Compliance statement · Last reviewed 28 April 2026

POPIA Compliance Statement

How sonofgraig collects, processes, stores, and protects your personal information under the Protection of Personal Information Act 4 of 2013. This statement applies to sonofgraig.com and all sonofgraig platform products.

Version: 3.0
Effective: 1 January 2024
Reviewed: 28 April 2026
Act: POPIA Act 4 of 2013
Hosting region: AWS af-south-1
Status: Compliant · Information Regulator registered · SOC 2 in progress

Compliance summary:
  • Section 11 — Consent ✓
  • Section 14 — Collection ✓
  • Section 19 — Security ✓
  • Section 22 — Breach ✓
  • Section 72 — Residency ✓
  • IR Registered ✓
  • SOC 2 in progress
Section 1

Overview & applicability

Who this statement applies to, what it covers, and the legal basis for our processing activities.

SonOfGraig Digital Solutions (Pty) Ltd is registered with the Information Regulator of South Africa as required under POPIA. Our processing activities are conducted in accordance with the Act and the eight conditions for lawful processing set out in Chapter 3. Information Regulator →

This POPIA Compliance Statement applies to all personal information processed by SonOfGraig Digital Solutions (Pty) Ltd ("sonofgraig", "we", "us", "our") in the operation of sonofgraig.com and all associated platform products including RAG Studio, Agent Builder, ML Ops, Governance Hub, Cloud Console, Analytics Studio, and all other services offered under the sonofgraig brand.

The Protection of Personal Information Act 4 of 2013 came into full effect for enforcement purposes on 1 July 2021. It regulates the lawful and reasonable collection, processing, storage, and transfer of personal information. It grants individuals rights over their personal information and imposes obligations on the entities, called responsible parties, that process that information.

sonofgraig is the responsible party for all personal information processed through our website and platform. Our appointed Information Officer is Tumiso Graig Ramaboya, who can be reached at tumiso@sonofgraig.com. The Information Officer is responsible for ensuring that sonofgraig complies with POPIA in all respects.

POPIA applies to the processing of personal information by private and public bodies in South Africa, as well as to foreign entities processing information about South African data subjects. It is structurally comparable to the EU General Data Protection Regulation (GDPR) and provides equivalent protections. POPIA resource hub →
Section 2

Eight conditions for lawful processing

POPIA Chapter 3 sets out eight conditions that all responsible parties must satisfy. POPIA Chapter 3, ss. 8–25

1. Accountability — sonofgraig is responsible for ensuring compliance with POPIA conditions. Our Information Officer holds this accountability. s.8
2. Processing limitation — We collect personal information only for a specific, lawful purpose and only to the extent necessary. ss.9–12
3. Purpose specification — Personal information is collected only for a specific, explicitly defined purpose communicated to the data subject. ss.13–14
4. Further processing limitation — Further processing is only permitted if compatible with the original collection purpose. s.15
5. Information quality — We take reasonable steps to ensure personal information is accurate, complete, and up to date. s.16
6. Openness — We maintain a publicly accessible PAIA Manual and notify data subjects of our processing activities. ss.17–18
7. Security safeguards — We implement appropriate, reasonable technical and organisational measures to secure personal information. ss.19–22
8. Data subject participation — Data subjects have rights to access, correct, and delete their personal information, and to object to processing. ss.23–25
Section 3 · POPIA Section 11

Consent & grounds for processing (POPIA s.11)

sonofgraig relies on the following lawful grounds for processing personal information, as permitted under Section 11 of POPIA.

Section 11(1) of POPIA states that personal information may only be processed if at least one of six grounds exists: consent, contract, legitimate interest, legal obligation, vital interests, or public law. sonofgraig relies primarily on consent and contract performance for non-essential processing activities. Read Section 11 →
Lawful ground (s.11(1)) and how sonofgraig applies it:

Consent (s.11(1)(a)): Obtained via our cookie consent banner for analytics, marketing, and AI personalisation cookies. Specific, informed, and voluntary. Withdrawal available at any time with no consequence to services. Consent is timestamped and versioned.
Contract (s.11(1)(b)): Processing required to perform our services agreement — account creation, service delivery, billing, support communication, and platform operation.
Legitimate interest (s.11(1)(f)): Security monitoring, fraud prevention, system performance, and internal analytics used to improve platform features. Interests are balanced against data subject rights.
Legal obligation (s.11(1)(c)): Tax records, financial reporting, and responding to lawful requests from authorities or the Information Regulator.

Consent withdrawal

Under POPIA Section 11(3), a data subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of any processing already carried out. You may withdraw consent by: visiting the Privacy Settings on sonofgraig.com, emailing tumiso@sonofgraig.com, or using the cookie preference centre accessible from the footer of every page. Non-essential cookies are removed within 24 hours of withdrawal. POPIA s.11(3)

Section 4 · POPIA Section 14

Collection limitation (POPIA s.14)

We collect only the minimum personal information necessary for the specific purpose for which it is collected — the data minimisation principle.

POPIA Section 14 requires that personal information collected must be adequate, relevant, and not excessive in relation to the purpose for which it is collected. POPIA s.14 sonofgraig implements data minimisation as a design principle across all platform products and services.

Collection points, what we collect and why:

Website visitors: IP address (anonymised), page views, browser type, referrer. Purpose: security, analytics (with consent). Retained: 90 days.
Waitlist & contact forms: Name, email address, company name, role, use case description. Purpose: respond to enquiry and manage early access programme. Retained: duration of relationship plus 3 years.
Platform accounts: Name, email address, company, role, billing information. Purpose: account management, service delivery, billing. Retained: account duration plus legal retention period.
Document uploads (RAG Studio): Document content uploaded by the customer's authorised users. PII within documents is scrubbed before embedding. Retained: as configured by the customer's data retention policy. Customer is the responsible party for their document content.
Platform usage telemetry: Feature usage events, session duration, performance metrics. Purpose: product improvement, support. All data is anonymised before leaving the platform boundary.

sonofgraig does not collect or process special personal information (as defined in POPIA Section 26 — health, ethnic origin, political views, religion, sexual life, trade union membership, or biometric data) unless explicitly required and consented to for a specific service. We do not process children's personal information without verified parental consent. POPIA ss.26–35 →
Section 5 · POPIA Section 19

Security safeguards (POPIA s.19)

Technical and organisational measures we have implemented to protect personal information against loss, damage, unauthorised access, disclosure, or interference.

POPIA Section 19 requires that a responsible party take appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information and to prevent unlawful access to or processing of personal information. POPIA s.19

Encryption — data in transit and at rest
POPIA s.19(1) · Technical safeguard
Active

All data transmitted between the user's browser and sonofgraig servers is encrypted using TLS 1.3 (Transport Layer Security). Data stored in our databases is encrypted at rest using AES-256 encryption, enforced by AWS at the storage layer within af-south-1.

API keys, credentials, and secrets are stored using AWS Secrets Manager and are never hardcoded in source code or transmitted in plaintext. Authentication tokens use short-lived JWT with rotation.

Controls: TLS 1.3 · AES-256 at rest · AWS Secrets Manager · JWT rotation
Access control & authentication
POPIA s.19(1)(b) · Technical safeguard
Active

Access to personal information is controlled using role-based access control (RBAC) at the application layer. Row-level security is enforced at the database layer using Supabase RLS policies, ensuring that each organisation's data is isolated and inaccessible to other tenants.

Multi-factor authentication (MFA) is enforced for all internal staff accessing production systems. Platform customers can enforce MFA for their users. Principle of least privilege is applied — each service component has only the permissions required for its specific function.

Controls: RBAC · Supabase RLS · MFA enforced internally · Least privilege · Multi-tenant isolation
PII scrubbing — AI pipeline protection
POPIA s.19 · POPIA s.26 · sonofgraig-specific AI safeguard
Active

Before any document content passes through our AI processing pipeline (including vectorisation, embedding, or LLM inference), it is passed through our PII scrubber middleware. This middleware identifies and redacts South Africa-specific personal information identifiers, including:

  • South African ID numbers (13-digit format per the Births and Deaths Registration Act)
  • South African mobile and landline phone numbers (+27 prefix and 0-prefix formats)
  • Email addresses, passport numbers, bank account numbers
  • Physical addresses and postal codes where contextually identifiable

Scrubbing occurs synchronously before any data leaves the customer's organisational boundary within the platform. A scrub log records: document ID, scrub timestamp, count of redactions per category, and whether PII was found — but never the PII values themselves.

Controls: Pre-embedding scrub · SA ID regex · Phone/email detection · Scrub audit log
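The following is an added worked example, not sonofgraig's scrubber middleware: a minimal Python scrubber for three of the identifier categories listed above (South African ID numbers, South African phone numbers, email addresses) that returns the redacted text together with a scrub log entry of exactly the shape described, counts per category and a found/not-found flag, never the matched values. The regular expressions, the sample document, and the use of the Luhn check digit and YYMMDD prefix to reject 13-digit numbers that cannot be ID numbers are all assumptions made for this example (South African ID numbers carry a Luhn check digit, so the check lowers false positives on invoice or reference numbers); passport numbers, bank accounts and addresses are not covered here.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Sample document constructed for this example. The ID number is a widely used
# test value and the other identifiers are fabricated.
SAMPLE_DOC = (
    "Applicant: Thandi Example, ID 8001015009087, cell +27 82 123 4567 "
    "or 011 555 0199, email thandi.example@example.co.za. "
    "Invoice total R1234567890123 is unrelated to any ID number."
)

# Detection patterns (assumptions for this example, not the platform's own rules).
PATTERNS = {
    "sa_id": re.compile(r"(?<!\d)\d{13}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\+27|0)\s?\d{2}[\s-]?\d{3}[\s-]?\d{4}(?!\d)"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def luhn_ok(digits: str) -> bool:
    """South African ID numbers end in a Luhn check digit; reject runs that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_birthdate(digits: str) -> bool:
    """The first six digits are YYMMDD; a month or day out of range cannot be an ID."""
    month, day = int(digits[2:4]), int(digits[4:6])
    return 1 <= month <= 12 and 1 <= day <= 31


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Replace each detected identifier with a category token and count redactions."""
    counts = {category: 0 for category in PATTERNS}

    def replacer(category):
        def repl(match):
            value = match.group()
            if category == "sa_id" and not (plausible_birthdate(value) and luhn_ok(value)):
                return value  # 13 digits that cannot be an ID number: leave as is
            counts[category] += 1
            return f"[{category.upper()}]"
        return repl

    for category, pattern in PATTERNS.items():
        text = pattern.sub(replacer(category), text)
    return text, counts


def scrub_document(document_id: str, text: str) -> tuple[str, dict]:
    """Scrub one document and produce the log entry: counts only, never values."""
    redacted, counts = scrub(text)
    log_entry = {
        "document_id": document_id,
        "scrubbed_at": datetime.now(timezone.utc).isoformat(),
        "redactions": counts,
        "pii_found": any(counts.values()),
    }
    return redacted, log_entry


if __name__ == "__main__":
    redacted, entry = scrub_document("doc-001", SAMPLE_DOC)
    print(redacted)
    print(entry)
```

Running the block on the sample document redacts one ID number, two phone numbers and one email address, leaves the 13-digit invoice reference in place because it fails both the date and Luhn checks, and emits a log entry that contains nothing but the document ID, timestamp, counts and flag. A deployment that sends content to external inference APIs may prefer to redact every 13-digit run regardless of validation, trading false positives for recall; that choice is a single-line change in `replacer`.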
Audit logging — query-level audit trail
POPIA s.19(1)(c) · Monitoring safeguard
Active

Every query processed through RAG Studio, every agent execution in Agent Builder, and every Governance Hub assessment is logged in an immutable audit log table. Each log entry records:

  • User ID (hashed), organisation ID, timestamp (UTC), and session ID
  • Query hash (SHA-256 of query content — not the raw query text)
  • Document IDs accessed during retrieval
  • Token count of response and model version used

Audit logs are retained for a minimum of 12 months and are available to enterprise customers for their own compliance reporting. A regulator or court with appropriate authority may request access to these logs.
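As an added example, not the platform's own logging code, the function below builds an audit entry of the shape listed above: the user ID is stored only as a keyed hash, the query only as its SHA-256 digest, and a final guard confirms that neither raw value appears in the serialised entry before it is written. Using a keyed hash (HMAC) for the user ID rather than a plain SHA-256 is this example's own choice, because a plain hash over a small ID space can be reversed by enumerating candidate IDs; the key value, the field names and the sample inputs are placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Placeholder key for pseudonymising user IDs; in deployment it would be loaded
# from a secrets manager, never committed to source.
USER_HASH_KEY = b"placeholder-user-hash-key"


def hash_user_id(user_id: str, key: bytes = USER_HASH_KEY) -> str:
    """Keyed hash of the user ID: without the key, the ID cannot be recovered
    by enumerating candidate IDs and comparing digests."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def hash_query(query: str) -> str:
    """Plain SHA-256 of the query text: identical queries can be correlated
    across entries without the log holding the text itself."""
    return hashlib.sha256(query.encode("utf-8")).hexdigest()


def build_audit_entry(*, user_id: str, org_id: str, session_id: str, query: str,
                      doc_ids: list[str], response_tokens: int, model_version: str,
                      at: datetime | None = None) -> dict:
    """Assemble one log entry holding only hashes, identifiers and metadata."""
    at = at or datetime.now(timezone.utc)
    return {
        "user_id_hash": hash_user_id(user_id),
        "org_id": org_id,
        "session_id": session_id,
        "timestamp_utc": at.astimezone(timezone.utc).isoformat(),
        "query_hash": hash_query(query),
        "doc_ids": list(doc_ids),
        "response_tokens": response_tokens,
        "model_version": model_version,
    }


def leaks_raw_values(entry: dict, user_id: str, query: str) -> bool:
    """Guard run before the entry is written: True if the raw user ID or the
    raw query text appears anywhere in the serialised entry."""
    serialised = json.dumps(entry)
    return user_id in serialised or query in serialised


if __name__ == "__main__":
    # Constructed sample inputs, not real platform data.
    entry = build_audit_entry(
        user_id="u-10042", org_id="org-7", session_id="sess-abc",
        query="What is our leave policy?", doc_ids=["doc-001", "doc-014"],
        response_tokens=256, model_version="placeholder-model-v1",
    )
    assert not leaks_raw_values(entry, "u-10042", "What is our leave policy?")
    print(json.dumps(entry, indent=2))
```

The query hash is deliberately unkeyed so that enterprise customers can recompute it from their own records when reconciling the log, whereas the user hash is keyed so the log alone cannot be joined back to an identity.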

SOC 2 Type II audit process
POPIA s.19 · Independent security verification
In progress

sonofgraig has initiated the SOC 2 Type II audit process. SOC 2 Type II is an independent third-party audit that verifies that a company's security controls are operating effectively over a period of time (typically 6–12 months under observation).

The SOC 2 Type II report, when complete, will be available to enterprise customers under NDA. Target completion: within 18 months of this statement. Current phase: controls implementation and evidence collection.

Status: Controls implementation · Evidence collection · Target: 18 months
Section 6 · POPIA Section 22

Breach notification (POPIA s.22)

Our obligations and procedures for notifying the Information Regulator and affected data subjects in the event of a security breach.

POPIA Section 22 requires that where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subject as soon as reasonably possible after discovery. POPIA s.22

T+0 — Breach detected
Incident containment & assessment
Security incident is escalated to the Information Officer immediately. Affected systems are isolated. The scope of exposure is assessed: what data, whose data, how accessed, and by whom. A formal incident record is opened.
T+24 hours
Internal review & notification decision
The Information Officer determines whether the breach creates a risk to affected data subjects. If personal information has been accessed by an unauthorised person, formal notification is required. Legal counsel is engaged where appropriate.
T+72 hours
Information Regulator notification
The Information Regulator is formally notified within 72 hours of discovery. The notification includes: nature of the breach, categories of personal information affected, estimated number of data subjects affected, likely consequences, and measures taken or proposed. Information Regulator contacts →
As soon as reasonably possible
Affected data subjects notified
Affected data subjects are directly notified by email where contact details are available. Notification includes: what happened, what information was involved, what we are doing, and what data subjects can do to protect themselves. A public statement is published on this page where the breach affects a significant number of data subjects. POPIA s.22(2)
Section 7 · POPIA Section 72

Data residency & cross-border transfer (POPIA s.72)

How sonofgraig ensures personal information remains in South Africa and the conditions under which cross-border transfer may occur.

POPIA Section 72(1) prohibits the transfer of personal information about a data subject to a third party in a foreign country unless specific conditions are met. sonofgraig's primary data residency architecture ensures the default position is that no personal information leaves South Africa. Read Section 72 →
Infrastructure components, location and data residency compliance:

Primary database (PostgreSQL + pgvector): AWS af-south-1 (Cape Town, South Africa). All customer data, vector embeddings, and audit logs reside in this region. No replication to regions outside South Africa by default.
File storage (document uploads): AWS S3 af-south-1. Customer-uploaded documents are stored exclusively in the af-south-1 bucket. Bucket policies enforce region-lock.
Compute & API processing: AWS EC2/Lambda af-south-1. All processing of personal information occurs within the South African region.
LLM inference (Claude, Gemini): Anthropic Claude API and Google Genkit are used for AI inference. Queries sent to these APIs are governed by their respective Data Processing Agreements. PII is scrubbed before any content is transmitted to external AI APIs — what is sent is redacted content, not raw personal information.
Analytics (Vercel Analytics): Vercel Analytics processes anonymised page view data. No personal information is transmitted — IP addresses are anonymised before leaving the browser. Vercel's infrastructure is EU-hosted, but no personal information reaches this service.
PostHog product analytics: PostHog is deployed with IP anonymisation enabled and server-side filtering. No South African ID numbers, passport numbers, or identifiable contact information is transmitted to PostHog. Session recording is disabled by default and requires customer opt-in.

Where cross-border transfer is unavoidable (e.g. LLM inference APIs), sonofgraig ensures transfer only occurs after PII scrubbing, and only to parties that have adequate data protection legislation or binding agreements providing for data protection equivalent to POPIA Section 72(1)(b) and (c). POPIA s.72(1) →
Section 8

What personal information we collect

A complete inventory of personal information categories processed by sonofgraig across all touchpoints.

Category, examples, purpose and retention:

Identity information: Full name, company name, job title. Purpose: account management, communications, service delivery. Retention: duration of relationship plus 3 years.
Contact information: Email address, phone number (where provided). Purpose: communications, support, product updates. Retention: duration of relationship plus 3 years.
Technical identifiers: IP address (anonymised after collection), browser type, device type, referrer URL, session identifiers. Purpose: security, fraud prevention, anonymised analytics. Retention: 90 days raw, anonymised indefinitely.
Account & usage data: Platform login events, feature usage, API call logs (metadata only), support ticket content. Purpose: service delivery, support, product improvement. Retention: duration of account plus 12 months.
Commercial information: Billing details (processed by our payment provider — we do not store full card numbers), subscription tier, invoice history. Purpose: billing and financial records. Retention: 5 years (SARS requirement).
Communications: Emails sent to or from sonofgraig, support chat transcripts. Purpose: service delivery, compliance record-keeping. Retention: 3 years.
Customer document content: Documents uploaded to RAG Studio by the customer's authorised users. Processed exclusively as instructed by the customer. sonofgraig is an operator, not a responsible party, for this category. PII is scrubbed before embedding.
Section 9

Cookies & tracking technologies (POPIA s.11)

A full inventory of cookies used on sonofgraig.com, categorised by purpose and legal basis under POPIA Section 11.

Cookies that are not strictly necessary require your consent under POPIA Section 11. You can manage your cookie preferences at any time using the cookie preference centre accessible from the footer of every page or by contacting our Information Officer. POPIA s.11(1)(a)

Cookie inventory (cookie · basis · expiry, followed by purpose):

popia_consent_v3 · Always on · 12 months
  Stores your cookie consent decision with timestamp and version. Required for compliance.
session_token · Always on · Session
  Authenticates your session when logged in to the platform. Encrypted.
csrf_token · Always on · Session
  Protects against cross-site request forgery attacks. Security measure.
sg_theme · Always on · 1 year
  Stores your dark/light theme preference to avoid flash of wrong theme.
sg_sidebar_state · Functional · 1 year
  Remembers sidebar expanded/collapsed preference for authenticated users.
va_session · Analytics · 24 hours
  Vercel Analytics. Anonymised page view session. No personal data transmitted.
ph_distinct_id · Analytics · 1 year
  PostHog product analytics. Pseudonymous user identifier for feature usage analysis. IP anonymised.
li_sugr, lidc · Marketing · 30 days
  LinkedIn Insight Tag. B2B enterprise retargeting for enterprise outreach only.
_ga, _gcl_au · Marketing · 90 days
  Google Ads conversion tracking. Measures enterprise outreach campaign effectiveness.
sg_ai_ctx · AI Personalise · 90 days
  AI personalisation context for authenticated platform users. Stored in af-south-1.
Section 10 · POPIA Chapter 2 & Part D

Your rights as a data subject (POPIA Chapter 2)

POPIA grants data subjects a set of enforceable rights. sonofgraig is obliged to facilitate the exercise of these rights within the timeframes specified by the Act.

Right to access (POPIA s.23 · PAIA applies to access requests)
  You may request a copy of all personal information we hold about you. We will respond within 10 business days of a valid request.
Right to correction (POPIA s.24(1))
  You may request correction of inaccurate, incomplete, or out-of-date personal information. We will correct it without unreasonable delay.
Right to deletion (POPIA s.24(1)(b))
  You may request deletion of personal information. Subject to legal retention obligations (e.g. SARS 5-year requirement). We will delete what we are legally permitted to delete.
Right to object (POPIA s.11(3) · s.11(2)(e))
  You may object to processing on grounds of legitimate interest. We will stop processing unless we have compelling legitimate grounds that override your interests.
Right to data portability (POPIA s.23, interpreted broadly)
  You may request your personal information in a structured, machine-readable format for transfer to another service provider. Provided where technically feasible.
Right to withdraw consent (POPIA s.11(3))
  You may withdraw any consent at any time without consequence to services already delivered. Non-essential cookies removed within 24 hours. We will not penalise withdrawal.
Right to lodge a complaint (POPIA s.74 · Information Regulator)
  If you believe we have violated your POPIA rights, you may lodge a complaint with the Information Regulator of South Africa. Contact: inforegulator.org.za
Right to breach notification (POPIA s.22)
  You have the right to be notified if your personal information has been accessed or acquired by an unauthorised person. We will notify you as soon as reasonably possible after discovery.

To exercise any of these rights, submit a written request to tumiso@sonofgraig.com. We will acknowledge your request within 3 business days and respond substantively within 10 business days. For complex requests requiring third-party involvement, we may take up to 30 days and will notify you of the extended timeline. POPIA rights guide →
Section 11

AI & large language model processing

Specific disclosures about how sonofgraig's AI products handle personal information — an area not addressed by POPIA's original 2013 drafting but governed by its principles.

POPIA does not specifically regulate AI systems — it was enacted before current-generation large language models existed. However, the eight conditions for lawful processing apply fully to AI processing activities. sonofgraig treats every AI-processed document and query as personal information by default, applying all POPIA protections regardless of whether identifiable information is actually present.
AI model training disclosure
Transparency principle · POPIA s.18(1)
Clear policy

sonofgraig does not use customer data — including documents uploaded to RAG Studio, Agent Builder configurations, or any query content — to train shared foundation models.

AI personalisation features (remembering your RAG query preferences, Agent Builder configurations) improve your personal experience within your own account only. This data is stored in af-south-1 and is not pooled with other customers' data for model improvement.

If in the future sonofgraig develops any programme that uses customer data to improve shared models, it will only proceed with: explicit, specific, informed consent separate from this statement; a clear description of what data would be used; and the right to opt out without affecting services.

Commitments: No shared model training · Per-account personalisation only · Separate consent required for any future training use
EU AI Act risk classification
EU AI Act 2024 · Applicable to EU-connected clients
Documented

The EU AI Act (Regulation (EU) 2024/1689) entered into force in August 2024. For clients with EU operations, sonofgraig maintains risk classification documentation for each platform product. EU AI Act →

Product and EU AI Act risk classification:

RAG Studio: Minimal risk — document retrieval and citation. No automated decision-making affecting individuals.
Agent Builder: Limited to high risk (deployment-dependent) — autonomous agent execution. Human oversight controls are mandatory in our architecture.
Governance Hub: Potentially high risk — AI governance and bias detection used in consequential contexts. Full transparency, audit trail, and human review built in by design.
Section 12

Contact the Information Officer

How to submit data subject requests, raise compliance concerns, or contact us for any POPIA-related matter.

Data subject access request (DSAR)
To access, correct, or delete your personal information. Include your full name, email address, and a description of your request. We will acknowledge within 3 business days.
tumiso@sonofgraig.com
Data Processing Agreement (DPA)
Enterprise legal teams require a formal DPA before contract execution. Our DPA is available for download and covers all processing activities, legal basis, security controls, and sub-processors.
Download DPA
Report a security incident
If you believe your personal information has been involved in an unauthorised disclosure or breach, notify us immediately. We will investigate and respond within 24 hours for urgent matters.
tumiso@sonofgraig.com
Information Regulator of South Africa
If you are not satisfied with our response to your POPIA complaint, you have the right to escalate to the Information Regulator. Their contact details are publicly available.
inforegulator.org.za
Enterprise procurement team?

Need compliance documentation?

Enterprise security and legal teams regularly require our Data Processing Agreement, SOC 2 status letter, B-BBEE certificate, PAIA manual, and information security questionnaire responses. Contact our Information Officer for any documentation package.

Sources & citations
[1] Protection of Personal Information Act 4 of 2013. Government Gazette No. 37067, 26 November 2013. Enforcement effective 1 July 2021. gov.za/popi-act
[2] Information Regulator of South Africa. inforegulator.org.za — Responsible for enforcement, complaints, and guidance under POPIA and PAIA.
[3] POPIA Commencement Notice. Government Gazette No. 44394, 22 June 2021. Sections 2–38 and 55–109 came into force 1 July 2021. gov.za POPIA overview
[4] POPIA Conditions for Lawful Processing, Chapter 3 (Sections 8–25). Governs how responsible parties must collect, store, and process personal information.
[5] EU AI Act, Regulation (EU) 2024/1689 of the European Parliament and of the Council. Entered into force 1 August 2024. eur-lex.europa.eu/AI-Act
[6] POPIA Section 72 — Transfer of personal information outside the Republic. Governs conditions under which personal information may be transferred to foreign countries or international organisations.
[7] National AI Policy Framework, Department of Communications and Digital Technologies, South Africa (2023). Advisory framework — not legally binding. dcdt.gov.za