AIC ONE

Privacy Policy

This policy defines how AIC One processes personal information.

1. Introduction

This Privacy Policy explains how personal information is processed in connection with the AIC One platform and the broader AIC ecosystem. AIC One is a centralised digital platform that unifies the AIC ecosystem into a single integrated workspace, connecting users, systems, communication tools, dashboards, AI services, documents, reporting environments, and external platforms including Proba, Orcaa, ComplyOn, X-Verdict, EngageNet, analytics dashboards, and other connected services.

In relation to personal information processed within a subscribing Organisation's AIC One tenant environment, the relevant Organisation is the Responsible Party and AI Campus (Pty) Ltd is the Operator, processing personal information on documented instructions from that Organisation. AI Campus acts as a Responsible Party only in relation to personal information it processes for its own business purposes, including corporate administration, contracting, billing, support, security, website enquiries, and related operational activities.

This Policy provides a general description of how AIC One and AI Campus approach privacy and personal information processing. It does not replace any collection notice, programme-specific privacy notice, or other POPIA notice that a subscribing Organisation may be required to provide in relation to a specific processing activity.

Hierarchy with product-specific notices: Where a product within the AIC ecosystem (including Proba, Orcaa, ComplyOn, X-Verdict, EngageNet, or any successor or additional product) has its own privacy notice, that product-specific notice prevails in respect of the relevant product, except where this Policy imposes a stricter standard, in which case the stricter standard applies.

2. Who This Policy Applies To

This Policy applies to personal information processed in connection with AIC One, including information relating to:

  • authorised users of the Platform, such as employees, administrators, managers, contractors, and other approved tenant members;
  • external participants, portal users, integration partners, and other persons whose information is processed through an Organisation's AIC One tenant;
  • users of connected platforms and modules, including Proba, Orcaa, ComplyOn, X-Verdict, EngageNet, and other integrated services;
  • service providers, partners, and other third parties whose information may be processed through approved workflows;
  • visitors to AI Campus websites or persons who contact AI Campus directly; and
  • job applicants, suppliers, and business contacts of AI Campus where AI Campus acts as Responsible Party.

3. Definitions

For purposes of this Policy:

  • "AIC Ecosystem": refers to all systems, platforms, services, applications, integrations, and infrastructure connected to or managed through AIC One.
  • "AIC One": means the AIC One platform and its modules, interfaces, services, workflows, AI services, and supporting infrastructure made available by AI Campus.
  • "AI Campus": means AI Campus (Pty) Ltd.
  • "AI Services": refers to artificial intelligence, machine learning, automation, or knowledge retrieval functionality integrated into AIC One, including support assistants, workflow recommendations, and analytics.
  • "Data Subject": means the natural person to whom personal information relates. Where POPIA's protections extend to identifiable existing juristic persons, references to data subject include such juristic persons in respect of records relating to them.
  • "De-identified": means personal information that has been processed so that it cannot, by reasonably foreseeable means and taking into account the cost and time required, be re-identified, whether by AI Campus, the Organisation, or any other person, having regard to the standard set out in POPIA's definition of 'de-identify' and any guidance issued by the Information Regulator.
  • "Information Officer": means, as the context requires, the information officer of the relevant Responsible Party or the information officer of AI Campus in relation to personal information for which AI Campus is itself the Responsible Party.
  • "Operator": means a person or entity that processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.
  • "Organisation": means any private body, public body, or other entity that subscribes to and uses AIC One.
  • "Personal Information": has the meaning assigned to it in POPIA and includes information relating to an identifiable, living natural person and, where applicable, an identifiable existing juristic person.
  • "Platform": means the AIC One platform and its integrated modules, dashboards, AI services, collaboration tools, and supporting infrastructure.
  • "POPIA": means the Protection of Personal Information Act, 4 of 2013, together with regulations and applicable guidance issued under it, including the POPIA Amendment Regulations of 17 April 2025.
  • "Processing": means any operation or activity concerning personal information, whether or not by automatic means, including collection, receipt, recording, storage, organisation, updating, retrieval, use, dissemination, restriction, deletion, destruction, or any combination of those activities.
  • "Responsible Party": means the public or private body, or any other person, that determines the purpose of and means for processing personal information.
  • "Special Personal Information": means personal information falling within the categories recognised by POPIA, namely information concerning a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour, and the personal information of children.
  • "Sub-Operator": means a third party engaged by AI Campus to process personal information on behalf of an Organisation in connection with the delivery of the Platform or related services.
  • "Tenant": refers to an isolated environment, workspace, organisation, or client instance operating within the AIC One ecosystem.

4. About AIC One

AIC One is a centralised operational environment that serves as the primary access point and orchestration layer for the AIC ecosystem, enabling users to authenticate once and securely access the platforms, modules, tools, and resources they are authorised to use.

Depending on the Organisation's configuration, AIC One may be used for functions such as:

  • Single Sign-On (SSO) and centralised authentication across the AIC ecosystem;
  • unified access to connected platforms and modules via a single interface;
  • role-based access control and permission management across tenants;
  • AI-powered assistance, knowledge retrieval, and workflow automation;
  • centralised document and file management through AIC Drive;
  • internal collaboration and communication through One Chat;
  • dashboarding, reporting, analytics, and workspace management;
  • notification and workflow orchestration;
  • tenant and demo environment provisioning and management;
  • governance, auditing, and monitoring across the ecosystem; and
  • integration with external systems, APIs, and third-party platforms.

Where an Organisation configures public-facing portals or outputs, those outputs must contain only information that the Organisation is lawfully entitled to publish, whether in anonymised, aggregated, de-identified, or otherwise authorised form.

5. Role of the Organisation and AI Campus

5.1 Organisation as Responsible Party

In relation to an Organisation's AIC One tenant, the Organisation is the Responsible Party. The Organisation determines the purpose of the processing and the lawful basis on which personal information is processed. The Organisation is responsible for, among other things:

  • ensuring that there is a lawful basis for the processing activity;
  • issuing collection notices or privacy notices where required;
  • determining what information is collected and how it is used;
  • deciding who should have access to the information;
  • responding to data subject requests where required by law; and
  • ensuring compliance with any sector-specific, archival, records-management, or statutory requirements that apply to the processing.

5.2 AI Campus as Operator

AI Campus processes personal information within an Organisation's AIC One tenant only on documented instructions from the relevant Organisation and in accordance with a written operator agreement concluded in terms of section 21 of POPIA (or equivalent binding instrument) between AI Campus and the Organisation. Each operator agreement addresses, at a minimum:

  • the obligation on AI Campus to process personal information only in accordance with the Organisation's documented instructions;
  • the security measures that AI Campus must implement and maintain;
  • confidentiality obligations binding on AI Campus and its personnel;
  • conditions governing the engagement of Sub-Operators, including the requirement for the Organisation's prior written consent or a general authorisation subject to a right of objection;
  • obligations relating to assistance with data subject requests, breach notification, and data protection impact assessments;
  • obligations on return, deletion, or de-identification of personal information upon termination of services; and
  • audit and inspection rights.

Permitted Operator processing: As Operator, AI Campus does not determine the Organisation's substantive lawful basis for processing and does not use personal information from an Organisation's AIC One tenant for AI Campus's own commercial purposes, other than for the operation, security, abuse detection, maintenance, support, and service improvement of the Platform, and for the generation of de-identified or aggregated analytics that cannot reasonably be linked to any identifiable data subject. An Organisation may instruct AI Campus in writing to exclude its tenant data from de-identified analytics use. AI Campus may process limited personal information as necessary to provide the contracted services, including support, maintenance, security, access administration, monitoring, incident response, and related operational functions, always subject to the Organisation's mandate and the applicable contractual framework.

5.3 AI Campus as Responsible Party for Its Own Records

AI Campus is a Responsible Party in relation to personal information it processes for its own independent business purposes, including:

  • customer and contracting records;
  • invoicing and payment administration;
  • support-contact records;
  • internal security and access records;
  • website enquiries and marketing communications where lawfully permitted;
  • supplier and vendor management;
  • recruitment and hiring;
  • legal compliance; and
  • the exercise or defence of legal rights.

5.4 Client-Specific Collection Notices

This Policy is a general privacy policy. It does not replace any collection notice, privacy notice, employee notice, or other programme-specific notice that an Organisation may be required to provide in relation to a specific processing activity. The relevant Organisation remains responsible for ensuring that data subjects are informed, where reasonably practicable, of the matters required by POPIA in relation to a specific collection or processing activity.

6. Personal Information We May Process

The categories of personal information processed through AIC One vary according to the Organisation's configuration, module usage, tenant setup, and authorised use cases.

6.1 Platform User Information

This may include:

  • names and surnames;
  • email addresses and contact details;
  • phone numbers (where applicable);
  • job title, role, department, and team name;
  • profile photograph;
  • usernames and authentication-related records (login credentials are stored in encrypted form);
  • roles, permissions, tenant designations, and SSO attributes;
  • login history, access logs, user actions, and audit records; and
  • records relating to support requests, approvals, or workflow actions.

6.2 One Chat (Collaboration and Communication)

Depending on the Organisation's use of One Chat, this may include:

  • messages, replies, and reactions;
  • file attachments shared within chats;
  • mentions and tags;
  • channel or workspace membership records; and
  • time and date of activity.

Content shared through One Chat is visible to users within the relevant tenant or authorised channel as configured by the Organisation.

6.3 AIC Drive (Document and File Management)

Depending on the Organisation's use of AIC Drive, this may include:

  • uploaded files (PDF, Word, Excel, images, scanned documents, and other formats);
  • document metadata, version history, and access logs;
  • file sharing and permission records;
  • folder structures and organisational taxonomy; and
  • download and activity logs.

6.4 AI Services

When users interact with AI-powered services within AIC One, this may include:

  • queries and prompts submitted to AI assistants;
  • AI-generated responses and outputs;
  • interaction logs used for quality, security, and governance purposes; and
  • workflow automation inputs and outputs.

Users acknowledge that sensitive or restricted information should not be submitted into AI Services unless expressly authorised by the Organisation. AI interactions may be monitored to maintain quality, security, and governance, subject to the limits set out in Section 21.

6.5 Connected Platforms and Integrations

Where AIC One integrates with connected platforms including Proba, Orcaa, ComplyOn, X-Verdict, EngageNet, analytics environments, and third-party APIs, personal information may flow between systems in accordance with the Organisation's configured integrations. Each connected platform may be subject to its own terms, policies, and governance requirements in addition to this Policy.

6.6 Dashboard, Reporting, and Analytics

AIC One may generate and process analytical data derived from platform activity, including:

  • user activity trends and engagement metrics;
  • workflow performance and bottleneck indicators;
  • tenant-level usage and adoption statistics; and
  • security and audit analytics.

6.7 Special Personal Information

AI Campus does not intentionally collect special personal information as defined in sections 26 to 33 of POPIA. However, AI Campus acknowledges that users may upload or transmit content through AIC One that incidentally contains special personal information.

Platform safeguards. Where the Organisation's deployment scope includes such functionality, AIC One offers configurable controls that an Organisation may enable to support the lawful processing of special personal information, including content classification tags, restricted folder permissions, retention overrides, and access auditing. The availability and configuration of these controls depend on the deployment and the Organisation's instructions.

Allocation of responsibility. The Organisation, as Responsible Party, is responsible for ensuring that any special personal information processed within its tenant is processed in accordance with sections 26 to 33 of POPIA, including obtaining any required authorisation from the Information Regulator under section 27(2), and for putting in place additional safeguards proportionate to the risk.

6.8 Children's Personal Information

AIC One is a business-to-business platform and is not a consumer-facing service directed at children. AI Campus does not knowingly collect personal information directly from children. Where an Organisation's lawful use case involves the processing of information relating to children (including, by way of example, learners, beneficiaries of social programmes, or grant recipients), the Organisation, as Responsible Party, remains responsible for:

  • ensuring that the processing is lawful, including obtaining consent of a competent person as required by section 35 of POPIA;
  • implementing additional safeguards required by sections 34 and 35 of POPIA proportionate to the sensitivity of the processing; and
  • ensuring that any disclosure or transfer of children's information complies with applicable law.

6.9 Technical and System Information

AI Campus may process technical and system information such as:

  • device, browser, and operating-system information;
  • IP address and network metadata;
  • system and application logs;
  • API and integration logs;
  • SSO and authentication event logs;
  • performance and diagnostic data; and
  • security monitoring and incident records.

6.10 AI Campus Business Records

Where AI Campus acts as Responsible Party for its own records, personal information may include:

  • names, business contact details, and correspondence records;
  • contractual, billing, tax, and payment information;
  • support and service-management records;
  • supplier and vendor contact information;
  • recruitment, application, and interview records;
  • website form submissions; and
  • visitor, access-control, and internal security records.

7. Sources of Personal Information

Depending on the context, personal information may be collected:

  • directly from the data subject;
  • from the relevant Organisation;
  • from another authorised user, implementing partner, service provider, or authorised third party acting for the Organisation;
  • through forms, uploads, integrations, SSO attributes, or workflows configured by the Organisation;
  • from connected platforms and APIs within the AIC ecosystem;
  • from system use, audit logging, or security monitoring; or
  • from publicly available or official sources where lawfully permitted.

Where personal information is not collected directly from the data subject, the relevant Organisation is responsible for ensuring that any notice obligations under POPIA are met, unless an exception applies.

8. Purposes of Processing

8.1 Within an Organisation's AIC One Tenant

AI Campus may process personal information on behalf of an Organisation for purposes such as:

  • administering and operating the Platform and AIC ecosystem;
  • enabling collaboration and communication through One Chat;
  • managing documents, files, and version control through AIC Drive;
  • providing AI-powered assistance, knowledge retrieval, and workflow automation;
  • facilitating SSO and centralised authentication;
  • generating reports, dashboards, analytics, and audit-support outputs;
  • enforcing access controls, role-based permissions, and tenant isolation;
  • maintaining audit trails and evidentiary records;
  • synchronising data across devices and integrated platforms;
  • delivering notifications, alerts, and workflow orchestration;
  • maintaining platform security, resilience, integrity, and availability;
  • providing technical support, maintenance, and troubleshooting; and
  • complying with lawful instructions and contractual obligations.

8.2 For AI Campus's Own Business Purposes

Where AI Campus acts as Responsible Party, it may process personal information for purposes such as:

  • contracting and account administration;
  • invoicing, collections, and financial administration;
  • service delivery and customer support;
  • internal governance, compliance, and audit;
  • supplier and procurement management;
  • recruitment and hiring;
  • website administration and response to enquiries;
  • fraud prevention, security, and incident investigation; and
  • establishing, exercising, or defending legal rights.

9. Lawful Basis for Processing

9.1 Organisation Processing

For personal information processed by or on behalf of a subscribing Organisation through AIC One, the applicable lawful basis depends on the nature and purpose of the processing activity. Depending on the use case, an Organisation may rely on any lawful basis recognised by POPIA, including consent, contractual necessity, legal obligation, legitimate interest, or the proper performance of a public law duty by a public body. The relevant Organisation remains responsible for identifying, documenting, and communicating the lawful basis applicable to its processing activities.

9.2 AI Campus's Own Processing

Where AI Campus processes personal information for its own business purposes, the applicable lawful basis for each primary category of processing is as follows:

  • Contracting, invoicing, and account administration: Processing is necessary for the conclusion or performance of a contract to which the data subject is a party (section 11(1)(b)) and/or for compliance with a legal obligation (section 11(1)(c)).
  • Customer support and service management: Processing is necessary for the performance of a contract (section 11(1)(b)) or is in pursuit of the legitimate interests of AI Campus (section 11(1)(f)), having regard to the reasonable expectations of data subjects.
  • Security, fraud prevention, and incident investigation: Processing is necessary for the pursuit of the legitimate interests of AI Campus or of a third party to whom the information is supplied (section 11(1)(f)), supported by a legitimate interest balancing assessment that is documented and reviewed periodically.
  • Workforce monitoring and audit of platform activity: Where AI Campus monitors activity within its own systems for security, integrity, or compliance purposes, the processing is conducted on the basis of legitimate interests (section 11(1)(f)) and subject to a documented balancing test. Where the Organisation conducts monitoring within its tenant, the Organisation, as Responsible Party, is responsible for the lawful basis of that monitoring and for any notifications required under the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) and applicable labour legislation.
  • Website enquiries and marketing: Where voluntary consent has been given (section 11(1)(a)) and, in respect of direct marketing by electronic communication, with consent as required by section 69.
  • Recruitment and hiring: Processing is necessary for pre-contractual measures (section 11(1)(b)) and, where special personal information is processed, on a lawful ground under section 27.
  • Supplier and vendor management: Processing is necessary for the performance of a contract (section 11(1)(b)).
  • Legal compliance and defence of rights: Processing is necessary for compliance with a legal obligation (section 11(1)(c)) or for the establishment, exercise, or defence of a right or obligation in law (section 11(1)(e)).

10. Mandatory or Voluntary Supply of Information

Whether the supply of personal information is mandatory or voluntary depends on the specific workflow, module, form, legal obligation, or service context. Where an Organisation collects information through AIC One, that Organisation is responsible for informing the data subject, where required by law, whether the provision of the information is mandatory or voluntary, the consequences of failing to provide it, and any law authorising or requiring the collection. Where AI Campus collects personal information directly for its own business purposes, the relevant form, process, contract, or notice will indicate whether provision is mandatory or voluntary and the consequences of non-provision where applicable.

11. Data Minimisation, Purpose Limitation, and Quality

AI Campus supports the processing of personal information in a manner that is adequate, relevant, and not excessive for the purpose for which it is processed. AIC One includes configurable tools and controls that may support:

  • role-based or permission-based access and least-privilege enforcement;
  • tenant isolation and workspace restrictions;
  • validation rules and required fields;
  • versioning and audit trails;
  • correction workflows; and
  • records of changes to information.

The availability and configuration of these controls depend on the deployment and the Organisation's instructions. The relevant Organisation remains responsible for deciding what information is collected and ensuring that information is accurate, complete, not misleading, and updated where necessary for the intended purpose.

12. Disclosure of Personal Information

AI Campus does not sell, rent, or trade personal information. Personal information may be disclosed only where permitted by law and authorised under the relevant arrangement, including disclosure:

  • within the relevant Organisation's tenant where necessary and authorised;
  • to authorised collaborators, administrators, and users in accordance with configured permissions;
  • to connected platforms within the AIC ecosystem where integration has been authorised by the Organisation;
  • to service providers, infrastructure providers, support providers, or other operators or Sub-Operators engaged for lawful service delivery;
  • where required by law, court order, subpoena, lawful regulatory process, or other binding legal requirement;
  • where necessary to investigate security incidents, fraud, or unlawful conduct; or
  • where necessary to protect lawful interests, rights, safety, or property, subject to applicable law.

Where AI Campus engages Sub-Operators or service providers, it takes reasonable steps to ensure that such parties are bound by appropriate confidentiality, security, and data-protection obligations.

13. Direct Marketing

13.1 Consent Requirement

AI Campus will only send electronic direct marketing communications to persons who have given their prior consent in accordance with section 69 of POPIA, or where section 69(2) applies.

13.2 Identification and Opt-Out Mechanism

Every electronic direct marketing communication sent by AI Campus will include the identity of AI Campus, the email address or other contact detail from which the communication originates, and a clear and functional mechanism to opt out of further communications at no cost to the recipient.

13.3 Opt-Out Processing

Opt-out requests will be processed as soon as reasonably practicable and in any event without undue delay. AI Campus aims to honour electronic opt-out requests within 10 business days of receipt.

13.4 Form of Consent

In accordance with the POPIA Amendment Regulations of 17 April 2025, an opt-out from future communications does not constitute consent for the purposes of section 69. Consent for unsolicited electronic direct marketing must be obtained in writing on a form substantially similar to Form 4 prescribed under the Regulations.

13.5 Marketing on Behalf of Organisations

AI Campus does not engage in direct marketing on behalf of an Organisation through AIC One unless specifically instructed and authorised by the Organisation in writing.

14. Sub-Operators

14.1 Engagement of Sub-Operators

AI Campus engages Sub-Operators to assist in delivering AIC One and related services, including cloud infrastructure providers, email and communications providers, security and monitoring providers, and analytics service providers.

14.2 Authorisation Framework

AI Campus typically operates under a general authorisation arrangement, under which the Organisation, in concluding the operator agreement, authorises AI Campus to engage Sub-Operators subject to a right of objection. Where an Organisation has not granted general authorisation, AI Campus will obtain the Organisation's prior written consent before engaging a new Sub-Operator that will process personal information from that Organisation's tenant.

14.3 Notification of New Sub-Operators

Before engaging a new Sub-Operator, AI Campus will notify the relevant Organisation of the identity and location of the proposed Sub-Operator and the nature of the processing, and will provide a reasonable period for objection where the general authorisation framework applies.

14.4 Contractual Safeguards

AI Campus ensures that each Sub-Operator is bound by written terms that impose data-protection, confidentiality, and security obligations no less protective than those binding AI Campus under the applicable operator agreement.

14.5 Accountability

AI Campus remains accountable to the Organisation for the acts and omissions of its Sub-Operators in respect of the processing of personal information.

14.6 List of Sub-Operators

A current list of Sub-Operators engaged for each deployment is maintained by AI Campus and made available to the relevant Organisation on request.

15. Cross-Border Processing and Transfers

15.1 Primary Hosting Location

The AIC One production environment is hosted within the Republic of South Africa.

15.2 Ancillary Cross-Border Processing

Certain ancillary services, including cloud infrastructure, email delivery, error monitoring, security threat intelligence, connected third-party APIs, and disaster-recovery replication, may involve the processing of limited personal information outside the Republic of South Africa.

15.3 Lawful Bases for Cross-Border Transfers

Where personal information is transferred outside the Republic of South Africa, AI Campus will ensure that the transfer is permitted under section 72 of POPIA on one or more of the following bases:

  • the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection substantially similar to POPIA, including upholding the principles for the lawful processing of personal information and including provisions substantially similar to section 72 in respect of onward transfers (section 72(1)(a));
  • the data subject has consented to the proposed transfer (section 72(1)(b));
  • the transfer is necessary for the performance of a contract between the data subject and the Responsible Party, or for pre-contractual measures taken in response to the data subject's request (section 72(1)(c));
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Responsible Party and a third party (section 72(1)(d)); or
  • the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject, but if it were, the data subject would be likely to give it (section 72(1)(e)).

15.4 Reliance on Contractual Safeguards

AI Campus relies primarily on binding contractual safeguards with its Sub-Operators that impose data-protection obligations substantially similar to those required by POPIA.

15.5 Transparency on Cross-Border Processing

Where an Organisation's deployment involves or may involve cross-border processing, AI Campus will, on request, provide the Organisation with a list of countries and Sub-Operators involved in the processing, together with the applicable legal basis under section 72 for each transfer.

16. Information Security

AI Campus implements and maintains reasonable technical and organisational measures designed to protect personal information against loss, misuse, unauthorised access, disclosure, alteration, and destruction, having regard to generally accepted information security practices, the nature of the information, and the risks associated with the processing.

Depending on the deployment, hosting model, contractual scope, and Organisation's configuration, these measures may include:

  • AES-256 encryption of personal information at rest;
  • TLS encryption of personal information in transit;
  • role-based access control (RBAC) and least-privilege permissions;
  • multi-factor authentication (MFA) and SSO session management controls;
  • device and location-based access restrictions;
  • tenant isolation and environment separation controls;
  • audit logging, monitoring, and anomaly detection;
  • vulnerability and patch management;
  • backup and recovery controls;
  • incident management procedures;
  • API and integration security controls;
  • confidentiality obligations for personnel; and
  • due diligence and contractual controls for third parties.

No method of transmission, storage, or processing is completely secure. For that reason, AI Campus does not warrant that any environment or communication channel will be completely immune from all security risks. Users share responsibility for maintaining platform security by protecting credentials, devices, and authorised access.

17. Security Incidents

17.1 Operator Notification Obligation

If AI Campus becomes aware that personal information processed on behalf of an Organisation has been, or is reasonably believed to have been, accessed or acquired by an unauthorised person, AI Campus will:

  • notify the relevant Organisation immediately, as required by section 21(2) of POPIA, and in any event within 72 hours of confirmation of the incident, providing such information as is reasonably available at that time to enable the Organisation to comply with its obligations under section 22 of POPIA; and
  • provide follow-up information as it becomes available to support the Organisation's assessment, notification decisions, and remediation.

17.2 Contents of Initial Notification

The initial notification will include, to the extent reasonably ascertainable at the time:

  • a description of the nature of the incident, including the categories and approximate number of data subjects and records affected;
  • the likely consequences of the incident; and
  • the measures taken or proposed to address the incident and mitigate its effects.

17.3 Assistance to the Responsible Party

AI Campus will provide all information reasonably necessary to enable the Organisation, as Responsible Party, to determine whether notification to the Information Regulator (via the eServices portal at https://eservices.inforegulator.org.za, mandatory from 1 April 2025) or to affected data subjects is required under section 22 of POPIA, and will support the Organisation's notification efforts on request.

17.4 AI Campus as Responsible Party

Where AI Campus is itself the Responsible Party in respect of the compromised information, AI Campus will notify the Information Regulator via the eServices portal and notify affected data subjects as required by section 22 of POPIA, including providing the prescribed notification content under sections 22(4) and 22(5).

17.5 User Reporting Obligations

Users must immediately report to the designated administration or governance team any suspected unauthorised access, credential compromise, suspicious activity, data breaches, malware or phishing incidents, security vulnerabilities, or system misuse. AI Campus may investigate incidents and take corrective, disciplinary, technical, or legal action where necessary.

18. Data Retention and Deletion

18.1 Organisation Data

Retention periods for information processed within an Organisation's AIC One tenant are determined primarily by the relevant Organisation's legal, regulatory, archival, records-management, operational, and contractual requirements. Upon expiry of the applicable retention period, or upon termination of the relevant services, AI Campus will, subject to applicable law and the requirements set out in this section, delete, return, anonymise, or otherwise deal with the information in accordance with the Organisation's documented instructions and the applicable agreement. For AIC Drive and connected document workflows, document records, approval logs, timestamps, identity records, and version history may be retained for up to 7 years, or longer where required by contract, sectoral regulation, litigation hold, or the Organisation's internal policies, given the legal significance of such records.

18.2 Backups and Operational Retention

Encrypted backups of tenant data are retained for a maximum of 90 days from the date of the backup, after which they are securely overwritten or destroyed in accordance with backup-cycle rotation. Where personal information has been deleted from a live environment but remains in a backup, that information is treated as restricted: it will not be restored to live systems other than for legitimate disaster-recovery purposes, and any restoration is logged. Backups containing deleted personal information that are restored for disaster-recovery purposes will be re-deleted in the live environment within a reasonable period. Retention of personal information beyond the primary applicable retention period for reasons of legal hold, dispute preservation, security investigation, or statutory obligation is logged and is subject to periodic review. AI Campus does not rely on indefinite retention exceptions.

18.3 AI Campus Records

Where AI Campus acts as Responsible Party for its own records, it retains personal information only for as long as reasonably necessary for the purpose for which it was collected, or as required by law, contract, internal governance requirements, or the establishment, exercise, or defence of legal rights.

18.4 Indicative Retention Periods for AI Campus Records

The following indicative retention periods apply to AI Campus's own records, subject to applicable law, litigation hold requirements, and regulatory obligations:

  • Contracting and invoicing records: Duration of the contract plus 5 years
  • Support and service-management records: Duration of the contract plus 3 years
  • Website enquiries and marketing consent: 3 years from last meaningful contact or until consent is withdrawn, whichever is earlier
  • Recruitment records (unsuccessful applicants): 12 months from decision, unless the applicant consents to longer retention
  • Security and access logs: 12 months, or longer where required for an ongoing investigation
  • Supplier and vendor records: Duration of the relationship plus 5 years
  • Encrypted backups of tenant data: 90 days maximum from date of backup
  • AI interaction logs (governance/security): AI interaction logs are retained according to a tiered schedule: full interaction content (prompts and responses) for 12 months from the date of interaction; pseudonymised interaction metadata and decision records for 5 years to support audit, governance, and the defence of legal claims; and flagged security or safety events for 24 months, or longer where required for an ongoing investigation. Where AI Campus processes AI interaction logs as an operator on behalf of a customer, retention is governed by the customer's documented instructions, subject to a maximum of 5 years unless a longer period is justified by the customer's lawful basis.

19. Data Subject Rights

19.1 Organisation-Controlled Processing

Where personal information is processed within an Organisation's AIC One tenant, requests to exercise rights under POPIA should be directed, in the first instance, to the relevant Organisation as Responsible Party, using that Organisation's Information Officer or other published channel. AI Campus, as Operator, will assist the Organisation where required under contract or law.

19.2 Rights Under POPIA

Subject to POPIA and any applicable limitations or exemptions, data subjects may have the right to:

  • be notified that personal information is being collected or has been accessed or acquired by an unauthorised person where notification is required by law;
  • request confirmation of whether personal information is held;
  • request access to personal information and information relating to that processing;
  • request correction, deletion, destruction, or restriction of personal information in circumstances recognised by law;
  • object, on reasonable grounds relating to their particular situation, to certain processing where permitted by POPIA;
  • object to direct marketing where applicable;
  • withdraw consent where processing is based on consent, subject to the lawfulness of prior processing;
  • not be subject, in the circumstances contemplated by POPIA, to a decision based solely on automated processing that has legal consequences or similarly significant effects; and
  • lodge a complaint with the Information Regulator or seek other remedies available under law.

In accordance with the POPIA Amendment Regulations of 17 April 2025, data subjects may exercise these rights free of charge and through any accessible channel, including email, post, hand delivery, telephone (provided the request is recorded and made available to the data subject on request), SMS, or WhatsApp.

19.3 Response Timelines

AI Campus will respond to requests directed to it as follows:

  • requests for access to records governed by the Promotion of Access to Information Act, 2 of 2000: within 30 days of receipt, in accordance with that Act;
  • other requests under POPIA (including correction, deletion, objection, and withdrawal of consent): as soon as reasonably practicable and in any event without undue delay; and
  • where a request requires action by the Organisation as Responsible Party, AI Campus will acknowledge receipt and direct the request to the relevant Organisation without undue delay.

19.4 How to Contact the Information Regulator

Current complaint channels, forms, and contact details for the Information Regulator are published on the Information Regulator's official website at https://inforegulator.org.za.

20. Automated Processing and Analytics

20.1 Scope of Automated Features

AIC One may include features such as user activity analytics, productivity metrics, workflow bottleneck analysis, AI-assisted recommendations, engagement statistics, and other automated support functions. These features are designed to support human decision-making and operational workflows.

20.2 Default Configuration

In their default configuration, AIC One's automated features do not make decisions based solely on automated processing that produce legal effects concerning a data subject or that affect a data subject to a substantial degree as contemplated by section 71 of POPIA.

20.3 Access to Individual-Level Data

Individual-level performance or activity data is accessible only to workspace administrators and authorised management users designated by the subscribing Organisation. Data subjects have the right to object to the processing of their personal information for analytics purposes in accordance with section 11(3) of POPIA.

20.4 Solely Automated Decision-Making

Where an Organisation configures or uses a feature in a manner that may result in solely automated decision-making with legal or similarly significant effects, the Organisation, as Responsible Party, is responsible for:

  • identifying a lawful basis that permits such processing;
  • putting in place appropriate safeguards, including the opportunity for the data subject to make representations;
  • informing affected data subjects of the nature and implications of the automated processing; and
  • ensuring that any exemption relied upon is lawfully available.

20.5 Allocation of Responsibility

Decisions made by an Organisation's users or systems based on outputs generated by AIC One's automated or AI-assisted features remain the responsibility of the Organisation as Responsible Party. The allocation of liability between AI Campus and the Organisation in respect of such outputs is governed by the applicable operator agreement or master services agreement between the parties.

21. AI Services and Future AI-Assisted Features

21.1 No Use of Customer Data for Model Training

AI Campus does not use customer data, in identifiable or de-identified form, to train, fine-tune, or otherwise improve foundation models, generative AI models, or third-party AI models. 'Customer data' means any personal information or content uploaded, created, transmitted, or processed by users within their AIC One tenant environments. AI Campus may use aggregated statistical data and de-identified operational metrics — de-identified to a standard at which the information cannot, by reasonably foreseeable means, be re-identified — solely for the purposes of platform monitoring, performance reporting, capacity planning, and improvement of non-model platform features. An Organisation may instruct AI Campus in writing to exclude its tenant data from such uses.

21.2 Accuracy of AI Outputs

AI-generated responses may contain inaccuracies or incomplete information. AI outputs should be reviewed before operational, legal, financial, or compliance decisions are made. The subscribing Organisation reserves the right to restrict, monitor, suspend, or audit AI usage within its tenant where necessary.

21.3 Introduction of New AI Features

Where AI Campus introduces new AI-assisted features in future (such as advanced document classification, automated compliance alerts, predictive analytics, or similar capabilities), AI Campus will provide subscribing Organisations with reasonable prior notice and a separate AI Data Processing Notice describing the feature, the categories of personal information processed, and any material change to the lawful basis or risk profile of the processing. Where a feature involves processing that is likely to result in a high risk to the rights of data subjects (including any feature involving solely automated decision-making with legal or similarly significant effects), the feature will be made available on an opt-in basis at the level of the subscribing Organisation.

21.4 Prior Impact Assessment

A Prior Impact Assessment will be conducted before any new AI feature is deployed that may materially affect the processing of personal information.

22. Data Protection Impact Assessments

22.1 When an Assessment Is Recommended

Where an Organisation's use of AIC One involves processing that is likely to result in a high risk to the rights of data subjects, including large-scale processing of special personal information, systematic monitoring, AI-assisted decision-making, or innovative use of technology, AI Campus recommends that the Organisation conduct a data protection impact assessment prior to commencing the relevant processing.

22.2 AI Campus Assistance

AI Campus will provide reasonable assistance to the Organisation in conducting such an assessment, including by providing information about the Platform's technical and organisational measures, data flows, and processing operations, to the extent such information is within AI Campus's possession.

22.3 Internal Risk Assessments

AI Campus may also conduct its own internal risk assessments in relation to the Platform's design, features, security posture, and AI capabilities.

23. Cookies and Similar Technologies

23.1 Use of Cookies

The AIC One web interface uses cookies, tokens, and similar technologies that are strictly necessary for secure authentication, session management, SSO functionality, fraud prevention, system integrity, and service performance.

23.2 Categories of Cookies

The following categories of cookies may be used:

  • Strictly necessary cookies: Session tokens, CSRF tokens, SSO tokens, and authentication cookies required for Platform functionality. These expire at the end of the browser session or within a short period.
  • Performance and monitoring cookies: Cookies or similar technologies used by security monitoring or performance tools to collect limited technical data (such as page load times, error rates, and anonymised usage patterns).

23.3 Cookies Not Used

AIC One does not use advertising cookies, behavioural-tracking cookies, or third-party marketing cookies.

23.4 User Control

Users may manage or disable cookies through their browser settings, but disabling strictly necessary cookies may impair Platform functionality.

24. Ownership of Tenant Content

All content created within an Organisation's AIC One tenant (including messages, documents, task records, uploaded files, AI interaction outputs where generated on behalf of the Organisation, and related data) is considered organisational business data and remains the property of the subscribing Organisation. If a user leaves the Organisation, certain records may be retained to preserve business continuity, workflow integrity, and audit trail requirements. Such retention does not override the data subject's rights under POPIA as set out in Section 19 of this Policy.

25. Monitoring, Logging, and Auditing

25.1 Scope of Monitoring

The Platform may log and monitor authentication activity, access attempts, system usage, file activity, administrative actions, API activity, AI interactions, security events, audit trails, and workspace and tenant activities.

25.2 Purposes of Monitoring

Monitoring is conducted to maintain security and operational integrity, detect unauthorised access or misuse, support investigations and incident response, meet compliance and audit obligations, and improve system performance and reliability.

25.3 Lawful Basis for AI Campus Monitoring

Where AI Campus conducts monitoring within its own systems for security, integrity, or compliance purposes, the processing is conducted on the basis of legitimate interests (section 11(1)(f) of POPIA), supported by a documented legitimate interest balancing assessment, which has regard to the reasonable expectations of data subjects, the necessity and proportionality of the monitoring, and the safeguards in place to limit intrusion.

25.4 Workforce Monitoring by Organisations

Where the Organisation conducts or directs monitoring of its workforce or platform users within its tenant, the Organisation, as Responsible Party and employer, is responsible for ensuring that:

  • a lawful basis under POPIA exists for the monitoring;
  • affected data subjects (including employees) are informed of the monitoring in accordance with applicable law;
  • any notifications or consents required under the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) are obtained or given; and
  • any obligations arising under labour legislation, including the Labour Relations Act, 1995, and the Basic Conditions of Employment Act, 1997, are met.

25.5 Operator Security Measures

AI Campus may, in its capacity as Operator, take reasonable measures to enforce platform security and integrity, including suspending access in response to suspected misuse, in accordance with the operator agreement and applicable law.

26. AI Campus Information Officer Contact Details

26.1 Designation and Registration

AI Campus has designated and registered an Information Officer with the Information Regulator in terms of section 56 of POPIA.

  • Organisation: AI Campus (Pty) Ltd
  • Role: Information Officer
  • Email: popia@aicampus.co.za
  • Telephone: 011 084 1100
  • Postal Address: Ground Floor, 35 Ferguson Road, Illovo, Sandton, 2196, Gauteng, South Africa

26.2 Accessible Channels for Requests

In accordance with the POPIA Amendment Regulations of 17 April 2025, the Information Officer will accept requests through any accessible channel, including email, telephone, post, SMS, and WhatsApp. Where a request is made by telephone, the request will be recorded and a copy of the recorded request will be made available to the data subject on request.

26.3 Requests to AI Campus as Responsible Party

Requests addressed to AI Campus in its capacity as Responsible Party will be handled in accordance with applicable law, AI Campus's PAIA Manual where relevant, and any applicable internal procedures.

26.4 Tenant Data Subject Access Requests

Data Subject Access Requests (DSARs) relating to personal information processed within an Organisation's AIC One tenant should be directed, in the first instance, to the relevant Organisation's appointed Information Officer.

26.5 PAIA Manual

AI Campus has compiled a manual in terms of section 51 of the Promotion of Access to Information Act, 2 of 2000. A current copy of the PAIA Manual is available on AI Campus's website and may also be obtained by written request to the Information Officer. AI Campus reviews the PAIA Manual at least annually.

27. Changes to This Policy

27.1 Right to Update

AI Campus may update this Policy from time to time to reflect changes in law, regulation, technology, security practices, services, platform capabilities, or business operations.

27.2 Notice of Material Changes

Where a proposed change is material, AI Campus will publish the updated Policy at least 30 days before the change takes effect and will notify affected Organisations by email or through the Platform. A change is material if it alters the categories of personal information processed, introduces new categories of recipients or cross-border transfers, modifies data subject rights, introduces new AI capabilities with personal information implications, or materially reduces AI Campus's security or confidentiality commitments.

27.3 Fresh Consent for Material Changes

Where a change requires fresh consent under POPIA, or introduces a new lawful basis for processing, AI Campus will obtain such consent or communicate the new lawful basis before the change applies to a data subject's personal information. Continued use of AIC One constitutes acceptance of changes that do not require fresh consent or a new lawful basis.

27.4 Version History

Each version of this Policy bears a version number and effective date. Prior versions are available on request. The version history of material changes is maintained by the Information Officer.

28. Compliance and Enforcement

Failure to comply with this Policy or applicable law may result in:

  • suspension or revocation of access;
  • administrative action;
  • disciplinary procedures;
  • contractual remedies;
  • legal action; and
  • reporting to regulatory authorities where required.

AI Campus reserves the right to enforce this Policy to protect the integrity, security, and operational stability of the AIC ecosystem.

29. Governing Law and Jurisdiction

29.1 Governing Law

This Policy is governed by the laws of the Republic of South Africa.

29.2 Jurisdiction

Subject to the dispute resolution provisions of any applicable operator agreement, master services agreement, or written contract between AI Campus and the Organisation, the parties submit to the exclusive jurisdiction of the High Court of South Africa, Gauteng Division, in respect of any dispute arising from or in connection with this Policy. Where such an agreement provides a different dispute resolution mechanism, that mechanism prevails.

29.3 Access to Records

Where applicable, requests for access to records held by AI Campus are also governed by the Promotion of Access to Information Act, 2 of 2000, and AI Campus's PAIA Manual.


Approved and Issued by
AI Campus (Pty) Ltd
Information Officer
Date: 20 May 2026