Oracle Cloud comes to Johannesburg: Meeting compliance obligations in South Africa

January 18, 2022 | 5 minute read
Alex Cruft
Principal Program Manager
Elizabeth Hernandez
Senior Program Manager, Compliance

The wait is over! We’re incredibly excited to say that the Oracle Cloud region in Johannesburg is now live and ready for action.

You might have heard the recent announcement that Oracle Cloud Infrastructure (OCI) is building 14 new regions over the next year. With our scaled approach to region builds, we’re working to quickly expand the benefits of OCI to new countries, including South Africa. A lot goes into building an OCI region, from site planning and construction to the actual deployment. We need to anticipate customers’ needs specific to that region, especially any extra regional compliance requirements.

To support customers with regulated workloads, OCI regions are delivered to commercial compliance standards such as International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Service Organization Control (SOC), and others. For more information on OCI’s compliance attestations, visit the Oracle Cloud Compliance page.

Oracle has made an effort to understand how OCI services can help customers meet their local compliance requirements in South Africa. OCI customers are responsible for their regulatory compliance in their use of Oracle Cloud services. The following sections provide a few examples of regulatory considerations for South African customers evaluating cloud infrastructure.

Supporting data privacy requirements in South Africa

One local compliance program that we’ve considered and provided documentation on is the Protection of Personal Information Act (POPIA). POPIA is a South African law intended to promote the protection of personal information processed by public and private bodies. POPIA sets general conditions for public and private entities to lawfully process South African data subjects’ personal information.

Let’s look at “Condition 7: Security Safeguards” of Chapter 3 Part A as an example:

“A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent— (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.”

Customers are responsible for determining the suitability of a cloud service in the context of this requirement. You must ensure that your use of the cloud service and business processes meet these requirements.

OCI offers the following services and features that can help you meet these requirements:

  • Cloud Guard is a cloud native service that helps customers monitor, identify, achieve, and maintain a strong security posture on Oracle Cloud. Use the service to examine your OCI resources for security weaknesses related to configuration, and your OCI operators and users for risky activities. When it detects a weakness, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration. For more information, see the Cloud Guard documentation.

  • Oracle Vulnerability Scanning service helps improve your security posture by routinely checking your cloud resources for potential security risks. The service generates reports with metrics and details about these vulnerabilities. For more information to get started, see the Vulnerability Scanning documentation.

With the publication of the advisory, Oracle Cloud Infrastructure and the South African Protection of Personal Information Act, 2013 (POPIA), Oracle provides specific information to help customers determine the suitability of using OCI services in the context of POPIA.

Assisting financial services companies in their digital transformation

Regulated entities in the financial industry face unique requirements when using cloud computing to power their digital transformation strategies. For South African financial institutions, guidelines published by the South African Reserve Bank (SARB) must be considered when evaluating a cloud service provider.

SARB is responsible for regulating cross-border transactions, preventing the abuse of the financial system, and supporting financial institution regulations in Africa. For example, SARB’s Outsourcing of Functions within Banks Guidelines, Guidance Note 5 of 2014 (G5/2014) in the SARB Guidelines provides guidelines financial institutions should consider when evaluating a cloud service provider. The SARB Guidelines provide factors regarding risks and responsibilities related to the outsourcing of material business activities and functions for banks, controlling companies, eligible institutions, and auditors of banks to consider.

As another example, Chapter 6.5 “Outsourcing Contracts” paragraph 6.5.1 addresses contracting practices for financial institutions in Africa when outsourcing material business activities and functions by stating:

“The importance of a comprehensive outsourcing agreement, including SLAs cannot be overemphasized and all outsourcing arrangements should be contained in a documented, legally binding agreement or contract.”

Oracle’s cloud contract structure supports financial institutions in meeting these SARB Guidelines. Oracle offers the Oracle Financial Services Addendum (FSA) as an add-on to the Cloud Service Agreement, which covers various topics typically required for financial institutions, such as audit rights for customers and their regulators, termination rights, exit provisions and transition services, business continuity, and sub-outsourcing obligations. OCI service level agreements (SLAs) are covered in Section 3 of the Oracle Cloud Hosting and Delivery Policies, which provides contractual commitments for SLAs, covering availability, manageability, and performance.

Oracle offers a complete suite of solutions created for financial services institutions. This suite brings cloud capabilities to your core platforms while complying with data residency and security constraints and can assist you in meeting your SARB requirements. To learn more about our financial services tools, see Cloud Infrastructure for Financial Services.

Demonstrating a commitment to equality

Another important regulation for Oracle and its customers to consider is the Broad-Based Black Economic Empowerment (B-BBEE) Act. B-BBEE provides a mandate for the transformation of South Africa’s economy. The fundamental objective of the B-BBEE Act “is to advance economic transformation and enhance the economic participation of black persons in the South African economy.”

The B-BBEE Act provides a legislative framework for the promotion of BEE by empowering the minister of trade and industry to issue Codes of Good Practice. The latest Codes of Good Practice on BEE were published in the Government Gazette No. 36928, 11 October 2013, which provides the framework for companies to be rated. “The South African Government’s approach is that BEE must be an inclusive process and not an exclusive process. No economy can grow by excluding any part of its people and an economy that is not growing cannot integrate all of its citizens in a meaningful way.” (South Africa’s Economic Transformation: A Strategy for Broad-Based Black Economic Empowerment-2003; p13)

As a global company, we operate all over the world. What unites us across countries and helps us achieve our goals is our shared values: integrity, mutual respect, teamwork, communication, innovation, customer satisfaction, quality, fairness, compliance, and ethics. To demonstrate this, Oracle Corporation in South Africa has achieved Level 2 B-BBEE Contributor Status for the second consecutive year. Level 2 status demonstrates Oracle’s commitment to and investment in the South African economy.

Investing in new regions

With the new Johannesburg Oracle Cloud data region, our customers in South Africa and neighbouring countries can harness the power of OCI to unlock innovation and drive business growth.

OCI continues to invest in features and services to help our customers address their security and compliance needs. For more information about OCI compliance programs, see Oracle Cloud Compliance. To request copies of our compliance reports, use the Compliance Documents service in the Oracle Cloud Console.

We’re deeply committed to making our customers successful in the cloud. For more information on using Oracle Cloud in South Africa, contact one of our representatives.
