Privacy Policy

Last updated on 21 January 2020
This policy should be read in conjunction with the CloudSquad/Arksoft Security Statement and POPI Page. CloudSquad/Arksoft is committed to protecting the privacy of your business and clients, whilst also developing technology that gives you the most powerful and safe online experience. Our privacy policy has been created by combining the most stringent rules from the regions in which we operate. Therefore, all data handling and storage is done in full compliance with, and often in excess of the requirements laid out in POPI. We are committed to helping you uphold your own and your clients’ rights over their personal information, whilst also making your obligations in meeting the requirements under data protection legislation as simple as possible.

Guiding Principles

Our commitment to protecting privacy is guided by our information security principles. These are as follows:

Processing Limitation – We will only process the data you have provided to us, for the purpose for which it was shared.

Accuracy – We will endeavour to make it as easy as possible for you to keep your information up to date.

Data Minimisation – If information you shared with us is no longer necessary to fulfil our contractual obligations, we shall ensure that any data which isn’t erased is in a non-identifiable form.

Openness – We pride ourselves on exceptional customer service, helping make your life easier, whilst also guarding your interests. Therefore, should you require further explanation on a subject, we will happily clarify our role and involvement with you.

Consent – If for any reason we should need to undertake further processing of information provided by you, we shall not do so without your consent, unless legally obliged.

Confidentiality – Fundamentally, we want to give you peace of mind, so that you can share information with CloudSquad/Arksoft with confidence! This will mean you can focus on the excellent service we provide.

Collection of Personal Information

You, the studio, collect personal information from your clients/students and provide this information in the CloudSquad Administration system, so that you can easily manage the administration and billing of your studio. It is therefore presumed that in adding this information to the CloudSquad system, you are authorised to do so.

Some of the personal information required is personally identifiable, such as an email address, name, home address or telephone number. Other non-identifiable information is also provided, such as anonymous demographic information, which is not unique, such as a person’s postal code, age, gender, preferences, interests, and favourites.

Information about your computer hardware and software is automatically collected by CloudSquad; this information can include: your IP address, browser type, domain names, access times and referring website addresses. CloudSquad uses this information for the operation of the System, to maintain quality of the System, and to provide general statistics regarding use of the System.

Security and Storage of Personal Information

Each region in which CloudSquad operates is assigned a data protection officer (DPO), whose role is to ensure that the company remains compliant with data protection legislation and honours this policy.

CloudSquad stores the information provided by you; however, you retain all rights to such information.

CloudSquad secures your personal information against any unauthorised access, use or disclosure. The personally identifiable information you provide is held on computer servers in a controlled, secure environment. The transfer of data is protected using encryption, such as the Secure Sockets Layer (SSL) protocol.

Changes to This Policy

CloudSquad/Arksoft may, from time to time, update its policy and so encourages you to periodically visit this page to review any changes made. CloudSquad/Arksoft will also notify you by e-mail of any significant changes.

CloudSquad welcomes any feedback that you may have regarding this Policy. Furthermore, if you believe that CloudSquad has not adhered to this Policy, please contact CloudSquad at support@cloudsquad.co.za and we will use commercially reasonable efforts to promptly determine and remedy the problem.

POPI

What is POPI?

The Protection of Personal Information Act No. 4 of 2013 (POPI) is South Africa’s legislation for the protection of individuals’ personal information against unethical use. The preamble to the Act states the intention is to:

“Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.”

The purpose behind POPI can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators engage in lawful processing of personal information in accordance with, and with respect for, the rights of data subjects.

Responsible Parties and Operators

The responsible party in respect of POPI is the public or private body or any other person which determines the purpose of and means for the processing of information.

An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Putting this into context, you, the client, are the responsible party for your students’ (data subjects’) personal information. CloudSquad/Arksoft is acting as an operator for your benefit, processing your students’ personal information in order to assist you in your studio’s administration. The relevance of this is that a party’s role determines their rights, obligations, and liabilities.

Lawful Processing of Personal Information

Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.

Under POPI there are eight principles for the lawful processing of information, aimed at striking a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:

  • Accountability
  • Processing Limitation
  • Purpose Specification
  • Further Processing Limitation
  • Information Quality
  • Openness
  • Security Safeguards
  • Data Subject Participation

More detailed information on each of these principles is provided in Chapter 3 of POPI. Whose legal responsibility it is to ensure compliance with POPI depends on the relationship between the data subject and the organisation doing the processing.

Rights of Data Subjects

Under POPI, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.

In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Pursuant to section 74, complaints can be made to the Information Regulator, by completing and submitting the relevant form found on their website.

POPI and CloudSquad/Arksoft (Pty) Ltd

CloudSquad/Arksoft has always been committed to the strictest levels of data protection and privacy. We treat the personal information of your studio and students with the utmost circumspection and respect for the rights of data subjects. More detailed information on how we do this can be found in our Privacy Policy and Security Statement below.

Privacy and data protection are cornerstones of the culture at CloudSquad/Arksoft, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by virtue of being an operator under POPI.

These obligations have been codified within POPI as follows:

Processing – Only process information with the authorisation of the responsible party.
Confidentiality – Treat personal information which comes to their knowledge as confidential.
Security – Put in place technical and organisational measures to ensure that the confidentiality and integrity of personal information is protected, and immediately notify the responsible party where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person.

The personal information provided to CloudSquad/Arksoft by you includes information such as data subjects’ names, dates of birth, gender, physical address, email address and contact numbers. On signup and to make use of CloudSquad, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.

As was the case before POPI, CloudSquad/Arksoft will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations in respect of your clients’/students’ (data subjects’) rights under POPI, as laid out in sections 23 to 25 of the Act.

As well as complying with the principles of lawful processing, which for CloudSquad/Arksoft includes meeting the three obligations covered above, the following are relevant:

Appointment and registration of a company Information Officer – CloudSquad/Arksoft has completed the registration of our Information Officer and Deputy Information Officer. They can be contacted at support@cloudsquad.co.za.

Security Statement

This Statement should be read in conjunction with the CloudSquad/Arksoft Privacy Policy and POPI Page.

CloudSquad/Arksoft protects you against the unauthorised access, use and disclosure of your information, both in transit when you access your information, and at rest on our server. Our adopted measures meet and often exceed the requirements laid out in the relevant data protection legislation. Some of our key controls are detailed below:

Protection of Data in Transit

Data transferred between your browser and the CloudSquad servers is encrypted and secured by SSL certificates – the same protocol used by your internet banking – so that no-one can eavesdrop on your communications.

Protection of Data at Rest

The CloudSquad servers are stored in a data centre in South Africa, hosted by Azure. Access to the buildings, data floors and individual areas is strictly controlled by means of individually programmed access cards – using biometrics and visual identification – ensuring secure, single-person entry.

High Security Standards

The CloudSquad inward and outward facing infrastructures are secure by design. We follow the Open Web Application Security Project (OWASP) guidelines and verify that they have been followed before making changes to our system. Role-based access controls are in place to limit the amount of information any one member of our team has access to, and all activity on privileged accounts is logged.

Our system is constantly being developed to protect your data from common attacks, such as cross-site scripting (XSS) and SQL injection. The processes we use have been designed with security at their heart and we continue to look for ways to update and improve them.

CloudSquad/Arksoft reviews the security measures of our service providers before contracting with them, ensuring that they are not a weak link in terms of our security. The Azure data centre has effective technical and organisational measures in place to ensure the protection of all information assets across their operations.

Availability and Confidentiality

The CloudSquad server infrastructure has alerts in place for unsatisfactory performance and is also monitored manually by our team to maintain service.

The confidentiality of your passwords is preserved by storing them via a one-way hash function in our database. This means that even if an unauthorised person were able to access the CloudSquad server, this information is still protected.

Personal Data Breach Process

In the unlikely event of a data breach, CloudSquad/Arksoft will contact all affected parties in accordance with our data breach process. This process is formulated to meet the strictest data protection requirements of our operational regions.