🛡️ Built for South African compliance

Stop losing deals because you can't prove POPIA compliance.

Generate your complete compliance pack — policies, evidence vault, risk register, and IO registration guide — in under an hour, then turn it into verifiable proof with independently verified evidence.

Built for SA companies in Fintech, Legal, Healthcare, and Professional Services

Two scores. One truth.

What you declare. What you can prove. Most organisations can't prove what they claim — that's the gap KomplyZA closes.

Generate it. Then prove it.

Most platforms stop at documentation. KomplyZA verifies what you can actually defend.

R44.1M

Average SA breach cost (IBM 2025)

R5M

Largest POPIA fines issued to date

72 hours

To notify the Information Regulator after a breach

Free

Forever for individual SA companies

⚖️ Legal verification

Independently verified — not self-declared.

Every policy and evidence item is reviewed by a qualified South African legal practitioner. If it's not verified, it doesn't count.

Verification covers the existence and legal adequacy of documentation relative to POPIA requirements.

What brings companies to KomplyZA

Three moments when SA companies need compliance — fast.

A client asked for our POPIA proof

Enterprise buyers are requiring POPIA compliance packs from all SA vendors. Share one verified trust profile URL — a live, evidence-backed compliance profile — instead of a 200-row spreadsheet.

Generate your compliance pack →

We just had a data incident

The 72-hour notification clock has started. KomplyZA guides you through every step of the POPIA and Cybercrimes Act breach response — from containment to regulator notification.

Start breach response →

Our insurer needs compliance evidence

Cyber insurers now require POPIA evidence before underwriting. Generate your complete evidence pack automatically — policies, risk register, IO documentation. Evidence that's independently verified — the difference between a folder of PDFs and proof you can present to an underwriter.

Generate evidence pack →

What you get

Statutory documents, security policies, and live compliance tools — everything typically requested by buyers and insurers.

📋 Statutory documents

  • PAIA Manual (Section 51 — must be on your website)
  • POPIA Privacy Policy (Condition 6 — Openness)
  • IO Appointment Letter (POPIA Chapter 5)
  • Breach Notification Procedure (Section 22)
  • Data Subject Request Procedure (Sections 23-25)
  • Operator Agreements for all vendors (Section 21)

🛡️ Security & governance policies

  • Information Security Policy
  • Access Control Policy
  • Data Retention and Destruction Policy
  • Remote Work and BYOD Policy
  • AI Acceptable Use Policy
  • Incident Response Plan
  • Change Management Policy
  • Encryption Policy

🛡️

POPIA Compliance Hub

Your self-assessed and evidence-verified scores side by side, IO appointment tracker, 8 conditions checklist. Know exactly where you stand — and what you can prove.

⏱️

Dual 72-Hour Breach Clock

Two simultaneous countdown clocks — POPIA to the Information Regulator, Cybercrimes Act to SAPS. Never miss a deadline.

📄

AI Policy Builder

24 POPIA-compliant policies grounded in verified statutory text from POPIA, RICA, PAIA, and the Cybercrimes Act.

🤖

POPIA + AI Risk Scan

82% of SA companies using AI tools are violating POPIA. Find out if you are one of them.

📊

Risk Register

SA-specific risk rules, automated scoring, and evidence collection — audit-ready.

🗓️

90-Day Compliance Plan

AI-generated, personalised compliance roadmap prioritising your highest legal obligations first.

Already done your POPIA work?

Your POPIA work already covers up to 40% of ISO 27001 requirements — we map your controls so you don't start from scratch.

SA companies pay R100K–R500K for ISO 27001 consultants. KomplyZA builds a comparable foundation from the POPIA work you've already done.

KomplyZA prepares you for ISO 27001 certification. Actual certification requires an accredited external audit body.

Your full compliance pack in under an hour

01 — Complete your baseline

Answer 14 questions about your business. KomplyZA identifies your POPIA gaps and risks.

02 — Generate your documents

AI generates your Privacy Policy, IO letter, breach procedure, and full policy library.

03 — Track and remediate

Dashboard score, risk register, evidence vault, and 90-day plan keep you audit-ready.

Build, implement, and prove your compliance — policies generated, evidence collected, controls verified. Generation is the foundation; verification is the proof.

See your breach exposure in 5 seconds

No account. No data stored.

Free tools

No account required. Built for South African companies.

SA Regulatory Intelligence

Real-time enforcement actions and guidance from the Information Regulator. KomplyZA monitors regulatory sources every 6 hours so you do not miss a deadline.

  • High · Notice

    PAIA Annual Report Deadline — 30 June 2026

    Source: Information Regulator (South Africa)

    All public and private bodies must submit their PAIA Annual Reports to the Information Regulator by 30 June 2026. Reports can be submitted via the IR website or through CIPC BizPortal.

    Affects: POPIA, Policies
  • Critical · Enforcement
    CJC TVET College — Enforcement Notice for Misaddressed Email

    The IR issued an enforcement notice against CJC TVET College after an Acting CFO accidentally attached employee verification reports (qualifications and criminal records) to an email meant to contain finance policies. Three violations: no registered…

    Affects: POPIA, Risk, Breach
  • High · Notice

    Cybercrimes Act Dual Reporting Requirement

    Source: Information Regulator

    Reminder that data breaches require parallel 72-hour notifications to both the IR (POPIA) and SAPS (Cybercrimes Act).

  • Low · Guidance

    DSAR Response Timeline Clarification

    Source: Information Regulator

    IR clarified that the 30-day DSAR response period begins from date of receipt, not verification.

  • High · Guidance

    Section 57 Prior Authorisation Guidance

    Source: Information Regulator

    New guidance on when prior authorisation from the IR is required for Special PI processing.

Sources: Information Regulator, Werksmans, Webber Wentzel — monitored every 6 hours

See all regulatory updates →

Pro subscribers get the full intelligence feed with email alerts when enforcement actions are published.

Compliance, you can prove.

Evidence-verified POPIA scoring that helps organisations demonstrate compliance posture to clients, insurers, and auditors.

“AI can generate a policy in seconds. It cannot tell you whether your organisation operates in accordance with it.”

Verified

Every document reviewed by a named SA legal practitioner — not just AI-generated

Tracked

Every piece of evidence tracked with SHA-256 chain of custody from upload to approval

Self-Improving

Every legal partner correction improves the platform for all future clients automatically

KomplyZA doesn't just generate policies — it proves you follow them. Evidence vault, implementation scoring, and legal partner verification prove your controls are operating, not just documented.

Two scores — because declaring isn't proving

Self-Assessed / Declared posture

What you've told us — your own assessment, not independent proof.

Evidence-Verified / Proven posture

Backed by real evidence, verified by independent legal partners.

Uploading a document doesn't move this number — a partner verifying it does. No half-credit. Proven or not.

The gap between them is your roadmap. Close it by getting evidence verified — that's the score you put in front of a regulator, an insurer, or a client.

Only the verified score should be used externally.

Self-Assessed 60% · Evidence-Verified 25% · Gap: 35 points

Most organisations start with a large gap. Closing it is the work — and the proof.

Most platforms make you audit-ready. KomplyZA makes you proof-ready.

Not just uploaded. Verified.

Most compliance platforms accept documents at face value. KomplyZA only counts what has been independently verified. No verification, no credit.

The only platform that speaks SA law

POPIA · Cybercrimes Act · King IV · Dual 72-hour clocks · Information Regulator SA · ZAR risk scoring

Free for individual use. Powerful for teams.

PRO

R999/month

Billed annually (R11,988/year)

  • Everything in Solo, plus:
  • Unlimited policy generation
  • SHA-256 evidence vault
  • Legal partner portal
  • Board compliance pack
  • Jira/GitHub integration
  • ISO 27001 readiness hub + mandatory clauses

Start 14-Day Trial →

POPIA SPRINT

R29,500

90-day compliance deployment with 12 months Pro included. Engineer a living POPIA system — not a shelf document pack.

See what's included →

Get started

Done-With-You

POPIA Sprint

90-day compliance deployment. We engineer your complete POPIA compliance system — not a document pack that sits on a shelf.

R29,500 (50% upfront, 50% on completion)

Includes 12 months KomplyZA Pro (R11,988 value)

What you get

  • All POPIA policies + ISMS documents generated from your actual infrastructure and vendors
  • Legal partner verification on every document
  • Evidence vault populated with verified proof
  • Automated monitoring: DMARC, evidence expiry, compliance score tracking
  • IO registration guidance and support
  • Breach notification procedure tested via tabletop exercise
  • ISO 27001 readiness baseline included — your POPIA work mapped to 93 controls so you can pass enterprise procurement audits faster
  • Board-ready compliance pack for auditors and insurers
  • Monthly compliance reports automated
  • 12 months KomplyZA Pro included

Target outcome: 70%+ verified POPIA score with signed compliance pack within 90 days.

That's the evidence-verified score — independently proven, not self-graded. The threshold for a POPIA Framework Alignment Attestation.

After 90 days, your compliance system runs itself. No consultants to re-engage. No binders on shelves. A living, monitored, evidence-backed compliance posture.

Timeline — 12 weeks, 6 phases

  1. Phase 1 · Weeks 1–2

    Discovery & baseline

    Kick-off, 14-step assessment, risk register, POPIA Hub setup

  2. Phase 2 · Weeks 3–4

    Governance & policies

    IO appointment, core policies drafted and reviewed with legal

  3. Phase 3 · Weeks 5–6

    Email & technical controls

    DMARC/SPF/DKIM, evidence vault, security baselines

  4. Phase 4 · Weeks 7–8

    Vendors & breach readiness

    Operator agreements, breach notification procedure, tabletop

  5. Phase 5 · Weeks 9–10

    Remediation sprint

    Close critical gaps, Jira-tracked tasks, weekly check-ins

  6. Phase 6 · Weeks 11–12

    Audit pack delivery

    Board compliance pack, King IV report, handover to your team

Already doing POPIA? Your existing work covers up to 40% of ISO 27001 requirements. Pro subscribers get full access to the ISO 27001 Hub with mandatory clause tracking and ISMS document generation.

See full pricing details →

Are you a vCISO or security consultant?

Manage multiple clients from one dashboard. Generate policies, track compliance, and deliver board-ready reports for every client. Founding member pricing available.

Join founding waitlist →

Compliance is also a security obligation.

POPIA isn't only a legal requirement — it's a security one. KomplyZA verifies both: legal governance (policies, rights, accountability) and operational safeguards (security controls, breach readiness, vendor controls). Because a policy doesn't stop a breach — controls do.

Your compliance data is safe with us

Enterprise-grade practices for a platform built on POPIA and SA law.

End-to-end encryption

AES-256 at rest and TLS 1.3 in transit between your browser and KomplyZA.

POPIA-governed platform

KomplyZA uses KomplyZA — we eat our own cooking on POPIA governance and safeguards.

Data hosting & transfers

Application data and evidence files hosted in AWS af-south-1 (Cape Town) — your data on South African soil. Authentication services via Supabase (EU) covered by Section 72 Transfer Agreement.

Signed DPAs with all sub-processors

Contractual safeguards with Supabase, Anthropic, Resend, Paystack, and related vendors.

Transparent sub-processor list

See who processes what — no hidden vendors. Summarised on our Security & trust page.

We never sell your data

Your organisational compliance data is not for resale. We use it only to run the service you signed up for.

Read Security & trust →

Start your POPIA compliance journey today

Free for individual use. Your compliance pack in under an hour. Verified over time.

Get started free →

No credit card · Free forever · Your full compliance pack in under an hour

KomplyZA is an educational and informational compliance tool. Compliance scores and risk assessments are estimates — not legal advice. See our Terms of Service.