Our commitment to protecting privacy is guided by our information security principles. These are as follows:
Processing Limitation – We will only process the data you have provided to us, for the purpose for which it was shared.
Accuracy – We will endeavour to make it as easy as possible for you to keep your information up to date.
Data Minimisation – If information you shared with us is no longer necessary to fulfil our contractual obligations, we shall ensure that any data which isn’t erased is in a non-identifiable form.
Openness – We pride ourselves on exceptional customer service, helping make your life easier, whilst also guarding your interests. Therefore, should you require further explanation on a subject, we will happily clarify our role and involvement with you.
Consent – If for any reason we should need to undertake further processing of information provided by you, we shall not do so without your consent, unless legally obliged.
Confidentiality – Fundamentally, we want to give you peace of mind, so that you can share information with CloudSquad/Arksoft with confidence! This will mean you can focus on the excellent service we provide.
You, the studio, collect personal information from your clients/students and provide this information in the CloudSquad Administration system, so that you can easily manage the administration and billing of your studio. It is therefore presumed that in adding this information to the CloudSquad system, you are authorised to do so.
Some of the personal information required is personally identifiable, such as an email address, name, home address or telephone number. Other non-identifiable information is also provided, such as anonymous demographic information, which is not unique, such as a person’s postal code, age, gender, preferences, interests, and favourites.
Information about your computer hardware and software is automatically collected by CloudSquad; this information can include: your IP address, browser type, domain names, access times and referring website addresses. CloudSquad uses this information for the operation of the System, to maintain quality of the System, and to provide general statistics regarding use of the System.
Each region in which CloudSquad operates is assigned a data protection officer (DPO), whose role is to ensure that the company remains compliant with data protection legislation and honours this policy.
CloudSquad stores the information provided by you; however, you retain all rights to such information.
CloudSquad secures your personal information against any unauthorised access, use or disclosure. The personally identifiable information you provide is held on computer servers in a controlled, secure environment. The transfer of data is protected using encryption, such as the Secure Sockets Layer (SSL) protocol.
CloudSquad/Arksoft may, from time to time, update its policy and so encourages you to periodically visit this page to review any changes made. CloudSquad/Arksoft will also notify you by e-mail of any significant changes.
CloudSquad welcomes any feedback that you may have regarding this Policy. Furthermore, if you believe that CloudSquad has not adhered to this Policy, please contact CloudSquad at firstname.lastname@example.org and we will use commercially reasonable efforts to promptly determine and remedy the problem.
The Protection of Personal Information Act No. 4 of 2013 (POPI) is South Africa’s legislation for the protection of individuals’ personal information against unethical use. The preamble to the Act states that the intention is to:
“Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.”
The purpose behind POPI can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators engage in lawful processing of personal information in accordance with, and with respect for, the rights of data subjects.
The responsible party in respect of POPI is the public or private body or any other person which determines the purpose of and means for the processing of information.
An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Putting this into context, you, the client, are the responsible party for your students’ (data subjects’) personal information. CloudSquad/Arksoft is acting as an operator for your benefit, processing your students’ personal information in order to assist you in your studio’s administration. The relevance of this is that a party’s role determines their rights, obligations, and liabilities.
Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.
Under POPI there are eight principles for the lawful processing of information, aimed at striking a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:
More detailed information on each of these principles is provided in Chapter 3 of POPI. Whose legal responsibility it is to ensure compliance with POPI depends on the relationship between the data subject and the organisation doing the processing.
Under POPI, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.
In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Pursuant to section 74, complaints can be made to the Information Regulator, by completing and submitting the relevant form found on their website.
Privacy and data protection are cornerstones of the culture at CloudSquad/Arksoft, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by virtue of being an operator under POPI.
These obligations have been codified within POPI as follows:
Processing – Only process information with the authorisation of the responsible party.
Confidentiality – Treat personal information which comes to their knowledge as confidential.
Security – Put in place technical and organisational measures to ensure that the confidentiality and integrity of personal information is protected, and immediately notify the responsible party where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person.
The personal information provided to CloudSquad/Arksoft by you includes information such as data subjects’ names, dates of birth, gender, physical address, email address and contact numbers. On signup and to make use of CloudSquad, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.
As was the case before POPI, CloudSquad/Arksoft will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations in respect of your clients’/students’ (data subjects’) rights under POPI, as laid out in sections 23 to 25 of the Act.
As well as complying with the principles of lawful processing, which for CloudSquad/Arksoft includes meeting the three obligations covered above, the following are relevant:
Appointment and registration of a company Information Officer – CloudSquad/Arksoft has completed the registration of our Information Officer and Deputy Information Officer. They can be contacted at email@example.com.
CloudSquad/Arksoft protects you against the unauthorised access, use and disclosure of your information, both in transit when you access your information, and at rest on our server. Our adopted measures meet and often exceed the requirements laid out in the relevant data protection legislation. Some of our key controls are detailed below:
Data transferred between your browser and the CloudSquad servers is encrypted and secured by SSL certificates – the same protocol used by your internet banking – so that no-one can eavesdrop on your communications.
The CloudSquad servers are stored in a data centre in South Africa, hosted by Azure. Access to the buildings, data floors and individual areas is strictly controlled by means of individually programmed access cards – using biometrics and visual identification – ensuring secure, single-person entry.
The CloudSquad inward and outward facing infrastructures are secure by design. We follow the Open Web Application Security Project (OWASP) guidelines and verify that they have been followed before making changes to our system. Role-based access controls are in place to limit the amount of information any one member of our team has access to, and all activity on privileged accounts is logged.
Our system is constantly being developed to protect your data from common attacks, such as cross-site scripting (XSS) and SQL injection. The processes we use have been designed with security at their heart and we continue to look for ways to update and improve them.
CloudSquad/Arksoft reviews the security measures of our service providers before contracting with them, ensuring that they are not a weak link in terms of our security. The Azure data centre has effective technical and organisational measures in place to ensure the protection of all information assets across their operations.
The CloudSquad server infrastructure has alerts in place for unsatisfactory performance and is also monitored manually by our team to maintain service.
The confidentiality of your passwords is preserved by storing them via a one-way hash function in our database. This means that even if an unauthorised person were able to access the CloudSquad server, this information is still protected.
In the unlikely event of a data breach, CloudSquad/Arksoft will contact all affected parties in accordance with our data breach process. This process is formulated to meet the strictest data protection requirements of our operational regions.