Trust, Security & Data Protection
Independently assured (annual ISAE 3402), POPIA & Mauritius DPA aligned, data deployed where it needs to live, and built on Microsoft Azure.
Independently verified every year
Enterprise and public-sector customers need to verify their data is safe, not take our word for it. Our solutions rest on a disciplined, independently-assured control environment, a privacy-by-design approach to personal data, and the freedom for you to decide where your data lives. Here’s exactly how.
How we protect your data
Independently assured, ISAE 3402
Every year we undergo an independent ISAE 3402 assurance engagement covering our general IT control environment: the controls that govern system access, change management and IT operations. External, recurring and evidence-based: an independent auditor verifies our control discipline each year.
Data protection: POPIA & the Mauritius DPA
We design and operate in line with the data-protection laws of the markets we serve: POPIA in South Africa and the Data Protection Act in Mauritius. In practice: lawful, purpose-limited processing, data minimisation, defined retention and respect for data-subject rights, with privacy considered from the design stage.
Data sovereignty: where your data needs to live
Hosting and residency are agreed per engagement: we can deploy within your own Microsoft Azure tenant or a chosen Azure region, keeping South African data in South Africa, and handling Mauritian data in line with local requirements. You retain ownership and control of your data throughout.
A secure foundation, built on Microsoft
Our solutions are engineered on Microsoft Azure and the wider Microsoft ecosystem, and we hold Microsoft partner designations that reflect assessed capability and standing. Building on Azure means your solution sits on a platform that carries extensive, independently-audited security and compliance certifications.
What this means for you
The questions procurement and risk teams ask, and how this answers them.
- Is your control environment independently assured?Yes: an independent, annual ISAE 3402 over our general IT controls.
- Do you respect our data-protection obligations?Yes: POPIA and the Mauritius Data Protection Act, by design.
- Where will our data be hosted?Where you need it: your own Azure tenant or a chosen region; South African data stays in South Africa.
- Is the foundation secure?Microsoft Azure, with our Microsoft partner credentials and Azure’s audited platform certifications.
- How do you govern your use of AI?Under a formal Responsible AI Use Policy: human accountability, a zero-exposure rule for confidential data, and POPIA alignment.
Our governance policies
The formal policies that underpin how we use AI in client engagements and how we handle personal data.
Responsible AI Use Policy
1. Purpose
This policy outlines the principles, safeguards and responsibilities governing the use of Artificial Intelligence (AI) technologies by nVisionIT when delivering services to clients. The goal is to ensure that AI is used responsibly, ethically, securely and transparently, following industry-standard Responsible AI frameworks and aligning with applicable privacy regulations such as POPIA.
2. Scope
This policy applies to all AI systems, tools and models used in client engagements (including Generative AI, classification systems, Copilot-based tooling and automated analysis tools), and to all nVisionIT staff, contractors and partners involved in consulting, development, testing, data handling or solution delivery.
3. Responsible AI principles
- Accountability: nVisionIT maintains full accountability for any AI system used in a client environment. Humans remain responsible for reviewing, verifying and approving all AI-generated outputs.
- Fairness & bias mitigation: structured processes minimise bias during model selection, prompt design, data handling and output evaluation.
- Data privacy & POPIA alignment: all AI activities respect data minimisation, purpose specificity, consent requirements, secure processing and avoidance of confidential-data exposure.
- Transparency: we give clients clear visibility into how AI systems function, how outputs are generated and how content is validated.
- Security & safety: AI-enabled processes must be resilient, governed and protected from misuse, manipulation or leakage.
- Validity & reliability: all AI-generated material undergoes quality checks, testing and verification for accuracy, correctness and business relevance.
4. Acceptable use of AI in client environments
Permitted use: code scaffolding, automated testing, secure deployment analysis and regression analysis; document generation (BRDs, SADs, specs) and internal productivity; security-focused enhancements such as anomaly detection; and classification of data under POPIA and other regulatory frameworks. All outputs must be validated before inclusion in deliverables.
Prohibited use: employees must not provide any client, citizen, confidential or third-party data to public Generative AI tools without explicit approval; use AI tools to generate full systems or deploy unvalidated code; use AI in a way that violates laws, contracts, privacy requirements or industry standards; or generate deceptive, fraudulent or misleading content.
5. Data protection & confidentiality controls
Zero-exposure rule: no confidential, regulated, personal or client-owned data may be submitted to external AI platforms unless a contractual agreement exists, the platform meets client-specific security requirements, and explicit written approval is obtained.
Secure processing: AI systems used in client engagements must follow data classification, access controls, encryption standards and secure prompt-handling guidelines. A risk-based approach may assist with risk scoring, compliance tagging and identifying sensitive information under POPIA.
6. Client transparency & reporting
nVisionIT commits to disclosing where and how AI is used in deliverables, outlining validation steps and safeguards, and documenting governance and human-review processes. Clients may request model-usage details, data-handling procedures, security or audit assurances, and AI risk assessments.
7. Governance & oversight
Only approved AI technologies may be used for client projects, assessed on security posture, licensing, cost management and governance review. AI assists, humans own: all AI-generated artefacts must be reviewed, version-controlled and tracked in repositories. Internal governance teams periodically review model performance, security threats, compliance requirements and the effectiveness of controls.
8. Regulatory compliance commitment
nVisionIT commits to compliance with POPIA, client-specific data-protection terms, industry standards for responsible AI and global frameworks where applicable. Where AI is classified as “high risk”, appropriate controls, documentation and validation mechanisms are implemented.
9. Incident management & reporting
Any suspected or confirmed AI-related incident, including data leakage, incorrect outputs, harmful content or unauthorised access, must be escalated immediately to info@nvisionit.co.za or the Account Manager for containment and client notification where required. This policy is reviewed annually, or sooner if regulatory environments change or new AI capabilities introduce new risk considerations.
Talk to us about your security & compliance requirements
We’re happy to walk your security, risk and procurement teams through our controls, data-protection approach and hosting options.