POPIA Compliance Statement
How InTouch collects, processes, stores, and protects personal information in full alignment with the Protection of Personal Information Act (POPIA) — and what this means for your institution and your clients.
Our Commitment to Personal Information Protection
InTouch International is committed to the lawful, transparent, and secure processing of personal information. This statement sets out how InTouch complies with the Protection of Personal Information Act, 2013 (Act 4 of 2013) ("POPIA") in the delivery of its compliance automation and identity verification services.
POPIA came into full effect on 1 July 2021 and establishes the framework governing the collection, use, storage, and sharing of personal information about natural persons (and juristic persons) in South Africa. For accountable institutions using InTouch's platform, POPIA compliance is not merely good practice — it is a legal prerequisite for conducting any customer due diligence or verification activity.
InTouch operates simultaneously as a Responsible Party (in respect of platform users' data) and as an Operator (in respect of personal information processed on behalf of accountable institution clients). This document addresses both roles and the obligations arising from each.
FICA Section 21, read with POPIA Section 11(1)(c), requires that personal information collected for customer due diligence must have a lawful basis. By using InTouch, your institution benefits from a consent infrastructure, processing agreements, and data governance controls that are pre-built for this requirement — reducing your compliance burden significantly.
InTouch's Role Under POPIA
POPIA distinguishes between the Responsible Party (who determines the purpose and means of processing) and the Operator (who processes on behalf of the Responsible Party). InTouch occupies both roles depending on context.
InTouch as Responsible Party
For personal information collected about platform users (employees of accountable institutions who access the InTouch portal), InTouch is the Responsible Party. This includes login credentials, usage data, and contact information. InTouch determines the purpose of this processing and is accountable for its lawfulness.
InTouch as Operator
When accountable institution clients use InTouch to verify their customers' identities, InTouch processes that personal information as an Operator — acting under instruction from the institution (the Responsible Party). InTouch may not process this data for any purpose other than delivering the contracted verification service.
Data Processing Agreement (DPA)
POPIA Section 21 requires that Operators be engaged under a written agreement. All InTouch clients are bound by a Data Processing Agreement incorporated into the InTouch Terms of Service, which defines the scope, purpose, and security requirements for all processing carried out on their behalf.
Compliance with POPIA's Eight Conditions for Lawful Processing
POPIA Chapter 3 sets out eight conditions that must be satisfied for any processing of personal information to be lawful. InTouch's platform architecture and governance framework are designed to satisfy all eight.
Condition 1: Accountability
InTouch has appointed an Information Officer registered with the Information Regulator, as required by POPIA Section 55. The Information Officer is responsible for overseeing POPIA compliance, managing data subject requests, and ensuring internal policies are enforced. A PAIA Manual is publicly available at intouch.io/paia-manual.
Condition 2: Processing Limitation
Personal information is collected only for the specific, explicitly defined purposes of identity verification, compliance screening, and related services. InTouch does not collect personal information beyond what is necessary for the service requested and does not retain it beyond the legally required period.
Condition 3: Purpose Specification
The purpose of all data collection is disclosed to data subjects before or at the time of collection via InTouch's Consent Service. Personal information is not used for any secondary purpose that is incompatible with the stated purpose for which it was collected.
Condition 4: Further Processing Limitation
InTouch does not further process personal information in a manner incompatible with the original purpose of collection. Verification data is used solely to deliver the specific verification result requested. No data is sold, licensed, or shared with third parties for commercial or marketing purposes.
Condition 5: Information Quality
InTouch verifies personal information against authoritative, real-time data sources including the Department of Home Affairs (DHA/HANIS) and CIPC. This ensures that verification results are based on accurate, complete, and up-to-date information. Data subjects can request correction of inaccurate records.
Condition 6: Openness
InTouch's Privacy Policy (published at intouch.io/privacy-policy), this POPIA Compliance Statement, and the PAIA Manual are publicly available. Data subjects are informed of the identity of InTouch, the purpose of processing, and their rights before any personal information is collected.
Condition 7: Security Safeguards
InTouch is built from the ground up in alignment with SOC 2 requirements across all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. All architectural, operational, and governance decisions have been made to satisfy these standards. All personal information is protected by AES-256 encryption in transit and at rest, access controls, role-based permissions, multi-factor authentication, and regular security audits. Security incidents are managed in accordance with POPIA Section 22 notification requirements.
Condition 8: Data Subject Participation
Data subjects may request access to, correction of, or deletion of their personal information held by InTouch. Requests are processed within 30 days in accordance with POPIA Section 23 and the PAIA framework. Requests can be submitted via hello@intouch.io or through the institution that initiated the verification.
Lawful Basis for Processing Personal Information
POPIA Section 11 requires that all processing of personal information has a lawful basis. InTouch relies on the following lawful grounds, depending on the context of processing.
| Processing Activity | Lawful Basis (POPIA s.11) | Notes |
|---|---|---|
| Identity verification of a client's customer | s.11(1)(c) — Legal obligation (FICA) | Verification is required by the FIC Act. Consent is also collected via InTouch's Consent Service as a supplementary ground. |
| AML / PEP / Sanctions screening | s.11(1)(c) — Legal obligation (FICA) + s.11(1)(f) — Legitimate interest | Screening is mandatory under the FIC Act and is also in the legitimate interest of protecting the financial system. |
| Bank account verification | s.11(1)(a) — Consent + s.11(1)(e) — Contract performance | Consent is obtained via the Consent Service. Also necessary for performance of the verification services contract. |
| Proof of address verification | s.11(1)(a) — Consent + s.11(1)(c) — Legal obligation (FICA) | Address verification is a FICA requirement. Consent is additionally obtained before processing. |
| Platform user account management | s.11(1)(e) — Contract performance | Necessary to provide access to the InTouch platform under the Terms of Service. |
| Audit trail and record retention | s.11(1)(c) — Legal obligation (FICA s.22–23) | 5-year retention is a mandatory FICA obligation. InTouch automates this retention on behalf of accountable institution clients. |
The InTouch Consent Service — Consent Done Right
Consent under POPIA must be voluntary, specific, informed, and unambiguous. InTouch's Consent Service is purpose-built to satisfy every requirement of a valid POPIA consent before any verification processing begins.
Consent Request Delivery
Consent requests are sent via your institution's preferred channel. The data subject receives a clear, plain-language explanation of what information will be collected, why, and by whom — before any processing occurs.
Branded Secure Consent Page
Customers review and approve on a secure, branded page. The experience is transparent and clearly associated with your institution — avoiding any confusion about who is requesting consent.
Timestamped Audit Log
Every consent response (grant or decline) is logged with a precise timestamp and stored in an immutable audit trail. This log constitutes proof of consent that satisfies POPIA Section 11 and is exportable on demand.
Withdrawal of Consent
Data subjects may withdraw consent at any time. InTouch records withdrawal events with the same precision as grants, and the system prevents further processing once withdrawal is logged.
Each consent record captures:
- Data subject full name and identity reference
- Institution making the request
- Purpose of processing (specific to the verification type requested)
- Date and time of request
- Date and time of response
- Response outcome (consent granted / declined / withdrawn)
- Channel used
- Unique consent transaction ID
- Link to the privacy notice presented at time of consent
Protecting the Rights of Data Subjects
POPIA grants data subjects significant rights over their personal information. InTouch respects and facilitates these rights for all individuals whose information is processed through its platform.
Right to be Notified
Data subjects are informed before their information is collected via the Consent Service — including the identity of the Responsible Party, purpose, and their rights.
Right to Access
Data subjects may request a copy of the personal information InTouch holds about them. Requests are fulfilled within 30 days via our Information Officer.
Right to Correction
If a data subject believes their information is inaccurate, incomplete, or outdated, they may request correction. InTouch will update records and notify relevant data sources where possible.
Right to Deletion
Data subjects may request deletion of their personal information where no lawful retention obligation exists. FICA's 5-year retention obligation supersedes this right during the mandatory retention period.
Right to Object
Where processing is based on legitimate interest, data subjects may object to processing. InTouch will assess and respond within 30 days.
Right to Complain
Data subjects may lodge complaints with the Information Regulator of South Africa (inforegulator.org.za) if they believe their POPIA rights have been infringed.
To exercise any of these rights, data subjects (or the accountable institutions acting on their behalf) may contact InTouch's Information Officer at hello@intouch.io, referencing their InTouch verification transaction ID where available.
Security Measures — Condition 7 in Detail
InTouch implements technical and organisational security measures appropriate to the risk of the processing activities it conducts. Security is not an afterthought — it is embedded in the architecture of the platform.
AES-256 Encryption
All personal information is encrypted at rest using AES-256. All data in transit is protected via TLS 1.3. Encryption keys are managed and rotated on a scheduled basis.
Role-Based Access Control
Platform access is governed by strict role-based permissions. No user can access personal information beyond what is required for their function. All access is logged.
SOC 2-Aligned Architecture
InTouch is built from the ground up in alignment with SOC 2 Trust Service Criteria covering security, availability, processing integrity, confidentiality, and privacy. All platform controls are designed and operated to meet these standards.
Security Incident Response
InTouch maintains a documented incident response plan. In the event of a security compromise affecting personal information, InTouch will notify affected clients and, where required by POPIA Section 22, the Information Regulator, within 72 hours of becoming aware.
Regular Penetration Testing
InTouch commissions penetration testing and vulnerability assessments on a regular basis. Results are reviewed by the security team and remediation is prioritised by risk severity.
Immutable Audit Logging
All access to personal information — who viewed, processed, or exported what, and when — is logged in an immutable audit trail that cannot be altered or deleted.
Third-Party Data Sources & Sub-Operators
InTouch integrates with authoritative government and commercial data sources to deliver verification results. All integrations are governed by appropriate data sharing and processing agreements.
| Data Source / Integration | Purpose | Data Shared | Governance |
|---|---|---|---|
| Department of Home Affairs (DHA/HANIS) | Identity verification against national ID register | ID number, name, date of birth | Government API |
| CIPC (Companies & IP Commission) | Company registration, director, and UBO verification | Company reg number, director names | Government API |
| PayInc SA (formerly BankservAfrica) | Bank account validity and ownership confirmation | Account number, ID number, name | Secure API + NDA |
| Credit Bureaus (accredited) | Address verification and contact enrichment | Name, ID number, address query | Secure API + NDA |
| Global Sanctions & PEP Databases | AML, PEP, and sanctions list screening | Name, date of birth | Secure API + NDA |
| Global News / Adverse Media APIs | Adverse media screening | Name only (no ID numbers transmitted) | Secure API + NDA |
InTouch does not sell, rent, or share personal information with any third party for marketing, commercial profiling, or purposes unrelated to the delivery of verification services. All sub-operators are bound by POPIA-compliant data processing agreements.
Data Retention & Deletion Policy
InTouch retains personal information only for as long as required by law or the purpose for which it was collected. Our retention framework is aligned to FICA's mandatory 5-year minimum and POPIA's prohibition on unnecessary retention.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Customer verification records (KYC, identity, AML) | 5 years from end of business relationship | FICA Sections 22–23 (mandatory) |
| Consent records | 5 years from consent event or withdrawal | POPIA + FICA alignment |
| Audit trail logs | 5 years from the logged event | FICA Sections 22–23 |
| Platform user account data | Duration of client contract + 12 months | Contract performance + POPIA |
| Security / access logs | 24 months from log date | Security best practice + POPIA |
Upon expiry of the retention period, personal information is securely deleted or anonymised in a manner that prevents reconstruction. Clients receive notification 30 days before scheduled deletion of records, allowing them to export any records they are required to retain independently.
Formal Compliance Declaration
InTouch 27 (Pty) Ltd hereby declares that, to the best of its knowledge and belief, its collection, processing, storage, and sharing of personal information complies with the requirements of the Protection of Personal Information Act, 2013 (Act 4 of 2013), and that appropriate technical, organisational, and governance measures are in place to maintain this compliance on an ongoing basis.
This statement is reviewed and updated at least annually, or sooner in the event of material changes to the law, the platform, or InTouch's processing activities.
For all POPIA-related enquiries, data subject requests, or questions regarding this compliance statement, contact InTouch's Information Officer at hello@intouch.io or visit intouch.io/privacy-policy. For formal complaints, data subjects may approach the Information Regulator of South Africa at inforegulator.org.za.
Questions about our data practices?
Our team is available to walk you through our POPIA compliance framework and answer any due diligence questions your institution or legal counsel may have.