Dootsa South African Compliance-Alignment Brief

Internal customer-facing handout for enterprise and public-sector procurement teams.

Value Proposition

Frequently Raised Security And Compliance Concerns

Concern | Dootsa Position
Data residency | Primary residency can be set to South Africa, with transfer controls tracked through compliance settings and processor inventory governance.
Cross-border processing | Cross-border transfers are controlled through policy and operator agreement requirements, including transfer mechanism tracking.
Access control and MFA | Role-based access and privileged MFA controls are enforced with auditable change logs.
Sensitive data exposure | Uploaded media uses signed internal URLs and private storage by default.
Encryption posture | TLS verification is hardened for database connections; sensitive MFA material is protected at rest.
Auditability | Operational and security changes are logged with evidence artifacts available for due diligence workflows.
Incident response and continuity | Runbooks, backup/restore test templates, and access review templates are maintained in the readiness pack.

Current Readiness Deliverables

Framework Positioning (External)

Framework | Approved Positioning
SOC 1 | Not currently attested. SOC-style governance and control evidence available for customer risk review.
SOC 2 | Not currently attested. SOC 2-aligned controls and readiness evidence are maintained.
PCI-DSS | Not currently represented as certified/attested. PCI obligations are managed based on scope and contract requirements.
ISO 27001 | ISO 27001-aligned controls and audit engagement planning are in place; certification status is shared per audit stage.
HIPAA | Not a default HIPAA-covered production environment; HIPAA scope is enabled when PHI and BAA requirements apply.
EU Model Clauses (SCCs) | Supported via SCC legal workflows and transfer safeguards, subject to signed agreements.

What Customers Can Request

Support Escalation

Any additional concerns not covered in this brief are handled through the Dootsa support and security review process.

Claim guardrail: Use "compliance-aligned" language and avoid "certified", "attested", or "fully compliant" unless current external evidence confirms that status.