Security & compliance
for South African property data.
How we approach property management software security in South Africa. Your data is hosted in South Africa for POPIA residency, encrypted in transit, with sensitive fields encrypted at rest, role-based access, an audit trail and daily backups. We describe the controls we actually operate — and we are explicit that no third-party certification is claimed.
- Hosted in South Africa
- Encrypted in transit
- Role-based access
- POPIA-aligned controls
The production database runs in the AWS Cape Town region, chosen for POPIA data residency — personal information stays in the country.
Integration tokens and other secrets are encrypted at the field level before they touch the database; traffic is encrypted in transit over TLS.
We do not claim ISO 27001, SOC 2 or any third-party certification. We describe the real controls and let you evaluate them.
We describe how we approach security and data protection — not a certification we do not hold.
Choosing property management software means handing a vendor your tenants’ identity numbers, your owners’ banking details, your trust-account movements and years of lease and payment history. That is exactly the kind of personal and financial information POPIA exists to protect, so it is fair to ask hard questions about where the data lives, who can reach it, and what happens when something goes wrong.
This page sets out the controls Regalis actually operates today, in plain terms. We have deliberately avoided marketing absolutes. You will not find a claim that the platform is “unhackable”, “fully POPIA-compliant” or “certified secure”, because no software can honestly promise that and we hold no third-party security certification. What we can do is be precise about residency, encryption, access control, audit logging, backups and the POPIA-supporting machinery built into the product.
Where a control is on the roadmap rather than live — a database proxy layer, tighter network lockdown, a formal certification programme — we say so rather than implying it already exists. Security is an operating posture, not a badge, and we would rather you evaluate ours on the specifics.
What sits behind your data, in defensible terms.
Each of these is a real mechanism in the platform today. We have described what it does, and stopped short of any claim we cannot stand behind.
Hosted in South Africa
The production database runs in the AWS Cape Town region (af-south-1). Hosting locally was a deliberate choice to keep personal information inside South Africa for POPIA data residency, rather than routing it offshore.
Encrypted in transit
Traffic between the browser and the platform travels over HTTPS/TLS. Email transport uses STARTTLS or implicit TLS. Data does not move across the open internet in the clear.
Sensitive fields encrypted
Secrets such as bank and accounting integration tokens are encrypted at the field level with AES-256-GCM before storage, and decrypted only server-side when a connection is in use.
Role-based access control
Every account carries a defined role. The platform is structured so people see and act only on what their role allows, with staff, landlord and tenant areas separated by a route guard.
Organisation-scoped API guard
API requests pass through a wrapper that confirms the signed-in identity and the correct organisation before returning data, so one organisation cannot read another’s records.
Hashed passwords & sessions
Passwords are stored as bcrypt hashes, never plain text. Sessions use signed JSON Web Tokens, and trusted-device handling applies role-based session lifetimes with country-drift revocation.
Audit logging
Sensitive operations — integration connections, approvals, feature toggles, arrears actions, subscription changes — write an audit entry recording actor, action and affected record for accountability.
Daily backups & restore checks
A daily database backup runs with a separate weekly restore-verification step and a long retention window. Administrators can see snapshot and verification state and run a backup manually.
Document integrity
Uploaded documents record a SHA-256 checksum and an encryption note, so a file can be checked for tampering and its handling traced. Uploads are limited by type and size.
Information Officer surface
Each organisation captures its own Information Officer details, surfaced in the privacy centre and the published PAIA manual — the human point of contact POPIA expects for data-protection matters.
Consent ledger
Every grant and withdrawal of consent — marketing, screening, messaging, mandates, e-signature, cookies — is recorded with timestamp, IP and the version of the disclosure text agreed to.
Retention & deletion
A daily sweep removes records past their window, with legal hold for disputes. Data-subject access and deletion requests run through the privacy centre, preserving records that carry a legal retention basis.
From sign-in to backup, in one chain.
Identity & role at the door
A person signs in against a bcrypt-hashed password and receives a signed session. Their role determines which portal they land in and what they can reach, with staff, landlord and tenant areas separated by the route guard.
- bcrypt-hashed passwords
- Signed JWT sessions
- Role-based portal separation
Every request is organisation-scoped
API calls run through an organisation guard that re-checks the identity and the organisation on each request. Data is returned only for the caller’s own organisation — cross-organisation reads are blocked by design.
- Per-request auth check
- Organisation isolation
- Consistent across the API surface
Sensitive data is protected at rest and in transit
Traffic is encrypted over TLS. Integration secrets are encrypted at the field level with AES-256-GCM. Documents carry a checksum. The data path is built to avoid clear-text exposure of the things that matter most.
- TLS in transit
- AES-256-GCM for secrets
- Checksummed documents
Actions are logged, data is retained responsibly, backups verified
Sensitive operations write to the audit log. The daily retention sweep enforces deletion windows. A daily backup runs with weekly restore verification, so the data is both governed and recoverable.
- Audit trail on sensitive actions
- Automated retention sweep
- Daily backup + weekly restore check
Designed to support POPIA — and to support property-practitioner requirements — without overstating it.
POPIA does not hand out compliance certificates, and neither do we. What the Act asks for is a clear lawful basis for each processing activity, the ability to prove what was processed and on whose authority, and a genuine way to honour the rights of a data subject within the statutory window. Regalis is built to make those three things practical rather than aspirational: the consent ledger records what was agreed, the audit log records who did what, the retention sweep enforces deletion windows, and the privacy centre lets a person exercise their access, correction and deletion rights.
Each organisation registers its own Information Officer — the role POPIA expects to own data-protection matters — and that contact is surfaced in the privacy centre and the published PAIA manual, which reflects the 2021 transfer of PAIA oversight to the Information Regulator. For managing agents, this sits alongside the trust-accounting posture that supports property-practitioner record-keeping requirements.
We describe this as POPIA-aligned, not POPIA-compliant, and as supporting your obligations rather than discharging them. Compliance is something your organisation holds, with the help of tooling like this. We have built the tooling to be defensible; the accountability stays with you, and we would rather be precise about that line than blur it.
Continue exploring how Regalis handles the rest of the rental operation.
POPIA & PAIA compliance
Consent ledger, registered Information Officer, retention sweep, subject-access exports, deletion execution and a published PAIA manual.
Read moreData Processing Agreement
The processing terms that govern how Regalis handles personal information on your behalf as operator under POPIA.
Read moreSubprocessors
The third-party providers that support the platform, what they do and where they sit — published so you can assess the data path.
Read moreEvaluating property software security
A practical checklist for assessing the security and data-protection posture of any South African property platform before you commit.
Read moreCommon questions about security and data protection.
Where is property and tenant data stored?+
In South Africa. The production database runs in Amazon Web Services’ Cape Town region (af-south-1), chosen specifically to keep personal information inside the country for POPIA data-residency purposes. Documents and generated files are held in managed object storage. We use established cloud infrastructure rather than self-hosting in a back office.
Is the data encrypted?+
Traffic between your browser and the platform travels over HTTPS/TLS, so data is encrypted in transit. Sensitive secrets — for example the access tokens that connect your bank and accounting integrations — are encrypted at the field level using AES-256-GCM before they are written to the database. Uploaded documents carry an integrity checksum and an encryption note. We describe the approach honestly rather than over-claiming blanket guarantees.
Does Regalis hold any security certification like ISO 27001 or SOC 2?+
No. We do not hold, and do not claim, ISO 27001, SOC 2, a published penetration-test attestation, or any third-party security certification. We describe the controls we actually operate — residency, encryption, access control, audit logging and backups — and let you evaluate them on their merits. If a formal certification programme is something your procurement requires, tell us and we can discuss the roadmap.
How is access to data controlled?+
Every account has a defined role, and the platform is structured so that people only see and act on what their role permits. API requests run through an organisation-scoped guard that confirms both the signed-in identity and the right organisation before any data is returned. Sign-in uses bcrypt-hashed passwords with a JSON Web Token session, and trusted-device handling applies role-based session lifetimes.
Is there an audit trail of who did what?+
Yes. Sensitive operations — integration connections, feature toggles, approvals, arrears actions, subscription changes and more — write an audit entry capturing the actor, the action and the affected record. The audit log is part of how the platform supports accountability under POPIA and how a managing agent demonstrates control of trust-account and personal-data activity.
What happens to data if it is no longer needed, or a tenant asks for it?+
A daily retention sweep removes records past their defined window automatically, with a legal-hold setting to pause deletion for anything under active dispute. A data subject can file an access, correction or deletion request through the public privacy centre; access requests compile a complete bundle, and deletion anonymises personal fields while preserving records that carry their own legal retention basis. These controls are POPIA-aligned and support property-practitioner record-keeping requirements.
How are backups handled?+
The platform runs a daily database backup with a separate weekly restore-verification step, and applies a long retention window before older snapshots are pruned. An administrator can see the latest snapshot and verification state, and trigger a manual run, from the in-app backup posture page. We do not publish a contractual uptime number or recovery-time SLA on this page.
Ask us the hard questions about your data.
We will answer them straight.
Walk through residency, encryption, access control, audit logging, backups and the POPIA-supporting controls with someone from the team — and tell us what your procurement process needs.