Last updated: 3 June 2026
Data Protection & Compliance
AfriEmail Trust Gateway is built for regulated organisations — banks, governments and schools. This page summarises how we support compliance with South Africa's Protection of Personal Information Act (POPIA) and the EU General Data Protection Regulation (GDPR).
Roles
When you process your organisation's email through AfriEmail, you are the responsible party / controller and we act as the operator / processor, processing data on your documented instructions under a Data Processing Agreement (available to enterprise customers).
POPIA conditions we support
- Accountability & processing limitation — we process scan data only to deliver the service.
- Purpose specification & retention — configurable retention windows; deletion on request.
- Security safeguards — encryption in transit and at rest, RBAC, MFA-ready auth, audit logging.
- Data-subject participation — access, correction and deletion workflows.
GDPR support
- Lawful bases documented in our Privacy Policy.
- Data Processing Agreement with sub-processor list on request.
- Standard Contractual Clauses for international transfers.
- Breach-notification procedures.
- Data-subject rights: access, rectification, erasure, portability, restriction and objection.
Security program
- Encryption everywhere; secrets management for keys.
- Role-based access control and least-privilege service credentials.
- Tamper-evident audit logs of scans, logins and administrative actions.
- Static-only attachment analysis — files are never executed.
- SOC 2 readiness roadmap for enterprise deployments.
Sub-processors
We use vetted providers for hosting, database, transactional email and payments, each under data-protection terms. A current list is available to customers under NDA.
Requesting documents
For a DPA, sub-processor list or security questionnaire, contact compliance@afriemail.com.