Security & Compliance
Built with security and South African data protection regulations at the core.
- POPIA Compliant: Full compliance with South Africa's Protection of Personal Information Act
- Encrypted: TLS 1.3 for data in transit and AES-256 encryption for data at rest
- SA Data Residency: All data stored in South African data centers
- Audit Logs: Complete audit trail of all system actions
Data Protection & Privacy
POPIA Compliance
NoQue is designed from the ground up to comply with the Protection of Personal Information Act (POPI Act, 2013):
- Accountability: Clear data processing policies and procedures
- Processing Limitation: Personal information collected only for lawful, legitimate purposes
- Purpose Specification: Clear communication of data collection purposes
- Further Processing: No processing beyond the original purpose without consent
- Information Quality: Mechanisms to ensure data accuracy
- Openness: Transparent about data collection and use
- Security Safeguards: Technical and organizational measures to protect data
- Data Subject Participation: Rights to access, correct, and delete personal data
Data Minimization
We collect only the minimum data required for appointment booking:
- Phone number (for OTP authentication)
- SA ID number (optional, for identity verification)
- Booking details (service, time, location)
- No financial information collected
Data Retention
Data retention policies aligned with government record-keeping requirements:
- Booking records retained for 7 years (NARS compliance)
- Audit logs retained for 5 years
- Personal information anonymized after retention period
- Right to erasure honored (POPIA Section 24)
Infrastructure Security
Encryption
- In Transit: TLS 1.3 for all connections
- At Rest: AES-256 encryption for stored data
- Database: PostgreSQL with encrypted connections
- Backups: Encrypted backups stored securely
Data Residency
- Primary database hosted in Johannesburg
- Backup database in Cape Town
- No data stored outside South Africa
- Compliance with data sovereignty requirements
Access Control
- Row-Level Security: Database-level data isolation
- Role-Based Access: Admin/user permission separation
- Multi-Factor Auth: Optional for admin accounts
- Session Management: Automatic timeouts and token expiry
Audit Logging
- All admin actions logged with timestamps
- User identity captured for accountability
- Immutable audit trail (append-only)
- Exportable logs for compliance review
Application Security
Security Best Practices
- Input Validation: All user inputs validated and sanitized to prevent injection attacks
- SQL Injection Prevention: Parameterized queries and ORM usage throughout
- XSS Protection: Content Security Policy headers and output encoding
- CSRF Protection: Token-based CSRF protection on all state-changing operations
- Rate Limiting: API rate limits to prevent abuse and DDoS attacks
- Secure Authentication: Bcrypt password hashing, OTP verification, JWT tokens
Incident Response
We take security incidents seriously with a clear response protocol.
- 24/7 security monitoring
- Immediate incident notification to affected partners
- Breach notification within 72 hours (POPIA requirement)
- Post-incident analysis and remediation
- Regular security assessments
Report a Security Issue
If you discover a security vulnerability, please contact us immediately:
Email: security@noque.co.za
Phone: +27 (0)21 XXX XXXX
We have a responsible disclosure policy and will work with security researchers to address vulnerabilities.
Questions About Security?
Our security team is here to address your concerns and provide detailed information.