Security Standards

Pertaining to the Centricity Platform.

Effective Date: 12th June 2019


Data Security in the Centricity Platform

The protection of clients’ data is of critical importance to Rizzolve (Pty) Ltd. Handling sensitive client data is part of our core business, and our right to exist would be threatened if we did not handle client data with the utmost care.

POPI (Protection of Personal Information)

The South African Protection of Personal Information Act, No 4 of 2013 promotes the protection of personal information by public and private bodies.


The Protection of Personal Information (POPI) Act was signed into law in South Africa on 19 November 2013 and published in the Government Gazette Notice 37067 on 26 November 2013. Once the Act is made effective, companies will be given a year’s grace period to comply with the Act, unless this grace period is extended as allowed by the Act.


The President has signed a proclamation declaring some parts of the Protection of Personal Information Act No 4 of 2013 effective from 11 April 2014. The sections that became effective deal with the appointment of the Information Regulator; the National Assembly approved the appointment of members to the Information Regulator on 7 September 2016. The Regulator will be responsible for education, monitoring and enforcing compliance, handling complaints, performing research and facilitating cross-border cooperation.

Certain sections of the Protection of Personal Information Act (POPI) have already commenced (under proclamation No. R. 25, 2014), but only a few limited sections. The majority of POPI (especially the sections that create compliance requirements) will only commence on a later date to be proclaimed by the President (expected to be in 2018).

We are comfortable that our products, services and standard operating procedures adhere to the core principles of data security which are generally accepted and also covered by the POPI bill. Once the POPI Act is fully proclaimed and active, Rizzolve (Pty) Ltd will obtain the necessary POPI Act compliance certifications.

Technical Measures Implemented to protect Client Data

At a high level, the following technical measures are in place to protect client data:

Rizzolve (Pty) Ltd currently monitors security recommendations, standards and best practices from organizations such as OWASP (www.owasp.org) and others to ensure our products and services are as secure as possible. It must be noted that no system can ever be “tamper proof” or “hack proof”; this has been proven by the many successful attacks against some of the biggest online services in the world.


Rizzolve (Pty) Ltd takes appropriate measures to prevent and minimize risks of unauthorized access to, improper use of and the inaccuracy of the customer’s personal information.

Rizzolve (Pty) Ltd will not disclose any personal information to a person/company who is not directly involved in the delivery of our products/services or without the customer’s permission, unless compelled by law/in terms of a court order to do so, or in the public interest or where necessary to protect the rights and ensure the integrity and operation of its business and systems.

Rizzolve (Pty) Ltd uses enterprise standard technology such as MSSQL RDBMS, the C# language, JavaScript, NodeJS, Amazon S3, Elasticsearch and IIS Application Server. These technologies are tried and tested and used by a vast array of businesses around the world to create secure systems. Furthermore, we use an Enterprise Agile Development Platform called OutSystems, which further enhances the security of the platform.

Rizzolve (Pty) Ltd adheres to industry practices in terms of securing the servers that the Centricity Platform is hosted upon. The standards include ISO 27001 certification, as the Centricity Platform and data are hosted on Amazon Web Services (AWS) located in Ireland.

AWS has achieved ISO/IEC 27001:2013, 27017:2015, and 27018:2014 certification of their Information Security Management System (ISMS) covering their infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that is based on periodic risk assessments appropriate to ever-changing threat scenarios. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon’s commitment to providing transparency into its security controls and practices. AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide and AWS has established a formal program to maintain the certification.

SSL (Secure Sockets Layer) is used by Centricity to establish an encrypted link between our servers and a web browser accessing the Centricity Platform. SSL is a standard security technology for connections (see details of our SSL Security Certificate at the end of this document).

Commercial Measures Implemented to protect Client Data

Data security (with specific reference to the member’s personal information) is detailed in our standard Privacy Policy. It is stated that Centricity is not allowed to use the database for any purpose other than the fulfilment of their agreement and is not allowed to make known or disseminate the database or any part thereof to any third party that is not directly involved in the delivery of the contracted products and/or services.

Please see the Services Agreement which refers to the Customer Data, the protection thereof, the return of this data to the client, and destruction of data and any copies thereof, if requested, pending an accepted fee for this service.


Previous Versions

None

 



We will not be held liable for any misrepresentation caused due to an unintentional copy error, typing error and/or omission that may occur on any of our material.
© 2021 Rizzolve Limited.