Dootsa Enterprise Readiness Brief

Dootsa South African Compliance-Alignment Brief

Internal customer-facing handout for enterprise and public-sector procurement teams.

Value Proposition

Survey and engagement platform designed for enterprise governance, auditability, and role-based workflows.
Secure-by-default controls for media handling, privileged access, and operational evidence workflows.
Compliance-aligned readiness program mapped to South African enterprise expectations and ISO 27001-oriented controls.

Frequently Raised Security And Compliance Concerns

Concern	Dootsa Position
Data residency	Primary residency can be set to South Africa, with transfer controls tracked through compliance settings and processor inventory governance.
Cross-border processing	Cross-border transfers are controlled through policy and operator agreement requirements, including transfer mechanism tracking.
Access control and MFA	Role-based access and privileged MFA controls are enforced with auditable change logs.
Sensitive data exposure	Uploaded media uses signed internal URLs and private storage by default.
Encryption posture	TLS verification is hardened for database connections; sensitive MFA material is protected at rest.
Auditability	Operational and security changes are logged with evidence artifacts available for due diligence workflows.
Incident response and continuity	Runbooks, backup/restore test templates, and access review templates are maintained in the readiness pack.

Concern

Dootsa Position

Data residency

Primary residency can be set to South Africa, with transfer controls tracked through compliance settings and processor inventory governance.

Cross-border processing

Cross-border transfers are controlled through policy and operator agreement requirements, including transfer mechanism tracking.

Access control and MFA

Role-based access and privileged MFA controls are enforced with auditable change logs.

Sensitive data exposure

Uploaded media uses signed internal URLs and private storage by default.

Encryption posture

TLS verification is hardened for database connections; sensitive MFA material is protected at rest.

Auditability

Operational and security changes are logged with evidence artifacts available for due diligence workflows.

Incident response and continuity

Runbooks, backup/restore test templates, and access review templates are maintained in the readiness pack.

Current Readiness Deliverables

Framework Positioning (External)

Framework	Approved Positioning
SOC 1	Not currently attested. SOC-style governance and control evidence available for customer risk review.
SOC 2	Not currently attested. SOC 2-aligned controls and readiness evidence are maintained.
PCI-DSS	Not currently represented as certified/attested. PCI obligations are managed based on scope and contract requirements.
ISO 27001	ISO 27001-aligned ISMS (scope, SoA, risk register) with certification via SANAS-accredited body; status shared per audit stage at /trust.
ISO 27701 / 27017 / 27018	Phased roadmap after 27001: privacy (27701) and cloud SaaS (27017/27018). SANS-adopted equivalents apply.
POPIA	Operator controls, DPIA summary, DSAR workflow, and 27701 extension plan.
HIPAA	Not a default HIPAA-covered production environment; HIPAA scope is enabled when PHI and BAA requirements apply.
EU Model Clauses (SCCs)	Supported via SCC legal workflows and transfer safeguards, subject to signed agreements.

Framework

Approved Positioning

SOC 1

Not currently attested. SOC-style governance and control evidence available for customer risk review.

SOC 2

Not currently attested. SOC 2-aligned controls and readiness evidence are maintained.

PCI-DSS

Not currently represented as certified/attested. PCI obligations are managed based on scope and contract requirements.

ISO 27001

ISO 27001-aligned ISMS (scope, SoA, risk register) with certification via SANAS-accredited body; status shared per audit stage at /trust.

ISO 27701 / 27017 / 27018

Phased roadmap after 27001: privacy (27701) and cloud SaaS (27017/27018). SANS-adopted equivalents apply.

POPIA

Operator controls, DPIA summary, DSAR workflow, and 27701 extension plan.

HIPAA

Not a default HIPAA-covered production environment; HIPAA scope is enabled when PHI and BAA requirements apply.

EU Model Clauses (SCCs)

Supported via SCC legal workflows and transfer safeguards, subject to signed agreements.

ISO / SANS certification roadmap

Dootsa is preparing for full-stack certification: ISO/IEC 27001 (ISMS), then 27701 (privacy), then 27017/27018 (cloud). Standards are published by SABS as SANS equivalents; certificates are issued by SANAS-accredited certification bodies.

Public posture: /api/public/compliance/posture
Verified certificates: /trust
Evidence pack generation: npm run compliance:evidence-pack

Do not claim "certified" until a verified attestation is registered and approved for public disclosure.

What Customers Can Request

Support Escalation

Any additional concerns not covered in this brief are handled through the Dootsa support and security review process.

Claim guardrail: Use "compliance-aligned" language and avoid "certified", "attested", or "fully compliant" unless current external evidence confirms that status.