The Mantis Model (Pty) Ltd (registration number 2018/198006/07, VAT 4450291812), trading as underwriting.life ("we", "us" or "our"), operates a secure underwriting-intelligence platform used by life insurers, reinsurers and their authorised intermediaries (our "Clients") in South Africa. The platform helps a Client assess an insurance application by retrieving and combining identity, medical, pathology and financial-crime screening information about the individual applying for cover (the "Applicant" or "data subject").
This Policy explains how we collect, use, share, secure and retain personal information, and the rights you have. It is published in line with the Protection of Personal Information Act 4 of 2013 ("POPIA") and read together with our Manual under the Promotion of Access to Information Act 2 of 2000 ("PAIA").
1. Our role: responsible party and operator
POPIA distinguishes between a responsible party (which decides why and how personal information is processed) and an operator (which processes on behalf of, and on the instruction of, a responsible party). Depending on the activity, we act in both capacities.
We act as an operator when we process Applicant information on a Client's instruction to return an underwriting result for that Client's specific application. The Client is the responsible party for its underwriting decision and for the consent obtained from the Applicant.
We act as a responsible party in our own right when we decide which data sources to query, how to verify, structure, aggregate and present results, how long to retain records, and how to secure our platform. We hold our own contracts with the third-party data sources described below.
Where we act as an operator, we process personal information only with the Client's authorisation, treat it as confidential, and apply the safeguards described below, as required by sections 20 and 21 of POPIA.
2. Information Officer
We have registered an Information Officer with the Information Regulator (registration number 2026-019341).
11 Blackenfen Crescent, Bryanston, 2191
Email: admin@underwriting.life · Telephone: 083 441 4745
3. Whose information we process and what we collect
Insurance Applicants. We do not collect this information directly from the Applicant, and Applicants do not have accounts on the platform. We receive identifying details from the Client and use them to query the data sources below. Depending on the products selected, this may include:
- Identity and contact details: full name, identity or passport number, date of birth and similar identifiers (IDV product, via Home Affairs verification).
- Health and medical information (special personal information): medical scheme claims history and pathology / laboratory results (MED and LAB products).
- Financial-crime screening: sanctions, politically-exposed-person (PEP) and adverse-media screening against the Applicant's name (AML product).
Client users. Names, work email addresses, telephone numbers, role, authentication data (including two-factor authentication secrets), and audit logs of actions taken on the platform.
Website visitors. Limited technical data (such as IP address and basic usage logs) needed to keep the site secure and functioning.
We process the minimum information necessary for each purpose and do not use Applicant information for marketing.
4. Sources of information
Applicant information is sourced from the Client and from regulated third-party data providers we query on the Client's behalf:
- Identity verification: Department of Home Affairs records, accessed through our partner OmniCheck.
- Sanctions / PEP / adverse-media screening: accessed through VerifyID.
- Medical scheme claims and pathology results: accessed through Altron Mediswitch.
We query a source only when the relevant product has been selected for a specific application and the consent conditions below are met.
5. Why we process personal information
We process personal information to: verify an Applicant's identity; retrieve and present medical, pathology and financial-crime screening information relevant to an insurance underwriting decision; produce underwriting-intelligence reports for the Client; bill Clients for checks performed; maintain the security, integrity and auditability of the platform; comply with our legal obligations; and operate and support Client accounts.
6. Lawful basis and consent
Underwriting relies on the Applicant's consent and the legitimate interests of the insurer in assessing risk under sections 11 and 27 of POPIA. Because medical and pathology information is special personal information concerning health (section 26 of POPIA), it is processed on the basis of the Applicant's consent and the authorisation in section 32 of POPIA permitting processing of health information by, or for, parties involved in insurance, subject to confidentiality obligations.
Consent is obtained by the Client from the Applicant as part of the insurance application. For medical and pathology queries, our Client maintains a signed consent authorisation that is attached to each request to the medical data source. We will not run a medical or pathology query for a Client that does not have the required consent authorisation on file. Clients warrant that they have obtained valid consent and the necessary authority before submitting an Applicant for screening.
7. Sharing of personal information
- with the Client that requested the screening, as an underwriting-intelligence report;
- with the third-party data sources above, to the extent needed to perform a requested query;
- with service providers (operators) who host or support the platform under written confidentiality and POPIA-compliant security obligations, principally our cloud hosting provider; and
- where required by law, a court order, or a lawful request from a competent authority.
We do not sell personal information and do not share it for third-party marketing.
8. Security safeguards
We maintain technical and organisational measures appropriate to the sensitivity of the information, as required by section 19 of POPIA: encryption in transit (TLS 1.2/1.3) and at rest; role-based access control on a least-privilege basis; mandatory two-factor authentication and a strong password policy for Client users; session timeouts and account-lockout controls; IP whitelisting and strict transport security on sensitive integrations; a tamper-evident audit log of access and processing activity; daily cost and volume caps; and segregation of production data. Before processing live Applicant data at scale, we subject the platform to independent security testing.
If a security compromise affecting personal information occurs, we will notify the Information Regulator and affected parties as required by section 22 of POPIA.
9. Data residency and cross-border transfers
The platform and its databases are hosted in South Africa, in Amazon Web Services' Cape Town (af-south-1) region, to support local data residency. We do not transfer personal information outside South Africa in the ordinary course of operating the service. Any future cross-border processing will only occur on a basis permitted by section 72 of POPIA, and we will update this Policy accordingly.
10. Retention and deletion
We retain personal information only as long as necessary to fulfil the purposes above, to meet record-keeping requirements applicable to insurance and financial-crime screening, and to defend or establish legal claims. Underwriting records and audit logs are retained for the periods required by law and by our Client agreements. When no longer required, information is deleted or de-identified securely. Applicant records are treated as immutable for audit integrity during their retention period and are then disposed of per our retention schedule.
11. Your rights as a data subject
Subject to POPIA, you have the right to: be notified that your information is collected or has been accessed in a compromise; request confirmation of and access to information we hold (via the PAIA process in our PAIA Manual); request correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained; object on reasonable grounds to processing; not be subject to a decision based solely on automated profiling with legal or similarly significant effects; withdraw consent where processing is based on consent; and lodge a complaint with the Information Regulator.
Because we usually process Applicant information as an operator for an insurer, the most direct route for an Applicant to exercise these rights over an insurance application is through the insurer (our Client). We assist Clients in responding to such requests and action requests that fall to us as responsible party.
12. Children's information
We process information relating to a minor only where permitted under section 35 of POPIA, including with the consent of a competent person (such as a parent or guardian) obtained by the Client, or where otherwise authorised by law. We apply additional care to any such information.
13. Complaints
If you believe we have not handled your personal information in line with POPIA, please contact our Information Officer first so we can try to resolve the matter. You also have the right to complain directly to the Information Regulator:
Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191 · P.O. Box 31533, Braamfontein, 2017
Email: POPIAComplaints@inforegulator.org.za · enquiries@inforegulator.org.za
Telephone: 010 023 5200 · Toll free: 0800 017 160
14. Changes to this Policy
We may update this Policy to reflect changes in our processing, our data sources, or the law. The current version and effective date appear at the top of this page. Material changes will be communicated to Clients.
15. How to contact us
11 Blackenfen Crescent, Bryanston, 2191
Email: admin@underwriting.life · Telephone: 083 441 4745 · Web: underwriting.life