Practical AI governance and compliance — built for South African small businesses, grounded in POPIA and the Cybercrimes Act, and delivered by people who understand both law and technology.
Your employees are already using ChatGPT, Google Gemini, and WhatsApp automation — often without any guidance on what they can and cannot share. Without a policy, every use of a free AI tool is a potential POPIA exposure.
Free versions of ChatGPT, Gemini, and Copilot may store user inputs and use them to train AI models. Anything your employees type — including client names, financial records, or contract details — could be retained by an overseas platform. Under POPIA, this is a transborder data transfer with serious legal implications.
Without a documented AI usage policy and signed employee acknowledgements, your business has no legal defence if a data breach occurs. POPIA requires you to notify the Information Regulator within 72 hours of a breach — but without a system, you may not even know one has happened.
South Africa's National AI Policy Framework has completed public consultation and is approaching Cabinet approval. A dedicated AI Act is expected to follow. Businesses that build governance frameworks now will face significantly lower disruption and compliance cost when formal regulation arrives.
From foundational compliance to ongoing advisory — every tier is customised for your industry, your team size, and the tools you actually use.
Everything a small business needs to establish a defensible, POPIA-aligned AI compliance baseline — delivered in a single engagement.
A complete governance infrastructure — policy documents, risk tools, breach protocols, and practical AI fluency training for your staff.
Continuous compliance support as AI tools evolve and South African regulation develops — so your business stays ahead of change.
Most AI governance services are designed for large enterprises or built for international markets. We focus on small and medium South African businesses — with the legal grounding, plain language, and practical delivery that actually makes a difference.
Our team spans legal (specialising in cyber law and cybersecurity), enterprise IT management, and actuarial risk — the exact disciplines AI governance requires. Most competitors bring only one of these. We bring all three.
Our frameworks are grounded in SA law, written in plain language, and calibrated for businesses without dedicated legal or IT departments. Not international templates repurposed for local use — built from scratch for this context.
We provide governance frameworks and responsible use training — clearly distinguished from legal opinions. This distinction protects both parties and keeps our service accessible and affordable for growing businesses.
We do not hand over a folder and leave. Your engagement ends with trained staff, signed acknowledgements, and a functioning compliance system. Everything is customised to your business, your tools, and your industry.
You do not need to wait for a dedicated AI Act to face legal obligations. POPIA, the Cybercrimes Act, and King V Corporate Governance principles already apply to how your business uses AI. Most small businesses are non-compliant today — not through negligence, but because no one has explained what compliance looks like in practice.
From first contact to signed acknowledgements — a structured process designed to be low-friction for busy business owners.
We assess your current AI tool use, team size, industry context, and data exposure to understand exactly what your business needs.
We tailor your policy documents, approved tools list, and training content to your specific business, industry, and team.
We facilitate the training session in person, walk employees through the policy, and collect signed acknowledgement forms.
Ongoing advisory available via retainer as regulation evolves and your AI tool use grows.
We operate from Pietermaritzburg and serve businesses across KwaZulu-Natal and nationally. Sessions can be delivered in person or remotely. Engagements typically take two to three weeks from initial contact to training completion.
Whether you are starting from scratch or looking to build on existing policies, we will give you a clear picture of your current compliance gaps and what it takes to address them.