Chapter 16 · POPIA Compliance

POPIA Compliance Statement

How Hustla meets its obligations under the Protection of Personal Information Act (Act 4 of 2013). A standing statement of the conditions, safeguards and rights that govern every record we hold.

Last updated · May 2026
Hustla · Volume IV — Legal
POPIA · Act 4 of 2013
Preamble

Verification is, by its nature, a high-trust act. To do it well, we hold information that most platforms will never touch — South African ID numbers, criminal-record clearances, immigration status, biometric photographs. This statement sets out, in plain English, how we comply with the Protection of Personal Information Act and the Promotion of Access to Information Act when handling that information. It is reviewed annually, and at any time the law or our practices materially change.

Reading time: ~10 minutes
Sections: 10 · numbered 01–10
Governing law: Republic of South Africa
Section 01

Our commitment to POPIA

Hustla processes special and sensitive personal information as a routine part of its business. South African ID numbers, criminal-record results returned by SAPS, work-permit and immigration status returned by the Department of Home Affairs, and biometric facial photographs all pass through our systems. Without that information we cannot verify a worker; with it, we accept obligations that go beyond those of an ordinary platform.

We treat POPIA not as a paperwork exercise but as the governing framework for the entire product. Every collection point, every storage decision, every access by an operator and every transfer outside South Africa is mapped against the Act before it is permitted. This statement is the public version of that internal mapping.

This statement is reviewed and republished at least once every twelve months, and immediately on any material change in the law, our processing, or our sub-processor arrangements. The "Last updated" stamp at the top of the page is the canonical record of the current version.

Section 02

Who is the responsible party

Under Section 1 of POPIA, the responsible party is the person or entity that, alone or in conjunction with others, determines the purpose of and means for processing personal information. For everything Hustla does, that is Thought Into Reality (Pty) Ltd.

Responsible party
Trading name: Hustla
Legal entity: Thought Into Reality (Pty) Ltd
Registered at: Atrium on 5th, 9th Floor, 5th Street, Sandton, Johannesburg, 2196
Information Officer: [email protected] (interim)
General contact: [email protected]

iDeployed UG (haftungsbeschränkt), the parent company of Thought Into Reality and based in Leipzig, Germany, acts as an operator on our behalf. It provides engineering, hosting orchestration and security services and processes personal information only on documented instructions from us. The relationship is governed by a written data processing agreement that satisfies Section 21 of POPIA and the requirements of the EU General Data Protection Regulation. The agreement is available on request to the Information Officer.

Operator (sub-processor)
Legal entity: iDeployed UG (haftungsbeschränkt)
Based in: Leipzig, Germany
Role: Operator under Section 1 POPIA / Processor under GDPR
Governing instrument: Data Processing Agreement (Sections 20 & 21 POPIA)

The role of Information Officer is presently held on an interim basis by the founding team, who are reachable at the address above. A permanent appointment, registered with the Information Regulator under Section 55 of POPIA, will be announced on this page when it takes effect.

Section 03

The eight conditions for lawful processing

Sections 8 to 25 of POPIA set out eight conditions that all processing of personal information in South Africa must satisfy. Each one places a specific duty on the responsible party. This section explains how Hustla meets each condition in practice — not by quoting the Act, but by describing the controls we apply.

How we meet each condition
1 · Accountability
Thought Into Reality (Pty) Ltd, as the responsible party, owns POPIA compliance end to end. The Information Officer is the single point of accountability inside the company, reports to the board, and is supported by a written compliance register that maps every processing activity to its lawful basis and retention rule. (Section 8.)
2 · Processing limitation
We collect only the categories of personal information set out in the Privacy Policy, and only with the data subject’s consent or under a statutory ground listed in Section 11. A worker may withdraw consent at any time; where withdrawal is incompatible with a statutory obligation, we explain which and for how long. (Sections 9 to 12.)
3 · Purpose specification
Every category of information is tied to a specific, explicitly defined and lawful purpose at the point of collection — verification, matching, account integrity, legal obligation, or service improvement. We do not collect information speculatively. The purposes are disclosed in the Privacy Policy before consent is requested. (Section 13.)
4 · Further processing limitation
Information collected for verification is not re-used for marketing, profiling, advertising or training of machine-learning models. Any new purpose is treated as a new collection and requires fresh consent or a new statutory ground. (Section 15.)
5 · Information quality
We take reasonable, practicable steps to keep the information we hold complete, accurate, not misleading and up to date. Workers can correct their own profiles directly; verification results are pulled from the source authority and timestamped, so the record always shows when it was last refreshed. (Section 16.)
6 · Openness
The Privacy Policy, this POPIA Compliance Statement and the PAIA Manual are published on hustla.co.za and available on request. Every data subject is told, at the point of collection, what we collect, why, who we share it with, and how long we keep it. (Sections 17 and 18.)
7 · Security safeguards
We apply the technical and organisational controls set out in Section 06 below — AES-256 encryption at rest, TLS 1.3 in transit, isolated document storage, least-privilege access, audit logging, annual third-party review, and a tested incident-response plan. Operators are bound by written agreements that impose the same standard. (Sections 19 to 22.)
8 · Data subject participation
Workers and employers can ask for a copy of the personal information we hold about them, correct it, delete it where the law allows, and object to processing. Requests are handled by the Information Officer within 30 calendar days. The full procedure is set out in Section 07 below. (Sections 23 to 25.)
Section 04

Special personal information

Section 26 of POPIA prohibits the processing of special personal information except where one of the grounds in Section 27 applies. Hustla relies on Section 27 to process the categories below — each one is essential to verification and cannot be replaced by a less sensitive alternative.

Special categories we process
South African ID numbers
Used to confirm identity against the National Population Register via the Department of Home Affairs. Stored encrypted with AES-256 at rest, masked in all user-facing screens, and exposed in full only to the verification subsystem at the moment of a check. Lawful ground: Section 27(1)(b) — processing required for the establishment, exercise or defence of a right or obligation in law.
Criminal-record information
Returned by the South African Police Service Criminal Record Centre on a worker’s consented request. The result is recorded as a pass-or-flag status; the underlying record is not retained beyond the verification window and is purged on completion. Lawful ground: Section 27(1)(a) — consent given by the data subject, supported by Section 33 for criminal behaviour information.
Work-permit and immigration status
Verified against the Department of Home Affairs where the worker is a foreign national. Stored as a verified-yes-or-no flag with the permit category and expiry; the full document image is destroyed once the check has cleared. Lawful ground: Section 27(1)(b) — compliance with the Immigration Act and labour-law obligations on employers.
Biometric photograph
A facial photograph captured at registration and matched against the photograph held by the Department of Home Affairs. Used only for identity matching, never shared with employers in raw form, and never used for surveillance or training of facial-recognition models. Lawful ground: Section 27(1)(a) — explicit consent obtained at registration.

No special personal information is processed without one of the grounds in Section 27 being recorded against it in our internal compliance register. We do not process religious or philosophical beliefs, race, political persuasion, trade-union membership, health, sex life or sexual orientation under any circumstances.

Section 05

Trans-border information flows

Section 72 of POPIA restricts the transfer of personal information outside South Africa. A transfer is only lawful where the recipient is subject to a law, binding corporate rules or binding agreement that provides an adequate level of protection, where the data subject has consented, or where one of the other grounds in Section 72 applies. Every transfer Hustla makes is mapped against that test.

Recipients outside South Africa
iDeployed UG (haftungsbeschränkt) — Germany
Our parent company and primary operator. The European Union is recognised by the Information Regulator as providing an adequate level of protection through the General Data Protection Regulation. Transfers are additionally governed by a written processing agreement and EU standard contractual clauses, satisfying Section 72(1)(a).
Google Cloud Platform — multi-region
Underlying infrastructure for storage, compute and managed databases. Data is held in regional buckets and processed under Google’s POPIA-aligned data processing addendum and EU standard contractual clauses. Satisfies Section 72(1)(a).
Resend — United States
Transactional email delivery for account verification, notifications and Information Officer correspondence. Bound by a written data processing agreement incorporating EU standard contractual clauses and equivalent commitments under Section 72(1)(a).

No personal information is transferred outside South Africa other than as set out above. Each recipient is bound by a written agreement that obliges it to process the information only on our instructions, to apply controls equivalent to ours, and to return or destroy the information at the end of the engagement. The full agreements are available to the Information Regulator on request.

Section 06

Security measures

Section 19 of POPIA requires the responsible party to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures. The measures we apply are set out below. They are reviewed at least annually and are subject to an independent third-party assessment.

Technical & organisational controls
Encryption at rest
All personal information is stored encrypted with AES-256. Encryption keys are managed in a hardware-backed key-management service with separation of duties between key administrators and data administrators.
Encryption in transit
All traffic between client and server, and between internal services, is protected by TLS 1.3. Older protocol versions are refused at the load balancer.
Isolated document storage
Verification documents — ID images, SAPS results, DHA confirmations — are held in a dedicated Google Cloud Storage bucket separate from application data, with its own access keys, its own logging, and no public read path.
Access control
Access to production systems is granted on a least-privilege basis through single sign-on with a hardware-key second factor. Roles are reviewed quarterly; access is removed on the same day a team member leaves.
Audit logging
Every read of a verification record is logged with the operator’s identity, the time, and the business reason. Logs are immutable and retained for seven years to meet POPIA and the Tax Administration Act.
Annual independent review
Our security posture is reviewed by an independent assessor at least once a year. A summary report is published on our transparency page and the full report is available to the Information Regulator on request.
Incident response
A written incident-response plan is maintained and tested by tabletop exercise twice a year. The plan covers detection, containment, notification and remediation, and assigns named owners for each step.
Breach notification
Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we notify the Information Regulator and every affected data subject as soon as reasonably possible and without undue delay, in accordance with Section 22 POPIA.
Section 07

Data subject rights

POPIA grants every data subject a defined set of rights over their personal information. Hustla is obliged to give effect to those rights, and the procedure below sets out exactly how to exercise them.

Your rights and how to exercise them
Right to access (Section 23)
You may ask to be told whether we hold personal information about you and, if so, to be given a copy of that information together with the identity of any third party who has had access to it. The first request in any twelve-month period is free of charge; subsequent requests may carry a reasonable fee.
Right to correction & deletion (Section 24)
You may ask us to correct or delete information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained, and to destroy or delete information we are no longer authorised to retain. Where deletion is constrained by a legal hold, we will say which hold applies and delete the rest.
Right to object to processing (Section 11(3))
You may object, on reasonable grounds and in the prescribed form, to the processing of your personal information for any purpose other than a statutory one. We will stop the processing in question unless an overriding statutory ground compels us to continue.
Right to complain to the Regulator
You may at any time submit a complaint to the Information Regulator of South Africa about the way we have processed your personal information. Our contact details and those of the Regulator are in Section 10 below.

To submit any of the above, write to [email protected] with the subject line "POPIA Request" and tell us which right you wish to exercise and what information the request relates to. We will acknowledge your request within five business days and respond in full within 30 calendar days. Where a request is unusually complex, we will tell you within the same 30 days why a longer period is needed and how long it will take.

Section 08

Retention and destruction

Section 14 of POPIA prohibits the retention of personal information for longer than is necessary for the purpose for which it was collected, unless retention is required by law, reasonably required for a lawful purpose related to a function or activity, or agreed to by the data subject. The schedule below sets out the periods we apply, and our destruction process.

Retention schedule
Active worker profile
Retained for the lifetime of the worker’s account. Closed by the worker at any time from account settings; closure is actioned within 30 days.
Verification records
Five years from the date of issue, in line with PSiRA record-keeping rules and the standard limitation period for civil claims in South Africa.
Criminal-record information
Not retained. The pass-or-flag outcome is recorded against the verification file; the underlying SAPS record is purged from our systems as soon as the verification is complete.
Contact and Information Officer messages
Two years from the date of the most recent correspondence, to allow for follow-up and reference.
Audit logs
Seven years, as required to evidence POPIA compliance and to meet the record-keeping obligations of the Tax Administration Act.

Destruction is by secure cryptographic purge: the encryption keys protecting the information are destroyed, rendering the underlying data unrecoverable, and the storage location is then overwritten. Destruction is logged with the time, the operator and the basis for the action. Where the law obliges us to keep information beyond the active life of an account, we restrict access to it, isolate it from production systems, and delete it as soon as the obligation falls away.

Section 09

PAIA manual

The Promotion of Access to Information Act (Act 2 of 2000) gives every person the right to request access to records held by a private body where the record is required for the exercise or protection of a right. Section 51 of PAIA requires Hustla to publish a manual describing the records we hold and the procedure for requesting access to them.

Hustla’s PAIA Manual is available free of charge on request to the Information Officer. The manual sets out the categories of records we hold, the subjects on which we hold them, the prescribed request form, the fees that apply, and the grounds on which we may refuse a request.

How to request the PAIA Manual
By email
Write to [email protected] with the subject line "PAIA Manual" and we will send a copy by return.
By post
Address a written request to the Information Officer, Thought Into Reality (Pty) Ltd, Atrium on 5th, 9th Floor, 5th Street, Sandton, Johannesburg, 2196.
To request access to a record
Complete Form 2 of the PAIA regulations and submit it to the Information Officer at the email or postal address above. We will respond within 30 calendar days, as required by Section 56 of PAIA.
Section 10

Contact the Information Officer

All POPIA correspondence — requests, complaints, notifications, queries — should be addressed to the Information Officer at the details below. We acknowledge every message within five business days and resolve substantive matters within 30 calendar days.

Information Officer · Hustla
Holder: [email protected] (interim)
Responsible party: Thought Into Reality (Pty) Ltd
Postal: Atrium on 5th, 9th Floor, 5th Street, Sandton, Johannesburg, 2196
Subject line: POPIA Request · PAIA Request · POPIA Complaint

If you are not satisfied with our response, or you believe we have processed your personal information unlawfully, you have the right under Section 74 of POPIA to lodge a complaint with the Information Regulator of South Africa.

Information Regulator of South Africa
Website: www.inforegulator.org.za
Telephone: 010 023 5207
Postal: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

A complaint to the Regulator should set out the conduct complained of, the personal information affected, the steps already taken with the responsible party, and the outcome the complainant seeks. The Regulator will assess the complaint, may conduct an investigation, and may issue an enforcement notice under Section 95 of POPIA where it finds interference with the protection of personal information.

— Thought Into Reality (Pty) Ltd | Information Officer · Sandton, May 2026
End of chapter 16