Legal

Information Officer, responsible party, and lawful processing.

Last updated: 2026-07-03

This notice is published in compliance with section 18 of the Protection of Personal Information Act, 2013 (“POPIA”). It applies to the Auto Alpha Security website operated by Auto Alpha Advisory and supplements the Privacy Policy.

1. Responsible party

Auto Alpha Advisory
Auto Alpha Security is its web-security practice.
Principal place of business: Cape Town, South Africa
Website: autoalpha-sec.com

2. Information Officer

The Information Officer as contemplated in POPIA §1, read with ss55–56, is:

The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA ss55–56.

No deputy Information Officer has been appointed. All POPIA requests should be directed to Matt Owen at the email above.

3. Lawful basis for processing (POPIA §11)

We process personal information on the following lawful bases:

  • Consent (§11(1)(a)) — the primary basis. When you submit the scan-request form and tick the consent box, you consent to us processing your enquiry details to contact you and scope your request. Consent is revocable at any time (see section 7).
  • Legitimate interest (§11(1)(f)) — processing operational log data (IP address, user-agent) to maintain the security and integrity of this website. Our interest does not override the data subject’s right to privacy.

4. Categories of data subjects and personal information

4.1 Data subjects

  • Enquirers — individuals who submit the scan-request form or otherwise contact us through this website.
  • Visitors — individuals who browse the website.

4.2 Categories of personal information processed

  • Contact information: name, company name, work email address
  • Enquiry details: target URL(s), scope note, and your domain-ownership answer
  • Device and network identifiers: IP address, user-agent string (in server logs)

We do not process special personal information as defined in POPIA §26 (health, biometrics, race, religion, sexual orientation, criminal record, or political persuasion), nor information relating to children.

5. Recipients of personal information — sub-processor list

The following operators (in POPIA terms, “operators” who process personal information on behalf of the responsible party) receive personal information in the course of delivering the Service:

Operator | Role / data received | Region
Vercel Inc. | Website hosting and serverless execution of the scan-request form; edge analytics; processes requests containing enquiry data | USA (fra1 edge for SA traffic)
Resend Inc. | Delivers your scan-request enquiry to us by email; receives the details you submit in the form | USA

6. Cross-border transfers (§72)

The Service involves the transfer of personal information outside South Africa, primarily to processors in the United States. South Africa has not issued a general adequacy finding for the United States. We rely on the following basis for these transfers under POPIA §72:

  • Contractual commitments (§72(1)(b)) — each US-based processor is bound by a DPA, standard contractual clauses, or equivalent published processing terms that impose data-protection obligations substantially equivalent to POPIA.

The processors that receive personal information via cross-border transfer are: Vercel Inc. and Resend Inc.

7. Data-subject rights under POPIA

As a data subject, you have the following rights under POPIA:

  • Right to be notified (§18) — to be informed of what information is collected about you and for what purpose. This notice fulfils that obligation.
  • Right of access (§23) — to request a copy of personal information held about you.
  • Right to correction or deletion (§24) — to request correction of inaccurate information or deletion of information that is no longer necessary, subject to our legal-retention obligations.
  • Right to object (§11(3)) — to object to processing based on legitimate interest; we will cease such processing unless we can demonstrate compelling grounds that override your interests.
  • Right to complain (§73) — to lodge a complaint with the Information Regulator if you believe your rights have been infringed.

To exercise any right, email matt@autoalphaadvisory.co.za with subject “POPIA Request”. We will acknowledge within 3 business days and respond within 7 business days, or notify you if additional time is required.

8. Security safeguards (§19)

We have implemented the following technical and organisational measures:

  • This website operates without its own user database; enquiry details are transmitted to us by email rather than stored in a database on the site.
  • Encryption in transit (TLS 1.3) with HTTPS and HSTS enforced on every response.
  • A strict Content Security Policy and standard security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) on every response.
  • Environment-secret management for all API keys; secrets are not exposed in application code or client bundles.

In the event of a personal information breach that is likely to result in harm to data subjects, we will notify the Information Regulator and affected data subjects within the timelines prescribed by POPIA §22 and any regulations made thereunder.

9. Complaints to the Information Regulator

If your POPIA request is not resolved to your satisfaction, or if you believe we have processed your personal information in violation of POPIA, you may lodge a complaint with:

  • The Information Regulator (South Africa)
  • Website: inforegulator.org.za
  • Email: complaints@inforegulator.org.za

10. Updates to this notice

This notice will be updated to reflect changes in our processing activities, our sub-processor list, or applicable law. The “Last updated” date at the top of this page reflects the current version.

This is a parameterized template, not legal advice. Have it reviewed by a qualified attorney before launch.