POPIA Compliance

1. Introduction

IntelliDesk ("IntelliDesk", "we", "our", "us") is a helpdesk and project-management platform operated by i60 (i60.co), a South African business. This page explains how we comply with the Protection of Personal Information Act, 2013 ("POPIA") when we process personal information of our customers, their end-users, and visitors to our website at intellidesk.co.

POPIA is the primary South African data protection law. It sets out eight conditions for the lawful processing of personal information and creates rights for data subjects. We take POPIA obligations seriously and have implemented the measures described below to satisfy those conditions.

2. Our role — Responsible Party vs Operator

POPIA distinguishes between a Responsible Party (the entity that determines the purpose and means of processing — equivalent to a "data controller" under GDPR) and an Operator (an entity that processes personal information on behalf of a Responsible Party — equivalent to a "data processor" under GDPR). IntelliDesk operates in both capacities depending on the data in question:

• IntelliDesk as Responsible Party. When we collect personal information directly from visitors to our marketing site, from prospective customers evaluating the service, and from our own employees and contractors, we act as the Responsible Party. We determine the purpose and means of that processing and are directly accountable under POPIA.
• IntelliDesk as Operator. When a customer uses IntelliDesk to manage support tickets, project cards, contacts, helpdesk messages, and attachments, the customer is the Responsible Party for the personal information contained in that data. IntelliDesk processes that data only on the customer's behalf and in accordance with their instructions (their configuration of the service and their written terms with us). Our obligations as Operator are set out in Section 20 and 21 of POPIA and are mirrored in our Data Processing Agreement.

3. Information Officer

Under Section 55 of POPIA, every Responsible Party must designate an Information Officer. Our Information Officer is responsible for ensuring compliance with POPIA, managing data-subject requests, responding to the Information Regulator, and maintaining the policies and procedures required by the Act.

• Information Officer: Leon Nel
• Entity: i60
• Email: privacy@intellidesk.co
• Information Regulator registration: Registration with the Information Regulator of South Africa is maintained in accordance with the Regulator's requirements. Registration details are available on request.

4. POPIA's eight conditions for lawful processing

POPIA requires that all processing of personal information satisfies eight conditions. Here is how IntelliDesk meets each condition:

4.1 Accountability (Section 8)

We are accountable for complying with POPIA in respect of the personal information we process as Responsible Party. Our Information Officer (Section 3 above) is tasked with overseeing this compliance. When we act as Operator for a customer, the customer is the accountable party, and our obligations to them are governed by our Data Processing Agreement.

4.2 Processing limitation (Section 9–12)

We only process personal information that is lawful, fair to the data subject, and not excessive for the purpose. Processing is carried out only if it is necessary to provide the service the data subject or customer has requested, or if we have another lawful basis (such as consent, contractual necessity, legal obligation, or legitimate interest). We collect personal information directly from the data subject wherever practicable.

4.3 Purpose specification (Section 13–14)

Personal information is collected for specific, explicit, and lawful purposes related to a function or activity of our business: operating the IntelliDesk platform, providing support, billing, communicating service updates, and complying with the law. We do not use personal information for purposes that are incompatible with the purpose for which it was originally collected.

4.4 Further processing (Section 15)

If we need to use personal information for a purpose different from the one for which it was collected, we will assess whether the new purpose is compatible with the original purpose, whether we need to obtain fresh consent, or whether another lawful basis applies. We will not further-process personal information in a way that is incompatible with the purpose for which it was collected.

4.5 Information quality (Section 16)

We take reasonably practicable steps to ensure that personal information we hold is complete, accurate, not misleading, and updated where necessary. Customers can update their own account information through the IntelliDesk user interface. Data subjects can request correction of their personal information through the procedure in Section 6 below.

4.6 Openness (Section 17–18)

We are transparent about the personal information we process and the purposes for which we process it. Our Privacy Policy sets out the categories of personal information we collect, the sources, and the recipients. Data subjects can request access to their personal information through the procedure in Section 6 below.

4.7 Security safeguards (Section 19–22)

We implement appropriate technical and organisational measures to protect the personal information we hold against loss, damage, unauthorised access, and destruction. These include:

• Encryption of data in transit using TLS/HTTPS
• Encryption at rest of sensitive data such as API keys, OAuth refresh tokens, and IMAP credentials (AES-256-GCM)
• Tenant-level isolation in our database: each customer's data is scoped to its own tenant record, and all queries enforce tenant ownership before returning results
• Role-based access controls within the application so that agents can only access data within helpdesks they are members of
• Authentication via Clerk, including multi-factor authentication options
• Regular security reviews of our codebase and dependencies
• Audit logging of administrative and data-deletion actions

In the event of a security compromise where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person (a "security compromise" under Section 22 of POPIA), we will notify the Information Regulator and affected data subjects as soon as reasonably possible, consistent with the requirements of the Act. Customers acting as Responsible Party are contractually required to notify us promptly of any compromise affecting data we process on their behalf, so we can assist them in meeting their own notification obligations.

4.8 Data subject participation (Section 23–25)

Data subjects have the right to ask whether we hold personal information about them, to request a description of that information, and to request correction or deletion where appropriate. Section 6 below sets out how to exercise these rights.

5. Your rights as a data subject

If you are a South African data subject whose personal information is processed by IntelliDesk, you have the following rights under POPIA:

• Right to be notified — to be told that we are collecting your personal information and the purpose for which it is being collected
• Right of access — to ask whether we hold personal information about you, and to receive a description of that information
• Right to correction or deletion — to request that we correct personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully; or that we delete personal information that is no longer authorised to be retained under Section 14 of POPIA
• Right to object — to object to the processing of your personal information on reasonable grounds, or where processing is for direct marketing purposes
• Right to complain — to submit a complaint to the Information Regulator of South Africa if you believe your personal information has been processed in contravention of POPIA

6. How to exercise your rights

To exercise any of the rights in Section 5, please contact our Information Officer at privacy@intellidesk.co. Please include enough information for us to verify your identity and to locate your records. We will respond to your request within a reasonable time, ordinarily within 30 days.

Access requests under POPIA are made using the procedures in the Promotion of Access to Information Act, 2000 ("PAIA"). Our PAIA manual is available on request from the Information Officer.

If you are not satisfied with our response, you may lodge a complaint with:

• The Information Regulator of South Africa
• Website: inforegulator.org.za
• Email for complaints: POPIAComplaints@inforegulator.org.za

7. Sub-operators (sub-processors)

We engage the following sub-operators to help us provide the IntelliDesk service. Each sub-operator is contractually required to implement appropriate security measures and to process personal information only in accordance with our instructions.

• Convex (convex.dev) — Real-time database and backend infrastructure. Our production Convex deployment is hosted in the EU-West region.
• Vercel (vercel.com) — Application hosting and delivery (edge network).
• Clerk (clerk.com) — Authentication, user management, and organisation management.
• Stripe (stripe.com) — Payment processing for subscription billing. Card details are never stored on IntelliDesk servers.
• Google (Gmail API) — Used only when a customer connects their Gmail account to ingest inbound email. Subject to the Google API Services User Data Policy as set out in our Privacy Policy.
• Microsoft (Microsoft Graph / Outlook) — Used only when a customer connects their Office 365 mailbox for the same purpose.
• SendGrid / transactional email provider — Used for outbound system email (notifications, password resets, billing receipts).

We will give customers at least 30 days' notice before adding or replacing a material sub-operator, during which customers may object to the change. If a customer reasonably objects to a new sub-operator and the objection cannot be resolved, the customer may terminate their subscription without penalty. Updates to this list will be reflected on this page and communicated to customers as appropriate.

8. Cross-border data transfers

Section 72 of POPIA restricts the trans-border flow of personal information unless certain conditions are met. Because several of our sub-operators are located outside South Africa (notably Convex in the EU-West region, Vercel, Clerk, Stripe, Google, and Microsoft, whose data centres are typically in the European Union or the United States), personal information processed through IntelliDesk may be transferred across borders.

We rely on Section 72(1)(a) of POPIA: the recipient is subject to a law, binding corporate rules, or binding agreements that provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information in POPIA, and that include provisions substantially similar to Section 72(1) regarding onward transfer. Our agreements with sub-operators include standard contractual clauses or equivalent protective measures.

Where Section 72(1)(a) does not apply, we will obtain the data subject's consent to the transfer, or rely on another lawful basis permitted by Section 72.

9. Data retention and deletion

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, subject to any legal, contractual, or regulatory requirement to retain the information for longer. Specific retention periods are set out in our Privacy Policy.

On termination of a customer's subscription, or on request by a customer exercising their rights under Section 14 of POPIA, we will delete or de-identify the customer's data within a commercially reasonable timeframe, subject only to backups that are rotated and over-written on a regular cycle.

10. Data Processing Agreement

Customers who use IntelliDesk as an Operator for personal information of their own end-users (their employees, contacts, or customers) may require a written Data Processing Agreement (DPA) that codifies our obligations under Sections 20 and 21 of POPIA.

Our standard DPA is available at intellidesk.co/dpa. For most customers, the DPA is automatically incorporated into the Terms of Service by reference. Customers who require a countersigned DPA for their compliance records may print the DPA from the web page, sign it, and send a copy to privacy@intellidesk.co — we will countersign and return it.

11. Changes to this page

We may update this page from time to time to reflect changes in our processing, our sub-operators, our security measures, or applicable law. Material changes will be communicated to our customers by email or in-app notification. The "Effective date" at the top of this page indicates when the current version took effect.

12. Contact

For POPIA-related enquiries, including data-subject requests, sub- operator objections, and compliance documentation:

• Information Officer: privacy@intellidesk.co
• Entity: i60 — https://i60.co
• Related pages: Privacy Policy, Terms of Service, Data Processing Agreement, Cookie Policy