Data Compliance

Glossary

POPI(A)

Protection Of Personal Information Act (South Africa)

Data Subject

A natural person whose personal data is processed by a controller or processor

Data Controller

The entity that determines the purposes, conditions, and means of personal data processing

Personal Data

Any information related to a natural person that can be used to directly or indirectly identify them

Data Processor

The entity that processes data on behalf of the data controller

Introduction

At Parallax Solutions, we treat security and the protection of personal information as a core responsibility. As a data processor, we recognise the trust our clients place in us to handle their data with care, and we are committed to meeting and exceeding the standards set by POPIA and other applicable data protection regulations.

We view data compliance not as a once-off exercise, but as an ongoing commitment that evolves alongside the regulatory landscape. This policy outlines the measures we take to process, store, transfer, and protect data in accordance with these obligations.

Data Protection Officer

The data protection function at Parallax Solutions is managed by our directors. For any queries related to data protection, you can reach our information officer at:

Technical Security Measures

As an organisation that builds and delivers technology solutions for clients across industries, we maintain rigorous security practices appropriate to the sensitivity of data we handle. Our technical measures are designed to safeguard data at every stage of its lifecycle. Further details are available on request.

Keeping Personal Data Confidential

Business Data

Client business data and organisational personal information is treated as strictly confidential. Access is limited to authorised personnel on a need-to-know basis, governed by existing NDA and confidentiality agreements. No personal data is shared publicly or with internal staff unless explicitly required for service delivery. Should a business relationship end, all personal data can be returned on request and removed from our records.

Project Data

Project-level personal data is access-controlled and only available to individuals with explicit, role-based authorisation. Passwords within systems built by Parallax Solutions are encrypted using industry-standard hashing (bcrypt), ensuring that neither our staff nor infrastructure providers can decrypt stored credentials.

Record Keeping

Business Data

All business-related records are maintained securely using enterprise-grade platforms for document storage and communication. Should a business relationship end, personal information can be returned on request and deleted from our records.

Project Data

Project-related data is retained in line with each project's specific retention policy. We follow a data minimisation approach, only collecting and storing information that is operationally or commercially essential. Where applicable, records are maintained in secured databases with appropriate access controls.

Data Breach / Incident Response

In accordance with POPIA requirements, we commit to the following actions upon discovering a data breach that poses risk to the rights and freedoms of data subjects:

• Notifying the data controller within 72 hours of becoming aware of the breach
• Describing the nature of the breach, including the approximate categories and number of affected data subjects and records
• Providing contact details of our data protection officer for further information
• Describing the likely consequences of the breach
• Outlining the measures taken or proposed to address the breach and mitigate potential harm

Where it is not possible to provide all details simultaneously, information will be communicated in phases. We will also assist the data controller with any required communication to affected data subjects.

To request a copy of our Incident Response & Breach Management Policy, please contact information-officer@parallaxsolutions.co.za.

Data Processing Principles

As a data processor, we adhere to the core principles set out in POPIA to ensure responsible handling of personal data:

Sub-processors & Hosting

Outsourced Work

As a general practice, Parallax Solutions does not operate on an outsourced or sub-contracting model for project delivery. All individuals involved in client work are directly employed by or contracted to Parallax Solutions. Should any exception arise, the data controller will be informed as required by regulation.

Hosting

We do utilise third-party hosting providers to deliver solutions to market. The identity of these providers is always disclosed to the data controller, and hosting arrangements can be tailored to meet specific project or compliance requirements.

Compliance Guidance

We are committed to continuous improvement in our compliance practices. Where we identify that a data controller's instructions or requests may not align with applicable regulation, we will proactively raise this to support better compliance outcomes for all parties.

Cross-border Data Transfers

With our head office based in South Africa, there may be instances where personal data is transferred across borders. We take every reasonable step to limit such transfers, particularly where project-level personal data is concerned, and can facilitate hosting within specific jurisdictions where compliance requires it.

Where cross-border transfer of personal data is necessary, we follow the safeguards outlined in POPIA for cross-border transfers. Data subjects are informed of such transfers where appropriate.

Data Subject Rights

As a data processor, Parallax Solutions supports data controllers in upholding the rights of data subjects as set out in POPIA, including:

• Clear and transparent communication about what personal information is collected and why
• The right of access to personal data
• The right to rectification of inaccurate data
• The right to erasure ("right to be forgotten")
• The right to restriction of processing
• Notification upon any rectification or deletion of personal data
• The right to data portability

Privacy Policies & Consent

Where required by project scope, Parallax Solutions assists data controllers in ensuring appropriate privacy policies are in place, clearly explaining the personal data collected and its purpose.

In line with POPIA's consent requirements, we ensure that where processing is based on consent, the data controller is able to demonstrate that the data subject has given their informed consent.

In Closing

Data protection compliance is an ongoing effort, and we treat it as such. Within the scope of this document, Parallax Solutions operates as a data processor and is committed to assisting data controllers in their compliance obligations while ensuring data subjects can be confident in how their personal information is managed.

We acknowledge that compliance is a collection of efforts, policies, documentation, and intent, and we are committed to upholding these standards in everything we do.