Security
Learn how Datar protects your data, manages access, and maintains a secure platform for your organisation.
Your data is protected
Datar is built on enterprise-grade infrastructure with security at every layer. Your data is encrypted at rest and in transit, access is controlled through fine-grained permissions, and the platform is continuously monitored for threats. We follow industry best practices to ensure your organisation's information remains confidential, intact, and available when you need it.
Data protection
How your data is stored, encrypted, backed up, and isolated
Encryption at rest
All data stored on the platform is encrypted using industry-standard AES-256 encryption. This includes files in encrypted cloud storage, managed database records, and all backup copies. Encryption keys are managed by the cloud provider's key management service and are rotated automatically on a regular schedule.
Encryption in transit
All communication between your browser and the platform uses TLS 1.2+ encryption. API calls, file uploads, and real-time updates are all transmitted over encrypted channels. We enforce HTTPS on all endpoints and automatically redirect any unencrypted requests.
Regular backups
Your data is backed up continuously with point-in-time recovery capabilities. Backups are performed automatically and stored in geographically separate locations for resilience. Our recovery time objective (RTO) is under four hours, with a recovery point objective (RPO) of under one hour, meaning minimal data loss in the unlikely event of a failure.
Tenant data isolation
Each organisation's data is logically isolated at the database level. Strict access controls ensure that one organisation's data can never be accessed by another tenant, even though the platform serves multiple customers. Every query is scoped to the requesting organisation, and cross-tenant access is architecturally prevented by the data layer.
Access controls
How access to your data is managed through authentication, roles, and item-level permissions
Datar uses a layered approach to access control, ensuring that only authorised people can see and modify your data. Access is enforced at three levels: platform authentication, role-based access within your organisation, and item-level permissions on individual files, projects, and requests.
Authentication
Users must authenticate with a verified email address and password. Passwords are hashed using industry-standard algorithms and are never stored in plain text. Session tokens are securely managed, expire after a period of inactivity, and are invalidated on logout. Failed login attempts are rate-limited to prevent brute-force attacks.
Role-based access
Your administrator assigns roles that determine what each user can access across the platform. Common roles include Employee, Manager, HR Admin, and System Admin. Roles control which modules, settings, and administrative functions are visible and available to each user.
Item-level permissions
Each file, project, request, and other item has its own permission settings. You control exactly who can view, comment, edit, or manage each item you create. When you share an item, the recipient receives only the access level you specify — and you can change or revoke it at any time.
Audit logging
All significant actions are logged with timestamps and user information. Administrators can review the activity history on any item to see who accessed, modified, or shared it. Audit logs are retained for compliance purposes and cannot be modified or deleted by users.
Permission levels explained
When sharing an item, you assign one of five permission levels. Each level includes all the capabilities of the levels below it:
Viewer — Can open and read the item but cannot make any changes. Ideal for stakeholders who need visibility without the ability to edit.
Commenter — Can view the item and add comments or annotations, but cannot modify the content itself. Useful for reviewers and collaborators providing feedback.
Editor — Can view, comment, and modify the item's content. Editors can update fields, upload new versions, and make substantive changes, but cannot delete the item or change its sharing settings.
Admin — Has full editing capabilities plus the ability to manage sharing settings, add or remove other collaborators, and configure item-level preferences. Admins cannot delete the item.
Owner — Has complete control over the item, including the ability to delete it permanently, transfer ownership, and override any other permission settings. Every item has exactly one owner.
Infrastructure security
The platform infrastructure that keeps your data safe and available
Cloud hosting
Datar is hosted on Amazon Web Services (AWS), which provides world-class physical security, network protection, and compliance certifications including ISO 27001, SOC 2, and CSA STAR. Data centres are staffed 24/7 with multi-factor physical access controls.
Network isolation
The platform runs in isolated network environments with firewalls and security groups that restrict access to only necessary services. Backend services are not directly accessible from the public internet. All traffic is routed through managed load balancers with DDoS protection.
Content delivery network
Static assets and the web application are served through a global content delivery network (CDN) with edge locations worldwide. This improves performance for users regardless of their location and provides an additional layer of DDoS mitigation at the network edge.
Auto-scaling
The platform automatically scales compute and database resources in response to demand. This ensures consistent performance during peak usage periods and prevents service degradation when traffic increases unexpectedly.
Monitoring and alerts
Automated monitoring watches for unusual activity, error spikes, and performance anomalies around the clock. Security alerts are investigated and addressed promptly by the operations team. Structured logging ensures that operational events are traceable and auditable.
Uptime commitment
Datar targets 99.9% platform availability. Planned maintenance windows are communicated in advance and scheduled during off-peak hours. In the event of an unplanned outage, the operations team follows established incident response procedures to restore service as quickly as possible.
Compliance & privacy
How Datar handles privacy, regulatory requirements, and South African data protection law
POPIA compliance
As a South African platform, Datar is designed to comply with the Protection of Personal Information Act (POPIA). We process personal information lawfully, collect only what is necessary, and ensure that data subjects' rights are respected. Your organisation remains the responsible party for its data, while Datar acts as an operator processing data on your behalf in accordance with your instructions.
Data sovereignty
Data is stored in the cloud region configured for your organisation. For South African customers, this means your data resides within the Africa (Cape Town) region by default. This helps you meet local data residency and sovereignty requirements, ensuring that your organisation's information does not leave the jurisdiction without your explicit consent.
Right to erasure
In accordance with POPIA, data subjects have the right to request the deletion of their personal information. Upon receiving a verified erasure request, Datar will remove the relevant personal data from active systems and backups within 30 days. Administrators can initiate erasure requests through the platform or by contacting the support team.
Data privacy
Your organisation's data belongs to your organisation. Datar does not sell, share, or use your data for advertising or profiling purposes. Data processing follows your organisation's policies and the terms of our data processing agreement. We do not access your data except when necessary to provide the service or when required by law.
Retention policies
Deleted items go to trash and are retained for a configurable period before permanent deletion. Administrators can adjust retention periods to meet their organisation's record-keeping requirements. When data is permanently deleted, it is removed from all active storage and will be purged from backups within the normal backup rotation cycle.
Data export
Your organisation can request a full export of its data at any time. This supports data portability requirements under POPIA and ensures you are never locked in. Contact your administrator or the Datar support team for assistance with data exports.
Incident response
How security incidents are detected, managed, and resolved
Datar maintains a structured incident response process to handle security events swiftly and transparently. Our goal is to minimise impact, communicate clearly, and learn from every incident to strengthen the platform.
1. Detection
Automated monitoring systems, anomaly detection, and user reports are used to identify potential security incidents. Alerts are triaged by the operations team and escalated based on severity.
2. Assessment
Once an incident is identified, the team assesses its scope, severity, and potential impact. Incidents are classified as low, medium, high, or critical based on the nature of the data involved and the number of users affected.
3. Containment
Immediate steps are taken to contain the incident and prevent further exposure. This may include revoking compromised credentials, isolating affected systems, or temporarily disabling specific functionality until the threat is neutralised.
4. Communication
Affected organisations are notified promptly with clear, factual information about the incident, its impact, and recommended actions. For incidents involving personal information, notifications are issued within the timeframes required by POPIA and other applicable regulations.
5. Resolution
The root cause is identified and remediated. Fixes are deployed, affected systems are restored to normal operation, and any compromised data or credentials are rotated. The incident is formally closed once all remediation steps are complete.
6. Post-mortem
After every significant incident, a blameless post-mortem review is conducted. The team documents what happened, why it happened, and what changes will be made to prevent recurrence. Lessons learned are incorporated into platform improvements and updated security procedures.
security@datar.co.za immediately. Do not wait — early reporting helps us contain incidents faster.
Security contact
How to report security issues
If you discover a security vulnerability or have concerns about the platform's security, please report it responsibly. We take all reports seriously and will respond promptly.
Send security reports to security@datar.co.za. Include detailed steps to reproduce the issue and any relevant screenshots or logs. Please do not include sensitive credentials in unencrypted emails.
Response time
We aim to acknowledge security reports within 24 hours and provide an initial assessment within 72 hours. Critical issues are prioritised immediately and escalated to the security team for urgent review.
Your responsibilities
Steps you can take to keep your account safe
Security is a shared responsibility. Here are things you can do to protect your account and your organisation's data:
Use a strong password
Choose a unique password that is at least 12 characters long and includes a mix of letters, numbers, and symbols. Do not reuse passwords from other services. Consider using a password manager to generate and store strong passwords.
Share carefully
Only share files and items with people who need access. Use the minimum permission level necessary — for example, give Viewer access if someone only needs to read a document. Review your shared items periodically and revoke access that is no longer needed.
Log out on shared devices
If you access Datar from a shared or public computer, always log out when you are finished. Do not save your password in shared browsers. Close all browser tabs to ensure your session is fully terminated.
Report suspicious activity
If you notice anything unusual — unexpected changes, unfamiliar logins, or suspicious messages — report it to your IT administrator immediately. Prompt reporting helps contain potential incidents before they escalate.
Frequently asked questions
Common questions about Datar's security practices
Yes. All data is encrypted both at rest and in transit. Data stored on the platform uses AES-256 encryption, and all network communication uses TLS 1.2 or higher. Encryption keys are managed by the cloud provider's key management service and rotated automatically. This means your data is protected whether it is being stored, transferred, or backed up.
No. Each organisation's data is logically isolated at the database level. Strict scoping rules ensure that every query only returns data belonging to the requesting organisation. There is no mechanism for one tenant to access another tenant's data, and this isolation is enforced architecturally rather than relying solely on application logic.
Data is stored in the cloud region configured for your organisation. For South African customers, this is typically the Africa (Cape Town) region, which means your data remains within the country. If your organisation requires a different region for data sovereignty or latency reasons, contact the Datar support team to discuss your options.
Datar follows a structured incident response process. If a breach involving personal information is confirmed, affected organisations and the Information Regulator (as required by POPIA) are notified within the legally mandated timeframes. The notification includes details of the incident, the data involved, and recommended steps for affected users. See the Incident response section above for the full process.
Yes. Under POPIA, you have the right to request access to your personal information held by Datar, as well as the right to request its correction or deletion. To exercise these rights, contact your organisation's administrator or email security@datar.co.za. Verified erasure requests are processed within 30 days, and data is removed from active systems and backups.