DoubleDown AI
SECURITY & COMPLIANCE

Your data, handled responsibly.

DoubleDown AI builds and hosts AI automation for South African businesses. This page explains how we protect your data and how we comply with the Protection of Personal Information Act (POPIA).

Website Chatbot Security

Every chatbot we build for you — and every visitor who uses it — is protected by bank-level security controls, by default. Here is exactly what that means, in plain language:

BANK-LEVEL SECURITY & RATE LIMITING
Every chatbot and dashboard sits behind hardened, rate-limited infrastructure. Automated abuse and flooding are throttled at the door, so your bot stays fast and available for real customers.

ANTI-CREDIT-WASTE / ABUSE DETECTION
The AI detects and blocks repeated or spam messages from visitors so they cannot drain your monthly message allowance. Messages blocked as abusive are not counted against you.

OUT-OF-CREDITS GRACEFUL HANDLING
When your monthly messages run out, further visitor messages are politely paused and never charged. The visitor sees a friendly note to contact your business directly or to wait until your limit resets.

TOPIC RESTRICTION
Each chatbot only answers questions about your business. It cannot be hijacked into off-topic tasks: no essays, no code, no general knowledge for strangers on your dime.

MODEL PRIVACY
The AI never reveals which AI model or provider powers it. Your competitive edge stays your own.

FILE & DATA SAFETY
Uploaded files are strictly validated by type, size and magic-byte sniffing (the declared file type must match the file's actual leading bytes). Executables, scripts, SVG and zip bombs are rejected. Accepted files are stored as data and are never executed on our infrastructure.

NO DATA LEAKS
Strict access controls mean no client can access another client's data. Every dashboard session requires authentication, with secure forgot-PIN recovery.
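The rate-limiting, duplicate-message and out-of-credits controls above are described only in outline. The following is an added illustration, not DoubleDown AI's code: a per-visitor gate that combines a token bucket (burst and sustained rate), a sliding-window check for repeated messages, and a credit check that only charges messages which pass the first two. The bucket sizes, window, allowance and the `Gate` class are assumptions made for the example.

```python
import hashlib
import time
from collections import deque

# Constructed policy values for this example; a real deployment tunes its own.
BUCKET_CAPACITY = 5        # burst a visitor may send before throttling
REFILL_PER_SEC = 0.5       # sustained rate: one message every 2 seconds
DUP_WINDOW_SEC = 60        # identical text within this window counts as spam
DUP_LIMIT = 2              # repeats of the same text tolerated in the window
MONTHLY_ALLOWANCE = 1000


class Gate:
    """Per-visitor message gate: rate limit, duplicate suppression, credit check.
    Only a message that passes all three is counted against the allowance."""

    def __init__(self, allowance=MONTHLY_ALLOWANCE, clock=time.monotonic):
        self.clock = clock            # injectable so tests can drive time
        self.credits = allowance
        self.buckets = {}             # visitor -> (tokens, last_refill_time)
        self.recent = {}              # visitor -> deque of (timestamp, digest)

    def _take_token(self, visitor, now):
        tokens, last = self.buckets.get(visitor, (BUCKET_CAPACITY, now))
        tokens = min(BUCKET_CAPACITY, tokens + (now - last) * REFILL_PER_SEC)
        if tokens < 1:
            self.buckets[visitor] = (tokens, now)
            return False
        self.buckets[visitor] = (tokens - 1, now)
        return True

    def _is_duplicate(self, visitor, text, now):
        # Normalise whitespace and case so trivial variations still match
        digest = hashlib.sha256(" ".join(text.lower().split()).encode()).digest()
        q = self.recent.setdefault(visitor, deque())
        while q and now - q[0][0] > DUP_WINDOW_SEC:
            q.popleft()                      # drop entries outside the window
        repeats = sum(1 for _, d in q if d == digest)
        q.append((now, digest))
        return repeats >= DUP_LIMIT

    def admit(self, visitor, text):
        """Return 'ok', 'throttled', 'duplicate' or 'out_of_credits'."""
        now = self.clock()
        if not self._take_token(visitor, now):
            return "throttled"          # never charged to the allowance
        if self._is_duplicate(visitor, text, now):
            return "duplicate"          # never charged either
        if self.credits <= 0:
            return "out_of_credits"     # visitor gets the polite pause notice
        self.credits -= 1
        return "ok"


def simulate():
    """Constructed traffic: a burst, a repeated message, then exhausted credits."""
    t = [0.0]
    gate = Gate(allowance=8, clock=lambda: t[0])
    out = []
    for i in range(7):                                     # 5 ok, then 2 throttled
        out.append(gate.admit("visitor-a", f"question {i}"))
    t[0] += 10.0                                           # bucket refills fully
    for _ in range(4):                                     # ok, ok, duplicate, duplicate
        out.append(gate.admit("visitor-a", "Hello?"))
    out.append(gate.admit("visitor-a", "one last question"))  # ok: allowance now 0
    t[0] += 10.0
    out.append(gate.admit("visitor-b", "are you open today?"))  # out_of_credits
    return out, gate.credits
```

The order of the checks matters: throttled and duplicate messages are rejected before the credit check, so they can never consume allowance, and the bucket is keyed per visitor so one flooding client cannot starve the others.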

In short: your message allowance is protected from abuse, your visitors are handled gracefully, your data is isolated, and your AI stays on-topic and on-brand — all without you lifting a finger.
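The file-safety bullet above names the checks (type, size, magic bytes; rejection of executables, scripts, SVG and zip bombs) without showing them. The following is an added example, not DoubleDown AI's code: an upload validator that enforces a size cap, an extension allow-list, magic-byte sniffing against the declared type, outright rejection of executable or script signatures and of SVG content, and a zip inspection that refuses path-traversal entries and high compression ratios without extracting anything. The allow-list, limits and sample files are constructed for the example.

```python
import io
import zipfile

# Allow-list of accepted upload types: extension -> (MIME type, magic-byte prefix).
# Constructed for this example, not DoubleDown AI's own policy.
ALLOWED_TYPES = {
    "pdf": ("application/pdf", b"%PDF-"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "zip": ("application/zip", b"PK\x03\x04"),
    "txt": ("text/plain", None),   # plain text has no magic; checked by content
}
MAX_SIZE = 10 * 1024 * 1024           # hard cap on the raw upload
MAX_UNCOMPRESSED = 50 * 1024 * 1024   # total bytes a zip may expand to
MAX_RATIO = 100                       # per-entry uncompressed:compressed ratio

# Content rejected outright whatever the claimed extension.
REJECT_PREFIXES = (
    b"MZ",                                     # Windows PE executable
    b"\x7fELF",                                # ELF executable
    b"#!",                                     # shebang script
    b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe",  # Mach-O / fat binary (also Java class)
)


class RejectedUpload(Exception):
    """Raised with a short reason whenever an upload fails validation."""


def _looks_like_svg(data):
    # SVG is XML and may carry <script>; reject it even when renamed .png
    head = data[:1024].lstrip().lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def _check_zip(data):
    # Inspect the central directory only; nothing is extracted to disk.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            total = 0
            for info in zf.infolist():
                if info.filename.startswith("/") or ".." in info.filename.split("/"):
                    raise RejectedUpload("zip entry path traversal")
                if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                    raise RejectedUpload("zip compression ratio too high (zip bomb)")
                total += info.file_size
                if total > MAX_UNCOMPRESSED:
                    raise RejectedUpload("zip expands beyond limit")
    except zipfile.BadZipFile:
        raise RejectedUpload("corrupt zip")


def validate_upload(filename, data):
    """Return the canonical MIME type for an accepted upload; raise otherwise."""
    if len(data) > MAX_SIZE:
        raise RejectedUpload("file too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise RejectedUpload(f"extension .{ext} not allowed")
    if data.startswith(REJECT_PREFIXES):
        raise RejectedUpload("executable or script content")
    if _looks_like_svg(data):
        raise RejectedUpload("SVG content (can carry script)")
    mime, magic = ALLOWED_TYPES[ext]
    if magic is not None:
        if not data.startswith(magic):
            raise RejectedUpload(f"content does not match .{ext}")
    else:
        # text/plain: no NUL bytes and must decode as UTF-8
        if b"\x00" in data:
            raise RejectedUpload("binary data in text file")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise RejectedUpload("text file is not UTF-8")
    if ext == "zip":
        _check_zip(data)
    return mime


def run_samples():
    """Constructed sample uploads (not real customer files) and their verdicts."""
    def make_zip(name, payload, method):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", method) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()

    samples = {
        "clean png":   ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
        "pe as pdf":   ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 64),
        "svg as png":  ("logo.png", b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"),
        "shebang txt": ("notes.txt", b"#!/bin/sh\nrm -rf /\n"),
        "small zip":   ("docs.zip", make_zip("readme.txt", b"hello world", zipfile.ZIP_STORED)),
        "zip bomb":    ("docs.zip", make_zip("zeros.bin", b"\x00" * (1 << 20), zipfile.ZIP_DEFLATED)),
        "oversized":   ("big.pdf", b"%PDF-" + b"\x00" * MAX_SIZE),
    }
    verdicts = {}
    for label, (name, data) in samples.items():
        try:
            verdicts[label] = "accepted:" + validate_upload(name, data)
        except RejectedUpload as e:
            verdicts[label] = "rejected:" + str(e)
    return verdicts
```

Prefix sniffing catches renamed executables and scripts but is not a full parser: a polyglot that is simultaneously a valid PNG and a valid zip passes the magic check, which is why the second line of defence in the bullet (files are stored as data and never executed) still matters.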

POPIA compliance & lawful basis

We process personal information in line with the Protection of Personal Information Act, 2013 (POPIA). We act as a responsible party for the data we collect to deliver and support your service, and as an operator when we process personal information on your behalf inside the AI systems we build for you.

Our lawful bases for processing include:

We collect only what we need, keep it only as long as needed, and never sell personal information.

Encryption

AT REST
Stored data is encrypted using AES-256.

IN TRANSIT
All traffic is encrypted with TLS 1.3 (HTTPS only).

Credentials, API keys and sensitive configuration are stored encrypted and are never exposed in client-side code or logs.

Hosting & data residency

Production systems and customer data are hosted on dedicated South-Africa-region infrastructure (Hostinger). Keeping data in South Africa supports compliance with POPIA's conditions on cross-border transfers of personal information (section 72) and lowers latency for SA users.

A limited number of trusted sub-processors (for example, AI model APIs and payment processing via PayFast) may process data strictly to deliver the service. We use only reputable providers and pass through only the minimum data required. A current list of sub-processors is available on request.

Backups & recovery

We run automated daily backups of customer data and configuration, with a rolling 30-day restore window. Backups are encrypted and access-controlled. This protects you against accidental loss, corruption or service disruption.

Data Processing Agreement (DPA)

For enterprise and any client who requires one, we provide a POPIA-aligned Data Processing Agreement covering processing scope, security measures, sub-processors, breach notification and data return/deletion on termination.

Request a DPA by emailing sales@doubledownai.co.za.

Your rights (data subjects)

Under POPIA, data subjects may request access to, correction of, or deletion of their personal information, and may object to certain processing. We will action valid requests within a reasonable period and free of charge in most cases.

For full details on what we collect and why, see our Privacy Policy. To exercise a right or raise a concern, contact us using the details below.

Incident response

If a security incident affects personal information, we will assess and contain it promptly and notify affected parties and the Information Regulator where POPIA requires it. Security questions and responsible-disclosure reports are welcome at sales@doubledownai.co.za.

Need a DPA, sub-processor list, or a security questionnaire completed?

We respond to security and compliance requests directly.

Email sales@doubledownai.co.za