Pursuant to Condition 7: Security Safeguards of the POPI Act, 4 of 2013

Physical Security:

All of Our Company’s data processing equipment is hosted in the Iris AI data centre (“Data Centre”) located in a secure office park. The office park can be found at 7 Drome Road, Formain, Lyndhurst, Gauteng, 2090. Access is restricted to both the office park and Data Centre by well-defined processes and ID Readers. They are also monitored on a 24/7 basis by security staff and surveillance cameras. A copy of the security measures implemented by Iris AI can be found on its website www.irisai.co.za. Alternatively, you can request a copy from our Information Officer.

Logical Access Prevention:

Our Company’s data processing systems are accessed by a limited number of authorised users with appropriate access rights. Dual-factor authentication is implemented for each role. Such access is restricted to a few users from the Administrative, Support and Management Teams. Within these teams, different roles are created based on the job requirements. Also, the activity of each user is monitored through monitoring solutions.

Data Access Control:

Only a limited set of users from Our Company’s Administrative, Support and Management Teams have access to the data processing systems which contain personal information. Data access privileges are defined by the job role of the user; accordingly, only authorised users with appropriate privileges have the access to personal information. No other user has any kind of access to this data. Our Company has implemented monitoring solutions to identify any attempts or actual unauthorised access to its systems and data.

Data Transfer Control:

Our Company’s processes and systems ensure that all personal information is encrypted whilst in transit or in storage. Our Company has implemented logging mechanisms to track data flows. Our Company’s users have restricted access to personal information.

Entry Control:

Our Company has implemented logging and monitoring which enable tracking of changes and any addition/modification/deletion of personal information and by whom. Additionally, Our Company has implemented role-based access mechanisms along with dual-factor authentication.

Instruction Control:

Our Company has defined and implemented standard process and policies which require special approval of the concerned parties within its business, including operational, legal and technical teams. Pre-identified individuals from Our Company’s Administrative and Support Teams are only involved in the actual processing of personal information. Pre-defined processes are in place to ensure that the confidentiality and the integrity of such data is maintained.

Availability Control:

Our Company has implemented well-defined disaster recovery plans which are tested on a regular basis. Back-up procedures and schedules have been defined and implemented.

Separation Control:

Data is separated both by logical and physical access controls. Network segmentations are in place to ensure that data is stored in the most restrictive zone of the network. Access to the data processing systems and the data itself is restricted by role-based privileges and dual-factor authentication. All access to the data systems and the data is logged and monitored. The production environment is completely segregated from the test environment.