Data Security

Data Encryption

Data is encrypted in transit between our API and Web App using A-grade SSL certificates and Transport Layer Security (TLS). Data stored at rest in our database, and files generated and uploaded on our platform, are encrypted with industry-standard AES-256 encryption. We run automated nightly backups of our database, which are stored securely in a different data center, with additional system-level snapshots backed up weekly.

Payment Processing

Rehabit does not store or process customer payment details. Our billing provider is Level 1 PCI DSS certified, which guarantees that your credit card payments are processed in a secure environment. We do not have access to your credit card details, nor will we ask you to disclose your payment details to us.

Third Party Service Providers

We only use trusted third parties for sub-processing certain parts of your data. We disclose the minimum amount of data necessary for them to provide various services on our behalf (such as payment processing and transactional emails). We require that all of our third-party service providers practice good information security and are POPIA compliant or equivalent. See our Privacy Policy for a list of third-party vendors.

Cloud Security

Our service is cloud-based and our servers reside on infrastructure that is hosted in data centers outside of South Africa. Data is transferred out of South Africa in accordance with the POPI Act’s requirements for lawful transfer. Our infrastructure is provided by well-known, reputable vendors who process your data responsibly. See our Privacy Policy for a list of third-party vendors.

POPIA Compliance

We process data in accordance with the POPI Act. We are transparent about what data we collect, what we do with it, and who we disclose it to. We respect the right to information security and privacy, and will do everything in our power to protect the information that we are responsible for.

If we have grounds to believe that personal information has been accessed or acquired by an unauthorized person, we will notify law enforcement, the information regulator, and any affected subjects as soon as reasonably possible. This notification will include a report of the incident, potential consequences of the data breach, and recommendations to mitigate potential adverse effects.