POPIA Compliance

Introduction

This document describes our policies and procedures that have been put in place to ensure POPI compliance and data integrity to keep you and your customer data safe while using ServCraft. ServCraft adheres specifically to:

  • CPA Section 11
  • Protection of Personal Information ACT (POPI)
  • ISO 27001 Information Security Management System principles
Our terms and conditions are accessible on our website
Terms of usePrivacy Policy
Information Request & Contact Details
If your personal information changes (e.g. your email address or cell phone number), or if you no longer wish to use or access the service, ServCraft supports you to correct, update, or remove the personal information that you provided. This can be done by contacting us.

In the event that a data subject (i.e. a customer contact in your list) would like access to their data, requests must be submitted to us in writing. Requests for personal information will be handled in accordance with the POPI Act.

Our Information Officer is Daniyel Falk.

For any information or removal requests pertaining to POPI, please email popi@servcraft.co.za

We have a 72-hour response time in relation to emails sent to this address.

Alternatively, call 087 813 1137 for additional help or escalations.

Technology Setup

Databases
ServCraft uses Microsoft Azure SQL Database as our primary hosting platform for all core data. Our databases utilize Azure's enterprise-grade security features including:
  • Transparent Data Encryption (TDE) with AES 256-bit encryption for data at rest
  • Transport Layer Security (TLS) for data in transit
  • Azure Active Directory integration for authentication
  • Advanced Threat Protection for real-time security monitoring
  • Network Service Endpoints for network isolation
  • Firewall rules restricting access to authorized IP addresses only
Access to these databases is governed by our internal staff policies and Azure's role-based access control (RBAC). All database access is logged and monitored through Azure's built-in auditing capabilities.

We utilize logical separation of customer data within our database architecture. The fundamental code of ServCraft has been carefully constructed to ensure the integrity of this logical separation, ensuring that customer data is only accessible with the correct authenticated access for authorized individuals.
Application
ServCraft is a cloud-based application hosted primarily on Microsoft Azure App Services. Our application infrastructure includes:
  • Azure App Services for web application hosting
  • Azure API Management for secure API access
  • Azure Application Gateway with Web Application Firewall (WAF)
  • Azure Load Balancer for high availability
  • Azure Monitor for comprehensive logging and monitoring
Access to production systems is strictly controlled through Azure's identity and access management systems, with multi-factor authentication required for all administrative access.

Legacy Systems: We maintain certain ancillary services on Xneelo infrastructure, but these systems do not contain any core customer data or personal information. These are limited to non-critical support services only.

We do not allow scripts to be executed in any location that the application has access to.
Other Data
We use Amazon Web Services (AWS) S3 to store files and videos attached to ServCraft by our customers. Amazon complies with the highest international standards, including GDPR. Additional information about their compliance can be found at https://aws.amazon.com/compliance/gdpr-center/

ServCraft utilizes S3 to store files in two ways:
  • Public accessibility: Only used for customer logos, similar to how logos would be available on company websites
  • Private access: All other files are accessible only through private URLs generated exclusively within the ServCraft platform, requiring valid authentication
Other document files (such as job cards or quote PDFs) are generated on demand through ServCraft's frontend or when sending email communications as attachments.
Backup
Our backup strategy leverages Azure's native backup capabilities:
  • Azure SQL Database Backups:
    • Automated backups with point-in-time recovery (PITR) up to 35 days
    • Long-term retention (LTR) backups stored for up to 1 year
    • Geo-redundant storage ensuring backups are replicated across Azure regions
    • Backup encryption using service-managed keys
  • Application and Configuration Backups:
    • Azure App Service automatic backups
    • Infrastructure as Code (IaC) templates stored in version control
    • Configuration backups to Azure Storage with geo-redundancy
All backup access is protected by Azure's identity and access management with multi-factor authentication required.
Service Providers
ServCraft utilizes service providers that comply with the highest international standards including GDPR and POPIA:
Primary Data Hosting
Our primary hosting is on Microsoft Azure in the South Africa North region with geo-redundancy to South Africa West. Physical access to Azure data centers is highly restricted and managed by Microsoft according to international security standards.

Our servers and applications are managed by our internal staff through Azure's management interfaces. There is no direct physical access to servers, and all access is logged and audited.
Mobile App
ServCraft's mobile app can run offline, synchronizing a limited subset of data to Android or Apple devices. This data is:
  • Limited to the customer's particular data as defined by authenticated login access
  • Limited to the access restrictions for that particular user
  • Encrypted using platform-native encryption (iOS Keychain, Android Keystore)
The local database is not accessible without authenticated access from within the app.
SSL/TLS
All data transfer utilizes Transport Layer Security (TLS) 1.2 or higher, ensuring data is encrypted during transmission. Azure App Service enforces HTTPS-only connections.
System Monitoring
ServCraft uses Azure Monitor and Application Insights for comprehensive monitoring including:
  • Real-time performance monitoring
  • Security threat detection
  • Automated alerting for anomalies
  • Compliance monitoring and reporting
Application Access Control and Audit Logs
We use industry-standard procedures and protocols to ensure the highest levels of access control. All access to the application is logged in Azure's audit logs and our application audit logs, with changes replicated to our core database systems.
Secure Login
We implement multiple layers of security. Password and tokenized access. With JWT Token standard being adopted in late 2025.
Passwords
Passwords are encrypted using industry-standard hashing algorithms and cannot be decrypted. All API integration passwords are similarly protected.

Users can change passwords within the application using the 'forgot password' function. Administrators can reset passwords only for users within their customer account.
Brute Force Attack Prevention
Azure App Service provides built-in DDoS protection and rate limiting. Azure Application Gateway includes Web Application Firewall (WAF) rules to detect and prevent brute force attacks.
Service Logs
Application logs are managed through Azure Monitor with automatic retention policies. Log files are encrypted and access is restricted to authorized personnel only.

Disaster Recovery (DR)

Our disaster recovery strategy leverages Azure's global infrastructure:

  • Database Recovery:
    • Azure SQL Database geo-replication to secondary regions
    • Automated failover groups for seamless recovery
    • Point-in-time recovery capabilities
  • Application Recovery:
    • Multi-region deployment capabilities
    • Azure Traffic Manager for automatic failover
    • Infrastructure as Code for rapid environment recreation
  • Recovery Objectives:
    • Recovery Time Objective (RTO): Less than 4 hours
    • Recovery Point Objective (RPO): Less than 1 hour
All DR infrastructure maintains the same privacy and security standards as production systems, governed by our internal policies.

Internal Controls

Physical Access
All servers reside in Microsoft Azure & Xneelo data centers with enterprise- grade physical security. We work remotely, and no documents or data pertaining to customers are stored at physical locations besides company- managed devices. Device protection is governed by our staff policies and procedures.
ServCraft Staff Policies and Procedures
Client access is managed through role-based permissions with senior account managers having appropriate access to support their clients. Access is governed by:
  • Employment contracts with specific privacy clauses
  • Regular security training and awareness programs
  • IP address restrictions for accessing client data
  • Principle of least privilege access
All ServCraft staff and contractors attest to terms and conditions that specifically outline privacy, information security, and confidentiality requirements.
Employee, Contractor, and Service Provider Procedures
  • Background checks including criminal record and credit checks for all staff and contractors
  • Immediate access revocation upon employment termination or role changes
  • Security training before accessing confidential information
  • Formal contracts with contractors and service providers aligned with POPI Act requirements
  • Regular access reviews and audits
Data Protection Controls
Paper Records
  • Secure handling with restricted access
  • Secure shredding of confidential documents
  • Locked storage when not in use
  • No use of facsimile technology
Email and Communications
  • No unencrypted email for personal/sensitive data
  • Mandatory encryption for data transfers
  • Secure email facilities for sensitive communications
Remote Access
  • Secure VPN connections with multi-factor authentication
  • Endpoint protection requirements
  • Device compliance monitoring
Mobile Device Security
  • Password protection mandatory
  • Mobile device management (MDM) policies
  • Secure deletion procedures
  • Personal device restrictions
Data Transmissions
  • Encrypted channels only
  • No manual transfers via removable media
  • Secure courier services when physical transfer necessary

ISO 27001 Policies

ServCraft has implemented comprehensive ISO 27001 Information Security Management System policies (we are currently working toward certification). Our implemented policies include:

  • Data Protection and Privacy Policies:
    • DP 01: Data Protection Policy
    • DP 02: Data Retention Policy
  • Information Security Policies:
    • IS 01: Information Security Policy
    • IS 02: Access Control Policy
    • IS 03: Asset Management Policy
    • IS 04: Risk Management Policy
    • IS 05: Information Classification and Handling Policy
    • IS 06: Information Security Awareness and Training Policy
    • IS 07: Acceptable Use Policy
    • IS 08: Clear Desk and Clear Screen Policy
    • IS 09a: Mobile and Teleworking Policy - Office Based
    • IS 09b: Mobile and Teleworking Policy - Fully Remote
    • IS 10: Business Continuity Policy
    • IS 11: Backup Policy
    • IS 12: Malware and Antivirus Policy
    • IS 13: Change Management Policy
    • IS 14: Third Party Supplier Security Policy
    • IS 15: Continual Improvement Policy
    • IS 16: Logging and Monitoring Policy
    • IS 17: Network Security Management Policy
    • IS 18: Information Transfer Policy
    • IS 19: Secure Development Policy
    • IS 20: Physical and Environmental Security Policy
    • IS 21: Cryptographic Key Management Policy
    • IS 22: Cryptographic Control and Encryption Policy
    • IS 23: Document and Record Policy
    • IS 24: Significant Incident Policy and Collection of Evidence
    • IS 25: Patch Management Policy
    • IS 26: Cloud Service Policy
    • IS 27: Intellectual Property Rights Policy
These policies ensure comprehensive coverage of information security management across all aspects of our operations.

Lodge a Complaint with the Information Regulator Regarding Our Privacy Policy

Regarding Our Privacy Policy
If you wish to raise a complaint about our compliance with this Privacy Policy or any concerns related to this policy, you can lodge a complaint with the Information Regulator.

Information Regulator Contact Details: 
Website: https://justice.gov.za/inforeg/
Contact Information
For POPI Compliance matters:
For incident reporting or data removal requests: