Data Processing & Protection Policy

NuQ (Pty) Ltd t/a SuperPayroll

Version 8 — 2 June 2026

Version History

Version | Author | Release date | Comments
1 | Anton van der Bijl | 2020/03/01 | Adapted from inherited Xpedia policy intended to cover specific GDPR and POPIA requirements into a dedicated privacy policy doc.
2 | Anton van der Bijl | 2022/02/19 | Scheduled review. Minor wording changes. Removed historical references to Xpedia that are no longer relevant.
3 | Anton van der Bijl | 2023/02/24 | Scheduled review. Updated with SuperPayroll branding, updated references to servers to cover cloud services as well.
4 | Anton van der Bijl | 2023/11/19 | Updated contact details + added secure disposal of data details.
5 | Anton van der Bijl | 2024/02/20 | Scheduled review. No changes.
6 | Anton van der Bijl | 2025/03/04 | Scheduled review. Updated details related to archive DB storage.
7 | Anton van der Bijl | 2025/04/07 | Updated retention period for final backups from 2 years to 5 years.
8 | Anton van der Bijl | 2026/06/02 | Periodic review (minor updates only) + rename to distinguish from privacy and cookie policy on public website.

1. Introduction

This document describes SuperPayroll's standard policy with regard to the handling and protection of data, including the responsible handling and disposal of sensitive data and hardware. This relates specifically to data of a sensitive or confidential nature, or data that requires specific measures and protection under the law. Specifically, without limiting the generality of the foregoing, it includes consumer data, customer contact data, customer confidential data, company confidential data, and payroll data that may be used to identify or contact data subjects.

Relevant legislation includes:

  • The EU General Data Protection Regulation or GDPR. Note that even though SuperPayroll does not operate in the EU, this is relevant for any data involving EU-affiliated customers or data subjects.
  • Protection of Personal Information Act (POPIA) 2013 of South Africa.

2. SuperPayroll Principles

SuperPayroll's core business is not to collect, resell, or otherwise use customer data.

The data we collect is a natural consequence of running our business (in the case of SuperPayroll's own data) or of our core payroll software and services business. Our customers' data, unless specifically agreed otherwise with a customer, remains the property of the customer at all times and any access to such data by SuperPayroll is only for the purpose of providing our services to the customer. Given this role, we have a responsibility to protect the data that we gain access to and to protect our customers' data, especially when we host that data.

The general principle is therefore that data belongs to the party that provides it to us and that we may process that data as required to provide the services that we've been contracted for or as necessary to run our business, but that we will treat data sensitively and adhere to the following principles:

  1. No customer's data shall be shared with any third party without the customer's prior written consent, unless required by law.
  2. Reasonable security measures shall be taken to ensure that customers' data is protected and secure.
  3. Customer data shall be retained only for as long as is practically necessary to fulfill our duties to the customer in an efficient manner.
  4. SuperPayroll's responsibility is towards our customer first and, unless specifically agreed otherwise with a customer or required by law, we will communicate with only the customer and nobody else on topics relating to their data.

3. Data Security and Protection

SuperPayroll implements and maintains reasonable technical security measures for data it processes. Specifically, this includes:

  1. Keeping operating system software up to date to protect against security flaws.
  2. Keeping database software and other applications up to date to protect against security flaws.
  3. Installing and keeping up to date anti-virus and anti-malware software on its computers.
  4. Using e-mail infrastructure that automatically scans incoming and outgoing e-mails against viruses or malware.
  5. Enforcement of password policies to ensure authentication security.
  6. Data hosted by SuperPayroll is hosted on servers or cloud services with VPN or similar access control measures.
  7. Least-privilege principle is followed when allocating access to such servers or services — i.e. deny by default, access is only granted to those who require it, and access is limited to only what is necessary.
  8. Regular (at least daily) backups of hosted data and redundant storage of such backups.

4. Data Retention

In general, SuperPayroll will retain data only for as long as is practically necessary to efficiently fulfill the purpose of the data processing performed by SuperPayroll. Exact data retention periods will depend on the nature of data and the contractual obligations of data retention for backup purposes for a customer.

Data will be erased whenever a customer request is received to erase such data, or as soon as is practically possible once it becomes clear that there is no practical reason to further retain data in order to fulfill the purpose for which the customer originally shared such data with SuperPayroll.

SuperPayroll does not, unless a specific agreement is in place with a customer, have any obligation to retain customer data after expiry of a contract. However, for ex-customers whose payrolls SuperPayroll processed on an outsource basis, it is standard practice to retain an archived backup copy of the customer's payroll database as at end of contract for a grace period of 5 years (60 months) after contract expiry to enable follow-up queries to be handled efficiently. These archive backups are retained in archive storage that may require several days' notice to retrieve and are therefore only available on specific request.

5. Data Usage

SuperPayroll will only process data insofar as is required to fulfill the purpose for which the customer shared data with SuperPayroll. In general, this means that data will only be used to support customers' software systems or allow the customers' payrolls to be processed by SuperPayroll. Unless required by law or requested by the customer, SuperPayroll will not make a customer's data available to any third parties in any way whatsoever.

6. SuperPayroll Data

The same policies that are in place for customer data are generally applied to SuperPayroll data as well. The exception is that the purpose of processing this data relates to the ongoing operation of SuperPayroll's business, so data is retained for longer periods to ensure audit compliance, especially with regard to financial and payroll data, and in some cases may be retained indefinitely for record-keeping purposes.

7. Sub-processing

SuperPayroll will ensure that any third parties subcontracted to process data on its behalf agree to this policy or have a materially similar policy of their own. Customers will also be notified before any third parties are subcontracted to process the customer's data.

8. Secure Disposal of Data

8.1 Data Encryption and Erasure

  • Sensitive data includes personally identifiable information (PII), financial data, intellectual property, and other confidential information.
  • Before disposal, ensure all sensitive data is encrypted or permanently erased via third-party software or internally generated scripts.
  • Sample checks are performed in order to ensure that the expected outcome was obtained.

8.2 Physical Device Destruction

  • Hardware devices not eligible for reuse are securely, physically destroyed by trusted hardware destruction specialists.
  • A SuperPayroll staff member will verify and confirm that any such destruction has been duly performed and where applicable will collect and store evidence of such destruction in SuperPayroll's document repository.

9. Notification of Breach

SuperPayroll will notify customers of any breach of data security as soon as is practically possible, and no later than 72 hours after it becomes aware of such breach.

10. Contact

For any queries or communication, contact us at privacy@superpayroll.co.za or +27-(0)87-7019673 or at SuperPayroll, 47 King Street, Irene, Centurion, 0062, South Africa. Alternate contact: support@superpayroll.co.za


Common Questions

Is SuperPayroll POPIA compliant?

Yes. SuperPayroll's data processing practices are designed to comply with the Protection of Personal Information Act (POPIA) of South Africa, as well as the EU General Data Protection Regulation (GDPR) for any data involving EU-affiliated customers or data subjects.

How does SuperPayroll protect and secure client payroll data?

SuperPayroll implements technical security measures including up-to-date operating system and database software, anti-virus and anti-malware protection, enforced password policies, VPN-controlled access to hosted data, a least-privilege access principle (deny by default), and at least daily backups with redundant storage.

How long does SuperPayroll retain payroll data after a contract ends?

SuperPayroll retains an archived backup copy of a client's payroll database for a grace period of five years (60 months) after contract expiry to handle follow-up queries efficiently. These archives are held in long-term storage and are available only on specific request.

What happens to my data when I leave SuperPayroll?

SuperPayroll will erase client data upon request, or as soon as there is no longer a practical reason to retain it. A final archived backup is kept for five years after contract expiry for follow-up queries, after which it is securely disposed of using data erasure or physical device destruction.

Does SuperPayroll notify clients of data breaches, and how quickly?

Yes. SuperPayroll will notify clients of any data security breach as soon as practically possible, and no later than 72 hours after becoming aware of the breach.

How does SuperPayroll securely dispose of data?

Before disposal, sensitive data is encrypted or permanently erased using dedicated software, with sample checks to verify the outcome. Physical hardware devices not eligible for reuse are securely destroyed by trusted specialists, with destruction verified and documented by a SuperPayroll staff member.