Licentia takes reasonable and appropriate technical, organisational, and procedural measures to secure the integrity and confidentiality of personal information in its possession or under its control, and to prevent loss, damage, unauthorised destruction, unlawful access, unlawful disclosure, or unlawful processing.

These safeguards apply across Licentia Franchise SA (Pty) Ltd, the provincial entities, authorised franchise operators, internal departments, and any approved systems or service providers used within the Licentia governance framework.

9.1 General Security Standard

Licentia implements and maintains security safeguards appropriate to the nature of the personal information processed, the risks associated with such processing, and the operational environment in which the information is collected, stored, shared, and used.

Safeguards are designed to protect:

• client identification and contact details;
• business and entity records;
• compliance documentation and submissions;
• financial and commercial information;
• inspection media and evidence packs;
• legal and enforcement records; and
• system logs, communications, and governance records.

9.2 Technical Safeguards

Licentia may apply technical safeguards, including, where applicable:

• password protection and user authentication;
• role-based access controls;
• restricted administrator access;
• audit logging and access traceability;
• encrypted or otherwise secured storage environments;
• protected cloud and backup environments;
• firewall, anti-malware, and system protection measures;
• controlled export, download, and deletion permissions; and
• system monitoring and incident detection measures.

The precise technical controls may evolve as Licentia’s systems, hosting environments, applications, and regulatory requirements develop.

9.3 Organisational and Governance Safeguards

Licentia applies organisational safeguards, including:

• internal governance policies and compliance procedures;
• confidentiality obligations applicable to employees, franchise operators, internal departments, and authorised service providers;
• lawful access restrictions based on function and need-to-know principles;
• training and compliance awareness measures;
• oversight by Head Office and the Information Officer structure; and
• audit and escalation controls where risks, errors, or breaches are identified.

These safeguards are intended to ensure that personal information is processed only for lawful purposes and only by authorised persons.

9.4 Franchise, Provincial, and Departmental Access Controls

Access to personal information is controlled across the Licentia network in accordance with territorial responsibility, role, and operational necessity.

Accordingly:

• provincial users may access information relevant to their territorial operations and lawful functions;
• Head Office may access information across the Licentia network for governance, oversight, audit, legal, financial, and system integrity purposes;
• internal departments, including Compliance, Finance, Audit, IT Governance, and Legal, may access records where reasonably required for lawful execution of their functions; and
• access by franchise operators and authorised independent contractors is limited to information necessary to execute the authorised mandate or process.

Licentia applies role-based controls and traceability measures to reduce the risk of unauthorised access or misuse.

9.5 Confidentiality and Need-to-Know Processing

Licentia processes personal information on a need-to-know basis.

This means that personal information is accessed, viewed, used, or shared only where reasonably necessary for:

• service execution;
• regulatory compliance;
• governance oversight;
• lawful financial administration;
• legal oversight or enforcement;
• dispute resolution; or
• system support and operational continuity.

All persons processing information within the Licentia governance framework are expected to maintain confidentiality and to refrain from unauthorised disclosure or use.

9.6 Inspection Media, Field Devices, and Temporary Capture

Licentia’s operations may involve temporary capture of information, photographs, or videos on authorised field devices during inspections, consultations, or compliance processes.

Where such information is captured on mobile devices or temporary platforms:

• it must be treated as confidential;
• it must be transferred into the controlled Licentia system or record environment as part of the official client file; and
• it remains subject to Licentia’s security, retention, and deletion controls.

Licentia applies governance controls to reduce exposure associated with temporary device-level capture and subsequent transfer into central records.

9.7 Third-Party Operators, Service Providers, and External Professionals

Where Licentia uses third-party operators, hosting providers, developers, external professionals, or specialist service providers, Licentia requires that such parties maintain confidentiality and apply appropriate safeguards in relation to any personal information processed on Licentia’s behalf or disclosed to them for lawful service execution.

Licentia will take reasonable steps to ensure that third-party processing occurs within the authorised scope and under appropriate confidentiality, security, and governance controls.

9.8 Security Reviews, Risk Identification, and Corrective Measures

Licentia may periodically review its safeguards, systems, and processing practices in order to:

• identify risks and vulnerabilities;
• improve controls and operational practices;
• address governance failures or non-compliance;
• strengthen security over time; and
• respond to changing legal, technical, and operational requirements.

Where weaknesses, irregularities, or incidents are identified, Licentia may implement corrective, remedial, or restrictive measures, including escalation to internal governance, the Information Officer, or the Legal Department.

9.9 Lawful Basis

The implementation and maintenance of security safeguards is carried out on the basis of:

• legal and regulatory obligations applicable to the responsible party; and
• lawful interests in protecting personal information, preventing misuse, preserving evidence, maintaining operational continuity, and ensuring governance integrity across the Licentia network.