Data Processing Register (ROPA)
Record of Processing Activities - Complete inventory of how Larasoft processes personal information
About This Register
This register documents all personal information processing activities at Larasoft, as required by the Protection of Personal Information Act (POPIA). It shows what data we collect, why we collect it, how we protect it, and how long we keep it.
Client Onboarding
Collecting client company information during signup
Data Categories
Business contact info, Company registration details
Data Subjects
Business clients (companies)
Purpose of Processing
To establish client relationship and provide services
Legal Basis
Contract performance
Storage Location
Azure South Africa North
Retention Period
7 years after contract ends (tax law requirement)
Security Measures
Encryption at rest
Transborder Transfers
Access controls
Data Recipients
Internal CRM/database
Owner
None (SA only)
View Specific Data Fields
Company name, Registration number, VAT number, Contact person name, Email, Phone, Physical address, Billing address
Xero Integration - Financial Data Sync
Connecting to clients' Xero accounts to sync financial data
Data Categories
Financial transactions, Invoice data, Payment records, Account balances
Data Subjects
Business clients and their end-customers
Purpose of Processing
To provide accounting automation and financial reporting services
Legal Basis
Contract performance + Legitimate interest
Storage Location
Xero (global - likely Australia/US), Our DB: Azure SA
Retention Period
Transactional data: 7 years (tax law)
Security Measures
API authentication tokens encrypted
Transborder Transfers
Data encrypted in transit (TLS)
Data Recipients
Xero (processor) + Our application database
Owner
Yes - Xero servers (Australia/US/EU depending on client's Xero region)
View Specific Data Fields
Transaction IDs, Amounts, Dates, Invoice numbers, Customer names (from client's customers), Payment methods, Bank account numbers (masked), GL codes
CIN7 Integration - Inventory Data Sync
Syncing inventory and order data from CIN7
Data Categories
Inventory records, Sales orders, Purchase orders, Product data
Data Subjects
Business clients and their suppliers/customers
Purpose of Processing
To provide inventory management automation
Legal Basis
Contract performance
Storage Location
CIN7 servers (global), Our DB: Azure SA
Retention Period
3 years after order completion
Security Measures
API authentication encrypted
Transborder Transfers
TLS encryption
Data Recipients
CIN7 (processor) + Our application database
Owner
Yes - CIN7 servers (likely US/Australia)
View Specific Data Fields
Product SKUs, Quantities, Prices, Order numbers, Supplier names, Customer names (from client's customers), Timestamps
FTP/SFTP File Transfers
Secure file transfer service for client document exchange
Data Categories
Business documents, Financial files, Reports
Data Subjects
Business clients
Purpose of Processing
To provide secure file transfer service
Legal Basis
Contract performance
Storage Location
AWS S3 Cape Town (af-south-1) + Azure SA (VM)
Retention Period
Configurable per client (default: 90 days post-processing)
Security Measures
AES-256 encryption at rest
Transborder Transfers
TLS in transit
Data Recipients
AWS S3 (processor)
Owner
Audit logs
View Specific Data Fields
File names, File contents (varies - invoices, statements, payroll, etc.), Upload/download timestamps, Client usernames, IP addresses
Application Logging and Monitoring
Logging user activity and system events for troubleshooting and security
Data Categories
Access logs, Error logs, API call logs
Data Subjects
Business clients (users of our platform)
Purpose of Processing
Security monitoring + System troubleshooting + Legal compliance
Legal Basis
Legitimate interest
Storage Location
Azure South Africa North
Retention Period
90 days (rolling)
Security Measures
Encrypted storage
Transborder Transfers
Access restricted to tech team only
Data Recipients
Internal log storage + possibly Azure Monitor
Owner
LOW
View Specific Data Fields
Usernames, IP addresses, Timestamps, Actions performed, Error messages
Customer Support Communications
Email and support ticket correspondence
Data Categories
Support tickets, Email communications
Data Subjects
Business clients
Purpose of Processing
To provide customer support
Legal Basis
Contract performance
Storage Location
Local server or email provider (TBD - need to document)
Retention Period
2 years
Security Measures
Email encryption (TLS)
Transborder Transfers
Access controls
Data Recipients
Internal ticketing system (or email)
Owner
LOW
View Specific Data Fields
Client contact name, Email address, Phone (if provided), Issue descriptions, Resolution notes
Invoicing and Billing
Generating invoices and processing payments via Xero
Data Categories
Billing information, Payment records
Data Subjects
Business clients
Purpose of Processing
To bill for services and maintain financial records
Legal Basis
Contract performance + Legal obligation (tax)
Storage Location
Xero servers (global)
Retention Period
7 years (tax law)
Security Measures
Xero's security controls
Transborder Transfers
TLS for data sync
Data Recipients
Xero (processor)
Owner
MEDIUM
View Specific Data Fields
Company name, VAT number, Billing address, Invoice amounts, Payment status, Bank details (Xero holds these)
Employee/Contractor Information (Internal)
Managing information about the 2 founders/team members
Data Categories
HR records, Payroll, Contact info
Data Subjects
Employees (the 2 founders)
Purpose of Processing
HR administration + Payroll + Tax compliance
Legal Basis
Legal obligation + Contract
Storage Location
Depends on payroll provider
Retention Period
6 years after employment ends (tax law)
Security Measures
Need to document security measures
Transborder Transfers
Depends on provider
Data Recipients
Payroll provider (TBD - need to document)
Owner
HR/Finance
View Specific Data Fields
Names, ID numbers, Tax numbers, Bank details, Contact details, Employment contracts
Website Analytics
Tracking website visitors for analytics
Data Categories
Website usage data, IP addresses, Browser info
Data Subjects
Website visitors
Purpose of Processing
To analyze website performance and improve user experience
Legal Basis
Legitimate interest
Storage Location
Google servers (global)
Retention Period
14 months (configurable)
Security Measures
Google's security + cookie consent
Transborder Transfers
Yes - Google servers (US/EU)
Data Recipients
Google Analytics or similar
Owner
Marketing
View Specific Data Fields
Page views, Session duration, Referrer URLs, Device type, Location (city level), IP addresses
Data Backups
Backing up client data for disaster recovery
Data Categories
All data categories above
Data Subjects
All data subjects above
Purpose of Processing
Business continuity and disaster recovery
Legal Basis
Legitimate interest
Storage Location
TBD - need to document
Retention Period
30 days (daily backups)
Security Measures
Encrypted backups
Transborder Transfers
Secure storage
Data Recipients
Backup storage provider (TBD - Azure Backup? Local?)
Owner
Depends on backup location
View Specific Data Fields
All fields from above activities
Excel Data Import/Export
Processing client data via Excel spreadsheets for bulk operations
Data Categories
Financial data, Inventory data, Transaction records
Data Subjects
Business clients
Purpose of Processing
To facilitate bulk data operations and reporting
Legal Basis
Contract performance
Storage Location
Local devices + OneDrive/SharePoint (if Microsoft 365)
Retention Period
Transient processing (deleted after import) + Exports retained per client needs
Security Measures
File encryption if Microsoft 365
Transborder Transfers
Local disk encryption
Data Recipients
Microsoft Excel (local/cloud) + Our application
Owner
Possibly (if using Microsoft 365 cloud)
View Specific Data Fields
Transaction details, Product info, Customer names, Amounts, Dates
SQL Database Operations
Storing and querying all application data in Azure SQL
Data Categories
All client data categories
Data Subjects
All business clients
Purpose of Processing
Core application data storage and retrieval
Legal Basis
Contract performance
Storage Location
Azure South Africa North
Retention Period
Varies by data type (see retention policy)
Security Measures
TDE encryption at rest
Transborder Transfers
TLS in transit
Data Recipients
Azure SQL Database
Owner
Automated backups
View Specific Data Fields
All application data fields (financial, inventory, transactions, user accounts)
CSV Data Processing
Importing and exporting data via CSV files
Data Categories
Financial data, Inventory data, Transaction records
Data Subjects
Business clients
Purpose of Processing
To enable data portability and integration
Legal Basis
Contract performance
Storage Location
Temporary processing in memory + Azure SA storage
Retention Period
Transient (deleted after processing)
Security Measures
In-memory processing
Transborder Transfers
Input validation
Data Recipients
Our application (internal processing)
Owner
No (local processing)
View Specific Data Fields
Varies by CSV type - transactions, products, customers, invoices
GAAP Reporting Integration
Processing financial data for GAAP compliance reporting
Data Categories
Financial transactions, Account balances, Journal entries
Data Subjects
Business clients
Purpose of Processing
To provide GAAP-compliant financial reporting
Legal Basis
Contract performance + Legal obligation
Storage Location
TBD - need to document
Retention Period
7 years (tax/audit requirement)
Security Measures
TBD - depends on implementation
Transborder Transfers
TBD - depends on vendor
Data Recipients
GAAP service provider (if third-party - TBD)
Owner
Tech Team
View Specific Data Fields
GL codes, Transaction amounts, Account balances, Period dates, Entity info
Lightspeed POS Integration
Syncing point-of-sale and retail data from Lightspeed
Data Categories
Sales transactions, Inventory, Customer purchase data
Data Subjects
Business clients and their retail customers
Purpose of Processing
To provide retail operations automation and reporting
Legal Basis
Contract performance
Storage Location
Lightspeed servers (Canada/US), Our DB: Azure SA
Retention Period
3 years after transaction
Security Measures
API tokens encrypted
Transborder Transfers
TLS encryption
Data Recipients
Lightspeed (processor) + Our application database
Owner
Audit logs
View Specific Data Fields
Transaction IDs, Sale amounts, Product SKUs, Customer names (from client's customers), Payment methods, Timestamps, Store locations
Zoho CRM Integration
Managing client relationship and sales pipeline data
Data Categories
Contact information, Communication history, Deal pipeline, Notes
Data Subjects
Business clients (as CRM subjects)
Purpose of Processing
To manage client relationships and business development
Legal Basis
Legitimate interest + Contract performance
Storage Location
Zoho data centers (India/US/EU - verify)
Retention Period
3 years after relationship ends
Security Measures
Zoho's security controls
Transborder Transfers
TLS encryption
Data Recipients
Zoho CRM
Owner
MFA
View Specific Data Fields
Client company names, Contact persons, Email addresses, Phone numbers, Meeting notes, Deal values, Communication logs
Deel Contractor Management
Managing international contractor/employee information
Data Categories
HR records, Contract data, Payment info, Tax documents
Data Subjects
Employees and contractors
Purpose of Processing
HR administration + Payroll + Compliance
Legal Basis
Legal obligation + Contract performance
Storage Location
Deel servers (US/EU multi-region)
Retention Period
7 years after contract ends (legal requirement)
Security Measures
Deel's security (ISO 27001, SOC 2)
Transborder Transfers
Encryption at rest/transit
Data Recipients
Deel platform
Owner
Yes - Deel servers (US/EU)
View Specific Data Fields
Full names, ID/passport numbers, Addresses, Bank details, Tax numbers, Contract terms, Payment history, Visa/work permit info
PaySpace Payroll Processing
Processing payroll for South African employees/contractors
Data Categories
Payroll data, Tax information, Banking details
Data Subjects
Employees (founders + any SA contractors)
Purpose of Processing
Payroll processing + Tax compliance + Banking
Legal Basis
Legal obligation + Contract performance
Storage Location
PaySpace South Africa data center
Retention Period
7 years (tax law requirement)
Security Measures
PaySpace security (ISO 27001)
Transborder Transfers
Encryption
Data Recipients
PaySpace
Owner
Audit trails
View Specific Data Fields
Full names, ID numbers, Tax numbers, Bank account details, Salary amounts, Leave balances, Tax certificates
SimplePay Payroll Processing
Alternative/additional payroll processing system
Data Categories
Payroll data, Tax information, Banking details
Data Subjects
Employees (founders + any SA contractors)
Purpose of Processing
Payroll processing + Tax compliance
Legal Basis
Legal obligation + Contract performance
Storage Location
SimplePay South Africa data center
Retention Period
7 years (tax law requirement)
Security Measures
SimplePay security (ISO 27001)
Transborder Transfers
Encryption
Data Recipients
SimplePay
Owner
SARS integration
View Specific Data Fields
Full names, ID numbers, Tax numbers, Bank account details, Salary amounts, Tax submissions
Harvest Time Tracking
Tracking billable hours and project time for invoicing
Data Categories
Time tracking data, Project information, Invoicing data
Data Subjects
Employees/contractors + Business clients
Purpose of Processing
Time tracking for billing + Project management + Invoice generation
Legal Basis
Contract performance + Legitimate interest
Storage Location
Harvest servers (United States)
Retention Period
3 years after project completion
Security Measures
Harvest security (SOC 2 Type II)
Transborder Transfers
TLS encryption
Data Recipients
Harvest (Forecasting LLC)
Owner
MFA available
View Specific Data Fields
Employee/contractor names, Time entries (hours/dates), Project names, Client names, Hourly rates, Task descriptions, Invoice amounts, Expense records
Wherehouse Marketplace Management
Managing multi-channel eCommerce operations for clients
Data Categories
Order data, Customer information, Inventory records, Pricing data, Invoice data, Sales analytics
Data Subjects
Business clients and their end-customers
Purpose of Processing
To provide marketplace management automation across multiple sales channels
Legal Basis
Contract performance
Storage Location
Wherehouse servers (South Africa - verify location)
Retention Period
3 years after order completion
Security Measures
TLS encryption
Transborder Transfers
API authentication
Data Recipients
Wherehouse platform + Our integration services
Owner
Audit logs (verify Wherehouse security certifications)
View Specific Data Fields
Order IDs, Customer names, Delivery addresses, Email addresses, Phone numbers, Order amounts, Payment methods, Product SKUs, Inventory quantities, Prices, Invoice numbers, Marketplace transaction IDs, Sales metrics
Questions About Data Processing?
If you have questions about how we process your personal information, please contact our Information Officer:
hello@larasoft.global | +27 82 457 8390