Sovereign data infrastructure · af-south-1

The POPIA and FICA compliant data vault.

Where POPIA ends and FICA begins — hosted end-to-end in af-south-1.

If you collect someone's ID, proof of address or bank statement, two SA laws pull in opposite directions: one says keep it for five years (FIC Act s 23), the other says hand it back or delete it on request (POPIA s 23 · s 24). Vault33 is a South-African-hosted vault that lets you do both — with encryption you control, signed checkouts when data leaves, and a tamper-evident log of every write.

  • Hosted end-to-end in af-south-1 (Cape Town)
  • AWS KMS envelope encryption · per-subject data key
  • Append-only audit, HMAC-chained, DB-role enforced

The problem

Two laws disagree. Your storage has to honour both.

Every South African business that keeps a copy of someone's ID, bank statement or proof of address runs into the same contradiction. Vault33 is built to satisfy both sides at once.

POPIA s 23 · s 24

A tenant asks for their data back.

Under POPIA, any person can ask you what you hold on them (s 23) and demand you correct or delete it (s 24). You have 30 days to act or put your refusal in writing.

FIC Act s 23

But the same record is a FICA record.

That ID and proof of address you collected for KYC has to be kept for five years (FIC Act s 23). Deleting it early is a criminal offence (s 68) — so honouring the tenant's request the wrong way puts you on the wrong side of either law.

POPIA s 17 · s 22

Your shared drive cannot answer the question.

Google Drive, SharePoint, email and a PC under a desk can't tell you who read a document, when, or under what legal basis. The Information Regulator can — and will — ask.

How it works

Three primitives, fused into one product.

Not a document manager. Not a KYC service. Not a compliance toolkit. Vault33 is the storage layer the law already describes — built on three ideas that are expensive to fake.

01

Encrypted Vault

Every document is encrypted at rest with a key that belongs to that single data subject — never a shared one. When you revoke access or delete on request, we destroy the key. The file on disk stays (so FIC Act s 23 retention is intact) but nobody — not us, not a rogue admin, not a court order — can read it again.

AWS KMS envelope encryption · per-subject data key · crypto-erasure

02

Consent-gated Gateway

Data never leaves the vault silently. When a conveyancer, bank or agent needs a record, they raise a signed request; the subject (or their delegate) approves it via OTP; the package leaves with a tamper-evident signature. If the grant is later revoked, a public /verify URL immediately reports the package as invalid.

OTP approval · signed package · public /verify oracle

03

Append-only Audit

Every write and grant records a row you cannot edit or delete. The lawful basis under POPIA (contract, legal obligation, consent) is captured inline, and each row cryptographically references the one before it — so tampering is visible at the row. This is the evidence layer the Information Regulator expects to see.

HMAC-chained rows · lawful basis recorded · enforced at database role

Differentiators

Architectural choices that are expensive to copy.

Not a "we're better than them" list. These are six design choices we made on day one that turn compliance from a signed-off PDF into something an engineer can actually point at.

01

One key per person — destroy it to revoke.

Every subject gets their own encryption key. When consent ends, we destroy the key. The encrypted file stays on disk (so FIC Act s 23 retention is intact) but nobody can read it again — not us, not an insider, not a court order. This is how POPIA s 24 deletion and FICA retention live under the same roof.
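The per-subject key and crypto-erasure pattern described here and under Encrypted Vault above, as an added example that is not Vault33's code. It assumes a single in-process master key standing in for the KMS key in af-south-1, and uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag in place of AES-GCM so that it runs on Python's standard library alone; the class, method and field names (SubjectVault, crypto_erase, wrapped_keys) are hypothetical.

```python
"""Per-subject data keys, envelope-wrapped, and crypto-erasure.

Added example (not Vault33 code). Stand-ins and assumptions:
- MASTER_KEY plays the role of the KMS customer master key; _seal/_open
  on it stand in for KMS Encrypt/Decrypt of a subject's data key.
- The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so
  the example needs only the standard library; production would use AES-GCM.
- All class, method and field names are hypothetical.
"""
import hashlib
import hmac
import secrets

MASTER_KEY = secrets.token_bytes(32)  # stand-in for the KMS master key


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate keystream and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then strip the keystream; wrong key or edited blob raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SubjectVault:
    """One data key per subject; documents stay on disk after the key is destroyed."""

    def __init__(self) -> None:
        self.wrapped_keys: dict[str, bytes] = {}       # subject_id -> data key wrapped under MASTER_KEY
        self.blobs: dict[str, tuple[str, bytes]] = {}  # doc_id -> (subject_id, ciphertext)

    def _data_key(self, subject_id: str) -> bytes:
        if subject_id not in self.wrapped_keys:
            # KMS GenerateDataKey: a fresh key, persisted only in wrapped form
            self.wrapped_keys[subject_id] = _seal(MASTER_KEY, secrets.token_bytes(32))
        return _open(MASTER_KEY, self.wrapped_keys[subject_id])  # KMS Decrypt

    def store(self, doc_id: str, subject_id: str, plaintext: bytes) -> None:
        self.blobs[doc_id] = (subject_id, _seal(self._data_key(subject_id), plaintext))

    def read(self, doc_id: str) -> bytes:
        subject_id, blob = self.blobs[doc_id]
        if subject_id not in self.wrapped_keys:
            raise PermissionError(f"data key for {subject_id} was destroyed; blob is unreadable")
        return _open(self._data_key(subject_id), blob)

    def crypto_erase(self, subject_id: str) -> int:
        """POPIA s 24 deletion: destroy the wrapped key, keep every blob (FIC Act s 23).

        Returns the number of blobs that remain on disk for the subject."""
        del self.wrapped_keys[subject_id]
        return sum(1 for sid, _ in self.blobs.values() if sid == subject_id)


def demo() -> dict:
    """Walk the lifecycle on a constructed document and report what the text claims."""
    vault = SubjectVault()
    vault.store("lease-123/id-copy", "subject-A", b"ID document (constructed sample)")
    before = vault.read("lease-123/id-copy")
    kept = vault.crypto_erase("subject-A")
    try:
        vault.read("lease-123/id-copy")
        readable = True
    except PermissionError:
        readable = False
    return {"plaintext_before": before, "blobs_retained": kept, "readable_after": readable}
```

Note what crypto_erase does not do: the blob stays in self.blobs, so retention is untouched, while read() can no longer recover it. Two things a practitioner would check in the real design: no cache of the unwrapped data key may outlive the erasure (KMS never returns it again, but application memory or a key cache might), and re-onboarding the same subject must mint a fresh key rather than recreate the destroyed one, otherwise the erasure is reversible.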

02

An audit log that cannot be edited, even by us.

Every write and grant writes a row — and the database itself is configured so that row cannot be changed or deleted. Each row cryptographically references the one before it, so tampering would show up immediately. Most "audit logs" are just a view over editable rows; this one is not.
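The append-only, HMAC-chained audit log described here and under Append-only Audit above, as an added example that is not Vault33's code. SQLite triggers stand in for the production database role that is allowed INSERT but denied UPDATE and DELETE, AUDIT_KEY is a constructed secret (production would hold it in KMS), and the table and function names are hypothetical.

```python
"""Append-only, HMAC-chained audit log.

Added example (not Vault33 code). The SQLite triggers stand in for the
production database role that has INSERT but not UPDATE or DELETE; the
HMAC chain is the second line of defence that makes any bypass of that
role visible. AUDIT_KEY is a constructed secret; all names are hypothetical.
"""
import hashlib
import hmac
import json
import sqlite3
from typing import Optional

AUDIT_KEY = b"constructed-audit-hmac-key-not-for-production"
GENESIS = "0" * 64  # prev_mac recorded on the very first row
LAWFUL_BASES = ("contract", "legal_obligation", "consent")  # the bases the page names

SCHEMA = """
CREATE TABLE audit (
    id           INTEGER PRIMARY KEY,
    subject_id   TEXT NOT NULL,
    action       TEXT NOT NULL,
    lawful_basis TEXT NOT NULL CHECK (lawful_basis IN ('contract','legal_obligation','consent')),
    actor        TEXT NOT NULL,
    prev_mac     TEXT NOT NULL,
    mac          TEXT NOT NULL UNIQUE
);
-- Stand-in for revoking UPDATE and DELETE from the application role.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
"""


def _row_mac(prev_mac: str, subject_id: str, action: str, lawful_basis: str, actor: str) -> str:
    """MAC over this row's fields plus the previous row's MAC: the chain link."""
    payload = json.dumps([prev_mac, subject_id, action, lawful_basis, actor]).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def open_audit() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def append(db: sqlite3.Connection, subject_id: str, action: str, lawful_basis: str, actor: str) -> str:
    """Append one row; returns its MAC. Callers must serialise appends."""
    if lawful_basis not in LAWFUL_BASES:
        raise ValueError(f"lawful basis must be one of {LAWFUL_BASES}")
    tail = db.execute("SELECT mac FROM audit ORDER BY id DESC LIMIT 1").fetchone()
    prev = tail[0] if tail else GENESIS
    mac = _row_mac(prev, subject_id, action, lawful_basis, actor)
    db.execute(
        "INSERT INTO audit (subject_id, action, lawful_basis, actor, prev_mac, mac) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (subject_id, action, lawful_basis, actor, prev, mac),
    )
    db.commit()
    return mac


def verify_chain(db: sqlite3.Connection) -> Optional[int]:
    """Walk the log in id order; return the id of the first bad row, or None if intact."""
    prev = GENESIS
    rows = db.execute(
        "SELECT id, subject_id, action, lawful_basis, actor, prev_mac, mac FROM audit ORDER BY id"
    )
    for row_id, subject_id, action, basis, actor, prev_mac, mac in rows:
        expected = _row_mac(prev_mac, subject_id, action, basis, actor)
        if prev_mac != prev or not hmac.compare_digest(mac, expected):
            return row_id
        prev = mac
    return None


def try_edit(db: sqlite3.Connection, sql: str, params: tuple = ()) -> bool:
    """Attempt a write the role should not have; True if the database refused it."""
    try:
        db.execute(sql, params)
        db.commit()
        return False
    except sqlite3.DatabaseError:
        db.rollback()
        return True
```

The triggers are the role control; verify_chain is what catches a bypass of it (in the test, a privileged user drops the trigger and edits a row, and the walk stops at that row). One gap the chain alone does not close: deleting the most recent rows leaves every remaining link intact, so the latest MAC needs to be anchored somewhere the database role cannot reach, for example copied to a separate store on a schedule. Appends must also be serialised, since two writers reading the same tail would fork the chain.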

03

South African sovereignty, end to end.

Every storage layer — database, cache, object store, key manager — runs in AWS Cape Town (af-south-1). Search runs on a locally hosted embedder. OTP delivery goes through a South-African-hosted SMS provider. In the default install, zero personal information leaves the jurisdiction; optional LLM-assisted classification is an explicit opt-in that updates the s 72 disclosure the moment you flip it on.

04

Data never leaves without a signed ticket.

Every outbound document is a signed, audited checkout — with the recipient, the purpose and the lawful basis captured. Your rental agents, conveyancers and bank counterparties all talk to one vault under one consent graph, through the same public API.
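The consent-gated checkout flow described here and under Consent-gated Gateway above (signed request, OTP approval, signed package, public /verify, revocation), as an added example that is not Vault33's code. It assumes a symmetric SIGNING_KEY standing in for an asymmetric signing key, returns the OTP from request() only so the example runs offline where production would send it by SMS, and uses hypothetical names (Gateway, approve, revoke, verify) throughout.

```python
"""Consent-gated checkout: request, OTP approval, signed package, revocable /verify.

Added example (not Vault33 code). Assumptions:
- SIGNING_KEY is a symmetric stand-in for an asymmetric signing key.
- request() hands the OTP back to the caller purely so this runs offline;
  production delivers it to the subject out of band.
- All names are hypothetical.
"""
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)
OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5


def _canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _sign(manifest: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self) -> None:
        self.grants: dict[str, dict] = {}

    def request(self, subject_id: str, recipient: str, purpose: str,
                lawful_basis: str, doc_sha256: str) -> tuple[str, str]:
        """A counterparty raises a request; an OTP is generated for the subject."""
        grant_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.grants[grant_id] = {
            "subject_id": subject_id, "recipient": recipient, "purpose": purpose,
            "lawful_basis": lawful_basis, "doc_sha256": doc_sha256,
            "otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
            "otp_expires": time.time() + OTP_TTL_SECONDS,
            "attempts": 0, "status": "pending",
        }
        return grant_id, otp

    def approve(self, grant_id: str, otp: str) -> dict:
        """Subject (or delegate) approves with the OTP; returns the signed package."""
        g = self.grants[grant_id]
        if g["status"] != "pending" or g["attempts"] >= MAX_OTP_ATTEMPTS:
            raise PermissionError("grant is not approvable")
        if time.time() > g["otp_expires"]:
            raise PermissionError("OTP expired")
        g["attempts"] += 1
        if not hmac.compare_digest(g["otp_hash"], hashlib.sha256(otp.encode()).hexdigest()):
            raise PermissionError("wrong OTP")
        g["status"] = "approved"
        manifest = {k: g[k] for k in ("subject_id", "recipient", "purpose", "lawful_basis", "doc_sha256")}
        manifest["grant_id"] = grant_id
        manifest["issued_at"] = int(time.time())
        return {"manifest": manifest, "sig": _sign(manifest)}

    def revoke(self, grant_id: str) -> None:
        self.grants[grant_id]["status"] = "revoked"

    def verify(self, package: dict) -> str:
        """What the public /verify URL answers for a presented package."""
        manifest, sig = package.get("manifest", {}), package.get("sig", "")
        # Signature first: a forged manifest learns nothing about grant state.
        if not hmac.compare_digest(_sign(manifest), sig):
            return "invalid: signature does not match manifest"
        g = self.grants.get(manifest.get("grant_id"))
        if g is None:
            return "invalid: unknown grant"
        if g["status"] != "approved":
            return f"invalid: grant {g['status']}"
        return "valid"
```

Because the key is symmetric here, /verify must run on the same side that signs; with a KMS key pair the verification half can be published and the oracle only needs to hold the revocation state. The manifest binds the recipient, purpose, lawful basis and document digest, so changing any of them after checkout (the test edits the recipient) breaks the signature, and revocation flips the answer without touching the package at all.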

05

A graph of entities, not a pile of folders.

Vault33 models people, companies, trusts, close corporations, sole props and assets as typed entities joined by named relationships. So "who ultimately owns >25% of company X via which trust on date Y" is a query — not a two-week consulting engagement.

06

Built on AWS KMS from day one.

Production wraps every subject key with AWS KMS in af-south-1 — so key rotation, revocation and deletion are standard cloud operations, not one-off scripts. The envelope design means we never have to re-encrypt documents to change providers or compliance regimes.

Who it's for

Built for operators who carry regulatory retention risk.

Segmented by the job, not the industry. If you hold someone else's personal information for longer than you'd like — under laws written before your systems existed — Vault33 is the layer underneath.

Tier 1 Anchor · 0–12 months

SA residential-rental agents

1–50 managed units

Pain · Re-collecting the same FICA pack two or three times a year. No real answer when a tenant asks "what do you hold on me?" A real worry about being the next POPIA fine headline.

Fit · One vault per agency, shared with your landlords. When a tenant moves on, revoke access with one click — the record stays for the five years FICA demands, but stops being readable.

Tier 2 Adjacent · 12–24 months

Boutique conveyancing & brokers

Hundreds of FICA packs a year

Pain · Big conveyancing firms still receive FICA packs by email. No clean way to cut off access once a transaction closes. A Legal Practice Council audit expects a paper trail you can't produce.

Fit · Every outbound pack is a signed, audited checkout tied to the receiving firm and matter — so you can prove who received what and when, and revoke their continued access when the deal is done.

Tier 3 Lighthouse · 24+ months

Trust companies & commercial landlords

100+ units · multi-entity beneficial ownership

Pain · Companies Act s 56(7) beneficial-ownership registers. Group structures flattened into folders. SARB or FIC review readiness measured in weeks, not hours.

Fit · Entities and relationships stored as a graph, not folders — so questions like "who ultimately owns >25% of company X, via which trust, on date Y" are a query, not a consulting project.
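The entity-graph query described here and under differentiator 05 above, as an added example that is not Vault33's code. Entities, holdings and dates are all constructed; shares are multiplied along each ownership path and summed per natural person, which is one common reading of "ultimate" ownership, and a trust's beneficiaries carry a notional share purely for illustration. Function and type names (Holding, ultimate_owners) are hypothetical.

```python
"""Typed entity graph with dated ownership edges; ultimate owners as a query.

Added example (not Vault33 code). Every entity, holding and date below is
constructed. Shares are multiplied along a path and summed per person; a
trust's beneficiaries are given a notional share for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Holding:
    owner: str
    owned: str
    share: float               # fraction of `owned` held by `owner`
    valid_from: date
    valid_to: Optional[date]   # None means still current


ENTITIES = {
    "co-X": "company", "co-Y": "company", "trust-T": "trust",
    "person-P": "person", "person-Q": "person", "person-R": "person",
}

HOLDINGS = [
    Holding("trust-T", "co-X", 0.60, date(2022, 1, 1), None),
    Holding("co-Y", "co-X", 0.40, date(2022, 1, 1), None),
    Holding("person-P", "trust-T", 0.60, date(2022, 1, 1), None),  # notional beneficiary share
    Holding("person-Q", "trust-T", 0.40, date(2022, 1, 1), None),
    Holding("person-P", "co-Y", 1.00, date(2022, 1, 1), date(2024, 6, 30)),  # sold co-Y mid-2024
    Holding("person-R", "co-Y", 1.00, date(2024, 7, 1), None),
]


def holders_on(target: str, on: date, holdings=HOLDINGS) -> list:
    """Direct holders of `target` whose holding was in force on the given date."""
    return [
        h for h in holdings
        if h.owned == target and h.valid_from <= on and (h.valid_to is None or on <= h.valid_to)
    ]


def ultimate_owners(target: str, on: date, threshold: float = 0.25,
                    holdings=HOLDINGS, entities=ENTITIES) -> dict:
    """Return {person: (effective_share, [paths])} for persons above the threshold."""
    totals = defaultdict(float)
    paths = defaultdict(list)

    def walk(node: str, share: float, path: list) -> None:
        for h in holders_on(node, on, holdings):
            if h.owner in path:  # guard against cross-holding cycles
                continue
            effective = share * h.share
            new_path = path + [h.owner]
            if entities.get(h.owner) == "person":
                totals[h.owner] += effective
                paths[h.owner].append(" <- ".join(new_path))
            else:
                walk(h.owner, effective, new_path)

    walk(target, 1.0, [target])
    return {p: (round(s, 4), paths[p]) for p, s in totals.items() if s > threshold}
```

The date filter is what turns "on date Y" into a parameter rather than a snapshot: the same holdings answer differently before and after person-P's sale of co-Y, and the returned paths show via which trust or company each person qualifies.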

Compliance posture

Built against the law as it is — not as we wish it was.

We track the South African rules that actually apply to the data we hold — and we version our checklist so you can see exactly which rule is live in which release. In plain terms, that means: the Protection of Personal Information Act (POPIA, Act 4 of 2013) and its April 2025 amendment; the new Health Data Regulations — the Regulations relating to the Processing of Data Subjects' Health Information by Certain Responsible Parties, 2026 — issued under POPIA s 112(2)(c) and in force since 6 March 2026; the FIC Act as amended in 2022, which requires you to keep KYC records for five years (s 23); the Companies Act beneficial-ownership register obligation (s 56(7), hard-stop 1 July 2024); and the Rental Housing Act deposit rules in s 5. None of that is a marketing promise — it's a checklist that ships inside the product.

  • POPIA Act 4 of 2013
  • POPIA Regs Amendment GG 52523 · 17 Apr 2025
  • Health Data Regs GG 54268 · in force 6 Mar 2026
  • FIC Act Amended 2022 · s 23 retention
  • PAIA Act 2 of 2000
  • Companies Act s 56(7) BO register
  • ISO 27001 Annex A control mapping · certification H2 2026

Early access

Vault33 is in private beta.

We are onboarding a small number of design-partner customers — South African property agents, boutique law firms and fiduciaries who hold personal information under POPIA and FIC Act retention. If you roughly know where your tenant or client data lives, but cannot prove it on demand, start here.

By submitting, you agree to be contacted about Vault33 under our privacy notice. No newsletter. No third-party sharing. Want to see, correct or delete what we hold on you (POPIA s 23 · s 24)? Submit the form above with “POPIA access request” in the message and we will route it to the Information Officer.