Data Security & POPIA

Your data stays in South Africa.

Most automation platforms run your business data through overseas cloud accounts and pass raw customer records into AI prompts. Your Digital Employees run on infrastructure we control, in a Johannesburg data centre, and personal information is stripped out before anything reaches an AI model.

Hosted in a Teraco data centre in Johannesburg, ISO 27001 certified. Encrypted in transit and at rest, with encrypted backups held locally. Personal information is stripped out before AI processing and re-inserted after. Every client runs in an isolated environment, under a signed POPIA operator agreement.

Teraco Isando, Johannesburg

Where your data lives.

One question decides most security reviews: where does the data physically sit, and who else can touch it. Here is the honest answer, drawn out.

[Diagram: data residency boundary. Inside South Africa, your business connects over TLS to the Teraco data centre (ISO 27001 certified facility, Tier III). There, your environment (own automation instance + own database) sits beside other clients' environments, each fully isolated with no shared data or database. Disk encryption at rest on the server; backups AES-256, in SA. Outside the boundary: offshore cloud (US / EU servers). Your data never makes this trip.]

AI without exposure

Personal information never rides along.

AI models make your Digital Employees smart. They do not need to know who your customers are to do it. Because we build the workflow layer ourselves, we control exactly what a model sees.

Before

Identifiers stripped

Names, contact details, and other personal identifiers are replaced with placeholders on our infrastructure, before anything leaves for the model.

During

Anonymised processing

The AI model works on the anonymised version only. It classifies, drafts, and decides without ever seeing who the data belongs to.

After

Details re-inserted

The real details are merged back in on our server, inside South Africa, before anything reaches your customer or your records.

We also hold data processing agreements with our AI providers, and API data is not used to train their models. Platform automation tools cannot offer this: they pass your raw customer records straight into AI prompts, because they have no layer in between. We built that layer.
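The strip, process, re-insert flow described above, as an added example (illustrative code, not Aivolution's implementation). The regex patterns, the idea that names are supplied from the structured customer record, and the `fake_model` stand-in are all assumptions made for the sketch.

```python
import re

# Constructed patterns (assumption): e-mail addresses and South African phone numbers.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"(?:\+27[ -]?|0)\d{2}[ -]?\d{3}[ -]?\d{4}"),
}
PLACEHOLDER = re.compile(r"\[(?:NAME|EMAIL|PHONE)_\d+\]")

def strip_identifiers(text, known_names=()):
    """Return (anonymised text, mapping). The mapping stays on the local server."""
    mapping, reverse, counters = {}, {}, {}

    def token(kind, value):
        # Reuse one placeholder per distinct value so the model can track references.
        if value not in reverse:
            counters[kind] = counters.get(kind, 0) + 1
            reverse[value] = f"[{kind}_{counters[kind]}]"
            mapping[reverse[value]] = value
        return reverse[value]

    # Patterns first, so a name inside an e-mail address is not split out of it.
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: token(k, m.group(0)), text)
    # Names come from the structured customer record (assumption), longest first.
    for name in sorted(known_names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b",
                      lambda m, n=name: token("NAME", n), text, flags=re.IGNORECASE)
    return text, mapping

def reinsert(model_output, mapping):
    """Merge real values back; fail closed on a placeholder the mapping lacks."""
    def restore(m):
        if m.group(0) not in mapping:
            raise KeyError(f"unknown placeholder {m.group(0)}")
        return mapping[m.group(0)]
    return PLACEHOLDER.sub(restore, model_output)

def fake_model(prompt):
    """Hypothetical stand-in for the AI call; it only ever receives placeholders."""
    return "Hi [NAME_1], we will call you on [PHONE_1] to confirm."

# Constructed sample message.
MESSAGE = ("Thandi Nkosi (thandi@example.co.za, 082 555 0134) asked for a callback. "
           "Call Thandi Nkosi on 082 555 0134.")

if __name__ == "__main__":
    anonymised, mapping = strip_identifiers(MESSAGE, ["Thandi Nkosi"])
    print(anonymised)
    print(reinsert(fake_model(anonymised), mapping))
```

Pattern matching alone misses free-text identifiers such as names, which is why the sketch takes them from the record rather than guessing; anything the stripping step does not recognise would still reach the model.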

The specifics

Concrete answers, not adjectives.

South African hosting

Your Digital Employees run in a Teraco data centre in Isando, Johannesburg. The facility is ISO 27001 certified and built to Tier III standards. Your data is processed and stored inside South Africa, so the cross-border question never arises.

Isolated per client

Every client gets a separate, isolated environment with its own automation instance and its own database. Your data is never pooled with other clients, and a problem in one environment cannot reach yours.

Encrypted everywhere

Encrypted in transit and at rest. Every connection runs over TLS, server disks are encrypted, and backups are AES-256 encrypted and held inside South Africa.

POPIA in writing

We sign a POPIA operator agreement with every client. You remain the responsible party for your data; we act as your operator with defined, documented obligations. A real agreement, not a badge.

Credentials handled properly

API keys and passwords are collected through a secure setup page and stored in an encrypted vault, never over email or WhatsApp. Access is scoped per client and execution logs do not retain secrets.

Sub-processors disclosed

Any third-party service your automation uses, such as Airtable, OpenAI, or Meta for WhatsApp, appears on a per-client sub-processor list you receive up front. Nothing touches your data without being on that list.

Why this is different

A platform account is not an architecture.

Most agencies run your automation inside a shared overseas SaaS platform. That choice is invisible until a client, an auditor, or a breach makes it visible.

Typical platform setup
  • Hosted on US or EU servers, so your client data crosses borders by default
  • Multi-tenant: your data sits in the same system as thousands of other accounts
  • Compliance answered with a link to someone else’s policy page
  • Raw customer records, names and numbers included, passed straight into AI prompts
  • If the platform changes pricing or terms, your automation goes with it

The Aivolution setup
  • Hosted in South Africa, in a Teraco data centre in Johannesburg
  • Isolated environment and database per client, nothing shared
  • Compliance answered with a signed POPIA operator agreement and artifacts on request
  • Personal information stripped before AI processing and re-inserted after, under signed DPAs
  • You own your Digital Employees; we host and maintain on infrastructure we control

For your IT team

Bring your hardest questions.

If your IT team or compliance officer wants to dig in, good. Our POPIA operator agreement, per-client sub-processor list, the data centre's certifications, and a one-page security overview are available on request. We would rather you check than take our word for it.

  • Operator agreement
  • Sub-processor list
  • Facility certifications
  • Security overview

Common questions

Data security and POPIA, answered.

Where is my data physically hosted?

In a Teraco data centre in Isando, Johannesburg. Teraco is the operator of Africa’s largest carrier-neutral data centres. Your data is processed and stored inside South Africa and never crosses a border.

Is the environment shared with other clients?

No. Every client runs in a separate, isolated environment with its own automation instance and its own database. Your data is never mixed with anyone else’s, and an issue in one environment cannot reach another.

How is my data encrypted?

In transit, every connection uses TLS. At rest, the server disks are encrypted, and backups are encrypted and held inside South Africa.

What POPIA paperwork do you provide?

We sign a POPIA operator agreement with every client. You remain the responsible party for your data, and we act as your operator with defined obligations. The agreement, our sub-processor list, and the facility’s certifications are available on request.

Which third parties touch my data?

Only the services your specific automation needs, disclosed up front in a per-client sub-processor list, each covered by a data processing agreement. Where an AI model is involved, personal information is stripped out before the request and re-inserted afterwards, so the model works on anonymised data. Nothing is added without it appearing on your list.

Does my customers’ personal information go into AI models?

No. Before any data reaches an AI model, names, contact details, and other identifiers are replaced with placeholders. The model processes the anonymised version, and the real details are re-inserted on our infrastructure afterwards. On top of that, we hold data processing agreements with our AI providers, and API data is not used to train their models.

How are my passwords and API keys handled?

Credentials are collected through a secure setup page and stored in an encrypted vault, never over email or WhatsApp. Access is scoped per client, and execution logs are configured not to retain secrets.

Security questions answered.
Now see what we can automate.

Book a free 45-minute audit. We map your processes, show you exactly where the hours are leaking, and you keep the analysis either way.
