POPIA compliance
Built for South Africa. POPIA-aligned by default.
Octava Solutions is a Johannesburg-based responsible party under the Protection of Personal Information Act, 2013 (Act 4 of 2013). This page is our public POPIA manual — it tells you who's accountable for your information, what we hold, on what legal basis, and how to exercise the rights POPIA gives you.
Last updated · 26 May 2026
1 · What POPIA is
The Protection of Personal Information Act, 2013 ("POPIA") is South Africa's primary data protection law. It came fully into force on 1 July 2021 and applies to anyone in South Africa — or processing South African residents' data — who collects, stores or otherwise uses personal information.
The law is overseen by the Information Regulator (South Africa), an independent body with the power to investigate, issue enforcement notices, and impose administrative fines.
2 · Information Officer
POPIA requires every responsible party to appoint an Information Officer accountable for compliance. Ours is reachable at:
Information Officer
Octava Solutions Studio
Johannesburg · Remote-first
Our Information Officer is registered with the Information Regulator in line with the requirements of section 55 of the Act.
3 · Categories of personal information
We process the following categories of personal information about prospects, clients, and members of the public who interact with us:
- Identity data: name, the company you represent, your role.
- Contact data: email, phone number, physical address (where you choose to share it).
- Engagement data: the brief you send us, project notes, meeting calendar, and the outputs we produce together.
- Financial data: for paying clients, invoice records, bank-transfer references, VAT numbers.
- Technical data: aggregate page-view counts (no cookies, no fingerprinting). See our cookie policy for the full list.
We do not process special personal information (race, religion, health, biometrics, etc.) or children's data.
4 · Lawful basis for processing
POPIA section 11 lists six lawful grounds for processing personal information. We rely on these three:
- Consent (s.11(1)(a)) — you submit a contact form, book a discovery call, or sign up for an announcement list. You can withdraw consent at any time (see "your rights" below).
- Contract (s.11(1)(b)) — once you sign a proposal, we process the data necessary to deliver that engagement (kick-off briefs, weekly demos, invoices, support).
- Legal obligation (s.11(1)(c)) — South African tax law requires us to retain invoices and related records for 7 years even after you ask us to delete other data.
5 · Retention periods
- Contact-form & booking records: 24 months from the last interaction, then archived to a cold backup and deleted at month 36.
- Active project records: for the duration of the engagement, plus 7 years (tax retention).
- Invoices and quotes: 7 years from the tax year in which they were issued.
- Database backups: daily for 30 days, then monthly for 12 months, then deleted.
Beyond these periods, we delete records in the next quarterly cleanup unless a specific legal hold requires us to keep them.
6 · Cross-border transfers
Section 72 of POPIA restricts the transfer of personal information out of South Africa. The destinations we use are all in jurisdictions with substantially similar protection (the EU under the GDPR, and the UK under the Data Protection Act 2018):
- Database & file storage: Supabase in the EU (eu-west-1) region. Subject to GDPR.
- Email delivery: Resend (US, with EU-aligned standard contractual clauses) or Google Workspace, depending on the channel.
- Calendar: Google Workspace, with EU data residency where the calendar is enabled.
We require all sub-processors to maintain contractual POPIA-equivalent safeguards and to notify us within 72 hours of any security incident affecting your data.
7 · Security safeguards
We follow industry-standard technical and organisational safeguards:
- TLS 1.3 in transit; AES-256 encryption at rest on Supabase.
- Access to the admin panel is restricted to a small set of named staff, gated by hardware-key MFA.
- Credentials are never stored in plain text; they live in environment variables on the hosting platform and are rotated on offboarding.
- Daily encrypted backups; restore drills run quarterly.
- Incident-response runbook with a 72-hour notification commitment to affected data subjects in the event of a material breach (POPIA s.22).
8 · Your rights as a data subject
POPIA grants you, as the "data subject", the following rights:
- Right to be notified when your information is collected (s.18).
- Right of access to confirm what we hold and request a copy (s.23).
- Right to correction of inaccurate or outdated data (s.24).
- Right to deletion of data we no longer need to retain (s.24).
- Right to object to processing on specific grounds (s.11(3)).
- Right to withdraw consent at any time (s.11(2)).
- Right to lodge a complaint with the Information Regulator (s.74).
9 · Filing a request
To file a Data Subject Access Request, send an email to support@octava.co.za with the subject line "POPIA Request — [Access | Correction | Deletion | Objection]" and include:
- The email address you used when you interacted with us (so we can locate the record).
- The right you're exercising and the data scope.
- A reasonable proof of identity (e.g. a reply from the same email).
We respond within 30 calendar days as required by section 24 of POPIA, free of charge for reasonable requests. For requests that require substantial effort (e.g. large historical exports), we'll quote a fee in advance per the prescribed Form 3.
The official PAIA/POPIA Form 2 (request for access) is accepted but not required — a clear email with the information above is enough.
10 · Filing a complaint
If you believe we have not handled your information in line with POPIA, you can complain directly to us first — we treat every complaint as a P1 issue and reply within two business days.
You also have the right to escalate to the Information Regulator at any time:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
complaints.IR@justice.gov.za
inforegulator.org.za
11 · Contact
Our Information Officer answers POPIA questions personally — usually inside one business day. Email support@octava.co.za or call +27 11 555 0199 during South African business hours.
Questions about this document? We answer them ourselves. Reach out and a real person will reply within one business day.