South Africa Legal Framework

Managed IT and AI,
documented properly.

CloudMonkey's public legal framework aligns managed cloud, IT, voice, security, Microsoft 365 administration, and AI services with South African e-commerce, privacy, consumer, tax, and electronic contracting requirements.

Commercial Boundaries

Service orders define users, devices, support channels, response windows, exclusions, setup work, and recurring fees so managed services do not become unlimited support obligations.

ECTA Contracting

Online orders must give customers a review and correction step, clear supplier disclosures, cooling-off notices, and explicit consent where immediate provisioning starts before the statutory period ends.

POPIA Operations

Where CloudMonkey processes personal information for a customer, the customer remains the Responsible Party and CloudMonkey acts as Operator under a written data protection addendum.

AI Governance

AI agents are documented as probabilistic tools that require human review for material decisions, sensitive data handling, and any workflow that may affect legal rights.

Operating Model

The core compliance pillars

These controls are designed to keep the commercial promise measurable, the platform compliant, and the customer relationship enforceable.

Commercial Boundaries

Service orders define users, devices, support channels, response windows, exclusions, setup work, and recurring fees so managed services do not become unlimited support obligations.

ECTA Contracting

Online orders must give customers a review and correction step, clear supplier disclosures, cooling-off notices, and explicit consent where immediate provisioning starts before the statutory period ends.

POPIA Operations

Where CloudMonkey processes personal information for a customer, the customer remains the Responsible Party and CloudMonkey acts as Operator under a written data protection addendum.

AI Governance

AI agents are documented as probabilistic tools that require human review for material decisions, sensitive data handling, and any workflow that may affect legal rights.

Built-In Signatures

CloudMonkey will operate its own in-platform signature workflow and audit trail instead of routing customer agreements through a third-party signing provider.

SLA Enforcement

The SLA separates response targets from resolution targets, classifies incidents by severity, and limits availability remedies to proportionate service credits.

Required Documents

Documentation architecture

The legal document set CloudMonkey should use for public onboarding, admin-generated quotes, service orders, and signed customer agreements.

Website Terms & E-Commerce Policy

Open

ECTA sections 43 and 44, CPA direct marketing rules, VAT Act section 65.

Defines online contracting, supplier disclosures, review and correction, cooling-off treatment, immediate provisioning consent, price and tax display, electronic notices, and acceptable website use.

Master Services Agreement

Common law contract principles, CPA fixed-term constraints where applicable.

Governs the long-term customer relationship, payment terms, fixed terms, renewal notices, service orders, intellectual property, liability caps, suspension, termination, and dispute handling.

Service Order / Scope Schedule

Plain-language and scope certainty controls.

Turns each quote into measurable scope: seat counts, devices, supported systems, ticket allowance, included onboarding, excluded projects, minimum term, setup fees, and dependencies.

Service Level Agreement Matrix

Commercial SLA terms and Conventional Penalties Act proportionality.

Sets S1 to S4 severity definitions, response targets, escalation paths, maintenance exclusions, customer-caused outage exclusions, service credits, and chronic failure termination rights.

Data Protection Addendum

Open

POPIA sections 19, 20, 21, and 22.

Documents CloudMonkey's Operator obligations, confidentiality, security safeguards, breach notice process, subprocessors, retention, deletion, and assistance with data subject requests.

Cross-Border Transfer Addendum

POPIA section 72.

Discloses cloud, security, email, voice, and AI regions where personal information may be processed and requires POPIA-equivalent controls for foreign recipients and onward transfers.

AI Services Addendum & Acceptable Use Policy

ECTA electronic agent rules, POPIA automated decision-making controls.

Defines human-in-the-loop requirements, AI output review, prohibited sensitive uses, data hygiene, customer ownership of inputs, and CloudMonkey ownership of integration workflow IP.

First-Party Signature Certificate

Open

Electronic contracting and evidentiary audit trail controls.

Records signer identity, account, timestamp, IP address, user agent, document version, acceptance text, document hash, and provisioning consent without using a third-party signature service.

SLA Matrix

Severity, response, and remedies

Availability and support commitments must be measurable. Customer-caused incidents, upstream provider failures, planned maintenance, and force majeure events are excluded from downtime calculations.

Level
Operational impact
Target
Handling
S1 Critical
Complete service outage, major privacy incident, catastrophic data loss, or multiple users unable to perform core work.
15 minutes
Continuous engineering effort, escalation, and vendor coordination until a workaround or restoration path exists.
S2 High
Material degradation or one critical system unavailable while business can still operate in a limited way.
30 to 60 minutes
Priority troubleshooting by senior support with active updates during the incident window.
S3 Medium
Minor service impact with a workaround available or a non-critical system affected.
4 business hours
Handled during standard support hours through the normal engineering queue.
S4 Low
Informational request, cosmetic issue, planned maintenance request, or change with no operational impact.
24 business hours
Scheduled into routine maintenance, change control, or the next appropriate work cycle.
First-party execution

CloudMonkey signatures stay inside CloudMonkey.

CloudMonkey will use a built-in signature and acceptance workflow for quotes, service orders, MSAs, DPAs, AI addendums, and provisioning consent. No third-party e-signature platform is required for this workflow.

Each signed record should preserve signer account, email address, timestamp, IP address, user agent, document version, acceptance wording, SHA-256 document hash, and the final immutable PDF or HTML snapshot used for acceptance.

View signature policy
Document status: This public framework describes CloudMonkey's operating controls for customer onboarding, service scope, privacy, support, AI services, and first-party signatures. It is maintained with the customer Terms of Service, Privacy & POPIA Notice, service orders, SLA, DPA, and AI addendum.