Lumosoft operates formally as Lumosoft (Pty) Ltd, a registered private company in the Republic of South Africa. Despite our lean corporate structure, we maintain uncompromising professional standards in all client engagements, data protection practices, and service delivery. All client agreements and data protection commitments remain legally binding and strictly enforceable.
Introduction & Scope
This Privacy Policy ("Protocol") is issued by Lumosoft (Pty) Ltd (referred to herein as "Lumosoft", "we", "us", or "our").
This document governs the privacy protocols and data protection standards applied to our digital properties, managed software platforms, and custom engineering engagements. It details how we collect, process, secure, and destroy personal data in strict compliance with the Protection of Personal Information Act, No 4 of 2013 (POPIA), the Promotion of Access to Information Act (PAIA), and internationally recognized frameworks including the General Data Protection Regulation (GDPR) for our global deployments.
By accessing our corporate website, engaging our consultation services, or deploying our software infrastructure, you acknowledge that you have read, understood, and accept the technical and administrative parameters outlined in this Protocol.
Entity Role Definitions
Due to the nature of enterprise software engineering and managed platform hosting, Lumosoft operates under two distinct legal classifications depending on the data interaction:
Lumosoft as the Responsible Party (Data Controller):
When you engage with us directly to procure services, request a quote, or interact with our corporate website, Lumosoft acts as the Responsible Party. We determine the purpose and means of processing your corporate and personal contact data.
Lumosoft as the Operator (Data Processor):
When you deploy a Lumosoft Managed Platform (e.g., a restaurant POS, student residence portal, or custom logistics dashboard), you are the Responsible Party for your customers' data. Lumosoft acts strictly as the Operator. We process, host, and secure your end-user data strictly according to your documented instructions and our Master Services Agreement (MSA). We claim no ownership over data processed within client platforms.
Data Collection Framework
To execute our engineering mandates, we collect specific categories of data. This collection occurs through direct digital interactions, system logs, and automated architecture monitoring.
| Data Category | Data Points Collected | Collection Vector |
|---|---|---|
| Identity & Contact | Full name, corporate email, business phone number, job title, entity name, and registration numbers. | Contact forms, Client Portal registration, direct email correspondence. |
| Financial | Billing addresses, VAT numbers, invoice history. (Note: We do not store raw credit card data; this is handled by compliant third-party gateways). | Client onboarding, contract execution. |
| Project & Technical | Business logic requirements, API keys, staging environment credentials, proprietary workflows. | Discovery sessions, secure credential vaults. |
| System Telemetry | IP addresses, browser agents, access timestamps, error logs, and bandwidth utilization metrics. | Automated server logs (AWS/GCP) and application performance monitoring (APM) tools. |
Processing & Utilization
Lumosoft applies a strict principle of data minimization. We only process data that is mathematically or operationally necessary to fulfill our business mandate. Data is utilized for the following purposes:
- Service Execution: To engineer, deploy, and configure custom software platforms according to agreed specifications.
- Infrastructure Management: To allocate cloud resources, monitor system uptime, and execute automated database backups.
- Financial Operations: To process setup fees, manage monthly subscription billing, and issue tax-compliant invoices.
- Security & Forensics: To detect unauthorized access attempts, mitigate DDoS attacks, and patch software vulnerabilities.
- Client Support: To authenticate users logging into the Client Portal and resolve direct engineering support tickets.
Infrastructure Security
As a software engineering firm, data security is integrated into our core architecture. We implement defensive design principles and enterprise-grade technical measures to prevent data breaches, unauthorized access, and accidental destruction.
Technical Safeguards
- Encryption in Transit: All data transmitted between clients and our servers is secured via TLS 1.2/1.3 cryptographic protocols (SSL).
- Encryption at Rest: Production databases hosted on our managed infrastructure utilize AES-256 encryption at the storage volume level.
- Access Architecture: Internal access to production environments and client source code is governed by Zero Trust principles, requiring multi-factor authentication (MFA) and secure tunneling.
- Code Integrity: All custom assets undergo vulnerability scanning and dependency auditing prior to production deployment.
While Lumosoft enforces rigid security perimeters, clients acknowledge that no system connected to the internet can guarantee absolute cryptographic invulnerability.
Data Retention Lifecycle
Lumosoft retains personal and corporate data only for the duration strictly required to execute the purposes defined in this Protocol, or as mandated by statutory law.
- Active Engagements: Data is maintained for the lifecycle of the active software subscription or development contract.
- Financial Records: Invoices, billing history, and tax-related identity data are retained for a legally mandated period of 5-7 years under South African corporate law.
- System Telemetry: Server logs and APM data are generally rotated and expunged automatically after 30 to 90 days, unless retained for an active forensic security investigation.
Upon termination of a Managed Platform agreement, client database snapshots are securely transferred to the client, after which all primary and backup instances on Lumosoft hardware are permanently destroyed using cryptographic wipe protocols.
Third-Party Sub-Processors
Lumosoft does not sell, trade, or monetize data. To deliver enterprise-grade software, we utilize highly vetted third-party sub-processors. We ensure these entities comply with equivalent global data protection standards.
| Infrastructure Type | Primary Providers | Processing Purpose |
|---|---|---|
| Cloud Hosting & Compute | AWS, DigitalOcean, Heroku | Application hosting, database storage, server instances. |
| Transactional Gateways | PayFast, Yoco, Stripe | Processing subscription fees and client platform payments. |
| Communication & SMTP | SendGrid, Mailgun, Google Workspace | Transactional system emails (password resets, invoices). |
Client & User Rights
Under the parameters of POPIA and applicable international data laws, data subjects maintain stringent rights regarding their personal information held by Lumosoft:
- Right to Access: Request a cryptographic copy of the personal data we hold about your entity.
- Right to Rectification: Mandate the correction of inaccurate or incomplete technical or billing data.
- Right to Erasure (Right to be Forgotten): Request the deletion of data, provided it does not conflict with our statutory retention obligations or active operational contracts.
- Right to Object: Object to the processing of data for marketing or non-essential operational purposes.
To execute any of these rights, formal requests must be submitted to our Information Officer via the contact details provided below. Identity verification will be strictly required prior to the release or modification of any data.
Digital Telemetry & Cookies
To ensure the secure and functional operation of Lumosoft's digital infrastructure, we utilize essential cryptographic and session-based cookies. Under the parameters of POPIA, these strictly necessary cookies are exempt from prior consent requirements as they are technically mandated for the site's core architecture.
- csrftoken: Cross-Site Request Forgery protection. A security token mandated by our framework to verify that form submissions are authentic and protect against malicious cross-site exploits. (Duration: 1 Year).
- sessionid: Session architecture. Facilitates secure authentication and state management when clients log into the Lumosoft Client Portal or managed infrastructure. It does not track activity across external public networks. (Duration: Active Session).
Lumosoft does not deploy third-party marketing, tracking, or analytical cookies without explicit, opt-in consent via a dedicated permission gateway.
Command Center Contact
For inquiries regarding this Protocol, data access requests, or to report a security vulnerability, please contact our administrative command center directly.
Entity: Lumosoft (Pty) Ltd
Information Officer: Legal & Compliance
Direct Email: info@lumosoft.co.za
Phone Operations: +27 67 970 5112
Headquarters: Gauteng, South Africa (Remote Global Deployments)
Should you feel that Lumosoft has processed your data outside the parameters of the law, you maintain the right to lodge a formal complaint with the Information Regulator of South Africa at inforeg@justice.gov.za.