Electronic Communications and Transactions Act (ECTA), 2002
The Electronic Communications and Transactions Act 25 of 2002 (ECTA) governs electronic signatures and electronic transactions in South Africa. Geteken is designed to satisfy the requirements of section 13 of ECTA for advanced electronic signatures where the parties choose to use this platform.
Section 13 — Electronic signatures
Section 13(1): Where the signature of a person is required by law, that requirement is met by an advanced electronic signature. Geteken captures the signatory's identity (OTP-verified email or SMS), timestamp, IP address, and a SHA-256 hash of the document at the moment of signing.
Section 13(2): An electronic signature is not without legal force and effect merely because it is in electronic form. Signatures collected on this platform are legally effective under ECTA.
Section 13(3)-(4) / Reasonable reliability standard: Geteken satisfies the reasonable-reliability standard by: (a) linking the signature uniquely to the signatory via OTP verification; (b) recording the IP address, user-agent, and timestamp in an append-only audit log; (c) applying an RSA-PSS-SHA256 cryptographic seal over the final document; and (d) generating an immutable audit certificate attached to the signed PDF.
Audit certificate
Every completed envelope produces a PDF audit certificate that records: envelope reference, document SHA-256 hash (pre- and post-signing), each signatory's identity, OTP method, signed-at timestamp, IP address, the RSA-PSS-SHA256 digital signature over the final document, and the platform public key fingerprint. The certificate is appended to the signed document and independently verifiable offline.
Sample audit certificate (PDF) — available after account creation.
Protection of Personal Information Act (POPIA), 2013
The Protection of Personal Information Act 4 of 2013 (POPIA) commenced fully on 1 July 2021. As a responsible party under POPIA, Geteken (Pty) Ltd processes personal information only for the purposes set out below.
Information officer
Geteken's Information Officer is responsible for ensuring POPIA compliance within the organisation. Contact: compliance@geteken.co.za. The Information Officer is registered with the Information Regulator of South Africa.
[PLACEHOLDER — Information Officer name and registration number to be inserted before public launch.]
Lawful basis for processing
Geteken processes personal information on the following lawful bases under POPIA section 11: (a) performance of a contract — to deliver the signing service you have contracted for; (b) legitimate interest — to maintain security logs and prevent fraud; (c) legal obligation — where retention is required by applicable law.
Retention
Signed documents and audit logs are retained for the period specified in your account settings (default: 7 years, configurable). After expiry, data is permanently deleted from production storage within 30 days. Backups are purged on their scheduled rotation cycle (maximum 90 days from deletion request).
Data-subject rights
Under POPIA, you have the right to: (a) request access to personal information we hold about you; (b) request correction of inaccurate information; (c) request deletion, subject to legal retention obligations; (d) object to processing; (e) lodge a complaint with the Information Regulator of South Africa (inforeg.org.za). Submit requests to compliance@geteken.co.za. We respond within 30 days.
Breach notification
In the event of a security compromise involving personal information, Geteken will notify affected data subjects and the Information Regulator within the timeframes required by POPIA section 22 (as soon as reasonably possible). Breach notifications will be sent to the contact address on your account.
Cross-border transfers
Customer data is stored in the South African region where available, with encrypted replication for disaster recovery. Requests are served through a global edge network, so request metadata may transiently traverse international nodes. We apply POPIA section 72 transfer controls and require that recipients provide an adequate level of protection for personal information.
Cryptographic guarantees
Signing algorithm
All document signatures use RSA-PSS with SHA-256 (PSS parameters: MGF1-SHA256, saltLen=32). This is the RSA-PSS-SHA256 scheme as specified in PKCS #1 v2.2 / RFC 8017.
Platform public key
The current platform public key fingerprint (SHA-256 of DER-encoded SubjectPublicKeyInfo) is published at /sign/verify-pubkey and in every audit certificate. Relying parties may independently verify the document signature using standard OpenSSL tooling.
openssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32 -pkeyopt rsa_mgf1_md:sha256
Key rotation
Platform signing keys are rotated on a defined schedule and immediately on any suspicion of compromise. Audit certificates embed the key fingerprint at the time of signing, so historical documents remain verifiable after rotation. Retired public keys remain published at the verify-pubkey endpoint.
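A relying party's offline check, combining the fingerprint pin and the seal verification described in this section. This is an added example, not Geteken's own code: the function names, file names and the throwaway demo key are constructed, and it assumes the seal is a detached RSA-PSS signature over the SHA-256 digest of the final document bytes.

```shell
#!/bin/sh
# Pin the platform key by fingerprint first, then verify the RSA-PSS seal.
# A real check takes the key from /sign/verify-pubkey and the expected
# fingerprint from the audit certificate; everything below is constructed.

# SHA-256 of the DER-encoded SubjectPublicKeyInfo, as lowercase hex.
spki_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_seal PUBKEY DOCUMENT SIGNATURE EXPECTED_FINGERPRINT
# 0 = key matches the pin and the seal verifies, 3 = wrong key, 1 = bad seal.
verify_seal() {
    got=$(spki_fingerprint "$1")
    # Accept the pin with or without colons and in either letter case.
    want=$(printf '%s' "$4" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "public key does not match pinned fingerprint" >&2
        return 3
    fi
    # pkeyutl verifies a digest, so hash the document and feed it on stdin.
    openssl dgst -sha256 -binary "$2" |
        openssl pkeyutl -verify -pubin -inkey "$1" -sigfile "$3" \
            -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
            -pkeyopt rsa_pss_saltlen:32 -pkeyopt rsa_mgf1_md:sha256 2>/dev/null |
        grep -q 'Signature Verified Successfully' || return 1
}

# Constructed fixture: a throwaway key stands in for the platform key and a
# text file stands in for the signed PDF. Prints the fixture directory.
make_demo() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pubkey.pem"
    printf 'constructed stand-in for the signed PDF\n' > "$dir/signed.pdf"
    openssl dgst -sha256 -binary "$dir/signed.pdf" |
        openssl pkeyutl -sign -inkey "$dir/priv.pem" -out "$dir/sig.bin" \
            -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
            -pkeyopt rsa_pss_saltlen:32 -pkeyopt rsa_mgf1_md:sha256
    echo "$dir"
}
```

Checking the fingerprint before the signature matters after a rotation: a seal that verifies under some published key is only meaningful if that key is the one named in the document's own audit certificate.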
Data hosting & residency
Data storage
Customer data is stored with a tier-1 cloud provider certified under ISO 27001 and SOC 2 Type II, in the South African region. All data at rest is encrypted using AES-256 and all data in transit uses TLS 1.2+. Our full sub-processor list is available in the security pack (under NDA).
Application delivery
The application is delivered through a global edge network operated by a provider certified under ISO 27001 and SOC 2 Type II, serving requests from the location closest to the requester. Detailed architecture documentation is shared with customers under NDA — contact security@geteken.co.za.
Retention windows
Signed document PDFs: per account configuration (default 7 years). Audit logs: same as document retention. Signing OTPs: purged within 24 hours of use or expiry. Session tokens: 30-day rolling. Payment records: 5 years (SARS requirement).
Incident response
Geteken maintains an incident response plan covering detection, containment, eradication, recovery, and post-incident review. Security incidents affecting customer data are triaged within 4 hours of detection. Critical incidents trigger immediate notification to affected account owners. Notify us of suspected security issues at compliance@geteken.co.za.
Contact
For compliance, privacy, or data-subject-rights enquiries: compliance@geteken.co.za. For general support, use the in-app help channel.
This page reflects Geteken's current technical and operational practices. It is reviewed quarterly and updated as the platform evolves.