Praxima Holdings (Pty) Ltd.
Reg. No. 2007/003285/07
Directors: PJ Ibbotson, FJ van Zyl, DE Bowden, RC Boardman
64 Pitzer Road, Glen Austin, Midrand, South Africa
Tel +27 10 035 1050
PRAXIMA DATA & PRIVACY POLICY
The information in this document is subject to change without notice and should not be construed as a commitment by Praxima. Users are therefore urged to keep up to date with any further changes that may be made to this document. Praxima assumes no responsibility for any errors that may appear in this document. Possession, use, duplication, or dissemination of the software described in this documentation is authorised only pursuant to a valid written license from the owner of the software copyright. This document is confidential and proprietary and is the property of Praxima. It is an unpublished work protected under the applicable copyright laws. Praxima and the Praxima logo are registered trademarks of Praxima.
1. EXECUTIVE ACKNOWLEDGMENT AND APPROVAL
WHEREAS, Praxima Holdings (Pty) Ltd. is committed to maintaining robust, transparent, and effective governance practices to ensure compliance with applicable laws, regulations, and internal standards;
WHEREAS, Praxima Holdings (Pty) Ltd. has established policies and procedures to guide its operations, promote ethical conduct, and safeguard the interests of its stakeholders, including employees, shareholders, and partners;
WHEREAS, the undersigned, in their capacity as a duly authorized executive of Praxima Holdings (Pty) Ltd., has been granted the authority to review, approve, and enact policies on behalf of Praxima Holdings (Pty) Ltd. in accordance with its established governance framework;
NOW, THEREFORE, by affixing their signature to this document, the undersigned hereby:
Formally approves and adopts this policy, inclusive of any and all revisions, modifications, amendments, or supplements thereto, as presented and reviewed. This policy shall serve as the governing framework for the subject matter addressed herein and shall supersede and replace any and all prior policies, procedures, guidelines, or practices, whether written or unwritten, pertaining to the same subject matter.
Confirms that this policy, including any revisions, edits, or comments incorporated therein, has been thoroughly reviewed and evaluated in accordance with Praxima Holdings (Pty) Ltd.’s governance procedures, bylaws, and applicable legal and regulatory requirements.
Directs that this policy be implemented and enforced across all relevant departments, divisions, and subsidiaries of Praxima Holdings (Pty) Ltd., as applicable, effective immediately upon execution or as otherwise specified within the policy.
Represents and warrants that the approval of this policy adheres to Praxima Holdings (Pty) Ltd.’s established protocols for policy review, including consultation with relevant stakeholders, legal counsel, and/or advisory committees, as required.
Acknowledges that Praxima Holdings (Pty) Ltd. reserves the right to amend, modify, or rescind this policy at any time, subject to the appropriate governance processes, and that such amendments shall be binding upon approval by an authorized executive.
Document History
- 11.07.2017 – V1.1 – Privacy/data Protection Policy write up
- 30.11.2021 – V1.2 – Review and update of the policy
- 09.11.2023 – V1.3 – Review and Update
- 16.02.2025 – V1.4 – Policy Review
- 28.06.2025 – V1.5 – Consult Policy Governance Framework
2. Contents
- Purpose
- Definitions
- Scope
- Enforcement
- Policy Statements
- Promotion of Access to Information Act, 2000 (PAIA)
- Personal Information Sharing Policy
- Definition of Personal identifiable information (PII)
- Definition of sensitive personal information (SPII)
- Confidential Information
- Need-to-know-basis
- Business Information
- Security
- Transmission of Data
- Customer Profile
- Newsletters
- Cookies
- Product-Related Information Collection
- Account Set-Up and Access
- Web-based Services
- Praxima Products & Services
- Third-Party Products
- Partner and Government Service
- Services and Product Data
- Praxima Email Promotions
- Data Privacy
- Access to your Data
- Managed Hosting
- Firewall and Intrusion detection
- Data Backups
- SSL Security
- Internal Training
- Internal audit performed on industry standards
3. Purpose
The purpose of this Privacy and Data Protection Policy is to affirm the commitment of Praxima to safeguard the personal information of individuals in strict compliance with applicable data protection laws, including, but not limited to, the Protection of Personal Information Act, 2013 (POPIA) of South Africa, the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) of the European Union, and the United Kingdom General Data Protection Regulation (UK GDPR) as tailored by the Data Protection Act 2018 of the United Kingdom. This Policy establishes a framework for the lawful, transparent, and secure processing of personal data, ensuring the protection of data subjects’ rights, including their right to privacy, while fostering trust and accountability in all data-handling activities. It outlines the principles, procedures, and obligations governing the collection, use, storage, disclosure, and disposal of personal data to ensure adherence to the aforementioned regulatory requirements and to mitigate risks associated with data processing activities.
4. Definitions
Unless the contrary is clearly indicated, the following words and/or phrases used in this policy shall have the following meaning:
- “Policy/policy” shall mean this document together with any and all other written appendices, annexures, exhibits or amendments attached to it from time to time.
- “Client/Customer” shall mean the person or entity to whom services are being rendered by Praxima in whichever form.
5. Scope
This policy applies to all Praxima employees, consultants, temporary workers, third-party vendors and clients who have access to Praxima information systems, interns and contractors who have access to and work with information in Praxima’s custody or under its control, and/or who apply privacy and security controls to Praxima’s information technology assets.
This policy further applies to all personal data processed by Praxima, its employees, contractors, agents, and any third parties acting on its behalf, in connection with its business operations, services, and activities. The scope encompasses the collection, use, storage, transfer, disclosure, and disposal of personal data, whether obtained directly from data subjects or through third parties, in compliance with privacy regulations. This policy covers personal data processed in both digital and physical formats, across all jurisdictions in which Praxima operates, and applies to all data subjects, including, but not limited to, customers, employees, suppliers, and other stakeholders whose personal data is processed by Praxima. The policy further extends to all systems, processes, and technologies used for data processing, ensuring that all such activities are conducted in a manner that upholds the rights of data subjects and complies with applicable data protection laws and regulations.
6. Enforcement
Failure to comply with this policy may result in actions which include, but are not limited to, the following:
- Denial of access to Praxima’s information and information technology assets.
- Contractual remedies, as may be appropriate for third party suppliers, consultants and/or contractors, such as provisions for breach or termination of contract.
- Disciplinary action for employees, including, but not limited to, written warnings, suspensions with or without pay, and/or termination of employment following a disciplinary process.
- Reporting to regulatory bodies in line with reporting requirements.
- Financial and/or operational sanctions.
Furthermore, Praxima shall cooperate fully with relevant supervisory authorities, including the Information Regulator in South Africa, the Information Commissioner’s Office in the United Kingdom, and relevant Data Protection Authorities in the European Union, to address any violations and ensure remedial actions are taken promptly. This policy does not create a precedent for discretionary enforcement, and Praxima reserves the right to take appropriate action at its sole discretion to address any violations, without prejudice to its obligations under applicable data protection laws.
7. Policy Statements
7.1 Promotion of Access to Information Act, 2000 (PAIA)
Praxima is committed to full compliance with the Promotion of Access to Information Act to promote transparency and access to information in accordance with its legal obligations. To this end, Praxima has ensured the timely preparation and submission of annual reports to the Information Regulator, detailing its compliance with PAIA, including the number and nature of requests for access to information received and processed during the reporting period. Furthermore, Praxima maintains and updates a comprehensive PAIA manual, as required under Section 51 of the Act, which is made readily available to the public in both physical and electronic formats, outlining the procedures for requesting access to information and the categories of records held by the organization. The manual is reviewed and updated as necessary to reflect any changes in Praxima’s operations or legal requirements. Additionally, Praxima has appointed and registered an Information Officer with the Information Regulator, as mandated by PAIA, to oversee Praxima’s compliance with PAIA, including the handling of information access requests and ensuring adherence to all related obligations.
7.2 Personal Information Sharing Policy
Definition of Personal identifiable information (PII)
Personal Identifiable Information (PII) is information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (e.g., identification number information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.
Definition of sensitive personal information (SPII)
Sensitive Personal Identifying Information (SPII) is defined as information that if lost, compromised, or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. In general terms, it is any information that could be used by criminals to conduct identity theft, blackmail, stalking, or other crimes against an individual.
Confidential Information
Means any and all non-public information, whether in written, oral, electronic, or any other form, disclosed or made available by or to Praxima, its employees, contractors, agents, third parties, or any other recipients, or obtained by Praxima in the course of its business operations, which is designated as confidential or which, by its nature or the circumstances of its disclosure, ought reasonably to be treated as confidential. This includes trade secrets; proprietary business information; financial records; customer and supplier data; strategic plans; and any other sensitive information relating to Praxima or its operations, or its stakeholders. Confidential Information shall exclude information that: (i) is or becomes publicly available through no breach of this policy or any related agreement; (ii) was lawfully in the possession of the recipient prior to disclosure without an obligation of confidentiality; (iii) is lawfully obtained from a third party without restriction on disclosure; or (iv) is independently developed by the recipient without use of or reference to the Confidential Information. All handling, processing, and disclosure of Confidential Information shall comply with the applicable data protection laws and the provisions of this policy to ensure its protection and confidentiality.
Need-to-know-basis
Also referred to as data minimisation. Praxima employees are assigned restricted access/view based on their level per Client. The various levels are assigned individually per Praxipay, the Employee Self Service Portal and the respective Revenue Authority.
Business Information
Any information that identifies or may identify a company or an individual contact at a company or that allows others to contact a company or an individual contact at a company.
7.3 Security
This policy explains our commitment to safeguarding our customers’ data and serves as our agreement with our customers and other parties about our data handling practices. This policy lists the types of data we collect, explains how we use and protect that data, and discloses our key procedures surrounding privacy. Praxima may change this policy from time to time by publishing an updated version, and the updated version will become effective immediately or as per the date indicated on the official document.
Praxima places the utmost importance on safeguarding the privacy of our customers, affiliates, and stakeholders. In furtherance of this commitment, we uphold the following principles:
- Praxima will not sell, rent, or otherwise disclose personally identifiable information to third parties, except as required by law or with the explicit consent of the data subject, in strict compliance with applicable data protection regulations, including the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), and the United Kingdom General Data Protection Regulation (UK GDPR) as tailored by the Data Protection Act 2018.
- Praxima expressly prohibits the use of our services for the dissemination of unsolicited communications, commonly referred to as spam, and our policies strictly enforce measures to prevent such activities, ensuring a respectful and lawful engagement with all Clients.
Praxima will use the personal information you submit and will retain the information submitted for the time required by applicable law or in accordance with our standard retention practice, whichever is longer. In the event that a client requires us to delete all information relating to the services rendered, a proper hand-over process will have to be embarked upon as regulation requires. Revenue Authorities may require records further back to maintain compliance. Praxima would need to be indemnified if deletion is required and will not be held liable for any damages.
Praxima requires that our service providers/subcontractors keep your personal information confidential as well. In addition, to prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate procedures to safeguard the information we collect.
7.4 Transmission of Data
Praxima is committed to ensuring the secure transmission of Confidential Information and personal data in accordance with privacy regulations. To safeguard the confidentiality, integrity, and availability of such information, Praxima mandates the use of secure, encrypted portals for all data transmissions, employing industry-standard encryption protocols and robust security measures to protect against unauthorized access, interception, or disclosure. Transmission of Confidential Information or personal data through unsecured or unauthorized methods, including but not limited to unencrypted email, physical media, or non-secure third-party platforms, is strictly prohibited unless expressly authorized by Praxima in writing and subject to equivalent security safeguards. Praxima shall implement regular security assessments, access controls, and monitoring mechanisms to ensure the ongoing effectiveness of these secure portals and compliance with applicable data protection laws. Any breach or suspected breach of these transmission protocols shall be promptly investigated, and appropriate remedial actions shall be taken in accordance with this Policy and relevant legal obligations.
7.5 Customer Profile
Praxima collects Business Information when Praxima implements Know-Your-Customer procedures and when Praxima creates a customer profile on Praxipay, which is required in order to obtain access to the payroll. This information includes company name and contact information and other information about your company (for example, size, and number of employees). Praxima uses this information in accordance with this policy to identify you, process your requests, and administer your Praxima account(s).
7.6 Newsletters
When you subscribe or sign up to receive newsletters published or offered, Praxima will ask you for information necessary to enable us to process the request and to send you information regarding relevant tax and payroll updates or legislation changes.
7.7 Cookies
Praxima uses Cookies to enhance the user experience, deliver personalized content, and collect information about the use of the Employee Self Service. "Cookies" are small computer files that we transfer to your computer's hard drive. Cookies allow us to statistically monitor how many people are using the Sites and for what purposes, how often someone visits the Sites, and the length of their stay. Cookies are not designed to retrieve personal or business data from your hard drive, your email, or any other personal information. Most browsers are initially set to accept Cookies, but users can change the setting to refuse Cookies or to be alerted when Cookies are being sent. Although refusal of Cookies will not interfere with the ability to interact with most of the sites, you will need to accept Cookies in order to access information and use certain functions. For example, Cookies are required to be accepted for access to our web-based services. The Cookies are renewed each time a user logs on to one of the sites that uses Cookies.
7.8 Product-Related Information Collection
We collect certain additional information in connection with your use of our services or desktop products with online features. For instance:
7.9 Account Set-Up and Access
Upon subscribing to our services, we collect Business Information which may include information such as user ID, and your customer profile information, in order to identify you and authorize your access and use of the services and provide you with your relevant account information.
7.10 Web-based Services
In connection with certain of our web-based services we collect certain additional information, including IP address, browser, connection speed, domain, referring URL, and other environment-related information to enable us to provide a secure environment for the use of the services, to pre-populate forms, and calculate aggregate statistical information about the customers using these services.
7.11 Praxima Products & Services
In addition to the uses set forth above, we may use your Business Information to: 1) inform you of product upgrades and updates and subscription renewals; 2) inform you of tax, regulatory, and other compliance issues with your payroll; 3) contact you for survey purposes to determine how we can better service you or provide better products to meet your needs.
7.12 Third-Party Products
From time to time, we may be required to release Business Information: 1) to comply with valid legal requirements such as a law, regulation, search warrant, subpoena, or court order; 2) to enforce or apply the terms of any of our service or license agreements; or 3) in special cases, such as protecting the rights, property, or safety of Praxima, our customers, or others. We may also provide Business Information to government agencies and to our vendors, suppliers, authorised resellers, and other business, development, and industry partners ("Partners") to enable them to: 1) provide us with products and services to better operate and maintain the Sites; 2) provide you with a product or service requested by you.
7.13 Partner and Government Service
We may engage Partners to perform functions on our behalf, which may include assisting us in processing your Business Information. Certain Partners and government agencies may collect Business Information (such as business name, address, email address, and customer ID) directly from you, and use of that information and other information provided by you to third parties is not governed by this policy even though those Partners and government agencies may share such information with us.
7.14 Services and Product Data
We will not provide your Product Data or Services Data to any third party or permit any third party to access your Product Data or Services Data, except by your permission or to comply with valid legal requirements such as a law, regulation, search warrant, subpoena, or court order. In addition, if at any time you decide to discontinue your use of the applicable service, your Services Data will be destroyed and removed from all servers according to terms set forth in your Service Agreement or agreed terms and conditions.
7.15 Praxima Email Promotions
In the event that we send out relevant payroll or tax updates, and you wish to unsubscribe from the email list, you will have the option to opt out of such subscription.
8. Data Privacy
The security of payroll data is of utmost importance to Praxima. Our commitment to security will ensure that data is safe and secure.
9. Access to your Data
User data is protected by a username and password. Each authorised user has their own username and password. If a user is logged in and does not use employee self-service for an extended period, such user will automatically be logged out.
10. Managed Hosting
Payroll and personal information data is stored in a managed hosted environment at a secure physical location with 24/7 armed security personnel and offsite monitoring via CCTV. All physical equipment is housed in a security controlled and monitored centre. Access to the data centre is restricted to authorised personnel only.
11. Firewall and Intrusion detection
Praxipay operates behind an industry-standard firewall. This firewall ensures that only intended traffic reaches the payroll service. The firewall generates logs and alerts which are reviewed on an ongoing basis to determine intrusion, service attacks and injection attempts. All systems are reviewed on an ongoing basis to identify possible weaknesses or new vulnerabilities. System event and system logs are reviewed on an ongoing basis to identify possible intrusion attempts. Industry-standard monitoring technologies are in place to continuously check that the Praxipay server is available. This ensures that the physical environment is monitored, and any system hardware or software errors are resolved within the shortest possible time thereby minimising downtime.
12. Data Backups
Accounting data is backed up daily. Backups are stored for up to two weeks. Data is stored in two alternative locations, accommodating multiple points of failure.
13. SSL Security
Information sent to and retrieved from Praxipay is encrypted. Praxipay utilises a security certificate obtained from a reputable certificate provider. This certificate is fully authenticated and verified, encrypting data with up to 256-bit encryption (browser dependent) and therefore ensuring that data is safe.
14. Internal Training
Internal training is provided to all staff on a monthly basis, including the importance of privacy/data and information security. Updates of relevant legislation and technical training are also included on a monthly basis.
15. Internal audit performed on industry standards
An internal audit based on the above standards is reviewed internally on a regular basis to provide our client with the necessary assurance surrounding the business controls. All other matters not addressed by the Data & Privacy Policy have been dealt with in other applicable policies, available upon request.