Continuous POPIA, B-BBEE, SARS, and FSCA compliance monitoring for South African businesses. One subscription, four modules, monitored continuously, reported monthly.
Covers
POPIA
B-BBEE
SARS
FSCA
The four modules are live. Onboarding the first 25 pilot tenants free · Built by a CA(SA) in Cape Town
Monitored continuously, reported monthly. Reports land in your dashboard and email. Cross-module flags surface where a finding in one regulator affects another.
01POPIA
POPIA Compliance
POPIA compliance scan. Foundational, always runs. SEO, AI-search visibility, security, performance and accessibility checks are included in every Pro and Enterprise scan.
SEO, GEO, Security, Performance and Accessibility checks included in every Pro and Enterprise scan
Regulatory changes tracked and surfaced in your dashboard
02B-BBEE
B-BBEE Scorecard
Auto-calculate your Generic, QSE, or EME scorecard with EME / QSE / Generic auto-classification, priority sub-minimum knock-down, and Modified Flow-Through (MFT) ownership. Pro tier adds gap analysis, sector benchmark, and audit-ready PDF evidence.
Gap analysis — smallest-cost lever to the next level
Indicative sector benchmark (13 sectors, from the B-BBEE Commission Status & Trends 2024 report, reviewed quarterly)
Audit-ready PDF evidence package
03SARS
SARS Submissions
VAT201 + EMP201 + EMP501 readiness scoring against your books before the deadline. Catches missing supplier VAT numbers, payroll anomalies, IRP5 reconciliation gaps, and the 2026 SARS TRN-rejection rule pre-submission. Tracks every VAT refund's 21-day SLA and auto-drafts SARS / Ombud escalation at the 60- and 90-day thresholds.
Score your FAIS readiness across CPD, complaints, conflicts of interest, fit-and-proper, and Joint Standard 2 of 2024 cyber. v2.0 adds the audit-prep automation suite — Komply drafts the artefacts external COs charge R5-15k/yr to produce.
Per-Key-Individual / per-Representative (KI / Rep) CPD ledger (BN 194 § 12 hours target by class count)
Complaints register with GCC § 19 working-day SLA clock
Annual Internal Compliance Monitoring Programme (ICMP) report generator — Komply drafts; human signs off (Pro+)
FAIS Ombud response bundler with 6-week countdown (Pro+)
FSCA debarred-register check at every hire + Pro+ weekly re-check
FAIS § 11 material change notification letter — auto-detect + PDF
COI Management Policy generator + sign-off + supersedes-chain (Pro+)
§02The stakes
The compliance landscape moved in 2025. If your last audit was annual, you're already behind.
Three ways to buy. The full Compliance OS bundle, a single module if you only need one regulator, or a once-off audit pack for one cycle. Annual prepay on subscriptions gets two months free. Cancel any time — access continues to the end of the paid period.
Starter
POPIA + B-BBEE + SARS + FSCA basics. For SMBs under R20M revenue.
R750/ month
excl. VAT
POPIA monthly compliance scan (1 domain)
B-BBEE Scorecard Calculator with EME / QSE / Generic auto-classification
All prices excl. VAT. Annual prepay: 2 months free, no setup fee. Pilot pricing: free during the pilot for the first 25 tenants — the once-off R5,000 setup fee is waived. Standard pricing applies after the pilot; monthly non-pilot plans then include a once-off R5,000 setup fee on the first month, also waived on annual plans.
Or by module
Need just one regulator?
Subscribe to a single module at full Pro feature depth. All four à la carte add up to R7,800/mo. The Pro bundle above gets you the same modules for R3,500 — a 55% saving if you need more than one regulator covered.
+ once-off R5,000 setup fee on first month — waived for pilot tenants and on annual plans.
POPIA
POPIA
R1,500/ month
excl. VAT · Pro feature depth
Monthly scan across 5 domains + remediation artefact generator + regulatory changes tracked in your dashboard. Pro feature depth on the single module.
A once-off pack with a defined deliverable. Pay once, get 90 days of Pro access, decide on a subscription after.
FSCA·Once-off
FSCA ICMP 2026
Generate your annual ICMP, draft FAIS Ombud responses, produce your COI Management Policy, register your KIs, and run debarred-register checks. External compliance officers charge R5,000–R15,000/year just for the ICMP — Komply's audit-prep automation handles it in one workspace, then leaves the door open to convert to a Pro subscription.
The four modules — POPIA, B-BBEE, SARS, and FSCA — are live. Komply is onboarding the first 25 pilot tenants free: join the waitlist and we'll invite you in order. Standard pricing applies after the pilot; the R5,000 setup fee is waived for pilot tenants.
02What does the POPIA scan check?
Privacy policy presence and accessibility, cookie consent semantics, data-subject rights notice, Information Officer designation, mail-server DNS hygiene (SPF / DKIM / DMARC), TLS configuration, server response headers, and third-party tracker enumeration. Findings cite POPIA section numbers and link to the Information Regulator's published guidance.
03What are the website-audit add-ons?
SEO (meta tags, structured data, sitemap), GEO (Generative Engine Optimisation — JSON-LD and AI-agent crawlability), Security (headers, exposed files, server hygiene), Performance (HTTP/2, response time, render-blocking scripts), and Accessibility (alt text, form labels, heading hierarchy, language declaration). These checks are included in every Pro and Enterprise scan.
04Does Komply fix POPIA findings for me?
Pro and Enterprise tenants can generate ready-to-paste remediation artefacts directly from each finding card — privacy-policy section text, cookie-consent banner code, data-subject-rights notice, and Information Officer designation block. Each artefact is a deterministic template citing the Information Regulator's Code of Conduct; review with your legal advisor before publishing. Enterprise additionally surfaces a "Book a CA(SA) remediation session" deep-link for hands-on review.
05What FAIS obligations does the FSCA module cover?
Continuous Professional Development (BN 194 § 12), complaints management (GCC § 19 — 5 working days to acknowledge, 20 to resolve), conflicts of interest (GCC § 3A) including the parent COI Management Policy, fit-and-proper file currency (BN 194 §§ 6, 11), cyber incident logging per Joint Standard 2 of 2024, the FAIS § 11 material change notification (15 calendar days), the FSCA debarred-persons register check at every hire, the annual ICMP report (FAIS § 17(1)(d) + Conduct Standard 4/2024), and the FAIS Ombud response package (6-week deadline). Out of scope in v2.0: suitability assessment record-keeping (GCC § 8), the Representative Register XML helper (v2.1), and the cyber prescribed-window timer (v2.1, when the Determination on Notification Requirements is gazetted).
06Does Komply draft my annual ICMP report?
Pro tenants get a Komply-drafted Internal Compliance Monitoring Programme report covering the prior 12 months across CPD, complaints, COI, fit-and-proper, and cyber. Each section is composed from the live register data; with ANTHROPIC_API_KEY configured, narrative paragraphs are LLM-drafted in a restrained junior-compliance-analyst voice (Claude Haiku 4.5) — without the key, deterministic templates ship. You edit every section before sign-off; the FSP principal owns the submitted document. External COs charge R5,000-R15,000/year for the same artefact.
07Can Komply bundle my FAIS Ombud response?
Yes — Pro tenants get a one-click "Generate Ombud response" inline on any escalated complaint. Komply composes a 6-page package: chronology from the existing register, FSP narrative (LLM-augmented or deterministic), supporting-evidence list (the rep's CPD records, prior complaints touching the same KI, COI disclosures), and a Komply audit-trail certificate. The 6-week submission window counts down on the response detail page. You review, edit, and submit to the FAIS Ombud — Komply doesn't auto-submit.
08Does Komply check the FSCA debarred-persons register at hire?
Yes — on every new Key Individual or Representative you add via /dashboard/fsca/key-individuals/new. Komply mirrors the FSCA debarred register weekly and fuzzy-matches the candidate name + (optional) SA-ID last 4. Strong matches (same name + same ID4) block creation unless you tick the override box and provide a written reason. Possible matches (name only, no ID confirmation) surface for review but don't auto-block — common surname duplicates would otherwise create false rejections. Pro tenants additionally get a weekly re-check across the active roster with an email alert when a new match surfaces.
09Does Komply submit to the FSCA on my behalf?
No. The FSCA's submission surfaces (FAIS Online, SmartReg, the Representative Register XML upload) are FSP-credentialed — there's no third-party API. Komply keeps your CPD ledger, complaints register, COI matrix and fit-and-proper file current, generates the audit-ready PDF, and surfaces deadlines. You still upload to the FSCA portals yourself.
10How is the FSCA module different from Moonstone?
Moonstone is consulting + training + tooling bundled. Komply is the tool — a continuous readiness dashboard you keep current between Moonstone's audits or your in-house Compliance Officer's reviews. Komply scores your readiness against published obligations; it doesn't replace the Compliance Officer's professional judgment.
11Who is Komply for?
Built for SA businesses from ~R10M revenue: Starter suits sub-R20M, Pro and Enterprise scale with you. The fit is strongest where there's government procurement exposure, regulated-industry status (financial services, health, telecoms, education), or significant personally-identifiable customer data. Decision-makers are CFOs, COOs, Compliance Officers, or owner-operators.
12How do the four modules work together?
Single tenant dashboard, single subscription, single login. Each module is monitored continuously and reported monthly. Cross-module flags surface where one regulator's finding affects another — a POPIA cookie violation that affects a BEE submission, a SARS anomaly that ties to a FSCA disclosure. One source of truth for your compliance posture.
13What about my existing compliance tools?
Komply replaces fragmented per-regulator tooling with one platform. Enterprise onboarding includes an audit of your existing compliance stack to identify consolidation opportunities. We don't ask you to throw away what works — we ask you to stop maintaining five separate tools and twenty separate logins.
14Is my data secure?
Yes. Per-tenant Row-Level Security on every table. Encryption at rest and in transit. POPIA-compliant Data Processing Agreement signed at onboarding. Compliance evidence stored under per-tenant Supabase Storage buckets with RLS policies.
15Why not just hire a compliance consultant?
Consultants are excellent for one-off audits, regulatory opinions, and complex remediation. Komply is built for the other 50 weeks of the year — continuous monitoring at a price and frequency human consultants cannot match. Most tenants run both: Komply for monitoring, a consultant for the heavy lifts.