Trust Center

Security Is Not a Feature.
It Is the Foundation.

How Social Wiiv protects client data, governs platform operations, and builds toward internationally recognised security standards — so your brand and your users are always protected.

  • 42 critical controls: CEO-enforced
  • 24/7 monitoring: continuous compliance
  • IO: POPIA registered (IO + Deputy IO)
  • A+ email security: DMARC A+ rating
  • A+ SSL/TLS: TLS 1.3 + HSTS

42 Enforced Critical Controls

Social Wiiv maintains 42 enforced critical controls governing information security, data protection, and platform operations. They are locked by CEO authority, and they cannot be bypassed by any team member, workflow, or automation.

Our security programme follows defence-in-depth principles. We conduct continuous monitoring, maintain formal incident response procedures, and integrate lessons learned from every security event into our policies.

  • Information Security (12 controls): access control, encryption, incident response & backup
  • Data Protection (14 controls): POPIA, cross-border, retention, DSAR & privacy
  • Platform Governance (10 controls): human oversight, data isolation & integrity controls
  • Additional NFC & Physical Controls (6 controls): covering in-person brand activations, NFC/RFID deployments, cashless systems & event access control

POPIA — Registered with Information Regulator

Information Officer and Deputy Information Officer are registered with the South African Information Regulator. Our published privacy policy covers all Social Wiiv platform entities.

Your rights under POPIA

We maintain documented procedures for data subject requests including access, correction, deletion, and objection. Contact:

Client data isolation

Each client's data is isolated in separate database tenants. No client data may be used to enrich, benchmark, or cross-reference another client's engagement.

Zero data breaches since founding. All platform incidents are logged, investigated, and resolved with documented corrective controls.

DPAs active: Data Processing Agreements with all primary vendors

Cross-border & privacy safeguards

  • Standard Contractual Clauses for all international data flows
  • Privacy-first analytics — no personal data collected for internal analytics
  • No client data used for advertising or sold to third parties
  • Board-approved privacy policy covering all platform entities

A+ Email Authentication

Every email from Social Wiiv is authenticated and encrypted. All domains achieve full DMARC enforcement with A+ ratings — verify independently on any DMARC lookup tool.

A+ socialwiiv.com — DMARC p=reject, DKIM signed, SPF strict, MTA-STS enforced, BIMI active, TLS 1.3.

  • DMARC: unauthorised senders rejected (p=reject)
  • DKIM: cryptographic signing (signed)
  • SPF: prevents spoofing (strict)
  • MTA-STS: prevents TLS downgrade (enforce)
  • BIMI: brand logo verification (active)
  • TLS: all email encrypted in transit (1.3)
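The page invites readers to verify the email-authentication posture independently. As an added example (not Social Wiiv's tooling), the following Python parses the three published records the table refers to, a DMARC TXT record, an SPF TXT record and an MTA-STS policy file, and reports anything weaker than what the page claims: DMARC not at p=reject (including a weaker sp= or pct<100), SPF not ending in -all, MTA-STS not in enforce mode. The record strings are constructed samples on an example domain; a real check would fetch them over DNS and HTTPS (for instance with dnspython and an HTTP client) and pass them to the same functions.

```python
"""Offline checks on published email-authentication records.

Added example, not the page's own code. SAMPLE_* values are constructed to
resemble a domain matching the page's claims; replace them with records
fetched from DNS / https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""

# --- constructed sample records (assumptions, not live data) ----------------
SAMPLE_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.invalid; adkim=s; aspf=s")
SAMPLE_SPF = "v=spf1 include:_spf.example.invalid -all"
SAMPLE_MTA_STS = "version: STSv1\nmode: enforce\nmx: mail.example.invalid\nmax_age: 604800\n"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def dmarc_findings(record: str) -> list:
    """Return findings; an empty list means the record is at full enforcement."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: unauthenticated mail is not rejected")
    # sp defaults to p when absent (RFC 7489 6.3), so only an explicit weaker value differs
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are not at reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")
    return findings


def spf_findings(record: str) -> list:
    """Check an SPF record for a hard-fail terminator and the RFC 7208 lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an spf1 record"]
    findings = []
    last = terms[-1].lower()
    if last != "-all":
        findings.append(f"terminal mechanism is {last!r}, not -all (hard fail)")
    # RFC 7208 4.6.4 caps DNS-querying mechanisms/modifiers at 10 per evaluation
    lookup_terms = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for term in terms[1:]
                  if term.lower().lstrip("+-~?").split(":")[0].split("=")[0] in lookup_terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def mta_sts_findings(policy_text: str) -> list:
    """Parse an MTA-STS policy file (RFC 8461 3.2: 'key: value' lines) and check its mode."""
    fields = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    findings = []
    if fields.get("version") != ["STSv1"]:
        findings.append("missing or unknown version")
    mode = (fields.get("mode") or ["none"])[0].lower()
    if mode != "enforce":
        findings.append(f"mode={mode}: TLS downgrade is only reported, not blocked")
    if not fields.get("mx"):
        findings.append("no mx entries")
    return findings


def assess(dmarc: str, spf: str, mta_sts: str) -> dict:
    """Run all three checks; every list empty means the posture matches the page's claims."""
    return {"dmarc": dmarc_findings(dmarc),
            "spf": spf_findings(spf),
            "mta_sts": mta_sts_findings(mta_sts)}


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_DMARC, SAMPLE_SPF, SAMPLE_MTA_STS).items():
        print(name, "OK" if not findings else findings)
```

The sp= handling is the detail most lookup tools get subtly wrong: a missing sp= tag inherits p=, so it is only an explicit weaker value (for example p=reject with sp=none) that leaves subdomains exposed.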

AI Governance Framework

Social Wiiv uses AI technologies to enhance platform capabilities including personalisation, engagement scoring, and analytics. All AI integrations are governed by our formal AI governance framework.

Controls in place

  • All AI recommendations reviewed before influencing client-facing outputs
  • No automated decisions without human oversight
  • Client data not shared with AI providers for training
  • Monthly verification of data opt-out compliance
  • Strict data integrity prevention (CEO-enforced)

Legal framework

  • Data Processing Agreements with all AI service providers
  • Full IP ownership of AI-assisted outputs retained by clients
  • White-label clients retain full rights to platform outputs
  • AI contribution documented in platform methodology

Standards alignment

  • Aligned with NIST AI RMF principles
  • Transparent disclosure of AI-assisted features
  • AI role documented in all client deliverables
  • University of Helsinki Ethics of AI framework

Security Training Programme

Security awareness is not a one-time exercise. Social Wiiv maintains an ongoing training programme covering information security, data protection, and responsible AI use.

100% team completion on mandatory security and data classification training. All attestations signed and maintained on file.

100% staff trained: security awareness complete

Responsible Technology Commitment

  • Transparency by default. Every platform feature discloses how data is used.
  • Human oversight, always. Automation augments our team — never replaces judgement.
  • Compliant from day one. Contractual safeguards, not just technical ones.

Planned Certifications

  • ISO 27001:2022 Certified
  • SOC2 - Target Q4 2026
  • NIST Cybersecurity Framework 2.0 self-assessment
  • CIS Controls IG1 self-assessment

Awareness Programme

  • Quarterly security awareness communications to all staff
  • Incident-driven policy updates
  • Annual compliance review cycle with CEO sign-off

Platform Security Architecture

Data in Transit

TLS 1.3 with HSTS (1-year max-age; preload submitted). Comprehensive Content Security Policy, X-Frame-Options: DENY, and Permissions-Policy headers.

Mozilla Observatory: A+

Data at Rest

AES-256 encryption on all endpoint devices and storage. Daily encrypted backups with formally defined RTO and RPO.

AES-256 across all systems

Data Residency

Client databases hosted EU-West (Ireland) with multi-region replication. All cross-border flows covered by Data Processing Agreements.

GDPR-aligned data residency

Security headers — all verified active

  • Content-Security-Policy: Active
  • Strict-Transport-Security: Active
  • X-Content-Type-Options: Active
  • X-Frame-Options: DENY
  • Permissions-Policy: Active
  • Cross-Origin-Opener-Policy: Active
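The header list above, together with the HSTS parameters stated under Data in Transit (1-year max-age, preload submitted), is easy to turn into a repeatable check. The Python below is an added example, not Social Wiiv's own tooling: it takes a dictionary of response headers, confirms each header in the list is present, parses the HSTS directives to verify max-age is at least one year and that a preload assertion also carries includeSubDomains (the preload list requires both), and parses the CSP to flag a missing default-src fallback or an 'unsafe-inline' script source. SAMPLE_HEADERS is a constructed response; in practice the headers would come from `requests.head(url).headers` or `curl -sI`.

```python
"""Check HTTP response headers against the baseline listed on this page.

Added example, not the page's own code. SAMPLE_HEADERS is a constructed
response, not captured from socialwiiv.com.
"""

ONE_YEAR = 31536000  # seconds; the page states a 1-year HSTS max-age

REQUIRED = [
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "permissions-policy",
    "cross-origin-opener-policy",
]

# Constructed sample response headers (assumption, not live data).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}


def parse_directives(value: str) -> dict:
    """'max-age=1; includeSubDomains' -> {'max-age': '1', 'includesubdomains': ''}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def parse_csp(value: str) -> dict:
    """\"default-src 'self'; script-src 'self' cdn\" -> {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def evaluate(headers: dict) -> list:
    """Return a list of findings; empty means every listed header is present and strong."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"{name}: missing" for name in REQUIRED if name not in h]

    if "strict-transport-security" in h:
        hsts = parse_directives(h["strict-transport-security"])
        try:
            max_age = int(hsts.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"strict-transport-security: max-age={max_age} is below one year")
        if "preload" in hsts and ("includesubdomains" not in hsts or max_age < ONE_YEAR):
            findings.append("strict-transport-security: preload requires "
                            "includeSubDomains and max-age >= 1 year")

    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        if "default-src" not in csp:
            findings.append("content-security-policy: no default-src fallback")
        # script-src falls back to default-src when absent
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("content-security-policy: script-src allows 'unsafe-inline'")

    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options: expected nosniff")
    if "x-frame-options" in h and h["x-frame-options"].upper() != "DENY":
        findings.append(f"x-frame-options: {h['x-frame-options']} (page states DENY)")
    if h.get("cross-origin-opener-policy", "").lower() == "unsafe-none":
        findings.append("cross-origin-opener-policy: unsafe-none provides no isolation")
    return findings


if __name__ == "__main__":
    result = evaluate(SAMPLE_HEADERS)
    print("OK" if not result else "\n".join(result))
```

Run it against a live response by building the dictionary from the HTTP client's header object; because lookups are case-insensitive it does not matter how the server capitalises the names.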

Continuous Security Monitoring

Social Wiiv has implemented continuous security monitoring as we pursue ISO 27001:2022 certification. Automated compliance monitoring provides real-time control validation across our technology stack.

  • 42 controls
  • 28 ISMS policies
  • 7+ integrations
  • SOC2 target: Q4 '26

Framework alignment

ISO 27001:2022, NIST CSF 2.0, SOC 2 Trust, POPIA, NIST AI RMF, GDPR

Certification Roadmap

  • Complete: ISO 27001:2022 Certification. Trust page published, IO registered with Information Regulator, incident response procedures documented and tested. All staff trained and attested.
  • Target Q4 2026: SOC2 Certification. Stage 1 documentation review, Stage 2 certification audit with accredited certification body, and formal award of certificate.

We maintain a formal incident management process. Each incident is investigated and resolved with corrective controls that prevent recurrence. Zero unresolved incidents on record.

Structured Vendor Assessment

We conduct formal due diligence on all service providers across eight areas: data handling, encryption, access controls, incident response, compliance certifications, business continuity, subprocessor management, and contractual protections.

  • Data Processing Agreements: 50% (target 100% by Q4 2026)
  • Vendor Security Assessments: 85%
  • Contractual Protections: 75%

Vendor categories assessed

  • Cloud infrastructure and hosting providers
  • Payment processing and cashless transaction partners
  • NFC and RFID hardware and software vendors
  • AI and machine learning service providers
  • Communication and notification services
  • Analytics and monitoring platforms
  • Identity and access management providers

Target: 100% vendor DPA coverage by Q4 2026. Currently tracking across 14 vendors — DPAs in place for all primary infrastructure and AI service providers.

We Believe in Transparency

The following documents are available to clients and prospective clients upon request. Contact our security team and we will share the relevant documentation within 2 business days.

Contact to request any document.

  • Privacy Policy: View
  • Terms of Service: View
  • Data Processing Agreement template: On request
  • Business Continuity Plan summary: On request
  • Vendor SOC 2/3 reports: On request
  • Penetration test results: On request
  • ISMS Policies (28 signed documents): On request

Responsible Digital Operations

As a digital-first SaaS platform provider, our environmental footprint is primarily cloud infrastructure and business operations. We measure what matters and set honest targets.

  • 71%: cloud providers on renewable energy (target 75% by 2027)
  • 133%: carbon offset coverage of operational emissions
  • ~0: paper consumption (fully digital-first operations)
  • Certified: e-waste destruction by certified recycler

Carbon offset programme verified and registered. Credible Carbon certified. South African solar energy projects supported.

2026 Baselines & Targets

  • Cloud renewable energy: 71% → 75% by 2027
  • E-waste certified recycling: target 100%
  • Paper usage reduction: near-zero maintained
  • Carbon offset coverage: 133% (exceeds target)

We follow an Avoid-Reduce-Offset hierarchy aligned with the GHG Protocol (Scope 3) and target a 10% year-on-year reduction in operational emissions. ESG policies are signed by leadership, and compliance training has 100% staff attendance.

Sustainability & Governance

ISO 27001:2022 (Achieved)

We are proud to be ISO 27001:2022 compliant, ensuring strong, trusted protection for your data and information security.

SOC2 Type1 (In Progress)

We're progressing toward SOC 2 certification; the Stage 1 documentation review is underway. Targeting full certification by Q4 2026.

POPIA IO (Registered)

Information Officer registered with the Information Regulator. Zero data breaches since founding. Full POPIA compliance maintained.

2026 ESG Commitments

  • ESG and ISMS policies signed by CEO, distributed to all team members
  • Mandatory training sessions completed — 100% staff attendance
  • Conflict of Interest declarations completed by all team members
  • Key vendors assessed for ESG, security, and financial sustainability
  • Grievance and whistleblowing channel active
  • Zero H&S incidents, zero data breaches, zero employment disputes

ESG Review Cycle

  • Annual CEO review: Active
  • Sustainability reporting: On request
  • ISO27001:2022 Surveillance: Aug 2026
  • Pentest results: Dec 2025

Get in Touch

For security inquiries, data protection requests, or to report a vulnerability, please contact our team directly. We take all reports seriously and respond within 2 business days.

Security Team

General security inquiries, policy questions, and compliance requests.

Information Officer

POPIA data subject rights, access requests, and privacy matters.

Vulnerability Disclosure

Responsible disclosure of security vulnerabilities in our platforms.

This page is reviewed quarterly and updated when our compliance posture changes. Last reviewed: Q1 2026.