
Privacy Policy

POPIA-Compliant Privacy Notice

Last updated: 30 May 2026

1. Introduction

Synchplus Consulting (Pty) Ltd ("Synchplus", "the Company", "we", "us"), a company registered in the Republic of South Africa, is committed to protecting the personal information of our users and their managed tenants in accordance with the Protection of Personal Information Act, 2013 (POPIA). This Privacy Policy explains how we collect, use, store, and protect personal information processed through the VaultFuzion platform. VaultFuzion is a product of Kapardyn, a wholly-owned division of Synchplus Consulting.

2. Information We Collect

Account Information:

  • Name, email address, organisation name, and role
  • Authentication credentials (securely hashed with an industry-standard algorithm)
  • Multi-factor authentication enrollment data (encrypted at rest)

Microsoft 365 Data (backed up on your behalf):

  • Exchange mailbox content (emails, calendar, contacts)
  • OneDrive files and folders
  • SharePoint site content
  • Teams channel messages and files
  • Entra ID configuration snapshots

Endpoint Data (Kapsul8 EndpointBackup customers only — backed up on your behalf):

  • Files and folders selected by your backup policy from Windows desktops, laptops, and servers
  • Windows system state (registry hives, boot configuration, Active Directory database where applicable, IIS configuration where applicable)
  • Endpoint metadata: hostname, OS version, hardware fingerprint, BitLocker status, agent version, last-seen timestamp, network type
  • Backup job results, including success/failure status, file counts, byte counts, error messages
  • Endpoint-side anomaly signals (file-modification rates, entropy patterns, extension patterns) used for ransomware detection alerting

All Endpoint Data is encrypted on the source machine before transmission. We never see plaintext file content. The Windows agent is code-signed with an Extended Validation certificate; we do not collect keystroke data, screen captures, browser history, microphone or camera content, or any data unrelated to backup operations. We do not deploy persistent surveillance tooling under any tier.

Platform Usage Data:

  • Audit trail events (login, backup, restore, configuration changes)
  • Threat detection verdicts and security scan results
  • API access logs and session metadata

3. Purpose of Processing

We process personal information for the following purposes:

  • Providing Microsoft 365 backup, restore, and protection services
  • Entra ID configuration monitoring and drift detection
  • Email authentication analysis (DMARC, SPF, DKIM)
  • eDiscovery, legal holds, and compliance reporting
  • Threat detection and phishing protection
  • Account management, billing, and customer support
  • Platform security, fraud prevention, and abuse detection
  • Tamper-evident audit logging for legal and compliance purposes

4. Data Retention

Backup data is retained according to your configured retention policy, supporting configurable retention periods of up to 7 years — meeting POPIA retention requirements. Retention policies are configurable per tenant with daily, weekly, and maximum-age parameters.

Audit trail records are retained for the full subscription period plus 2 years, forming a tamper-evident hash chain from which any modification or deletion is cryptographically detectable.

Upon account termination, data is made available for export for 30 days, after which it is securely deleted with SHA-256 destruction certificates issued as proof of deletion.

5. Data Security

  • AES-256-GCM encryption for all data at rest
  • TLS 1.3 for all data in transit
  • Per-tenant HKDF-derived encryption keys for cryptographic isolation
  • Industry-standard password hashing with no plaintext storage
  • MFA secrets encrypted using the platform master key
  • MSP data isolation enforced at every API endpoint
  • SHA-256 hash-chain audit trail for tamper detection

6. Rights of Data Subjects

Under POPIA, you have the right to:

  • Request access to your personal information (Section 23)
  • Request correction of inaccurate personal information (Section 24)
  • Request deletion of your personal information (Section 24)
  • Object to the processing of your personal information (Section 11(3))
  • Lodge a complaint with the Information Regulator

To exercise any of these rights, contact our Information Officer at the details below.

7. Third-Party Sharing

We do not sell or share personal information with third parties for marketing purposes. We may share data with: Microsoft (to facilitate M365 API access), a South African-based cloud infrastructure operator that provides the data-centre hosting and compute on which the Service runs (acting as an operator/sub-processor under POPIA, with data held in South Africa), payment processors (Peach Payments) for billing, and law enforcement agencies when required by South African law or court order.

8. Cross-Border Data Transfers

Data is stored in data centres located in South Africa where possible. Where cross-border transfer is necessary (e.g., Microsoft Graph API calls), we ensure adequate protection in compliance with POPIA Section 72 through binding agreements and appropriate security measures.

9. Information Officer

Synchplus Consulting (Pty) Ltd's designated Information Officer can be contacted at:

Information Officer

Synchplus Consulting (Pty) Ltd

Email: info@kapardyn.com

Phone (South Africa): +27 67 761 4592

10. Complaints

If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.