Data Protection Notice
HumanCapital: Statement of Compliance with the Cyber and Data Protection Act
| Version | 1.1 |
|---|---|
| Effective from | 4 May 2026 |
| Last updated | 4 May 2026 |
| Operator | Vistinct Consultancy (Pty) Limited (the "Operator") |
| Registration | 2636/2019 |
| Trading platform | HumanCapital ("the Platform") |
| Data Protection Officer | Yeukai Musakwa |
| POTRAZ data-controller registration | Application in progress |
1. Purpose of this Notice
This Data Protection Notice is the Operator's formal statement of how the HumanCapital Platform meets the obligations imposed by the Cyber and Data Protection Act [Chapter 12:07] (the "CDPA") of the Laws of Zimbabwe.
It is issued in addition to, and read together with, the Operator's Privacy Policy and Terms of Service. Where the Privacy Policy describes our practices in plain commercial language, this Data Protection Notice maps those practices to specific CDPA obligations and provides the technical and procedural detail that institutional clients, regulators, auditors, and Data Protection Authority enquiries may require.
2. Applicable Legal Framework
The processing of Personal Information through the Platform is governed by the following legal instruments:
- Constitution of Zimbabwe, in particular section 57 (right to privacy);
- Cyber and Data Protection Act [Chapter 12:07], the principal data-protection statute, establishing data-controller and data-processor obligations, the rights of data subjects, the powers of the Data Protection Authority, and the obligations to register, to notify breaches, and to designate a Data Protection Officer;
- Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) in its capacity as Data Protection Authority under the CDPA;
- Labour Act [Chapter 28:01], in respect of records the Operator maintains on behalf of Clients in the employment context;
- Income Tax Act [Chapter 23:06] and subsidiary legislation, in respect of payroll and tax records;
- National Social Security Authority Act, in respect of NSSA records;
- Consumer Protection Act, where applicable to the Operator's relationships with end users.
The Operator complies with these instruments and considers parallel obligations under the South African Protection of Personal Information Act, 2013 (POPIA) in connection with cross-border data transfer to South Africa for hosting (see clause 9).
2A. Abbreviations
The following abbreviations are used in this Notice:
| CDPA | Cyber and Data Protection Act [Chapter 12:07] |
|---|---|
| POTRAZ | Postal and Telecommunications Regulatory Authority of Zimbabwe |
| POPIA | Protection of Personal Information Act, 2013 (South Africa) |
| DPO | Data Protection Officer |
| DPIA | Data Protection Impact Assessment |
| ZIMRA | Zimbabwe Revenue Authority |
| NSSA | National Social Security Authority |
| NEC | National Employment Council |
| ZIMDEF | Zimbabwe Manpower Development Fund |
| SDF | Standards Development Levy |
| POBS | Pension and Other Benefits Scheme |
| APWCS | Accident Prevention and Workers' Compensation Scheme |
| TLS | Transport Layer Security |
| HSTS | HTTP Strict Transport Security |
| HTTP | Hypertext Transfer Protocol |
| OWASP | Open Web Application Security Project |
3. The Operator's Status under the CDPA
3.1 Data Controller
In respect of the categories of Personal Information set out in clause 3.1 of the Privacy Policy, the Operator is the Data Controller, with full responsibility under the CDPA for determining the purposes and means of processing.
3.2 Data Processor
In respect of the categories of Personal Information set out in clause 3.2 of the Privacy Policy — broadly, Personal Information of Client employees, contractors, and beneficiaries processed for the Client's payroll, leave, and HR operations — the Operator is the Data Processor and processes only on the documented instructions of the relevant Client.
3.3 Registration with the Data Protection Authority
The Operator has registered, or is in the process of registering, with POTRAZ as a Data Controller in respect of its Data Controller activities, and complies with disclosure obligations applicable to Data Processors. The current registration status, registration number, and date of registration are published in this Notice as soon as they are confirmed.
4. Processing Principles
The Operator processes Personal Information in accordance with the data-processing principles set out in the CDPA. The Operator's specific operational implementation of each principle is set out below.
4.1 Lawfulness, Fairness, and Transparency
Personal Information is processed only on a lawful basis, identified in advance and documented. Data Subjects are informed of the processing through this Notice, the Privacy Policy, and channel-appropriate notices on first interaction with the Platform. The Operator does not rely on hidden processing or processing outside the documented purposes.
4.2 Purpose Limitation
Personal Information collected for a specified purpose is not processed for a further purpose incompatible with the original. Each operational purpose is enumerated in clause 6 of the Privacy Policy. The Operator reviews any new processing proposal against this constraint before adoption.
4.3 Data Minimisation
The Platform collects and retains only the Personal Information necessary for the operational purpose. Optional fields are explicitly marked. Where the same outcome can be achieved with less Personal Information, the Platform is configured accordingly.
4.4 Accuracy
The Platform supports correction of inaccurate Personal Information through:
- Self-service profile updates by Employees, for non-sensitive fields;
- Authorised User actions, with separation-of-duties enforcement where applicable;
- Correction Runs in respect of payroll outputs, processed through the standard approval workflow.
The leave ledger and audit log are append-only by architectural design: corrections are recorded as new entries with explicit reason codes, never as silent edits to history. This design supports both accuracy in current state and defensibility of historical records.
4.5 Storage Limitation
Personal Information is retained only for the period necessary for the purpose, subject to statutory minimum retention obligations. Retention periods are set out in clause 9 of the Privacy Policy.
4.6 Integrity and Confidentiality
The Platform applies the security controls set out in clause 7 of the Privacy Policy and clause 7 of this Notice.
4.7 Accountability
The Operator maintains records of processing, records of data-subject requests, records of personal data breaches, the audit log itself, and other documentation sufficient to demonstrate compliance with the CDPA. These records are made available to POTRAZ on request.
5. Lawful Bases of Processing
The Operator relies on the following lawful bases under the CDPA:
| Lawful basis | Examples of processing |
|---|---|
| Performance of a contract | Payroll calculation; payment disbursement; leave administration; benefit-scheme contribution calculation |
| Compliance with a legal obligation | PAYE and AIDS Levy calculation and remittance support; NSSA POBS and APWCS contribution calculation; NEC, ZIMDEF, and SDF levy calculation; payroll record retention under the Income Tax Act and Labour Act; production of tax certificates and certificates of service |
| Legitimate interests | Platform security; fraud detection (including ghost-worker detection); audit trail maintenance; operational diagnostics; defence of legal claims; service improvement (in respect of de-identified data only) |
| Consent | Channel binding for self-service (WhatsApp Business, email); use of non-essential cookies on the public website; receipt of non-essential communications |
Each processing activity is mapped to one or more of these bases in the Operator's internal records of processing.
6. Categories of Personal Information
The categories of Personal Information processed are set out in detail in clause 4.1 of the Privacy Policy. They include identity, contact, employment, statutory, compensation, leave, benefit-scheme, self-service interaction, audit, and document-attachment information.
Of these, the following are treated as Highly Sensitive within the Platform's data-classification model and receive heightened protection:
- Bank-account details (encrypted with a dedicated key);
- Identity-document numbers;
- Tax references (ZIMRA Tax Reference and similar);
- NSSA Employee Social Security Numbers;
- Medical aid membership and tier (where applicable);
- Financial deduction details (loans, garnishees);
- Designated beneficiaries of life cover and similar schemes.
Highly Sensitive information is structurally restricted at the channel boundary: it is not transmitted through messaging channels, is not modifiable through self-service channels, and is never logged in plain text.
7. Security Measures
The Platform targets the OWASP Application Security Verification Standard, Level 3 as a structural release gate. This clause summarises the technical and organisational measures in place. The full description is in clause 7 of the Privacy Policy.
7.1 Encryption
- TLS 1.2 minimum for all transport. TLS 1.0 and 1.1 explicitly disabled. HSTS with minimum one-year lifetime.
- Transparent Data Encryption on all databases.
- Three dedicated encryption keys for Highly Sensitive categories: bank-account details, remittance and creditor account details, and general sensitive Personal Information. Decryption rights are partitioned by service account.
7.2 Access Control
- Tenant isolation: every query is scoped by Client identifier; cross-Client data access is structurally prevented at the data access boundary.
- Typed role-based authorisation; no string-based dispatch at the authorisation boundary.
- Separation of duties: enforced at the workflow level for payroll, leave, employee-record, garnishee, and loan operations.
- Channel-level data classification: Highly Sensitive information cannot leave the Web channel.
- Agent scope inheritance: where Agent capabilities are enabled, the Agent operates as a client of the Platform with no privileged execution path; its data access is bounded by that of the human on whose behalf it acts.
7.3 Audit and Tamper Evidence
- Append-only audit log on every state-changing action.
- Hash-chain tamper-evidence: each entry contains the hash of its content and a reference to the hash of the previous entry, so any alteration is detectable.
- Daily verification job recomputes the chain and raises high-severity alerts on any break.
- Hourly batch shipping to immutable external storage with seven-year retention, outside application write scope.
- Application runtime account explicitly denied database UPDATE and DELETE on the audit log; entries can only be appended.
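As an added illustration of the hash-chain design described in this clause and the append-only correction model in clause 4.4, the following is example code written for this Notice, not the Platform's own implementation; the class and field names, the choice of SHA-256, and the sample entries are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

# Hash standing in for the (non-existent) entry before the first one; constructed constant.
GENESIS_HASH = "0" * 64


@dataclass
class AuditEntry:
    seq: int          # 1-based position in the chain
    actor: str        # authenticated user or service account
    action: str       # state-changing action recorded
    payload: dict     # action details (must be JSON-serialisable)
    prev_hash: str    # entry_hash of the preceding entry (or GENESIS_HASH)
    entry_hash: str   # SHA-256 over all the fields above


def compute_entry_hash(seq, actor, action, payload, prev_hash) -> str:
    """Hash a canonical JSON encoding so identical content always hashes identically."""
    canonical = json.dumps(
        {"seq": seq, "actor": actor, "action": action,
         "payload": payload, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only log: no update or delete method exists, by design."""

    def __init__(self):
        self.entries: list[AuditEntry] = []

    def append(self, actor: str, action: str, payload: dict) -> AuditEntry:
        # Each new entry commits to the hash of the entry before it.
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        seq = len(self.entries) + 1
        entry_hash = compute_entry_hash(seq, actor, action, payload, prev_hash)
        entry = AuditEntry(seq, actor, action, dict(payload), prev_hash, entry_hash)
        self.entries.append(entry)
        return entry

    def correct(self, actor: str, corrects_seq: int, reason_code: str, payload: dict) -> AuditEntry:
        """A correction is a new entry that points at the one it supersedes, never an edit."""
        return self.append(actor, "correction",
                           {"corrects_seq": corrects_seq, "reason_code": reason_code, **payload})

    def verify(self) -> list[str]:
        """Recompute the whole chain, as a daily verification job would; [] means intact."""
        problems = []
        expected_prev = GENESIS_HASH
        for position, e in enumerate(self.entries, start=1):
            if e.seq != position:
                problems.append(f"position {position}: sequence gap (seq={e.seq})")
            if e.prev_hash != expected_prev:
                problems.append(f"seq {e.seq}: prev_hash does not match preceding entry")
            if e.entry_hash != compute_entry_hash(e.seq, e.actor, e.action, e.payload, e.prev_hash):
                problems.append(f"seq {e.seq}: content hash mismatch (entry altered)")
            expected_prev = e.entry_hash
        return problems
```

Because `verify()` recomputes every hash from stored content, a silent edit to a historical entry, a removed entry, and a forged prev_hash each surface as a distinct finding, which is what the high-severity alert in the daily job would be raised on.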
7.4 Resilience and Anti-Abuse
- Multi-dimensional rate limiting at network edge and application layer, including authentication endpoint limits and tenant-level limits.
- Anti-forgery enforcement at the platform write boundary for browser-based state-changing operations.
- Idempotency enforcement on commands to ensure retry-safety.
7.5 Operational and Personnel Controls
- Personnel access to Personal Information is logged, reviewed, and rescinded promptly on role change or end of engagement.
- Confidentiality undertakings and data-protection training are conditions of engagement.
- Diagnostic logging excludes secrets, credentials, bank-account numbers, identity-document numbers, and salary figures in plain text.
8. Data Subject Rights
The CDPA grants the following rights to Data Subjects. The Operator's procedures for exercising each right are set out below.
8.1 Right of Access
A Data Subject may request confirmation of whether their Personal Information is being processed and a copy of that information. Requests are addressed to the Data Protection Officer, who:
- Verifies the identity of the requester through reasonable means;
- Coordinates with the relevant Client where the Operator holds the data as a Data Processor;
- Provides a response within thirty (30) days of receipt of a valid request.
Where the request is complex or voluminous, the period may be extended once by a further sixty (60) days, with reasons provided.
8.2 Right of Correction
A Data Subject may request correction of inaccurate or incomplete Personal Information. Where the Operator is the Data Controller, correction is effected directly. Where the Operator is the Data Processor, the request is directed to the relevant Client and the Operator supports the correction in coordination with the Client.
8.3 Right of Deletion
A Data Subject may request deletion of Personal Information that is no longer necessary for the original purpose, or for which consent has been withdrawn (where consent was the lawful basis). Deletion is subject to:
- Statutory retention obligations (payroll, tax, NSSA, audit logs);
- Audit-log entries that exist for the protection of all stakeholders and cannot be deleted on individual request;
- The interests of the Client in retaining records necessary for ongoing employment or contractual relationships.
The Operator and the relevant Client will document the disposition of the request and explain to the Data Subject any retention that continues to apply.
8.4 Right of Restriction
A Data Subject may request that processing be restricted in defined circumstances, for example pending verification of accuracy or pending the resolution of an objection. Where restriction is granted, the Personal Information is retained but is not actively processed (other than for storage, defence of claims, or legal compliance).
8.5 Right of Objection
A Data Subject may object to processing performed on the basis of legitimate interests. The Operator will weigh the Data Subject's particular situation against the interests pursued and will notify the Data Subject of the outcome.
8.6 Right of Portability
A Data Subject may request to receive their Personal Information in a structured, commonly used, machine-readable format, where processing is automated and based on consent or contract. The Platform produces structured exports for this purpose.
8.7 Right to Object to Solely Automated Decisions
The Platform does not make solely automated decisions producing legal effects on Data Subjects. Payroll calculations are automated against versioned statutory and policy parameters, but every payroll run is subject to human review under the separation-of-duties model before any disbursement, statutory submission, or benefit remittance.
8.8 Right to Lodge a Complaint
A Data Subject who is dissatisfied with the Operator's response to a request, or with the Operator's processing more generally, may complain to:
- The Operator's Data Protection Officer (clause 13);
- POTRAZ as Data Protection Authority.
8.9 Submission of Requests
Requests should be sent in writing to the Data Protection Officer (clause 13). The Operator does not charge for the exercise of rights, save where requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused, with reasons.
9. International Data Transfer
The Platform's production data is hosted in the Republic of South Africa. This constitutes a transfer of Personal Information outside Zimbabwe within the meaning of section 28 of the CDPA.
9.1 Adequacy of Protection
South Africa operates under the Protection of Personal Information Act, 2013 (POPIA), which establishes data-protection principles materially equivalent to those of the CDPA and the European Union's General Data Protection Regulation. The Information Regulator of South Africa is an established supervisory authority. The Operator considers that POPIA provides an adequate level of protection for Personal Information transferred for the purpose of operating the Platform.
9.2 Contractual Safeguards
The Operator's contract with its hosting provider includes binding obligations on:
- Confidentiality and security;
- Personal data breach notification;
- Use and approval of subcontractors;
- Cooperation with the Operator's data-subject-rights workflows;
- Return or deletion of data on termination.
9.3 Operational Safeguards
The technical security controls described in clause 7 apply independently of the hosting provider's own controls. Encryption keys for Highly Sensitive data are managed by the Operator and are not held by the hosting provider in plain form.
9.4 Onward Transfers
Personal Information is not transferred to any jurisdiction other than Zimbabwe (collection) and South Africa (hosting), save in the limited circumstances set out in clause 8.3 of the Privacy Policy.
10. Personal Data Breach Procedure
10.1 Detection
The Platform's security architecture includes detection mechanisms for unauthorised access, audit-chain anomalies, and abnormal patterns of activity.
10.2 Internal Containment
On detection of a suspected breach, the Operator activates its incident-response procedure, which includes containment, evidence preservation, root-cause analysis, and remediation.
10.3 Notification to POTRAZ
The Operator notifies POTRAZ of a personal data breach without undue delay, and where feasible within seventy-two (72) hours of becoming aware of it, in accordance with the CDPA. The notification includes:
- A description of the nature of the breach;
- The categories and approximate number of Data Subjects affected;
- The categories and approximate volume of records affected;
- The likely consequences;
- The measures taken or proposed.
Where the seventy-two-hour timeline cannot be met, the notification will explain the reasons for the delay.
10.4 Notification to Affected Clients
The Operator will notify each affected Client of any breach affecting that Client's data without undue delay, with information sufficient to enable the Client to discharge its own notification obligations.
10.5 Notification to Data Subjects
Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Operator will, in coordination with affected Clients, notify Data Subjects directly.
10.6 Internal Register
The Operator maintains a register of all personal data breaches, including those that did not require external notification, in accordance with section 22 of the CDPA.
11. Records of Processing
In accordance with section 21 of the CDPA, the Operator maintains records of processing activities under its responsibility, including:
- Categories of Data Subjects and Personal Information;
- Purposes of processing;
- Categories of recipients;
- Cross-border transfers and the safeguards applied;
- Retention periods;
- A general description of technical and organisational security measures.
Records are made available to POTRAZ on request.
12. Data Protection Impact Assessment
For high-risk processing activities — for example, the introduction of a new Agent capability, the integration of a new third-party service, or a material change in the cross-border data flow — the Operator conducts a Data Protection Impact Assessment that:
- Describes the processing and its purposes;
- Assesses necessity and proportionality;
- Identifies risks to Data Subjects;
- Documents mitigations and residual risk;
- Records the decision to proceed, modify, or abandon.
DPIA records are retained and may be made available to POTRAZ on request.
13. Data Protection Officer
The Operator has designated a Data Protection Officer in accordance with section 19 of the CDPA. The DPO operates with sufficient independence to perform the role effectively and reports to senior management.
| Name | Yeukai Musakwa |
|---|---|
| Role | Data Protection Officer |
| Email | yeukai@humancapital.co.zw |
| Postal address | 10 Sanmarco Court, Central Avenue, Harare, Zimbabwe |
The DPO can be contacted directly by Data Subjects, by Clients, by Authorised Users, and by POTRAZ. Communications to the DPO are treated as confidential.
14. Sub-Processors
The Operator engages a small number of third-party processors to operate the Platform. Each is engaged under a written contract that imposes data-protection obligations equivalent to those binding on the Operator.
| Sub-processor type | Purpose | Jurisdiction |
|---|---|---|
| Hosting provider | Operation of production infrastructure (compute, storage, database, backup) | South Africa |
| Email-delivery service | Transactional notifications (payroll-run status, leave decisions, invitations, password resets) | Zimbabwe |
| WhatsApp Business Platform | Self-service messaging on the WhatsApp Business channel, where the Client and Data Subject have enabled it | Cross-border per WhatsApp Business Platform terms |
| SMS gateway | One-time-password delivery and operational SMS notifications | Zimbabwe |
The Operator publishes an updated list of sub-processors when material changes occur, and provides advance notice to affected Clients in accordance with the Service Agreement.
15. Updates
This Data Protection Notice will be updated when:
- Material changes occur in the Operator's processing practices;
- Material changes occur in applicable law;
- POTRAZ issues updated guidance affecting the contents of this Notice.
The version number and "Last updated" date at the top of this Notice will be incremented on each change. Earlier versions remain available on request from the Data Protection Officer.