POPIA Compliance

1. Our Commitment to POPIA Compliance

CloudPrime Connect is fully committed to complying with the Protection of Personal Information Act 4 of 2013 (POPIA), South Africa's comprehensive data protection legislation. As a provider of telecommunications, AI-powered services, and business connectivity solutions, we understand the importance of safeguarding the personal information entrusted to us by our customers, website visitors, and business partners. This page outlines our approach to POPIA compliance, the measures we have implemented, and the rights available to data subjects whose personal information we process.

2. What is POPIA?

The Protection of Personal Information Act (POPIA) is South Africa's data protection law that gives effect to the constitutional right to privacy. POPIA establishes conditions for the lawful processing of personal information by both public and private bodies, and aims to promote the protection of personal information processed by public and private bodies. The Act is regulated by the Information Regulator (Information Regulator South Africa), established under Section 39 of POPIA. POPIA applies to the processing of personal information of South African data subjects and applies to all organisations operating in South Africa, regardless of where the data is processed.

3. Our POPIA Compliance Framework

CloudPrime Connect has implemented a comprehensive compliance framework addressing all eight conditions for the lawful processing of personal information as defined by POPIA:

• Accountability: We have designated an Information Officer responsible for ensuring compliance with POPIA. Our management structure ensures that data protection is embedded in all business processes, from customer onboarding through to service delivery and support.
• Processing Limitation: We collect and process personal information that is adequate, relevant, and not excessive for the specified purpose. We do not collect personal information beyond what is necessary to deliver our services effectively.
• Purpose Specification: All personal information processing is carried out for specific, explicitly defined, and lawful purposes related to our business operations and service delivery. These purposes are communicated to data subjects at the point of collection.
• Further Processing: Personal information collected for one purpose is not processed for a different, incompatible purpose without the data subject's consent or another valid legal basis under POPIA.
• Information Quality: We take reasonable steps to ensure that personal information is complete, accurate, and up-to-date. Customers can update their information through the client management portal or by contacting support.
• Openness: This POPIA Compliance page, together with our Privacy Policy and Cookie Policy, provides transparent notice of our data processing practices. Data subjects are informed of how their information is collected, used, and protected.
• Security Safeguards: We implement appropriate technical and organisational measures to secure personal information against unauthorised access, loss, alteration, or destruction. These include encryption, access controls, secure hosting, and regular security assessments.
• Data Subject Participation: We respect and facilitate the rights of data subjects to access, correct, delete, and object to the processing of their personal information as detailed below.

4. How We Process Personal Information

As a telecommunications and AI services provider, CloudPrime Connect processes personal information in the following contexts:

• Customer Accounts: Name, email, phone number, billing address, and banking details stored in WHMCS for account management and billing.
• CRM and Lead Management: Contact details and interaction history stored in EspoCRM for sales pipeline and customer relationship management.
• AI Chatbot Interactions: Names, email addresses, phone numbers, and conversation summaries collected when visitors interact with our AI chatbot on cloudprime.co.za.
• AI Receptionist and CloudPBX: Call recordings, voicemail transcriptions, and caller information processed through our AI-powered telephony services.
• WhatsApp Gateway: Message content and contact information processed through the business WhatsApp integration for customer engagement.
• Website Analytics: IP addresses, browser information, and browsing behaviour collected through cookies for website performance and analytics.
• Employment Records: Personal information of employees and contractors processed for HR and employment purposes.

5. Sensitive Personal Information (Special Personal Information)

POPIA defines "special personal information" as data relating to a person's health, sex life, biometric data, ethnic or social origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and criminal behaviour. CloudPrime Connect does not routinely collect special personal information. In the unlikely event that we need to process special personal information (for example, for emergency medical contact information), we will obtain your explicit consent in accordance with Section 26 of POPIA and apply enhanced security measures for the protection of such information.

6. Cross-Border Data Transfers

CloudPrime Connect primarily processes and stores data within South Africa. Our servers are hosted in South African data centres, and our AI models are run locally (via Ollama) without reliance on international cloud AI providers. In certain circumstances, data may need to be transferred across borders, for example when using international payment processors. Any cross-border transfers are conducted in compliance with Section 72 of POPIA, ensuring the receiving country has adequate data protection laws or appropriate contractual safeguards are in place.

7. Automated Decision Making

Our AI chatbot and AI Receptionist services make automated decisions and generate responses using machine learning models. These automated systems assist with answering customer queries, routing calls, and providing service information. Decisions that could significantly affect customers (such as service suspension) are not made solely by automated means. You have the right to request human intervention or review of automated decisions that produce legal effects or similarly significant impacts on you.

8. Direct Marketing

In compliance with Section 11 of POPIA and Section 69 of the Electronic Communications and Transactions Act (ECTA), CloudPrime Connect will not send you unsolicited direct marketing communications unless you have opted in or given prior consent. Existing customers may receive service-related notifications (billing, maintenance alerts, security advisories) that are not considered direct marketing. You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, contacting us at admin@cloudprime.co.za, or managing your preferences in the client portal.

9. Data Breach Notification

In the event of a data breach involving personal information in our custody, CloudPrime Connect will notify the Information Regulator and affected data subjects as soon as reasonably possible, and within the timeframes prescribed by POPIA. Our breach response plan includes immediate containment, investigation, assessment of impact, notification of affected parties, and implementation of remedial measures to prevent recurrence.

10. Exercising Your Data Subject Rights

To exercise any of your rights under POPIA, please submit a written request to our Information Officer. We will acknowledge your request within 5 business days and respond substantively within 30 calendar days as required by POPIA. If we are unable to comply with your request within this period, we will inform you of the reasons and provide an estimated timeline for resolution.

11. Information Regulator

The Information Regulator is the supervisory authority established under POPIA to monitor and enforce compliance. If you are dissatisfied with our response to your data subject rights request, you have the right to lodge a complaint directly with the Information Regulator.