Legal & Trust Centre

Security and Trust

Security measures, incident response and trust commitments for the MK Assist platform.

Plain-language summary

Explains the security control framework, access model and shared responsibilities.

1. Security approach

MK Assist uses a risk-based control model for business knowledge and customer conversations. It does not claim that any system is fully secure. The controls below form part of the operating security model and are tested and evidenced through service governance.

2. Required production controls

Control area: Service control

Tenant separation: Each business operates in a separate workspace, with enforced separation across users, conversations, knowledge, files and indexed content.

Access control: Role-based access distinguishes business administrator, agent and platform administrator. Privileged access requires MFA.

Data protection: Encryption is used in transit and at rest; credentials and secrets are stored in protected facilities and excluded from client-visible logs.

WhatsApp ingress: Webhook signatures are verified; duplicate events and technical retries are not processed as new customer conversations.

Human takeover: MK Assist is paused while an authorised team member controls the conversation and cannot reply simultaneously.

Sensitive information: Supported categories are detected, warnings are presented and masking or purging follows the configured rule.

Knowledge deletion: Source files, extracted text, chunks and embeddings are designed to be removed from active systems through a controlled process.

Logging: Authentication, acceptance, administrative, break-glass, deletion, security and critical configuration events are protected and reviewable.

Resilience: Backups are designed to run on the approved schedule, remain access-controlled and expire within the stated cycle.

Service-provider access: Access by MK Assist and authorised service providers is least-privilege, time-bound where possible and removed when no longer required.

Incidents: A documented response process covers containment, evidence, operator notices, regulator assessment and client communications.

3. Client responsibilities

Clients must protect credentials, invite only authorised users, remove leavers, review roles, keep business and recovery information current, use secure endpoints, configure accurate knowledge, review high-risk responses, obtain WhatsApp opt-in, and report suspected compromise without delay. Agents must not share credentials or export conversations outside approved business systems.

4. Support and break-glass access

Routine platform administration must not provide unrestricted message-content access. Where content access is required for support, investigation, security or law, the break-glass process records requester, reason, approval, time, scope, action, expiry, review and client notification where appropriate. The Ops Director approves access.

5. Incident communication

A client must report urgent security concerns to hello@mkassist.co.za and tondani@mkassist.co.za. MK Assist will triage, contain and preserve evidence. Operator notifications to affected clients are made without undue delay and, where reasonably practicable, within 24 hours of sufficient awareness. Statutory notifications remain subject to the Information Officer and responsible-party analysis.

6. Assurance and evidence

Assurance is based on architecture evidence, configuration, access reviews, test results, provider contracts, restoration tests and control sign-off. MK Assist does not claim an external certification, penetration-test result or insurance cover unless it holds and can evidence it.