
Information

XVAULT GLOBAL
WWW.XVAULT.ORG
Our infrastructure providers maintain industry standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3 and PCI DSS Level 1.
Compliance standards are in place in accordance with the Protection of Personal Information Act (POPIA).

 

Responsible parties are required to obtain prior authorization from the Information Regulator before processing personal information in certain circumstances prescribed in section 57 of POPIA, for example, where special personal information or personal information of children is transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information and where information on criminal behavior or unlawful or objectionable conduct is processed on behalf of third parties. Prior authorization is also required when processing personal information for the purposes of credit reporting or when processing unique identifiers for a purpose other than the purpose for which it was originally collected and linking it with personal information processed by other third parties. Responsible parties are not otherwise required to register their processing of personal information.

POPIA caters for two scenarios relating to the transfer of personal information, namely where a responsible party in South Africa sends personal information to another country to be processed and where a responsible party in South Africa processes personal information that has been received from outside South Africa.

The requirements for the processing of personal information prescribed in POPIA will apply to any personal information processed in South Africa, irrespective of its origin.

The recipient is subject to a law, binding corporate rules or a binding agreement which:

Upholds principles for reasonable processing of the information that are substantially similar to the conditions contained in POPIA; and

Includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties who are in another country.

The transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; or

The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party, or the transfer is for the benefit of the data subject and:

It is not reasonably practicable to obtain the consent of the data subject to that transfer; and

If it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

Section 19 of POPIA places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss, damage to, or unauthorized destruction of, and unlawful access to, personal information.

To comply with this obligation, the responsible party must take reasonable measures to do all of the following:

Identify all reasonably foreseeable internal and external risks to personal information under its control.

Establish and maintain appropriate safeguards against the risks identified;

Regularly verify that the safeguards are effectively implemented; and

Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The responsible party must also have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Process Flow

  1. Procedural description

  1. User Sign up - Email and Password creation

  2. Disclaimer Notice

  3. The user then engages in the xvault.org system registration. By submitting the registration, the user accepts the noted disclaimer notice.

  4. The user then fills in the system registration form. Once all parameters are met within the system registration, the team at xvault.org stores the custom user id password for referencing uploaded documentation.

  5. By clicking the submit button, both parties that are to interact agree to the terms in the memorandum of agreement. Once the form is submitted with all parameters valid, a password will be issued to access the compliance upload page, wherein the sender or receiver bank uploads a certificate of account balance with all compliance documentation.

  6. Sender and receiver compliance documentation is needed before the issuing of a password to access the sender or receiver ledger to ledger transmission page. Note: a one-off fee of R50 is required to access the vault.

  7. At the bottom of this page, both sender and receiver xvault.org identification codes are required.

  8. Within the transmission page, all data input and validation requests are to be met in order for the transmission to be sent to the user on both ends (sender and/or receiver).

  9. Once the sender and/or receiver complete the transaction transmission form in the xvault.org vault portal, the logged data is sent as a CSV file via team@xvault.org secure mail.

  10. After successful receipt of the transaction depicted through the transmission, a balance of account after reconciliations is to be uploaded to xvault.org using the upload balance of account button.

  11. xvault.org issues the balance after reconciliations done by the sender or receiver bank, sending it to the sender and receiver bank via team@xvault.org secure mail.

User Compliance Example 

 Strong Customer Compliance Documentation

This refers to documentation related to ensuring that customers and their activities comply with laws and internal policies—especially around anti-money laundering (AML), know your customer (KYC), and fraud prevention.

1. Know Your Customer (KYC) Documentation

Customer Identification Program (CIP): Legal name, date of birth, address, ID verification.

Customer Due Diligence (CDD): Risk profile of the customer, source of funds, expected transaction types.

Enhanced Due Diligence (EDD): For high-risk customers (e.g., PEPs, offshore entities), with deeper documentation such as:

Source of wealth

Business ownership details

Justification for complex structures

2. Anti-Money Laundering (AML) Documentation

Transaction Monitoring Records: Logs and alerts from automated monitoring systems.

Suspicious Activity Reports (SARs): Filed with regulators when suspicious behavior is identified.

AML Risk Assessments: Internal assessments of exposure to money laundering.

AML Program Documents: Policies, procedures, training materials, and system documentation.

3. Customer Consent and Communication Records

Consent for data sharing (e.g., GDPR compliance).

Records of disclosures and agreements signed (e.g., terms of service, privacy policy).

Audit trail of customer communications (calls, emails, chat logs).

4. Sanctions and Watchlist Screening

 

OFAC, EU, UN Sanctions List Screening Logs.

False positive handling documentation.

Name screening and resolution records.

 General Compliance Documentation

This is broader and touches on how the bank ensures it operates within legal, regulatory, and ethical boundaries across all departments.

1. Regulatory Compliance Programs

Compliance Policies and Procedures Manual: Covers all areas—lending, deposits, investments, marketing.

Compliance Monitoring & Testing Reports.

Internal Compliance Audits.

Regulatory Examination Files: Responses and remediation plans following inspections by authorities (e.g., OCC, FDIC, FCA).

2. Governance and Risk Oversight

Board and Committee Meeting Minutes: Especially from risk and compliance committees.

Compliance Risk Assessments.

Compliance Training Records: Proof that employees have received required training.

Whistleblower Program Documentation.

3. Privacy and Data Protection

Data Protection Impact Assessments (DPIA).

Records of Processing Activities (ROPA).

Incident and Breach Logs.

Third-Party Risk Assessments (for vendors handling customer data).

4. Product Compliance

Product Approval and Review Documentation.

Marketing Compliance Reviews (including disclaimers and disclosures).

Customer Outcome Testing (for consumer protection rules).

Characteristics of Strong Compliance Documentation

Consistency: Formats and naming conventions are standardized.

Traceability: Audit trails and version control are in place.

Accessibility: Documents are securely stored and retrievable by relevant teams.

Up-to-date: Regular reviews ensure policies align with current laws and risks.

Approval Hierarchy: Evidence of proper sign-offs and ownership.

Security

Internet Security Protocols: HTTPS, TLS 1.2

Automatic SSL Certification

Data at rest: AES-256 Encryption

Anti-DDoS Protection

SOC & SIEM

PCI DSS Level 1

SOC 2 Type 2

Several ISOs

GDPR, CCPA, LGPD compliant

Physical Data Security: Google Cloud, AWS and EQUINIX

User registration log

Web Interface is a non-invasive online application

Our data in transit uses HTTPS, TLS 1.2 and automatic SSL, while data at rest uses AES-256, the strongest encryption standard commercially available.

Team@xvault.org falls under the above hosted security provider measures.

​


Beta build 2.3.4

© 2024 xvault.org x11
All rights reserved.

Global Domain Network System
Enterprise Name: XVAULT GLOBAL (PTY) LTD
Enterprise Number: 2025/119826/07
Name Reservation Number: 9426094421
Tax Reference: 9550197223
Address: Number 5 Tweede Street, Magaliesburg, Gauteng, 1791
