POPIA & Security
What we collect
From every resident: name, email, mobile, role within the community. Optionally: profile photo and unit / erf number.
From every community: the data you put in — chat history, votes, transactions, projects, incidents, etc. This is your community's operational data, and it stays in your tenant.
From every device: standard request metadata (IP address, user agent, timestamp) for security and abuse prevention. Stored separately from application data, retained 90 days unless flagged for forensic review.
What we don't
- We don't sell, share, or rent your community's data to anyone. Ever.
- We don't use community data to train ML models — ours or anyone else's.
- We don't run third-party advertising trackers on the app.
- We don't collect ID numbers, bank details, or biometric data. If you want to add bank details for treasury, we tokenise via Stripe — we never see the card.
Where your data lives
South Africa. Primary region is af-south-1 (Cape Town), with encrypted backups in the same region. Data is not replicated outside South Africa.
Our subprocessors: Supabase (database hosting), Vercel (web hosting), Stripe (payment tokenisation), Resend (transactional email), BulkSMS (SMS). Full subprocessor list available on request as part of the DPA.
Who can see what
Inside your community, role-based access controls who sees what. A resident can't see another resident's transaction unless it's a public proposal vote. A treasurer can see all transactions for the community. An admin can see everything within the community.
Across communities, no one in another community can see your data — ever. A municipal admin can only see communities assigned to their group, and only with the specific flags granted (moderate, export, suspend).
tribe.one staff: support engineers can read aggregated platform metrics. Customer support agents can access tenant data only via the impersonation flow — with your community's permission, time-limited to 1 hour, and every action logged forensically.
Tenant isolation
We enforce data isolation at three independent layers. All three have to allow a request before it sees data:
- URL. Every tenant route is namespaced under /[tenant-slug]/. Middleware resolves the slug to a tenant ID and verifies the user has an active membership.
- Request headers. The resolved tenant ID is injected into the request as a header; every server action and component reads from that context, never from a global.
- Database row-level security. Every tenant-scoped table has a Postgres RLS policy that filters by tenant. A query that forgets its own tenant filter still returns only the rows the policy allows, and with no tenant context at all it returns zero rows.
This is intentionally redundant. If one layer has a bug, the other two still block the request.
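What the row-level-security layer looks like in practice, as an added example (this is not tribe.one's schema or code). Assumptions, all hypothetical: the application connects as a role named app_user, it sets the authenticated user's ID in the transaction-local setting app.user_id on every request, and a memberships table records who belongs to which tenant. The policy derives the allowed tenants from that identity, never from a client-controlled header, which is what makes the layer independent of the URL and header checks.

```sql
-- Added example, not tribe.one's schema. Hypothetical names: app_user, app.user_id,
-- memberships, transactions.
create role app_user nologin;

create table memberships (
  tenant_id uuid not null,
  user_id   uuid not null,
  status    text not null check (status in ('active', 'suspended', 'left')),
  primary key (tenant_id, user_id)
);

create table transactions (
  id           bigserial primary key,
  tenant_id    uuid not null,
  amount_cents bigint not null,
  memo         text
);

-- Constructed seed data: one active member in each of two tenants.
insert into memberships values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-0000-0000-0000-000000000001', 'active'),
  ('bbbbbbbb-0000-0000-0000-000000000002', '22222222-0000-0000-0000-000000000002', 'active');
insert into transactions (tenant_id, amount_cents, memo) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 150000, 'levy: unit 12'),
  ('bbbbbbbb-0000-0000-0000-000000000002',  42000, 'gate motor repair');

-- Caller identity from the per-transaction setting. current_setting(..., true) returns
-- NULL when the setting was never set and '' once it has been reset, so nullif covers
-- both cases; NULL::uuid then matches no membership row at all.
create function current_app_user() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- FORCE makes the table owner subject to the policy too; without it a service that
-- happens to connect as the owner silently bypasses isolation.
alter table memberships enable row level security;
alter table memberships force row level security;
create policy memberships_self on memberships
  for select using (user_id = current_app_user());

alter table transactions enable row level security;
alter table transactions force row level security;
-- USING governs what can be read/updated/deleted, WITH CHECK what can be written.
create policy transactions_tenant_isolation on transactions
  for all
  using (tenant_id in (select tenant_id from memberships
                       where user_id = current_app_user() and status = 'active'))
  with check (tenant_id in (select tenant_id from memberships
                            where user_id = current_app_user() and status = 'active'));

grant select on memberships to app_user;
grant select, insert, update, delete on transactions to app_user;
grant usage on sequence transactions_id_seq to app_user;

-- Per request, as app_user, inside one transaction. SET LOCAL is discarded at
-- commit/rollback, so a pooled connection cannot carry one user's context into
-- the next request.
begin;
set local app.user_id = '11111111-0000-0000-0000-000000000001';
select tenant_id, memo from transactions;   -- only the tenant aaaaaaaa-... row
insert into transactions (tenant_id, amount_cents, memo)
  values ('bbbbbbbb-0000-0000-0000-000000000002', 1, 'cross-tenant write');  -- rejected by WITH CHECK
rollback;

-- A query that forgets to filter by tenant, run with no user context at all:
-- the policy compares against NULL and returns zero rows, not every tenant's data.
select count(*) from transactions;          -- 0 as app_user
```

Two checks worth running against any such setup: confirm the application role is neither SUPERUSER nor BYPASSRLS (both skip every policy, and a hosted database's default administrative role usually is), and confirm `relforcerowsecurity` is set on every tenant-scoped table in pg_class, because `enable` alone leaves the owner exempt. The USING subquery runs for every candidate row, so memberships wants an index on (user_id, status).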
Encryption
In transit: TLS 1.3 across every connection.
At rest: AES-256 across all databases, file storage buckets, and backups. Storage buckets are private by default — signed URLs expire in 1 hour.
Sensitive secrets (API keys, OAuth tokens) are encrypted with a separate KMS key and never logged.
Audit logs
Every write to your community's data lands in an append-only audit log: who, when, what changed, before/after values. We can never edit or delete audit entries — only insert.
Platform-level actions (impersonation, subscription changes, support ticket access) land in a separate platform audit log with different retention and access. You can request a full audit export of actions affecting your community at any time.
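An append-only audit table of the kind described above, as an added example (not tribe.one's code). Assumptions, all hypothetical: the application connects as a role named app_user, the acting user's ID is in the transaction-local setting app.user_id, and the audited table has id and tenant_id columns. The trigger records before/after values as JSON; append-only is enforced once by privilege and again by a trigger, so a role the grant model missed still cannot rewrite history.

```sql
-- Added example, not tribe.one's code. Hypothetical names: app_user, app.user_id,
-- transactions, audit_log.
create table if not exists transactions (
  id           bigserial primary key,
  tenant_id    uuid not null,
  amount_cents bigint not null,
  memo         text
);

create table audit_log (
  id          bigserial primary key,
  tenant_id   uuid not null,
  actor_id    uuid,                       -- NULL for system/migration writes
  occurred_at timestamptz not null default now(),
  table_name  text not null,
  row_id      text not null,
  op          text not null check (op in ('INSERT', 'UPDATE', 'DELETE')),
  before_row  jsonb,                      -- NULL on INSERT
  after_row   jsonb                       -- NULL on DELETE
);

-- The recorder runs as its definer (the migration role), so the application role
-- needs no INSERT privilege on audit_log and cannot forge entries.
create function audit_row_change() returns trigger
language plpgsql security definer set search_path = pg_catalog, public as $$
begin
  insert into audit_log (tenant_id, actor_id, table_name, row_id, op, before_row, after_row)
  values (
    case tg_op when 'DELETE' then old.tenant_id else new.tenant_id end,
    nullif(current_setting('app.user_id', true), '')::uuid,
    tg_table_name,
    (case tg_op when 'DELETE' then old.id else new.id end)::text,
    tg_op,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;  -- return value is ignored for AFTER row triggers
end $$;

create trigger transactions_audit
  after insert or update or delete on transactions
  for each row execute function audit_row_change();

-- Enforcement 1, privilege: the application role may read but never insert,
-- update or delete audit rows.
grant select on audit_log to app_user;
revoke insert, update, delete on audit_log from app_user;

-- Enforcement 2, trigger: refuse rewrites from any role, including the owner.
-- A superuser can still drop this trigger, which is why DDL on this table
-- belongs under change control and its own logging.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only; % rejected', tg_op;
end $$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- TRUNCATE is not seen by row triggers, so block it at statement level too.
create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_immutable();
```

The trigger fires for every write path that reaches the table (ORM, RPC, ad-hoc SQL), which is what makes "every write lands in the log" hold without depending on application code. Carrying tenant_id on each audit row lets the same tenant-scoped RLS policy used for operational tables govern who can read the log, so a per-community audit export is a filtered select rather than a bespoke job.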
Your data rights
Under POPIA, every data subject has rights of access, correction, deletion, and objection. We honour all of these:
- Access: any resident can request a full export of their own data through the app — instant, no human required.
- Correction: profile data is editable directly in the app. Other corrections (e.g. an incorrectly recorded transaction) require trustee action with audit.
- Deletion: a resident leaving a community has their personal profile data scrubbed within 30 days; references in immutable records (votes, transactions) are anonymised, not deleted, to preserve community audit integrity.
- Objection: opt out of any non-emergency notification category through your preferences.
When you leave
Communities (whole tenants): on cancellation we deliver a full export of your data within 7 days (JSON + CSV). We retain a tombstone record for 30 days in case of accidental cancellation, then everything is purged.
Individuals (a single resident): your personal profile, contact, and chat content can be scrubbed on request. Financial records and votes remain but with your name anonymised — this is a non-negotiable for audit and dispute defence.
Incident response
We monitor security events 24/7. In the event of a confirmed data security incident affecting personal information:
- We notify the affected community admin(s) within 24 hours of confirming the incident.
- We notify the South African Information Regulator within 72 hours of confirmation; POPIA § 22 requires notification as soon as reasonably possible after discovery of the compromise.
- We publish a postmortem within 30 days, including root cause and remediation.
Responsible disclosure
If you've found a vulnerability, please tell us. Email security@tribeone.co.za with details. We respond within 48 hours, do not threaten legal action against good-faith reporters, and publicly thank you (with your permission) in our security acknowledgements.
Information officer
Our designated POPIA Information Officer is Aisha Khan. Reach her at popia@tribeone.co.za for access requests, complaints, or any question this page didn't answer.
Last updated 22 May 2026. Material changes are announced in the in-app notification stream at least 30 days in advance.