Compliance.

POPIA — South Africa

IDVero is registered as a Responsible Party with the Information Regulator. The lawful condition for processing is consent under section 11(1)(a) where the user initiates the verification, or contract under 11(1)(b) where verification is required by a partner product's service contract. All eight POPIA conditions are met: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation.

NDPR — Nigeria

We follow the NITDA-issued Nigeria Data Protection Regulation and its 2025 amendments. We maintain a registered DPCO contact point and submit annual data audits where Nigerian users exceed the audit threshold.

GDPR — European Union

EU users are subject to GDPR. Identity images are processed under explicit consent (Art. 9(2)(a)) and, where applicable, substantial public interest grounds (Art. 9(2)(g)) for fraud prevention. The lawful basis for non-biometric processing is user consent or contract performance.

Cross-border transfer

We honour data residency by the user's country of verification wherever infrastructure exists. Cross-border transfers between Agodi entities are governed by intra-group data transfer agreements; transfers to vendors use Standard Contractual Clauses (EU) and the equivalent under POPIA section 72.

Audits + reports

• Annual SOC 2 Type II — first report targeted Q4 2026.
• Annual ISO 27001 surveillance audit — certification targeted Q2 2027.
• Quarterly internal compliance reviews against the latest ASVS, NIST CSF, and CCPA published deltas.

Sub-processors

The current sub-processor list (cloud, email, observability, fraud detection vendors) is available on request to verified partner platforms. Material changes are notified 30 days before deployment.

Contact

Data Protection Officer
Agodi Technologies (Pty) Ltd
privacy@agoditechnologies.com