Legal & Trust Centre
POPIA and Data Protection
How MK Assist meets POPIA obligations and supports client compliance.
Plain-language summary
Summarises POPIA roles, processing principles and shared client responsibilities.
1. Responsibility model
Processing context | Primary POPIA role of MK Assist | Primary POPIA role of client
Website visitors, prospects, client account contacts, billing and support administration | Responsible party | Independent responsible party for its own records
Customer conversations, customer details and client knowledge processed to provide the service | Operator acting under documented client instructions, except where law requires independent action | Responsible party
Platform security, fraud prevention, service integrity and legally required records | Responsible party for the limited processing it independently determines | Responsible party for its own corresponding obligations
Meta/WhatsApp processing under their own terms | Separate recipient and, depending on the processing, operator/processor or independent responsible party/controller under its terms | Responsible party for its customer communications and opt-in
The client decides why customer conversations and business knowledge are processed and is normally the responsible party. MK Assist processes that information to provide the contracted service and is normally the operator. MK Assist is independently responsible for its own website, account, billing, support, security and legal records.
2. POPIA conditions translated into controls
POPIA principle | MK Assist control | Client responsibility
Accountability | Information Officer, processing register, DPA, control evidence and review | Lawful purpose, notices, sector compliance and instructions
Processing limitation | Business-specific use, role controls, no general-purpose chatbot and data minimisation | Upload and collect only necessary, lawful information
Purpose specification | Workspace-specific configuration and documented purposes | Define customer-service purposes and avoid incompatible reuse
Further processing limitation | No cross-client learning or shared model training | Do not repurpose conversations unlawfully
Information quality | Client approval of knowledge, testing and correction paths | Keep prices, terms, hours and business information current
Openness | Privacy notices, AI disclosure, subprocessor list and point-of-need copy | Provide customer-facing business and sector notices
Security safeguards | Tenant separation, RBAC, encryption, logs, incident response and deletion controls | Protect credentials, manage users, secure endpoints and report concerns
Data-subject participation | Request channel, client assistance, export and deletion tools | Respond as responsible party and instruct MK Assist
3. Operator commitments
MK Assist processes client-controlled personal information only on documented instructions, treats it as confidential, ensures authorised persons are bound by confidentiality, applies appropriate technical and organisational measures, controls subprocessors, assists with rights and incidents, deletes or returns information on exit, and provides information reasonably required to demonstrate compliance.
4. Information Officer
Tondani Netili, Director, is the Information Officer contact for MK Assist. Requests and escalations must be sent to tondani@mkassist.co.za. The Information Officer oversees the compliance framework, impact assessment, PAIA Manual, request processes, awareness and evidence required by the Information Regulator.
5. Direct marketing
A client may send a business-initiated WhatsApp message only where it has the required opt-in or another lawful permission, uses an approved template where required, clearly identifies itself, gives a practical opt-out and honours the opt-out. MK Assist's optional marketing consent is recorded separately and can be withdrawn.
6. Special information and children
The service does not permit unrestricted processing of health, biometric, criminal, financial credential or children's information. Regulated sectors and education involving children require manual review. A client must not use MK Assist for prohibited legal, medical, financial or eligibility decisions. Prior authorisation must be assessed where the proposed processing falls within POPIA sections 57 and 58.
7. Security compromise responsibilities
An operator must immediately notify the responsible party of a compromise affecting client-controlled information. MK Assist contractually commits to notify without undue delay and, where reasonably practicable, within 24 hours of sufficient awareness to provide a meaningful initial notice. The client remains responsible for regulator and data-subject notification unless MK Assist is the responsible party for the affected processing. All reportable compromises must be handled under the Information Regulator's current process.