Vendor self-service pre-assessment

Ten questions, two minutes, no sign-up. This gives an indicative view of how you would fare in our vendor compliance assessment — a full, evidence-backed assessment follows onboarding. No answers here affect a formal assessment.

A2 · POPIA ss 55–56 · GDPR Art 37
Have you appointed an Information Officer (or equivalent, e.g., DPO), and is that officer registered with the SA Information Regulator where required?
B1 · POPIA ss 20–21 · GDPR Art 28 · ISO A.5.19
Will you sign a written operator/data-processing agreement that obligates you to confidentiality and the security safeguards required by POPIA ss 20–21?
Mandatory requirement in the full assessment
C2 · POPIA s 72 · GDPR Art 44–46
Is our data ever processed, transited, cached, or accessed (including by support staff or downstream model/API providers) outside the agreed region without a valid POPIA s 72 mechanism?
Mandatory requirement in the full assessment
D1 · GDPR Art 28(3)(a)
Do you, or any sub-processor (including AI model providers), use our data to train, fine-tune, or improve models or services for anyone other than us?
Mandatory requirement in the full assessment
E1 · GDPR Art 32 · ISO 27001 (whole standard)
Do you hold current independent certifications or attestations (ISO/IEC 27001, SOC 2 Type II, or equivalent)?
E2 · GDPR Art 32 · ISO A.8.24
Is data encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent)? Who holds and manages the encryption keys, and can we bring/manage our own keys?
E5
Do you run vulnerability management and at least annual independent penetration tests?
F1 · POPIA s 22 · GDPR Art 33 · ISO A.5.24
Will you notify us of any security compromise affecting our data as soon as reasonably possible after becoming aware, and no later than a contractually agreed maximum (target: 24–72 hours), with sufficient detail for us to meet our POPIA s 22 duties?
Mandatory requirement in the full assessment
F3
Do you test the incident-response plan at least annually (tabletop or live)? When was the last test?
G1 · POPIA ss 23–25 · GDPR Art 15–17
Can you locate, export, correct, and delete a specific data subject’s personal information in our dataset on request? State your response SLA.

Optional: tell us who you are

Leave these blank to stay anonymous. If you share an email, our compliance team can follow up about onboarding. We store only what you enter here.

Back to sign in