Last updated: 9 March 2026

Privacy Policy

This Privacy Policy describes how Mobisec Cloud (Pty) Ltd, developer of the OmniTrust Identity Platform and the OmniLock Mobile Device Management suite (collectively "OmniTrust", "we", "us", or "our"), collects, uses, and protects your personal information. This policy is aligned with the Protection of Personal Information Act, 4 of 2013 (POPIA) of South Africa.

By accessing or using the OmniTrust platform at https://sts.mobisec.cloud, you agree to the collection and use of information in accordance with this Policy.

1. Who We Are

Responsible Party (as defined under POPIA):

2. Information We Collect

2.1 Identity & Account Data

When you register or are enrolled on the OmniTrust platform, we may collect:

  • Full name and email address
  • Hashed password (never stored in plain text)
  • Phone number (for MFA / OTP delivery)
  • Organisation / tenant association

2.2 Device Data (OmniLock MDM)

For devices enrolled in the OmniLock Mobile Device Management solution, the following device-level information is collected for management and security purposes:

  • Device identifiers (IMEI, serial number, hardware ID)
  • Device manufacturer, model, and operating system version
  • Enrolled application list (for policy compliance)
  • Active compliance and policy status
  • Device geofence status (if enabled by your organisation)

Device content, personal messages, calls, or photos are never accessed or stored by OmniLock.

2.3 Usage & Audit Data

We automatically collect security audit data to protect your account and detect fraudulent activity, including:

  • IP address of login attempts
  • Browser type and user agent string
  • Timestamp and outcome of authentication events
  • MFA challenge outcomes (pass / fail)

3. Cookies

OmniTrust uses strictly necessary session cookies to authenticate users and maintain secure sessions. We do not use advertising or marketing cookies.

  • Session Cookies: Required to keep you logged in during your session. Deleted when you close your browser.
  • Persistent Authentication Cookies: Set only when you select "Remember Me". Expires after 14 days.
  • Anti-Forgery Tokens: Required for form security (CSRF protection). Session-scoped.

You may disable cookies in your browser settings, but this will prevent you from logging in to the platform.

4. How We Use Your Information

  • Authentication & Access Control: To verify your identity and grant secure access to connected applications.
  • Multi-Factor Authentication (MFA): To deliver OTP codes via email or Telegram to verify your identity.
  • Device Management: To apply compliance policies to enrolled devices via OmniLock.
  • Security Monitoring: To detect brute-force attacks, unusual login patterns, and account takeover attempts.
  • Legal Obligations: To retain audit logs as required by applicable South African law.

5. Sharing of Personal Information

We do not sell your personal information. We may share information only in the following limited circumstances:

  • With Your Organisation: Your employer or tenant administrator can view the accounts and devices they manage under their OmniLock subscription.
  • Infrastructure Providers: We use cloud infrastructure providers (e.g., Oracle Cloud) who process data on our behalf under strict data processing agreements.
  • Legal Compliance: We may disclose information if required to do so by a South African court, law enforcement authority, or regulatory body.

6. Data Retention

  • Account Data: Retained for the duration of the active account, plus 12 months after account deactivation.
  • Audit & Security Logs: Retained for 24 months.
  • Device Enrolment Records: Retained until the device is actively unenrolled and the retention period lapses (12 months).

7. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your personal information (subject to legal retention obligations).
  • Object to the processing of your personal information.
  • Lodge a complaint with the Information Regulator of South Africa at www.justice.gov.za/inforeg.

To exercise any of these rights, contact us at support@mobisec.cloud.

8. Security

OmniTrust employs industry-standard security controls including TLS 1.2+ encryption in transit, bcrypt password hashing, rate limiting, audit logging, and zero-trust device access policies through OmniLock. No method of transmission over the internet is 100% secure; we continuously work to improve our security posture.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users via email and by updating the "Last updated" date above. Continued use of the Service after changes constitutes your acceptance of the revised Policy.

Terms of Service

These Terms of Service ("Terms") govern your access to and use of the OmniTrust Identity Server and OmniLock MDM platforms operated by Mobisec Cloud (Pty) Ltd. By using the Service, you agree to be bound by these Terms. If you do not agree, you must not use the Service.

1. Definitions

  • "Service" — The OmniTrust Identity Server (accessible at https://sts.mobisec.cloud) and the OmniLock MDM platform.
  • "Tenant" — An organisation that subscribes to OmniTrust/OmniLock and manages its users and devices within the platform.
  • "User" — An individual who authenticates via OmniTrust, whether an end-user or an administrator.
  • "Device" — A mobile or computing device enrolled into OmniLock by a Tenant.

2. Acceptable Use

You agree not to:

  • Attempt to gain unauthorised access to any account, system, or network connected to OmniTrust.
  • Reverse-engineer, decompile, or otherwise attempt to extract the source code of the platform.
  • Use the Service to transmit malicious code, conduct phishing, or launch denial-of-service attacks.
  • Share, sell, or sub-license access to your OmniTrust credentials.

3. Tenant Responsibilities (OmniLock)

Tenants who use OmniLock for Mobile Device Management agree that:

  • They have obtained valid informed consent from all enrolled device users as required by POPIA.
  • They will only apply policies that are proportionate, lawful, and communicated to the device user.
  • They bear full responsibility for the lawfulness of the MDM policies they configure and enforce.

4. Service Availability

We strive to maintain high availability of the OmniTrust platform. However, we do not guarantee uninterrupted access. Scheduled maintenance windows will be communicated in advance where practicable. We are not liable for losses arising from planned or unplanned downtime.

5. Limitation of Liability

To the maximum extent permitted under South African law, Mobisec Cloud (Pty) Ltd shall not be liable for any indirect, incidental, special, or consequential damages arising from your use of or inability to use the Service, including but not limited to loss of data, loss of revenue, or security breaches caused by third-party actors.

6. Governing Law

These Terms are governed by and construed in accordance with the laws of the Republic of South Africa. Any disputes arising from these Terms shall be subject to the exclusive jurisdiction of the South African courts.

7. Contact

For questions about these Terms or to report a security concern, please contact us at: