Security and privacy at SyncPoint Notify
SyncPoint Notify helps South African schools send SMS notices to parents and guardians. Because that involves the personal information of children and their guardians, we designed the platform to support POPIA-aligned processing and to keep each school's data strictly separate.
Last updated: 10 July 2026
Per-school data isolation
Every school is a separate tenant. Learner, guardian, message and staff records are tagged to a school, and our database access rules only ever return rows belonging to the signed-in user's own school. A user at one school cannot read, create, change, delete or export another school's data through the app, the API, or database functions.
This isolation is enforced at the database layer (row-level security), not just in the interface, and we maintain automated tests that attempt cross-school access and confirm it is denied.
Encryption
Data is encrypted in transit (HTTPS/TLS) between your browser and our platform, and encrypted at rest on the underlying managed cloud infrastructure. We do not claim end-to-end encryption of message content.
Access control
Access to a school's workspace requires an account, sign-in, and approval by that school's administrator. Roles (administrator vs. staff) determine who can send messages and change settings. Roles are stored separately from user profiles to prevent privilege escalation, and leaked-password protection is enabled on sign-up and password changes.
Data minimisation & children's information
We only need enough information to deliver SMS notices: a learner's name, grade/class, an optional admission number, and guardian name and phone number. Our importer is built to protect children's personal information — it automatically ignores sensitive columns commonly found in SA-SAMS and similar exports and never stores them, including:
- national ID numbers and identity documents,
- medical, health or disability information,
- home / residential / postal addresses,
- marks, results and assessment records, and
- disciplinary or conduct records.
If a spreadsheet contains these columns, they are excluded from the import rather than saved.
Auditing sensitive actions
Sensitive administrative actions and exports of learner/guardian data are recorded in a per-school audit log — for example approving or removing a team member, changing school settings, deleting records, running an import, and exporting a recipient list. Only that school's administrators can view their own audit log.
Opt-out & suppression
Guardians can opt out, and opted-out numbers are automatically excluded from future sends. Unsubscribe and suppression are respected across the platform.
Subprocessors
We use a small number of trusted service providers to run the platform — managed cloud hosting and database, and an SMS delivery provider (BulkSMS) to transmit your messages. These providers process data on our and your school's behalf to provide the service.
Security incidents
We maintain a documented process for handling suspected security incidents: containment, assessment of what data may be affected, notification of impacted schools without undue delay so they can meet their own obligations, and remediation. Report a suspected issue to info@syncpointsolutions.co.za.
Certifications
We are honest about our current status: SyncPoint Notify does not hold formal certifications such as ISO 27001 or SOC 2. We describe the platform as designed to support POPIA-aligned processing; this is not a guarantee of full legal compliance and is not an independent certification.
Questions, or a privacy / data-subject request? Contact info@syncpointsolutions.co.za.
SyncPoint Notify is built and operated by SyncPoint Digital Solutions (Pty) Ltd.
