIA places restrictions on the transfer of personal information outside South Africa. A transfer to a third-party country is permissible where that country has an adequate level of data protection in place. The EU's General Data Protection Regulation (GDPR), to which Ireland is subject, is widely regarded as meeting this standard. The EU has robust data protection law that effectively upholds conditions for lawful processing comparable to POPIA's own requirements.
By using Makerble, your organisation is transferring personal information to an operator based in a jurisdiction with strong, enforceable data protection law. We recommend that you document this transfer and the basis for it as part of your POPIA compliance records.
4. Breach notification
POPIA requires responsible parties to notify the Information Regulator and affected data subjects as soon as reasonably possible when there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.
Makerble has an incident response process in place to detect and respond to security incidents. In the event of a data breach affecting your organisation's data, Makerble will notify you promptly, providing you with the information you need to fulfil your notification obligations under POPIA.
Our incident response process includes:
- Automated monitoring for unusual activity
- A dedicated cybersecurity team responsible for incident response
- Clear escalation and communication procedures
- Post-incident recovery and restoration
5. Audit activity
Makerble maintains activity logs of user actions within the platform, including records of which users accessed or modified data and when. These logs support your organisation's ability to demonstrate compliance with POPIA's accountability condition.
Please note: Makerble currently logs user activity at the action level. A full version history of individual field changes, i.e. a record of what a field contained before it was edited, is not currently available. This is on our development roadmap. If field-level version history is a specific compliance requirement for your organisation, please discuss this with us before committing to the platform, as we may well be able to accelerate the development of this feature.
6. Data subject rights
POPIA grants individuals rights including the right to access their personal information, the right to request correction or deletion, and the right to object to processing. As the responsible party, your organisation is accountable for responding to these requests.
Makerble supports this by allowing administrators to locate, view, correct and delete contact records within the platform. Data can also be exported in CSV format at any time, enabling your organisation to respond to data subject access requests efficiently.
7. Appointing an Information Officer
POPIA requires organisations to appoint an Information Officer who is responsible for encouraging compliance with the Act and liaising with the Information Regulator. This is your organisation's responsibility, not Makerble's. Ensure your Information Officer is registered with the South African Information Regulator and is aware of your use of Makerble as a data processing platform.
What your organisation needs to do
Using Makerble in a POPIA-compliant way requires your organisation to take the following steps:
- Appoint and register an Information Officer with the Information Regulator
- Document your lawful basis for collecting and processing each category of personal information you handle on Makerble
- Obtain appropriate consent from data subjects before collecting their information, or establish another lawful basis under POPIA
- Maintain a record of your use of Makerble as a data operator, including the cross-border transfer to EU infrastructure
- Include Makerble in your privacy policy as a third-party processor of personal information
- Respond to data subject requests promptly using Makerble's export and contact management tools
- Report breaches to the Information Regulator and affected individuals where required
For questions about Makerble's security and data practices, contact data.security@makerble.com. For legal advice on POPIA compliance, consult a qualified South African data protection lawyer or the Information Regulator's website.














