Privacy and Data Protection Notice
This notice explains the intended data protection posture for ChangeControl instances. It is written to reduce confusion, not to replace customer-specific legal notices or processor agreements.
1. Roles
The MSP or instance owner normally decides why and how personal information is processed in the ChangeControl instance. That party is generally responsible for user notices, lawful basis, retention, access requests and customer agreements. Quesabyte IT Solutions (PTY) LTD processes limited support, licensing and maintenance information where needed to provide the software, updates and support.
2. Data Stored in the Application
- User names, email addresses, roles, company associations and authentication settings.
- Company records, approver details, change request content, comments, notes and audit history.
- Uploaded evidence and reports, which may contain customer-sensitive, personal, regulated or CUI-related information depending on MSP/customer use.
- Integration identifiers and configuration values required for Microsoft, ConnectWise, email and licensing workflows.
3. Security Measures Provided by the Application
- Role-based access controls and separation of MSP users from external client-side approvers.
- CSRF protection, prepared database statements, output escaping and server-side permission checks.
- MFA/TOTP enrollment with QR code and manual URI options.
- Audit logging for security-sensitive and workflow-sensitive actions.
- Protected runtime folders and update package validation designed for cPanel and Windows deployments.
4. MSP Responsibilities
- Configure HTTPS, backups, retention, least-privilege roles and secure email delivery.
- Classify evidence before upload and avoid storing unnecessary secrets or unrelated personal information.
- Respond to customer or data subject requests according to the laws and contracts that apply to the MSP.
- Maintain required agreements with customers, processors, sub-processors and third-party integration providers.
5. Regulatory Alignment
ChangeControl includes controls that may support CMMC evidence workflows, DoD contractor governance, GDPR accountability, POPIA processing conditions and PAIA/records processes. It does not automatically make an organisation compliant, certified or legally authorised to process regulated data.
6. Official Reference Points
- DoD CMMC Program and CMMC Program final rule.
- European Commission GDPR legal framework.
- European Commission controller/processor guidance.
- Information Regulator South Africa for POPIA and PAIA resources.