Data Protection & Retention Policy

Last Updated: 25 June 2025

This Data Protection & Retention Policy explains how Shared Futures NPC (“we,” “us,” “our”) stores, secures, and retains personal data collected through our website (https://sharedfutures.africa) and related services, and outlines our procedures for data‐breach notification.

1. Scope & Purpose

We collect personal data from donors, volunteers, program participants, job applicants, and site visitors. This policy ensures that:

• Data is stored securely and only as long as necessary.
• We comply with South Africa’s POPIA and applicable international standards.
• We respond promptly in the unlikely event of a data breach.

2. Data Storage & Security Measures

2.1 Storage Locations

• Primary Servers: Encrypted cloud servers located in South Africa (AWS Africa-Cape Town region).
• Backup Servers: Encrypted backups in the European Union under Standard Contractual Clauses.

2.2 Security Controls

• Encryption
  • Data in transit: TLS 1.2+
  • Data at rest: AES-256
• Access Controls
  • Role-based access, least-privilege principle
  • Multi-factor authentication for all staff accounts
• Infrastructure Protections
  • Regular vulnerability scans and annual penetration tests
  • Web application firewall and DDoS protection (via Cloudflare)
• Organizational Measures
  • Annual staff training on POPIA, GDPR, and security best practices
  • Incident response plan with defined roles & escalation paths

3. Data Retention Schedule

All retention periods will be reviewed annually. Data no longer needed will be securely deleted or anonymized.

4. Data-Breach Notification Procedures

4.1. Definition

A “data breach” is any confirmed or suspected incident leading to unauthorized access, disclosure, alteration, or destruction of personal data.

4.2. Incident Response Steps

1. Detect & Contain
   • Security team isolates affected systems.
   • Preserve logs and evidence.
2. Assess & Investigate
   • Determine scope, data types involved, and risk to individuals.
3. Notify Authorities
   • Within 72 hours of becoming aware, notify the Information Regulator (as per POPIA) and, where applicable, relevant EU supervisory authority.
4. Notify Data Subjects
   • If breach poses a high risk to individuals, inform affected persons without undue delay, describing:
     • Nature of breach
     • Data categories involved
     • Potential consequences
     • Mitigation measures taken
     • Contact details for further information
5. Remediate & Review
   • Implement fixes to prevent recurrence.
   • Conduct post-incident review and update this policy and response plan as needed.

5. Roles & Responsibilities

• Data Protection Officer (DPO)
  • Oversee compliance, handle breach notifications, and respond to subject requests.
• IT & Security Team
  • Maintain technical controls, conduct audits, and lead incident response.
• All Staff & Contractors
  • Adhere to this policy, report suspected breaches immediately, and complete annual data-protection training.

6. Subject Rights & Requests

Data subjects may:

• Request access to their personal data (POPIA Section 23; GDPR Articles 15–16).
• Request correction, deletion, or restriction of processing.
• Withdraw consent at any time.

Submit any request or complaint to:
Data Protection Officer
Shared Futures NPC
9 Hofmeyer Road, Midrand, Gauteng, South Africa
Email: privacy@sharedfutures.africa

We will acknowledge all requests within 5 business days and respond no later than 30 days.

7. Policy Review

This policy is reviewed annually or after any significant security incident or legal change. Updates will be published on our website with a revised “Last Updated” date.