Privacy Policy

Last updated: 10 February 2026
Effective date: Immediate
Data Protection Contact: privacy@kaylasolutions.co.za
Telephone: (010) 449 7572
Registered office: Crescent Office Park, 3 Eglin Road, Sunninghill, Sandton, 2157, South Africa

1. Our commitment

Kayla Business Solutions (Pty) Ltd (“KBS”, “we”, “our”) promises to treat personal information entrusted to us with clarity, restraint and measurable care. We will:

  • collect only the personal information necessary to fulfil a clearly stated business purpose;
  • use that information only for the purposes we describe;
  • keep customer data under customer control wherever we rely on Microsoft tenant-hosted designs;
  • protect data using appropriate technical and organisational measures; and
  • be transparent and accountable to customers, partners and regulators.

This Policy is a corporate promise and a public record of how we operate.

2. Scope and roles

Scope. This Policy covers personal information processed by KBS in our corporate operations (website, sales, contracting, HR, finance) and in our role as a supplier to customers (including Smart DMS deployments). Product-specific statements (for Smart DMS) apply in addition to this Policy for data processed inside that solution.

Roles.

  • When Smart DMS or other KBS solutions are deployed within a customer’s Microsoft tenant, the customer is the Data Controller and KBS acts as a Data Processor (processing data only under the customer’s instructions). See Smart DMS for product details and boundary design.
  • For corporate operations (website enquiries, recruitment, billing), KBS is the Data Controller.

3. What we collect — explicitly and only as needed

KBS collects personal information only when there is a legitimate business reason.

Corporate / Commercial

  • Contact details (name, business email, phone), job title, organisation.
  • Billing and contractual information required for invoicing, VAT and compliance.

Website and technical data

  • IP address, browser type and version, device type, pages visited, time on site, cookie preferences. This data is used to operate and improve our site and to detect abuse.

Recruitment

  • CVs, employment history, qualifications, interviewer notes and references; processed only by authorised HR personnel.

Smart DMS (product data)

  • Where Smart DMS is used inside a customer tenant, personal data categories processed include identity/directory data (name, email, job title, Entra ID), business workflow content (memos, attachments, approvals) and operational metadata (audit trails). KBS’s Smart DMS design keeps customer personal data within the customer-owned Microsoft 365 / Power Platform environment unless the customer authorises otherwise.

Sensitive data

  • KBS does not require special categories of personal data. If sensitive data is supplied by a customer inside Smart DMS (by the customer’s own users), KBS will process it only on explicit customer instruction.

4. How we collect data — always transparently

We collect information:

  • directly from individuals (webforms, emails, phone calls, contract negotiations);
  • from customers (directory attributes and user-entered workflow content when Smart DMS is used);
  • automatically (web analytics and cookies); and
  • from partners or public sources where minimal, relevant contact information is available.

We do not acquire personal data from data brokers for marketing.

5. Lawful basis and purposes — explicit

KBS processes personal data only for lawful business purposes including:

  • Contract performance — preparing proposals, delivering contracted services, billing;
  • Legal compliance — accounting, tax and statutory record-keeping;
  • Legitimate interests — security, fraud prevention, infrastructure management and limited marketing after balancing tests; and
  • Consent — where required for marketing or non-essential cookies.

We do not rely on legitimate interest where that would override individual rights; we always document and balance the rationale.

6. How we use personal information — strictly limited

We use personal information to:

  • respond to enquiries, prepare proposals and contracts and deliver services;
  • operate and secure our systems and website;
  • invoice, collect payments and comply with tax obligations;
  • recruit and manage staff; and
  • fulfil legal obligations or protect KBS or its customers against fraud or abuse.

We do not sell or rent personal information and we will not use customer personal data for KBS internal marketing or profiling without explicit agreement.

7. Retention, location and end-of-use — practical specifics

Where data is stored

  • Smart DMS personal data remains within the customer’s Microsoft 365 tenant and Power Platform environment by design (tenant-resident). KBS does not operate a parallel customer personal-data repository under normal operation.
  • Corporate data is stored in secure cloud services (principally Microsoft cloud services and approved third-party providers).

Retention examples (corporate):

  • Recruitment/applicant records: 1 year after process closure unless consented otherwise.
  • Billing and tax records: 6 years (statutory compliance).
  • Website logs: aggregated for analysis; raw logs retained 12–24 months depending on operational need.
  • Customer contract records: retained for contract life and commonly 6 years thereafter for warranty and compliance.

Customer-controlled retention

  • For Smart DMS, retention, archiving and deletion are controlled by the customer’s Microsoft 365 retention policies and Power Platform configuration. KBS will not impose independent retention on customer data unless contractually agreed.

8. Security — what KBS actually does

KBS operates a defence-in-depth security programme appropriate to our size and risks:

Platform controls

  • We rely on Microsoft cloud infrastructure for physical and platform security and implement tenant isolation and logical separation. KBS will not weaken native platform security.

Encryption

  • Data in transit is protected by TLS (minimum TLS 1.2). Data at rest uses platform-provided encryption. Where required and contractually agreed, KBS supports customer-managed encryption keys or related options available through the platform.

Identity & access

  • Authentication and identity use Microsoft Entra ID for solutions and corporate systems where appropriate. We enforce role-based access control (RBAC) and least privilege, and require multi-factor authentication (MFA) for privileged accounts.

Operational

  • Patch management, vulnerability scanning, logging and monitoring. KBS completes periodic security reviews and commissions third-party penetration tests for critical components as part of our security lifecycle.

Support access

  • KBS staff do not have standing access to customer personal data. Support access is provided only with explicit customer authorisation, limited in scope and duration, logged against a support ticket and reviewed after use (see section 9).

9. Support access, operational handling and audits

If KBS must access customer data for support:

  • the customer must authorise access in writing or via an agreed ticket;
  • access is time-limited, minimally privileged and fully logged;
  • KBS provides an access report to the customer on request; and
  • for emergency access where prior authorisation cannot be obtained, KBS will document the action and obtain retrospective written authorisation.

KBS will cooperate with customer audits where agreed contractually, subject to confidentiality limits. We will share available compliance artifacts, security test reports and evidence as appropriate.

10. Sub-processors and third-party services — full transparency

KBS uses sub-processors for hosting, analytics, email, backups and support. The principal platform for Smart DMS and many KBS services is Microsoft (Azure, Microsoft 365, Power Platform, Entra). Other subcontractors are reputable vendors used for operational needs.

Commitment: KBS maintains and will provide a current list of sub-processors and processing purposes on request. Sub-processors are contractually required to maintain confidentiality, implement appropriate security measures and process data only per KBS instructions.

11. Cross-border transfers — safeguards in place

Because we use cloud service providers, personal data may be processed or stored outside South Africa. KBS transfers personal data across borders only where:

  • there is a legal ground for transfer; and
  • appropriate safeguards are applied (contractual terms, standard contractual clauses or equivalent).

We ensure contractual and technical safeguards preserve an equivalent level of protection.

12. Data subject rights — how to exercise them

Individuals may exercise the following rights (subject to legal limits):

  • Access — request a copy of personal data we hold;
  • Rectification — correct inaccurate information;
  • Erasure — request deletion where lawful;
  • Restriction — ask to limit processing;
  • Objection — object to processing where lawful;
  • Portability — request machine-readable export where applicable.

How to request: Send an email to privacy@kaylasolutions.co.za with proof of identity and a clear description of your request. We acknowledge receipt promptly and aim to respond within 30 days (extensions only where permitted by law). We will verify identity before responding.

13. Privacy incidents — what we will do

KBS maintains an incident response capability. If a privacy incident affecting personal data under KBS control occurs, we will:

  • notify affected customers without undue delay and, where the incident risks the rights and freedoms of individuals, aim to notify within 72 hours of discovery;
  • provide scope, data categories affected, remediation steps and mitigation;
  • cooperate fully with customer investigations and regulatory obligations; and
  • coordinate with Microsoft for incidents involving platform services.

14. Assurance, testing and privacy-by-design

KBS applies privacy-by-design across our solutions:

  • privacy considerations are included early in design and implementation;
  • security testing (vulnerability scanning, penetration testing) is performed for critical components;
  • staff receive security and privacy training;
  • KBS will provide evidence of controls as reasonably requested in procurement processes or audits.

KBS does not claim certifications it does not hold. Where certification or third-party audit evidence is available and relevant, KBS will provide it under NDA or contractual terms.

15. Cookies and tracking — specifics for website users

KBS uses cookies for core site functionality and to measure aggregate site usage. We do not use cookies for cross-site advertising or profiling.

Representative cookies (examples):

  • kbs_cookie_consent — records consent for non-essential cookies (1 year)
  • session_id — session and authentication (session)
  • analytics_id — aggregated site metrics (24 months)
  • fonts_loaded — UI performance (1 year)

Users can disable non-essential cookies in their browser; doing so may reduce website functionality.

16. Retention and end-of-service (product)

  • Corporate retention is described in section 7.
  • For Smart DMS, retention is governed by customer-configured Microsoft 365 and Power Platform retention policies. At service termination, the customer retains control and ownership of their data and may request export or deletion per contractual terms.

17. Children and sensitive categories

KBS does not target its services to children and does not intentionally collect children’s personal data. KBS does not seek sensitive personal data in corporate operations. If sensitive data appears in customer-submitted content within Smart DMS, KBS processes it only under the customer’s instruction.

18. Changes to this Policy

We may update this Policy to reflect legal, technical or operational changes. The “Last updated” date will be revised. Material changes will be communicated to customers as appropriate.

19. Complaints and supervisory authorities

If you have concerns, contact privacy@kaylasolutions.co.za. If you remain dissatisfied you may escalate the matter to the relevant data protection authority (for example the Information Regulator in South Africa).

20. Contact — explicit accountability

Data Protection Contact (DPO): privacy@kaylasolutions.co.za
Telephone: (010) 449 7572
Address: Crescent Office Park, 3 Eglin Road, Sunninghill, Sandton, 2157, South Africa

Statement of truth and accountability

This Policy accurately describes KBS practices and is a public commitment we make to customers and regulators. Where KBS relies on third-party platforms (notably Microsoft) we are explicit about that relationship and the safeguards we require. KBS will cooperate with customers, Microsoft and regulatory authorities on audits, security reviews and incident response.