PAIA Manual - TIS Holdings Pty Ltd

1. Introduction

1.1 Purpose of This Manual

This manual is compiled in accordance with Section 14 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000) ("PAIA") and the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA").

The purpose of this manual is to:

Foster a culture of transparency and accountability within TIS Holdings Pty Ltd
Give effect to the constitutional right of access to information
Provide information on the categories of records held by TIS Holdings
Outline the procedure for requesting access to records
Inform requesters of their rights and remedies

1.2 Legislative Framework

This manual is prepared in terms of:

The Constitution of the Republic of South Africa, 1996 (Section 32)
Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)
Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
Regulations made under PAIA

1.3 Definitions

Personal Information: Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.

Private Body: A natural person who carries or has carried on any trade, business, or profession, but only in such capacity; a partnership which carries or has carried on any trade, business, or profession; or any former or existing juristic person (such as TIS Holdings Pty Ltd).

Record: Any recorded information regardless of form or medium, including written, electronic, or any other form.

Requester: Any person making a request for access to a record of TIS Holdings.

2. Company Information

2.1 Company Details

Registered Name: TIS Holdings Pty Ltd

Registration Number: 2007/020605/07

Trading As: TIS-IntelliMat, ESG Navigator

Year Founded: 2007

Registered Office: 21 Woodlands Drive, Building 2, Woodmead, 2191

Phone: 011 258 8500

Email: compliance@tisholdings.com

Website: https://esgnavigator.ai

2.2 Nature of Business

TIS Holdings Pty Ltd is a leading provider of AI-powered Environmental, Social, and Governance (ESG) compliance solutions. The company specializes in:

ESG-GRC (Governance, Risk & Compliance) automation platforms
AI-driven supplier risk assessment and monitoring
ISO standards compliance (ISO 14001, 45001, 50001, 27001)
GISTM tailings management compliance
ISSB climate disclosure reporting
JSE sustainability requirements compliance
Mining sector ESG solutions
Data center sustainability assessments

2.3 Key Products and Services

TIS-IntelliMat ESG Navigator Platform: An AI-powered platform featuring 9 specialized agents for comprehensive ESG compliance management, supplier risk assessment, and regulatory reporting.

Strategic Partnerships:

IBM Business Partner Plus (IBM Watsonx AI orchestration)
Anthropic AI Partnership (Claude API integration)
ISO Standards4Sustainability (1 of 3 global organizations selected)
AWS Cloud Services (serverless infrastructure)
DRATA (SOC2 Type II compliance certification pathway)

3. Records Available Without Request

3.1 Company Registration Documents

Memorandum of Incorporation, Certificate of Incorporation, and company registration details are available from the Companies and Intellectual Property Commission (CIPC).

3.2 Privacy Policy

Available at: https://esgnavigator.ai/privacy.html

3.3 This PAIA Manual

Available at: https://esgnavigator.ai/paia.html

3.4 Terms of Service

Available on request and via the company website.

3.5 Marketing and Public Information

Product brochures, case studies, and public marketing materials are available on the company website and social media channels.

3.6 Corporate Governance Documents

Code of Conduct
Ethics Policy
Supplier Code of Conduct

3.7 Compliance Certifications

ISO certifications (where applicable)
SOC2 certification (in progress via DRATA)
B-BBEE certificates

3.8 Public Reports

ESG performance reports, sustainability disclosures, and thought leadership publications (as made publicly available).

3.9 Information Technology Records

System architecture documentation, access control policies, data security frameworks (publicly shareable versions only).

3.10 Financial Records

Annual financial statements (as required by law to be publicly available).

3.11 Human Resources Records

General employment policies, health and safety policies (employee-facing versions).

4. Records Available in Terms of Other Legislation

TIS Holdings maintains records as required by various South African legislation, including but not limited to:

Companies Act 71 of 2008

Memorandum of Incorporation
Minutes of Board and Shareholder meetings
Annual Financial Statements
Register of Directors and Officers
Share register and certificates
Securities register

Income Tax Act 58 of 1962

Tax returns and assessments
PAYE records
VAT records
Supporting financial documentation
Records of asset disposal

Value-Added Tax Act 89 of 1991

VAT registration certificates
Tax invoices and credit notes
VAT returns
Import and export documentation

Basic Conditions of Employment Act 75 of 1997

Employment contracts
Wage and salary records
Leave records
Disciplinary records
Termination documentation

Labour Relations Act 66 of 1995

Trade union agreements
CCMA documentation
Dispute resolution records
Collective bargaining records

Employment Equity Act 55 of 1998

Employment Equity Plans
EE Reports submitted to Department of Labour
Workforce profile analysis
Consultation records

Occupational Health and Safety Act 85 of 1993

Health and safety policies
Incident and accident reports
Risk assessments
Training records

Broad-Based Black Economic Empowerment Act 53 of 2003

B-BBEE certificates
Verification reports
Transformation charters
Equity ownership records

Electronic Communications and Transactions Act 25 of 2002

Electronic records and signatures
Data messages
Cybersecurity policies
Website terms and conditions

Protection of Personal Information Act 4 of 2013

Privacy policies
Processing operations register
Data subject consent records
Data processing agreements
Security safeguard documentation
Breach notification records

5. Request Procedure

5.1 Access Request Form

All requests for access to records must be made using the prescribed Form A as set out in Annexure A of the PAIA Regulations. The form is available:

On our website: https://esgnavigator.ai/paia.html
From the Information Officer upon request
At the South African Human Rights Commission (SAHRC) website

5.2 Submission of Request

Completed request forms must be submitted to:

Information Officer: Dr. Terry Ramabulana

TIS Holdings Pty Ltd

21 Woodlands Drive, Building 2, Woodmead, 2191

Email: compliance@tisholdings.com

Phone: +27 83 455 8115

5.3 Information Required in Request

To enable efficient processing, your request must include:

Sufficient detail to identify the record(s) requested
Your identity number or registration number
Postal address, email address, or fax number
The form in which access is required (inspection, copy, transcript)
If requesting on behalf of another person, proof of capacity to make the request
The right you are seeking to exercise or protect, and explanation of why the record is required

5.4 Processing Timeline

Day 0: Request received and logged

Day 1-3: Acknowledgment sent to requester

Day 4-15: Request assessment and verification

Day 16-25: Record compilation and fee calculation

Day 26-30: Decision communicated to requester

TIS Holdings will respond within 30 days from receipt of the request. This period may be extended by a further 30 days if necessary, with written notice to the requester.

5.5 Third-Party Notification

If the requested record contains information about a third party, TIS Holdings will notify that third party within 21 days of receiving the request, allowing them to make representations regarding access.

6. Fees

6.1 Request Fee

A non-refundable request fee of R50.00 is payable upon submission of the request (except for personal information requests by the data subject themselves).

6.2 Access Fees

If the request is granted, the following fees apply (as per PAIA regulations):

Service	Fee
Photocopies (per A4 page)	R1.10
Printed copies (per A4 page)	R0.75
Copies on CD/USB (per device)	R70.00
Transcription (per A4 page)	R20.00
Copy of visual images (per A4 page)	R60.00
Inspection of records (no fee)	Free
Postage/courier (actual cost)	Actual cost
Search and preparation time (per hour, after first hour)	R30.00

6.3 Payment Methods

Fees must be paid before access is granted. Accepted payment methods:

Electronic Fund Transfer (EFT) to TIS Holdings bank account
Bank-guaranteed cheque
Cash payment at registered office (by prior arrangement)

6.4 Fee Waiver

The Information Officer may waive fees if:

The requester is indigent and cannot afford the fee
The record contains information about human rights violations
It is in the public interest to waive the fee

7. Grounds for Refusal

TIS Holdings may refuse a request for access to records on the following grounds (as provided in PAIA):

7.1 Mandatory Protection of Privacy of Third Parties

If disclosure would involve the unreasonable disclosure of personal information about a third party (PAIA Section 63).

7.2 Mandatory Protection of Commercial Information

Trade secrets (Section 36)
Financial, commercial, scientific, or technical information that could harm competitive position (Section 36)
Information disclosed in confidence (Section 37)

7.3 Protection of Confidential Information

If disclosure would constitute breach of duty of confidence owed to third party (Section 37).

7.4 Safety of Individuals and Protection of Property

If disclosure could endanger life or physical safety of individuals or prejudice security of property (Section 38).

7.5 Protection of Certain Confidential Communications

Legal professional privilege (Section 39)
Legal proceedings (Section 40)

7.6 Commercial Information of Private Body

If disclosure would result in financial loss or gain to TIS Holdings (Section 68)
If disclosure would prejudice competitive position (Section 68)
If disclosure would prejudice contractual negotiations (Section 68)

7.7 Research Information

If disclosure would expose TIS Holdings or third party to serious disadvantage in research activities (Section 69).

7.8 Manifestly Frivolous or Vexatious Requests

If the request is manifestly frivolous, vexatious, or involves an unreasonable diversion of resources (Section 45).

7.9 Procedure When Refusing Request

If a request is refused:

TIS Holdings will provide written notice of refusal within 30 days
Notice will state adequate reasons for refusal
Notice will cite applicable provisions of PAIA
Notice will inform requester of remedies available (internal appeal, court application)

8. Remedies Available

8.1 Internal Appeal

If your request is refused, you may lodge an internal appeal:

Within: 60 days of notification of refusal
To: Chief Executive Officer, Dr. Terry Ramabulana
Address: Same as Information Officer contact details

The CEO will reconsider the decision and respond within 30 days.

8.2 Court Application

You may apply to Court for appropriate relief if:

Your request is refused
The internal appeal is unsuccessful
You are dissatisfied with the access fee charged
You believe the procedure was not followed correctly

Timeframe: Application must be made within 180 days of exhausting internal remedies.

8.3 South African Human Rights Commission (SAHRC)

You may also approach the SAHRC for assistance:

PAIA Unit - South African Human Rights Commission

PAIA Unit, Promotion of Access to Information Act

The Research and Documentation Department

Postal: Private Bag 2700, Houghton, 2041

Phone: +27 11 877 3600

Fax: +27 11 403 0625

Website: www.sahrc.org.za

Email: PAIA@sahrc.org.za

8.4 Information Regulator (for POPIA-related matters)

Information Regulator (South Africa)

SALU Building, 316 Thabo Sehume Street, Pretoria, 0002

Phone: 012 406 4818

Fax: 086 500 3351

Email: inforeg@justice.gov.za

Website: www.justice.gov.za/inforeg

9. Information Officer Contact Details

Information Officer

Dr. Terry Ramabulana

CEO & Managing Director

TIS Holdings Pty Ltd

Registration: 2007/020605/07

Contact Information:

Email: compliance@tisholdings.com

Phone: +27 83 455 8115

Physical Address: 21 Woodlands Drive, Building 2, Woodmead, 2191

Deputy Information Officer

Mathilda Ramabulana

Human Capital Director

TIS Holdings Pty Ltd

Contact Information:

Email: compliance@tisholdings.com

Phone: 011 258 8500

Physical Address: 21 Woodlands Drive, Building 2, Woodmead, 2191

Business Hours

Monday to Friday: 08:00 - 17:00 (South African Standard Time)

Closed: Weekends and South African public holidays

Response Time

Requests received will be acknowledged within 3 business days. Full responses will be provided within 30 days as required by PAIA.

10. Availability of This Manual

10.1 Online Access

This PAIA Manual is available for free download at:

https://esgnavigator.ai/paia.html

10.2 Physical Copy

A printed copy of this manual is available for inspection, free of charge, at the registered office of TIS Holdings during business hours.

10.3 Request for Copy

A copy of this manual may be requested from the Information Officer. A nominal fee may be charged for printing and delivery.

10.4 SAHRC Submission

This manual has been submitted to the South African Human Rights Commission as required by PAIA Section 14.

10.5 Updates and Revisions

This manual is reviewed annually and updated as necessary.

Current Version: 1.0

Effective Date: February 16, 2026

Last Review Date: February 16, 2026

Next Review Date: February 16, 2027

Appendix A: Processing Operations Register (POPIA Section 51)

Processing Activity	Purpose	Legal Basis	Data Categories	Data Subjects	Recipients	Retention Period
ESG Navigator Authentication	Platform access control and security	Consent + Legitimate Interest	Name, Email, Role, Company, Password Hash	Platform users (internal team)	Internal only	Account lifetime + 5 years
Supplier Risk Assessment	ESG compliance monitoring and due diligence	Contract + Legitimate Interest	Company name, contact details, compliance records, ESG scores	Supplier representatives	Client organizations (with consent)	Contract duration + 7 years
AI Agent Processing	Automated ESG compliance analysis	Consent + Legitimate Interest	ESG data, compliance reports, supplier information	Corporate clients, suppliers	IBM Watsonx (processor), Anthropic Claude (processor)	7 years (JSE requirement)
Client Engagement & CRM	Business development and relationship management	Legitimate Interest	Name, email, company, job title, interaction history	Prospects, clients, partners	Internal sales team only	3 years after last contact
Financial Transactions	Invoicing, payment processing, tax compliance	Contract + Legal Obligation	Client details, payment information, invoices, tax records	Clients, suppliers	Banks, auditors, SARS	7 years (tax law)
Employee Records	HR administration, payroll, performance management	Contract + Legal Obligation	Personal details, employment contracts, payroll, performance reviews	Employees, contractors	Payroll provider, pension fund, medical aid	Employment + 5 years
Website Analytics	Platform improvement and user experience	Legitimate Interest	IP addresses, browser type, page views, session duration	Website visitors	Analytics provider (anonymized)	2 years

Appendix B: Third-Party Data Processors

Processor	Service Provided	Data Shared	Location	Safeguards
IBM Watsonx	AI orchestration and machine learning	ESG data, compliance queries	USA (cloud)	Data Processing Agreement, SOC2, ISO 27001
Anthropic Claude	AI analysis and natural language processing	Compliance queries, document analysis	USA	Business Associate Agreement, Enterprise security
Amazon Web Services (AWS)	Cloud infrastructure and serverless computing	All platform data (encrypted)	EU/USA (selectable regions)	SOC2 Type II, ISO 27001, GDPR compliance
Neon PostgreSQL	Database services	All structured data	EU/USA	Encryption at rest/transit, SOC2
Railway	Backend hosting and deployment	API data, application code	USA/EU	Container isolation, encrypted environment
Vercel	Frontend hosting and CDN	User interface, static assets	Global CDN	DDoS protection, SSL/TLS
Cloudflare	Security and DDoS protection	Network traffic, DNS requests	Global	WAF rules, rate limiting, SSL
DRATA	SOC2 compliance automation	Security controls, audit logs	USA	SOC2 certified, access controls

Note: All third-party processors operate under signed Data Processing Agreements (DPAs) that ensure POPIA and GDPR compliance. Standard Contractual Clauses (SCCs) are in place for international data transfers.

Appendix C: Categories of Data Subjects and Personal Information

1. Employees and Contractors

Identity Data: Name, ID number, passport number, date of birth
Contact Data: Email, phone, physical address
Employment Data: Job title, department, employment contract, performance reviews
Financial Data: Bank details, salary, tax number, medical aid, pension fund
Special Personal Information: Health information (for medical aid), trade union membership

2. Clients and Prospects

Identity Data: Name, company name, job title
Contact Data: Email, phone, business address
Transaction Data: Purchase history, invoices, payment records
Communication Data: Email correspondence, meeting notes, CRM records

3. Suppliers and Business Partners

Company Data: Registration number, VAT number, B-BBEE status
Contact Data: Authorized representatives, email, phone
Compliance Data: ESG scores, ISO certifications, audit reports
Financial Data: Banking details, payment terms, invoices

4. Platform Users (ESG Navigator)

Account Data: Username, email, password hash, role assignment
Usage Data: Login history, feature usage, AI agent queries
Organization Data: Company affiliation, department, access permissions

5. Website Visitors

Technical Data: IP address, browser type, device information
Behavioral Data: Pages viewed, session duration, referral source
Cookie Data: Preference settings, analytics identifiers

Appendix D: Security Safeguards

Technical Safeguards

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Authentication: JWT-based authentication, bcrypt password hashing
Access Control: Role-Based Access Control (RBAC) with least privilege principle
Network Security: Cloudflare WAF, DDoS protection, rate limiting
Database Security: Encrypted connections, parameterized queries, regular backups
Infrastructure: Serverless architecture (AWS Lambda), container isolation (Railway)

Organizational Safeguards

Data Governance: Data lineage tracking for all processing operations
Access Management: Regular access reviews, immediate revocation on termination
Training: Annual POPIA compliance training for all staff
Incident Response: 24-hour incident logging, 72-hour breach notification protocol
Vendor Management: Due diligence on all third-party processors, DPAs in place
Audit Trail: Immutable logs retained for 7 years, quarterly security reviews

Physical Safeguards

Office Security: Access control systems, visitor logs, secure document disposal
Device Management: Full disk encryption, remote wipe capability, screen lock policies
Data Center: Cloud providers with SOC2 Type II, ISO 27001 certification

Compliance Monitoring

SOC2 Pathway: DRATA-managed continuous compliance monitoring
Penetration Testing: Annual third-party security assessments
Vulnerability Management: Automated scanning, patch management protocols
Data Protection Impact Assessments: Conducted for high-risk processing

Manual Approval and Updates

This PAIA Manual has been approved by:

_________________________________

Dr. Terry Ramabulana

Chief Executive Officer & Information Officer

TIS Holdings Pty Ltd (2007/020605/07)

Date: February 16, 2026

Version: 1.0

Effective Date: February 16, 2026

Next Review Date: February 16, 2027

Revision History

Version	Date	Changes Made	Approved By
1.0	February 16, 2026	Initial PAIA Manual creation and publication	Dr. Terry Ramabulana