Insurance compliance, rebuilt from first principles.
A multi-tenant risk management platform for South African insurance brokers. POPIA-compliant and FSCA-audit-ready.
The challenge
Mitig8's existing platform had been built under deadline pressure with no compliance architecture. POPIA requirements were handled at the application layer with no schema-level enforcement. Multi-tenancy was incomplete: tenants shared tables, and isolation depended on organisation-level filtering in application queries, so any query that omitted the filter exposed other tenants' data. The FSCA audit was 90 days away.
Our approach
We started with a full schema audit. Every table containing personal information was identified, mapped to its entry in the record of processing activities (ROPA), and assessed for row-level security (RLS) coverage. We found 14 tables with inadequate tenant isolation and 6 with missing audit trails.
The migration was executed in parallel with live operations, with no downtime. We introduced Entra B2C for identity, Azure Container Apps for all application services, and a new audit log architecture that captured every write to regulated tables with actor, timestamp, and before/after state.
POPIA consent management was rebuilt as a first-class schema feature. Each data subject has a consent record with timestamp and version. Deletion requests cascade via database trigger to all related tables.
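The three schema-level controls described above (tenant isolation enforced by row-level security rather than by application filters, an audit trail that records actor, timestamp and before/after state for every write to a regulated table, and consent records with trigger-driven deletion cascades) fit together in a small worked example. The following is an added illustration, not Mitig8's schema or code. It assumes PostgreSQL, which the page does not name, and the table names, the `app.org_id` and `app.actor` session settings, and the sample UUID and rows are all constructed for the example.

```sql
-- Added example (assumed PostgreSQL). Not the platform's real schema.

-- Every regulated table carries the tenant id, and RLS compares it with a
-- session setting that the application sets from the validated identity token.
CREATE TABLE data_subject (
    id        bigserial PRIMARY KEY,
    org_id    uuid NOT NULL,
    full_name text NOT NULL,
    id_number text NOT NULL
);

CREATE TABLE consent (
    id              bigserial PRIMARY KEY,
    org_id          uuid NOT NULL,
    data_subject_id bigint NOT NULL REFERENCES data_subject(id),
    purpose         text NOT NULL,
    policy_version  text NOT NULL,
    granted_at      timestamptz NOT NULL DEFAULT now(),
    withdrawn_at    timestamptz
);

-- Deny by default: RLS enabled and forced even for the table owner; with the
-- setting unset, current_setting() returns NULL and no row matches.
ALTER TABLE data_subject ENABLE ROW LEVEL SECURITY;
ALTER TABLE data_subject FORCE ROW LEVEL SECURITY;
ALTER TABLE consent ENABLE ROW LEVEL SECURITY;
ALTER TABLE consent FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_isolation ON data_subject
    USING (org_id = current_setting('app.org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);
CREATE POLICY tenant_isolation ON consent
    USING (org_id = current_setting('app.org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);

-- Append-only audit log. Rows are written by the trigger below, not by the
-- application, and nobody gets UPDATE or DELETE on it.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor       text NOT NULL,
    table_name  text NOT NULL,
    row_id      bigint,
    operation   text NOT NULL,
    old_row     jsonb,
    new_row     jsonb
);
REVOKE UPDATE, DELETE ON audit_log FROM PUBLIC;

-- SECURITY DEFINER so the application role needs no direct privilege on
-- audit_log; the actor comes from a per-request session setting.
CREATE OR REPLACE FUNCTION audit_regulated_write() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO audit_log (actor, table_name, row_id, operation, old_row, new_row)
    VALUES (
        current_setting('app.actor', true),
        TG_TABLE_NAME,
        COALESCE(NEW.id, OLD.id),
        TG_OP,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN COALESCE(NEW, OLD);
END $$;

CREATE TRIGGER audit_data_subject
    AFTER INSERT OR UPDATE OR DELETE ON data_subject
    FOR EACH ROW EXECUTE FUNCTION audit_regulated_write();
CREATE TRIGGER audit_consent
    AFTER INSERT OR UPDATE OR DELETE ON consent
    FOR EACH ROW EXECUTE FUNCTION audit_regulated_write();

-- Deletion request: a BEFORE DELETE trigger removes dependent rows first, so
-- the FK is satisfied and every removed child row is itself audited.
CREATE OR REPLACE FUNCTION cascade_subject_deletion() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    DELETE FROM consent WHERE data_subject_id = OLD.id;
    RETURN OLD;
END $$;

CREATE TRIGGER cascade_data_subject_delete
    BEFORE DELETE ON data_subject
    FOR EACH ROW EXECUTE FUNCTION cascade_subject_deletion();

-- Per-request setup done by the application after validating the token.
-- SET LOCAL is transaction-scoped, so a pooled connection cannot carry one
-- tenant's context into the next request.
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';  -- constructed
SET LOCAL app.actor  = 'user:broker@example.test';              -- constructed
INSERT INTO data_subject (org_id, full_name, id_number)
VALUES ('11111111-1111-1111-1111-111111111111', 'Example Person', '0000000000000');
INSERT INTO consent (org_id, data_subject_id, purpose, policy_version)
VALUES ('11111111-1111-1111-1111-111111111111', 1, 'claims processing', 'v3');
DELETE FROM data_subject WHERE id = 1;   -- cascades to consent, both audited
COMMIT;
```

Two points a practitioner would check when adopting this pattern. First, `app.org_id` must be derived server-side from the validated token claim, never from a request parameter, or the RLS policy only enforces whatever the caller asserts. Second, the audit log deliberately retains the before-state of deleted records, so the audit table's own retention period and lawful basis need to be documented alongside the deletion cascade rather than assumed.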
The outcome
Platform passed FSCA audit on first submission. Zero findings on POPIA data isolation. Audit log coverage reached 100% on all regulated records. The engineering team reduced from 6 contractors to 2 full-time engineers on retainer.
Building something similar?
30 minutes. We'll tell you what we think.
