POPIA & Data Compliance

Section 01

Our Commitment to POPIA

Nexo Technologies (Pty) Ltd is committed to processing personal information responsibly, lawfully, and transparently. We have implemented policies, procedures, and technical controls to ensure ongoing compliance with POPIA across all areas of our business.

Our compliance programme includes:

Appointment and registration of an Information Officer with the Information Regulator
Staff training on data protection obligations
Data processing impact assessments for high-risk activities
Binding data processing agreements with all third-party operators
Regular audits of personal information processing activities
Documented retention and destruction schedules

Section 02

Information Officer

As required by POPIA Section 55, Nexo Technologies (Pty) Ltd has appointed an Information Officer and registered them with the Information Regulator of South Africa.

Information Officer
Jared David Chellan
Nexo Technologies (Pty) Ltd
Registration No: 2026-005742

Email: [email protected]
Phone: 076 690 8838
Address: Unit G07 InoSpace Malibongwe Exchange, 123 Malibongwe Drive, Strydompark, Johannesburg, 2195, South Africa

The Information Officer is responsible for ensuring compliance with POPIA, handling data subject requests, managing data breaches, and liaising with the Information Regulator.

Deputy Information Officers may be appointed as needed. Contact [email protected] to confirm current details.

Section 03

The Eight Conditions of Lawful Processing

POPIA requires all processing of personal information to comply with eight conditions. Here is how Nexo meets each condition:

Condition 1

Accountability

We accept responsibility for all personal information in our possession and have appointed a registered Information Officer.

Condition 2

Processing Limitation

We only collect personal information that is adequate, relevant, and not excessive relative to its purpose. We collect with the consent of the data subject or on another lawful ground.

Condition 3

Purpose Specification

Personal information is only collected for a specific, explicitly defined, and lawful purpose. We document all processing purposes and inform data subjects at the time of collection.

Condition 4

Further Processing Limitation

We do not process personal information in a manner incompatible with the purpose for which it was originally collected.

Condition 5

Information Quality

We take reasonable steps to ensure that personal information is complete, accurate, not misleading, and kept up to date. We provide mechanisms for data subjects to correct their information.

Condition 6

Openness

We maintain this POPIA compliance page and our Privacy Policy to inform data subjects about our processing activities. We have notified the Information Regulator as required.

Condition 7

Security Safeguards

We implement appropriate technical and organisational measures to protect personal information against loss, damage, and unlawful access or processing.

Condition 8

Data Subject Participation

Data subjects can request access to their information, ask for corrections, and request deletion. We respond to all requests within 30 days.

Section 04

Your Rights as a Data Subject

POPIA grants you the following rights in relation to your personal information held by Nexo:

Right	What It Means	How to Exercise
Right to access	Request a copy of the personal information we hold about you	Submit a PAIA request (see Section 5)
Right to correction	Request correction of inaccurate, incomplete, or outdated information	Email [email protected]
Right to deletion	Request deletion of personal information where there is no lawful basis for continued retention	Email [email protected]
Right to object	Object to the processing of your personal information, including for direct marketing	Email [email protected] or use the unsubscribe link in any marketing email
Right to withdraw consent	Withdraw any previously given consent at any time	Email [email protected]
Right to complain	Lodge a complaint with the Information Regulator if you believe your rights have been violated	Contact the Information Regulator directly (see Section 12)

We will acknowledge all data subject requests within 3 business days and respond in full within 30 days, as required by POPIA.

Section 05

Access Requests — PAIA

Access to records held by Nexo Technologies (Pty) Ltd is governed by the Promotion of Access to Information Act 2 of 2000 (PAIA).

To submit a formal access request:

Complete the prescribed Form C (available from the South African Government website)
Submit it to our Information Officer at [email protected] or by post to Unit G07 InoSpace Malibongwe Exchange, 123 Malibongwe Drive, Strydompark, Johannesburg, 2195
Pay the prescribed request fee (where applicable)

We will respond within 30 days of receiving a valid request. We may extend this period by a further 30 days in exceptional circumstances, with written notice to you.

Access may be refused on grounds set out in PAIA, including where disclosure would unreasonably infringe another person's privacy, or where the information is protected by legal privilege.

Our PAIA Manual is available on request from our Information Officer. It sets out the categories of records held by Nexo and the procedure for access requests in full.

Section 06

Data Processing by Operators

Nexo engages third-party service providers ("Operators" as defined by POPIA) to process personal information on our behalf. Examples include cloud hosting providers, email delivery services, and analytics platforms.

We ensure that all Operators:

Are bound by a written data processing agreement that imposes equivalent data protection obligations to those in POPIA
Process personal information only on our documented instructions
Implement appropriate security measures
Notify us immediately of any data breach or security incident
Delete or return all personal information on termination of the processing relationship

Where Nexo processes personal information on behalf of its clients (i.e. where a Nexo client's customer data flows through our platform), Nexo acts as an Operator and the client is the Responsible Party. In this context, clients are responsible for ensuring their use of the Nexo platform complies with POPIA.

Section 07

Security Safeguards

We implement the following technical and organisational measures to protect personal information:

Technical controls:

TLS/SSL encryption for all data in transit
Encryption of sensitive data at rest
Role-based access controls limiting data access to authorised personnel only
Multi-factor authentication for administrative access
Regular vulnerability assessments and penetration testing
Automated monitoring and alerting for suspicious activity

Organisational controls:

Mandatory data protection training for all staff
Data protection policies and procedures reviewed annually
Confidentiality agreements with all employees and contractors
Incident response plan documented and tested
Vendor due diligence process for all new Operators

Section 08

Breach Notification

In the event of a security compromise involving personal information, Nexo will follow this process in accordance with POPIA Section 22:

Containment: Immediately contain the breach and preserve evidence
Assessment: Assess the nature, scope, and impact on data subjects within 72 hours
Notification to the Information Regulator: Notify the Information Regulator as soon as reasonably possible after discovery
Notification to data subjects: Notify affected data subjects by the most expedient means possible where the breach poses a risk to their rights and freedoms
Remediation: Implement measures to prevent recurrence

Notifications will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

Section 09

Retention Schedule

We retain personal information only for the minimum period necessary. Our documented retention schedule is summarised below:

Category	Retention Period	Basis
Customer account data	Duration of contract + 5 years	Contractual / legal obligation
Transaction records	5 years from transaction date	SARS / Banks Act requirements
FICA / KYC verification documents	5 years after relationship ends	Financial Intelligence Centre Act
Marketing consent records	Until withdrawal + 3 years	Audit trail / legitimate interest
Website analytics data	24 months	Legitimate interest
Support correspondence	3 years from last interaction	Legitimate interest
Employee records	Duration of employment + 3 years	Labour law requirements
Audit logs	12 months rolling	Security / legitimate interest

At the end of each retention period, personal information is securely deleted or anonymised using industry-standard methods. Physical documents are shredded.

Section 10

Cross-Border Transfers of Personal Information

Where personal information is transferred outside South Africa, we ensure compliance with POPIA Section 72 by verifying that at least one of the following conditions is met:

The recipient country has adequate data protection laws (as determined by the Information Regulator)
The recipient is bound by a binding agreement that upholds processing conditions equivalent to POPIA
The transfer is necessary for the performance of a contract between the data subject and the responsible party
The data subject has consented to the transfer

Current cross-border transfers occur in connection with the following categories of Operators: cloud infrastructure (data may be hosted in the EU or US with EU Standard Contractual Clauses in place), and email delivery services. All such transfers are governed by binding data processing agreements.

Section 11

Special Personal Information

POPIA affords heightened protection to certain categories of personal information ("Special Personal Information" as defined in Section 26), including:

Religious or philosophical beliefs
Race or ethnic origin
Trade union membership
Political persuasion
Health or sex life
Biometric information
Criminal behaviour

Nexo does not intentionally collect Special Personal Information in the ordinary course of its business. Where such information is incidentally collected (for example, in the course of FICA compliance), we apply heightened protection and do not process it except on a lawful basis under Section 27 of POPIA.

Section 12

Complaints to the Information Regulator

If you are not satisfied with how Nexo has handled your personal information or responded to your request, you have the right to complain directly to the Information Regulator of South Africa.

Information Regulator of South Africa
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Website: www.justice.gov.za/inforeg
Email: [email protected]
Complaints email: [email protected]
Telephone: 010 023 5207

We encourage you to first contact us directly so we can attempt to resolve your concern before escalating to the regulator. However, you are free to contact the Regulator at any time.

Section 13

Contact Our Information Officer

For any POPIA-related enquiries, access requests, or concerns, contact us directly:

Information Officer
Jared David Chellan
Nexo Technologies (Pty) Ltd

Email: [email protected]
Phone: 076 690 8838
Address: Unit G07 InoSpace Malibongwe Exchange, 123 Malibongwe Drive, Strydompark, Johannesburg, 2195, South Africa

Response times: We acknowledge all enquiries within 3 business days and provide a substantive response within 30 days as required by POPIA.