Data Governance and Classification

To ensure absolute clarity under POPIA, Vizabiliti strictly distinguishes between the two categories of data we process. Each is governed by specific protocols codified in our Master Service Agreement (MSA).

Tier 1: Operational Data

Vizabiliti as “The Operator”.

Deceased Estate information, reminders and management data uploaded by you. You are the Responsible Party here!

We process this strictly on your behalf. We claim no ownership and access it only for technical support.

Tier 2: Subscriber Data

Vizabiliti as “The Responsible Party”.

Your firm’s administrative details, user lists and billing information.

We protect your business confidentiality. Your client lists and volume metrics are never mined or sold.

The Relationship

We protect your data so you can protect your practice

Your Legal Burden

POPIA Section 19

As the Tax Practitioner, you determine the purpose of the data. You are legally liable for the integrity and confidentiality of your client’s personal information.

Failure to secure this data can result in fines and reputational damage.

Our Contractual Duty

POPIA Section 20

Vizabiliti acts as your designated Operator. We provide the mandatory ‘technical and organisational measures’ required by law to secure the data.

We handle the encryption, access control and backups so you satisfy Section 19 automatically.

Operator Mechanisms

The Legal Mandate

Data Processing Agreement (DPA)

Our Terms of Service include a formal Data Processing Agreement (DPA) that satisfies your legal requirement to have a written mandate with your provider.

The Technical Shield

Verified Security Measures

Data is encrypted at rest and in transit. While we utilize US-based redundant storage for disaster recovery, decryption keys are managed in South Africa, ensuring data sovereignty.

Breach Protocol

Section 22 Notification Assurance

Automated notification systems ensure that if a compromise occurs, you are alerted immediately to fulfil your Section 22 reporting obligations.

Tier 2: Subscriber Business Confidentiality

Protecting your firm’s proprietary intelligence.

Policy 1: Commercial Confidentiality (No Data Mining)
We guarantee that your firm’s metadata (client lists, estate volumes, performance stats) is treated as Proprietary Business Information. It is strictly ring-fenced for billing purposes and is never mined for marketing or shared with third-party financial entities.

Policy 2: Zero-Standing Access (“The Ghost Rule”)
Our engineering staff have “no standing access” to your live environment. Access to Operational Data for technical support is:
* Consent-Based: Initiated only upon your specific support ticket request.
* Time-Bound: Uses temporary tokens that expire automatically.
* Audited: Every internal access event is logged in your immutable Audit Trail.
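As an added illustration of the three properties above (not Vizabiliti's own code; the ticket ids, the 15-minute token lifetime and the SHA-256 hash chain used to make the audit trail tamper-evident are all assumptions), a minimal just-in-time support access grant:

```python
import hashlib
import json
import time
from dataclasses import dataclass, field

# Assumed lifetime of a support access token (constructed value, not the vendor's setting).
TOKEN_TTL_SECONDS = 900

@dataclass
class AuditTrail:
    """Append-only log; each entry carries the hash of the previous one, so edits are detectable."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, event: dict) -> None:
        entry = dict(event, prev=self.last_hash)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        self.last_hash = entry["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

class SupportAccess:
    """Zero-standing access: a token exists only for an open subscriber ticket, and it expires."""
    def __init__(self, audit: AuditTrail, now=time.time):
        self.audit, self.now = audit, now
        self.open_tickets: dict[str, str] = {}  # ticket id -> subscriber id (constructed sample data)
        self.tokens: dict[str, dict] = {}

    def grant(self, engineer: str, ticket_id: str) -> str:
        subscriber = self.open_tickets.get(ticket_id)  # consent-based: no ticket, no token
        if subscriber is None:
            self.audit.record({"event": "grant_denied", "engineer": engineer, "ticket": ticket_id, "at": self.now()})
            raise PermissionError("no open subscriber ticket for this access request")
        token = hashlib.sha256(f"{engineer}:{ticket_id}:{self.now()}".encode()).hexdigest()[:32]
        self.tokens[token] = {"engineer": engineer, "subscriber": subscriber, "expires": self.now() + TOKEN_TTL_SECONDS}
        self.audit.record({"event": "grant", "engineer": engineer, "ticket": ticket_id, "subscriber": subscriber, "at": self.now()})
        return token

    def access(self, token: str, subscriber: str) -> bool:
        t = self.tokens.get(token)  # time-bound: the token is only honoured before its expiry
        ok = t is not None and t["subscriber"] == subscriber and self.now() < t["expires"]
        self.audit.record({"event": "access", "subscriber": subscriber, "allowed": ok, "at": self.now()})  # audited
        if t is not None and self.now() >= t["expires"]:
            del self.tokens[token]  # expired tokens are discarded, never silently renewed
        return ok
```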

Technical Specifications

Infrastructure & Encryption

  • Hosting: South Africa (Johannesburg) – Low latency and data sovereignty. (Domains.co.za, Teraco)
  • Encryption: AES-256 over SSL/TLS in transit, plus encryption at rest.
  • Disaster Recovery: Encrypted, geo-redundant backups stored via Backblaze (USA) with South African key management.

Access Control

  • High-Entropy Authentication: Mandatory 16-character complex password policy (beyond the reach of standard dictionary attacks).
  • Subscriber-Controlled 2FA: Optional Multi-Factor Authentication, configurable by the Subscriber Admin based on internal risk assessment.
  • Session Security: Aggressive auto-logout for idle workstations to protect office environments.

Need to perform vendor due diligence?

Our Compliance Pack includes our full Master Service Agreement, Security Schedule and PAIA Manual.
