Security Safeguards Policy

Version 1.0.0

The latest version of our security safeguards policy. These pages live in the help system so they are easy to reference from registration, listings, and support.

Quote My Car (Pty) Ltd (“QMC”)
Version: 1.0
Effective Date: 27/11/2025


1. Introduction

This Security Safeguards Policy outlines the technical, organisational, and physical measures implemented by Quote My Car (Pty) Ltd (“QMC”) to protect personal information in accordance with:

  • Protection of Personal Information Act (POPIA) – Condition 7
  • Industry security standards for online platforms and auctions
  • Requirements for handling KYC, identity verification, and bank verification data

This policy applies to all personal data processed by QMC.


2. Purpose of This Policy

This policy aims to:

  1. Prevent unauthorised access, loss, or damage to personal information
  2. Maintain confidentiality, integrity, and availability of data
  3. Protect KYC and banking verification data
  4. Ensure strong security across QMC’s online auction platform
  5. Support compliance with POPIA and security best practices

3. Scope

This policy applies to:

  • All QMC employees, directors, and contractors
  • All sellers, dealers, and public bidders
  • All third-party service providers
  • All digital and physical systems used to process QMC data

4. Information Security Principles

QMC applies the following principles:

  • Confidentiality: Information is restricted to authorised parties
  • Integrity: Information is accurate and protected from alteration
  • Availability: Systems and data remain available for legitimate use
  • Accountability: All actions involving personal data are logged and monitored

5. Security Measures

5.1 Technical Safeguards

5.1.1 Encryption

  • All sensitive information is encrypted in transit (TLS/HTTPS)
  • Sensitive information is encrypted at rest, including:
    • KYC documents
    • Bank verification results
    • ID numbers
    • Auction bid logs

5.1.2 Access Control & Authentication

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) for administrators
  • Strong password enforcement
  • Automatic session timeouts
  • Device fingerprinting for fraud detection

5.1.3 Network & Infrastructure Security

  • Secure cloud infrastructure
  • Firewalls and DDoS protection
  • Intrusion detection and prevention systems (IDS/IPS)
  • Secure, encrypted backups
  • API security (tokens, rate limiting, and monitoring)

5.1.4 Fraud & Abuse Protection

QMC implements fraud-prevention controls including:

  • Mandatory KYC verification for bidders
  • Bank account verification
  • Behavioural analytics
  • Bidder deposit validation
  • Automated detection of fake or manipulated bidding behaviour
  • Device & IP reputation screening

5.1.5 Logging & Monitoring

  • Continuous monitoring of platform activity
  • Audit logs for system actions
  • Alerts for suspicious events
  • Logs stored in secure environments
  • Retention aligned with the Data Retention Policy

5.2 Organisational Safeguards

5.2.1 Staff Training

  • POPIA compliance training for all staff
  • Security training for technical teams
  • Confidentiality agreements signed by all employees and contractors

5.2.2 Access Restrictions

  • Access granted strictly on a need-to-know basis
  • Quarterly review of user permissions
  • Restricted access to KYC and banking information

5.2.3 Third-Party Security Controls

All service providers (hosting, KYC, bank verification, payments):

  • Must comply with POPIA
  • Must sign Operator/Processor Agreements
  • Must notify QMC of incidents immediately
  • Are subject to periodic security review

5.3 Physical Safeguards

5.3.1 Secure Workspace

Where physical documents exist:

  • Access-controlled storage
  • Locked filing systems
  • Secure access to office premises
  • Visitor logging and supervision

5.3.2 Device Security

  • Device encryption
  • Remote wipe capability
  • No storage of KYC data on unsecured devices

6. Data Handling Procedures

6.1 Secure Data Collection

  • KYC documents submitted through encrypted upload channels
  • Bank verification via approved API providers
  • No sensitive information accepted through unsecured channels

6.2 Secure Storage

  • Segregated environments for sensitive data
  • Database access controls
  • No local storage of sensitive personal information

6.3 Secure Data Sharing

  • Personal information shared only when necessary
  • Auction-related contact details shared only when required
  • No information shared with unauthorised third parties

7. Breach Detection & Incident Response

7.1 Detection

  • Monitoring tools detect suspicious or abnormal activity
  • Staff must immediately report any possible incidents

7.2 Containment

  • Suspected accounts or systems isolated
  • Harmful behaviours blocked

7.3 Assessment

  • Determine what information was affected
  • Identify root cause and scope

7.4 Notification (POPIA Requirement)

Affected data subjects and the Information Regulator are notified as soon as reasonably possible, including recommended mitigation steps.

7.5 Remediation

  • Patching vulnerabilities
  • Updating controls
  • Adding monitoring or hardening as required

8. Business Continuity & Disaster Recovery

QMC maintains:

  • Redundant hosting
  • Encrypted backups
  • Disaster recovery procedures
  • Failover capability for critical systems

Backups are tested periodically.


9. User Responsibilities

Users (sellers, dealers, public bidders) must:

  • Protect their passwords
  • Report suspected misuse or suspicious activity
  • Use strong credentials
  • Comply with QMC Terms & Conditions

10. Policy Enforcement

Breaches of this policy by staff or contractors may result in:

  • Disciplinary action
  • Contract termination
  • Reporting to authorities
  • Legal action

11. Review of This Policy

This policy will be reviewed:

  • Annually
  • After major system changes
  • After security incidents
  • When legislation changes