Why self-hosting changes the compliance conversation

When you run workloads on AWS, Azure, or Google Cloud, a chunk of your "appropriate technical and organisational measures" obligation under Section 19 of POPIA is covered by the provider's own certifications (ISO 27001, SOC 2, etc.) for the infrastructure layer. When you self-host — your own servers, your own Nextcloud instance, your own database — that entire burden sits on your configuration choices. That's not a reason to avoid self-hosting (data sovereignty is often the whole point), but it does mean compliance has to be deliberate rather than assumed.

The technical checklist

Access control

Encryption

Logging and accountability

Backup and recovery

Patch and vulnerability management

"POPIA doesn't mandate a specific technology stack. It mandates that your measures are appropriate to the risk — which means a documented, defensible set of controls matters more than any single tool."

The organisational side (don't skip this)

Technical controls are half the picture. You also need an Information Officer registered with the Information Regulator, a documented PAIA manual, a data processing register noting what personal information you hold and why, and staff awareness training. None of that is solved by infrastructure — but infrastructure that can't produce an access log or prove encryption is in place will undermine even a well-written policy document the moment it's tested.

Where we usually start with clients

Most self-hosted environments we audit are missing two things first: centralised logging (so there's no real answer to "who accessed this") and a tested backup/restore process (so recovery time after an incident is unknown rather than documented). Both are foundational, both are fixable in days rather than months, and both directly support a POPIA defence if you're ever asked to demonstrate compliance.

Not sure where your environment stands?

Our security assessment maps your current controls against frameworks including POPIA, with a prioritised remediation list.

Get an Assessment →