Article [ 01 ]
Our commitment.
HIMARK handles confidential commercial information for clients operating at the premium tier of their markets. The integrity of those engagements depends on the security of the information they entrust to us.
This Data Security Policy describes the technical, organisational, and procedural controls HIMARK applies to protect personal information and client confidential information against loss, unauthorised access, alteration, disclosure, and destruction. It is reviewed quarterly and operates in conjunction with our Privacy Notice and our obligations under POPIA.
Article [ 02 ]
Governance.
HIMARK has appointed an Information Officer responsible for security posture, compliance, and incident response. The Information Officer reports directly to the Chief Executive and operates with the authority to halt processing activity that creates unacceptable risk.
Security responsibilities are formally distributed across the leadership team:
- Information Officer — overall accountability, policy ownership, regulator liaison
- Chief Operations Officer — operational protocol, vendor due diligence, personnel access
- Chief Technology Officer — infrastructure, encryption, monitoring, technical incident response
Article [ 03 ]
Access control.
Access to personal information and client confidential information follows the principle of least privilege. No member of HIMARK has access to information they do not require to perform their specific role.
- Role-based access controls on every operational system, with quarterly review of access lists
- Multi-factor authentication required on all systems holding client or personal information
- Single sign-on through a centrally administered identity provider where supported
- Access revoked within twenty-four (24) hours of role change or departure
- Privileged access logged, monitored, and reviewed monthly
Article [ 04 ]
Encryption.
HIMARK applies encryption as a baseline control across all systems handling personal information or client confidential information.
- In transit — TLS 1.2 or higher on all web traffic, including the himark.co.za website, the Atlas assistant, and AIRaaS deployments
- At rest — AES-256 encryption on all storage systems holding client material, including engagement working files, application records, and operational databases
- Key management — encryption keys held in a managed key service with rotation on a defined cadence and access restricted to system principals
- Backups — encrypted at rest, geographically distributed, and validated through periodic restoration tests
Article [ 05 ]
Infrastructure.
HIMARK operates on cloud infrastructure provided by reputable, audited providers. The technology platform is designed for resilience, isolation, and observability.
- Network segmentation between public-facing services, internal operational systems, and storage layers
- Web application firewall on all public endpoints with rate limiting and signature-based threat detection
- Continuous logging of access events, with logs retained for security review
- Automated patch management for operating systems and supporting libraries
- Periodic vulnerability scans and remediation of findings within defined service levels
Article [ 06 ]
Personnel.
HIMARK is a small firm operating to a high standard of personal accountability. Every member of the firm is treated as a custodian of the information entrusted to us.
- Background verification proportionate to role at the point of engagement
- Confidentiality obligations binding on every member of the firm and continuing beyond departure
- Annual security awareness review, including phishing simulation and incident-response drilling
- Device security policy covering disk encryption, screen lock, and approved applications
- No personal devices used for client work without explicit policy approval and minimum control standards
Article [ 07 ]
Vendor management.
Where HIMARK relies on third-party services to deliver client engagements, those vendors are vetted before adoption and reviewed periodically thereafter.
- Documented due diligence covering security posture, certifications, and data residency
- Contractual obligations consistent with this policy and with our POPIA obligations
- Annual vendor review including any newly disclosed incidents, certification changes, or material control changes
- Termination procedures that include verified deletion of HIMARK and client information held by the vendor
[ No Advertising Vendors ]
HIMARK does not engage advertising networks, retargeting platforms, or marketing data brokers as part of its operational stack.
Article [ 08 ]
Incident response.
HIMARK maintains a defined incident response process. The objective is rapid containment, transparent communication, and structured remediation.
- Detection — monitoring across infrastructure with alerts to the Information Officer and Chief Technology Officer
- Containment — immediate isolation of affected systems and revocation of compromised credentials
- Assessment — determination of scope, affected data subjects, and likely impact
- Notification — affected data subjects and the Information Regulator notified in accordance with section 22 of POPIA where the breach creates a reasonable risk of harm
- Remediation — root-cause analysis, control improvement, and documented closure
Incident records are retained for review and to inform future control strengthening.
Article [ 09 ]
Continuous review.
Security posture is reviewed quarterly. The review covers control effectiveness, vendor changes, personnel changes, incident history, and external threat landscape changes. Findings are documented and translated into remediation actions with defined ownership and target dates.
The Information Officer presents a summary of the quarterly review to firm leadership. Where required, this Data Security Policy is updated and republished, with material changes communicated to active clients.
Article [ 10 ]
Reporting.
If you believe HIMARK has experienced a security incident, has compromised the confidentiality of information you have entrusted to us, or is operating outside the standards described in this policy, please contact the Information Officer directly:
[ Information Officer ]
HIMARK (Pty) Ltd
Attention: The Information Officer
Randburg, Gauteng, South Africa
Email: info@himark.co.za
HIMARK acknowledges all credible reports within forty-eight (48) hours and provides a substantive response within seven (7) working days.