ISO Assistant

Mercator Projects PAIA Manual

Effective date: 16 July 2026Version: 2026-07-16

This manual is prepared for Mercator Projects Pty Ltd in terms of section 51 of the Promotion of Access to Information Act 2 of 2000, as amended (PAIA). It also describes relevant processing of personal information under the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Private body and Information Officer

  • Private body: Mercator Projects Pty Ltd
  • Registration number: 2019 / 008222 / 07
  • Information Officer and head of the private body: Eugene van der Watt
  • Physical address: 23 Cape Point Main Rd, Castle Rock, Simon’s Town, 7975, South Africa
  • Telephone: +27 (0)83 226 6899
  • Email for PAIA and POPIA requests: info@isoassistant.com
  • Website: https://app.isoassistant.com

2. Purpose of this manual

This manual explains what records Mercator Projects holds, which records are readily available, how to request access, the categories and purposes of personal-information processing, recipients and cross-border flows, and the general safeguards used to protect information.

3. Information Regulator PAIA guide

The Information Regulator publishes a guide explaining how to use PAIA and POPIA, available in the official languages and accessible through the Regulator’s website at https://inforegulator.org.za/paia-guidelines/ or from the Information Officer on request.

4. Records available without a formal PAIA request

  • Published Privacy Policy, Terms and Conditions, Data Processing Addendum, Subprocessor list, and this PAIA manual.
  • Public website descriptions, pricing or service information, and publicly released company or product information.
  • Information that Mercator Projects has already made publicly available or that a requester is legally entitled to receive without using PAIA.

5. Records maintained under legislation

  • Corporate and statutory records under the Companies Act 71 of 2008.
  • Tax, VAT, accounting, and supporting records under applicable tax and financial legislation.
  • Electronic transaction and customer records under the Electronic Communications and Transactions Act 25 of 2002.
  • Consumer records where the Consumer Protection Act 68 of 2008 applies.
  • PAIA manuals and request records under PAIA, and privacy records under POPIA.
  • Contracts, invoices, payment records, intellectual-property records, and records required by other applicable South African law.

6. Subjects and categories of records

  • Corporate governance: incorporation, ownership, resolutions, statutory filings, policies, and insurance.
  • Finance and tax: accounts, invoices, expenses, bank and payment references, budgets, and tax records.
  • Customers and service delivery: contracts, subscriptions, account administration, support, communications, and customer-controlled ISO Assistant content.
  • Suppliers and operators: contracts, due diligence, invoices, service records, security information, and data-processing terms.
  • Technology and security: system configuration, access records, sessions, logs, incidents, backups, continuity, vulnerability, and change records.
  • People: director, contractor, applicant, and personnel records if and when applicable.
  • Legal and compliance: PAIA requests, privacy requests, processing records, incidents, complaints, disputes, and professional advice.

7. How to request access

A requester must submit the prescribed request form to info@isoassistant.com with enough detail to identify the record, the requester, the right being exercised or protected, and the preferred form of access. Identity and authority may be verified.

Prescribed request and access fees may apply. Access may be refused on a ground permitted by PAIA, including protection of third-party privacy, confidential commercial information, safety, legal privilege, or information that cannot lawfully be disclosed.

The Information Regulator’s current forms and fee information are available at https://inforegulator.org.za/paia-guidelines/.

8. Personal-information processing

  • Purposes: providing and securing ISO Assistant, customer administration, billing, support, communications, legal compliance, fraud prevention, and customer-instructed processing.
  • Data subjects: users, customer personnel and contacts, suppliers, clients, visitors, incident participants, support contacts, payment contacts, and other persons whose information customers lawfully record.
  • Information: identity, contact, account, employment, training, audit, incident, safety, health, supplier, billing, support, communications, technical, and security information.
  • Recipients: authorised customer users, Vercel, Neon, Resend, PayFast, OpenAI when an AI feature is requested, professional advisers, and lawful authorities.

9. Cross-border processing

Some hosting, database, email, support, AI, backup, or provider operations may occur in the United Kingdom, European Economic Area, United States, South Africa, or other locations. Mercator Projects uses contractual and organisational measures intended to meet POPIA section 72 and other applicable transfer requirements.

10. General security safeguards

  • Role, permission, membership, and tenant-scoped access controls.
  • Password hashing, secure sessions, re-authentication for destructive actions, and login abuse protection.
  • Encrypted transport, provider encryption at rest, private attachment storage, authenticated delivery, and backup controls.
  • Security headers, selected audit records, restricted provider access, incident handling, and periodic control review.

11. Availability and updates

This manual is available on the ISO Assistant website, from the Information Officer by email, and for inspection at the physical address by prior appointment during normal business hours. Reasonable prescribed copying fees may apply.

Mercator Projects will review this manual periodically and update it when its records, processing, contact details, law, or operations materially change.