Data Processing Policy

Last updated: August 2025

1. Introduction

TrustLedger Auditors ("we," "our," or "us") is committed to processing data in accordance with its responsibilities under the Protection of Personal Information Act (POPIA) of South Africa and similar international data protection regulations.

This Data Processing Policy outlines our approach to data processing, the measures we take to ensure compliance, and the rights of data subjects. It should be read in conjunction with our Privacy Policy.

2. Scope and Definitions

This policy applies to all personal information processed by TrustLedger Auditors, whether as a data controller or data processor.

For the purpose of this policy:

"Personal information" means information relating to an identifiable, living individual or existing company.
"Processing" means any operation performed on personal information, including collection, use, storage, disclosure, or deletion.
"Data subject" means the person to whom personal information relates.
"Responsible party" (or "data controller" under GDPR) means the entity that determines the purpose and means of processing personal information.
"Operator" (or "data processor" under GDPR) means the entity that processes personal information on behalf of a responsible party.

3. Data Processing Principles

TrustLedger Auditors adheres to the following principles when processing personal information:

3.1. Lawfulness, Fairness, and Transparency

We process personal information lawfully, fairly, and in a transparent manner. We ensure that data subjects are informed about how their personal information is collected, used, and shared.

3.2. Purpose Limitation

We collect personal information for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

3.3. Data Minimization

We limit the collection of personal information to what is necessary for the purposes for which it is processed.

3.4. Accuracy

We take reasonable steps to ensure that the personal information we process is accurate and kept up-to-date.

3.5. Storage Limitation

We retain personal information for no longer than necessary for the purposes for which it was collected, subject to legal retention requirements.

3.6. Security and Confidentiality

We implement appropriate technical and organizational measures to protect personal information against unauthorized or unlawful processing, accidental loss, destruction, or damage.

3.7. Accountability

We take responsibility for complying with data protection principles and are able to demonstrate compliance.

4. Data Subject Rights

TrustLedger Auditors recognizes and respects the rights of data subjects under POPIA and similar regulations, including:

The right to be informed
The right of access
The right to rectification
The right to erasure (subject to legal limitations)
The right to restrict processing
The right to data portability (where applicable)
The right to object to processing
Rights in relation to automated decision-making and profiling

5. Data Processing Activities

We maintain a record of our data processing activities, including:

Categories of data subjects and personal information processed
Purposes of processing
Categories of recipients of personal information
Transfers of personal information to other countries or international organizations
Retention schedules
Security measures implemented

6. Data Protection Impact Assessments

We conduct data protection impact assessments (DPIAs) where processing operations are likely to result in high risk to the rights and freedoms of data subjects.

7. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of personal information
Access controls and authentication measures
Regular security assessments
Employee training on data protection
Physical security measures
Business continuity and disaster recovery procedures

8. Data Breach Management

In the event of a personal information breach, we will:

Investigate the breach to determine its cause and scope
Implement measures to contain and mitigate the breach
Notify relevant authorities and affected data subjects as required by law
Document the breach and response actions
Review and update our security measures as necessary

9. Transfer of Personal Information

We transfer personal information across borders only when adequate safeguards are in place to protect the information, such as:

Data processing agreements with appropriate clauses
Binding corporate rules
Adequacy decisions by relevant authorities
Explicit consent of data subjects (where appropriate)

10. Data Protection Officer

TrustLedger Auditors has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and implementation. The DPO serves as a point of contact for data subjects and supervisory authorities.

11. Vendor Management

When engaging third-party vendors who process personal information on our behalf, we:

Conduct appropriate due diligence
Enter into data processing agreements that include appropriate data protection clauses
Regularly monitor and audit vendor compliance

12. Training and Awareness

We provide regular training to our employees on data protection requirements and best practices. All employees are required to comply with this policy and related procedures.

13. Policy Review

We review this Data Processing Policy periodically to ensure its continued effectiveness and compliance with applicable laws and regulations. Changes to this policy will be communicated appropriately to relevant stakeholders.

14. Contact Information

For questions or concerns about this Data Processing Policy or our data protection practices, please contact our Data Protection Officer at:

Data Protection Officer
TrustLedger Auditors
42 Somerset Road
Green Point, Cape Town
8005, South Africa

Phone: +27 21 004 6810
Email: dpo@cretanovalab.sbs