Trust Center

Security, privacy, and resilience — by design.

Every document your business entrusts to us is protected by enterprise-grade controls, audited compliance, and a platform engineered for continuous operation. Built on Microsoft Azure — the cloud trusted by governments, financial institutions, and regulated industries worldwide.

Security

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Zero-trust access — MFA required
  • Role-based access with least-privilege enforcement
  • Isolated environments for sensitive workloads
  • 24×7 monitoring by Microsoft’s global security operations
  • AI-driven threat defense via Azure

Privacy

  • Data minimization — we collect only what is needed
  • Purpose limitation — never used for anything you didn’t agree to
  • No selling of personal data, ever
  • Region-scoped storage in Azure datacenters
  • Clear privacy notices — no hidden clauses
  • Full GDPR, CCPA, and global-rights support

Resilience

  • Redundant Azure regions with automated failover
  • Defense-in-depth across every architectural layer
  • Continuous vulnerability scanning
  • Regular independent penetration testing
  • Documented incident response procedures
  • Transparent uptime and service-health reporting

Africa

Built for African compliance.

Our platform is designed to help businesses and the professionals who serve them meet the specific data protection, privacy, and electronic-transaction obligations they operate under across the continent — from the African Union’s continental framework down to country-level statutes.

Continental framework

AU Malabo Convention

Adopted 2014 · In force since 2023

African Union Convention on Cyber Security and Personal Data Protection — the binding continental instrument setting a common baseline for cybersecurity obligations, personal-data handling, and electronic-transaction law across member states.

Cross-border trade

AfCFTA Digital Trade Protocol

Adopted 2024

The protocol under the African Continental Free Trade Area governing lawful cross-border data flows, e-transactions, and digital commerce — unlocking a $3.4 trillion single market for verified, interoperable business documentation.

Common denominator

Nine requirements that apply across the continent.

GDPR alignment covers most of this floor. The items below flag the obligations every African data-protection regime expects you to meet — and mark the places where local rules reach further.

  01. Lawful basis

    A documented legal ground for every processing activity — consent, contract, legitimate interest, or statutory authority.

  02. Minimization & purpose

    Collect only what is needed; use it only for the purposes the data subject was informed of.

  03. Data-subject rights

    Access, correction, deletion, objection — plus portability in most jurisdictions — with a time-bound response window.

  04. Security measures

    Technical and organizational controls scaled to the risk — encryption, access control, monitoring, resilience.

  05. Breach notification

    Notify the regulator within 48–72 hours depending on jurisdiction; notify affected subjects when risk is high.

  06. Sensitive-data consent

    Explicit, separable, revocable consent for health, biometric, financial, and other special-category data.

  07. Cross-border transfer

    Adequacy, explicit consent, or regulator approval — with data-localization duties in Nigeria, Kenya, Rwanda, and Egypt.

  08. Regulator registration

    Mandatory controller and processor registration in most West, East, and Southern African jurisdictions.

  09. Accountability artifacts

    Records of processing, DPIAs for high-risk flows, DPO where thresholds apply, and documented internal policies.

GDPR parity: Items 01–06 are satisfied by GDPR-aligned controls. Items 07–09 are where African regimes most often extend beyond GDPR — data localization, mandatory regulator registration, and local representatives for non-resident controllers.

Data residency

Stored in Johannesburg, transferred with explicit consent.

Primary storage is Microsoft Azure South Africa North — Microsoft’s enterprise datacentre region in Johannesburg. For data subjects outside South Africa this is a cross-border transfer, and the platform is engineered to treat it as such.

Default posture

Azure South Africa North

Johannesburg · Microsoft Azure

  • ISO 27001, SOC 2, HIPAA, and GDPR aligned at the region level
  • Explicit cross-border-transfer consent captured at account creation
  • POPIA-equivalent safeguards — recognised by most African regimes as adequate protection
  • Data Processing Agreement with Microsoft; standard Azure DPA in force
  • Records of processing documenting purpose, lawful basis, and receiving entity

Additional arrangements

In-country options

Where local rules reach beyond consent

  • Nigeria — local representative and in-country replica for payment and banking data (CBN requirement)
  • Egypt — prior transfer authorisation via the Personal Data Protection Centre
  • Rwanda — NCSA authorisation or layered explicit consent for regulated categories
  • Francophone jurisdictions — DPA transfer filings where required (Algeria, Tunisia, Morocco, West-African regimes)
  • Enterprise customers can request a jurisdiction-specific architecture review

Country-level data protection

National statutes the platform is designed to support.

Algeria

Law No. 18-07 on Personal Data Protection (2018)

National Authority for Personal Data Protection (ANPDP)

Angola

Personal Data Protection Law No. 22/11 (2011)

Data Protection Agency (APD)

Benin

Digital Code — Law No. 2017-20 (2017)

Personal Data Protection Authority (APDP)

Botswana

Data Protection Act No. 32 of 2018

Information and Data Protection Commission

Burkina Faso

Law No. 010-2004/AN on Personal Data Protection (2004)

Commission de l’Informatique et des Libertés (CIL)

Cape Verde

Law No. 133/V/2001 on Personal Data Protection

National Data Protection Commission (CNPD)

Chad

Law No. 007/PR/2015 on Personal Data Protection

National Agency for IT Security and Electronic Certification

Congo (Brazzaville)

Law No. 29-2019 on Personal Data Protection

ARPCE

Côte d’Ivoire

Law No. 2013-450 on Personal Data Protection

ARTCI

DR Congo

Digital Code — Law No. 23/010 (2023)

Ministry of Digital Affairs

Egypt

Personal Data Protection Law No. 151 (2020)

Personal Data Protection Centre

Eswatini

Data Protection Act No. 5 of 2022

Eswatini Communications Commission

Gabon

Law No. 001/2011 on Personal Data Protection

CNPDCP

Ghana

Data Protection Act (2012)

Data Protection Commission

Guinea

Law L/2016/037/AN on Cybersecurity & Personal Data (2016)

National Cybersecurity Authority

Kenya

Data Protection Act (2019)

Office of the Data Protection Commissioner

Lesotho

Data Protection Act (2011)

Data Protection Commission

Madagascar

Law No. 2014-038 on Personal Data Protection

Malagasy Commission for Informatics & Liberties (CMIL)

Malawi

Data Protection Act (2024)

Malawi Communications Regulatory Authority

Mali

Law No. 2013-015 on Personal Data Protection

Personal Data Protection Authority (APDP)

Mauritania

Law No. 2017-020 on Personal Data Protection

National Data Protection Authority

Mauritius

Data Protection Act (2017)

Data Protection Office

Morocco

Law 09-08 on Personal Data Protection

CNDP

Niger

Law No. 2017-28 on Personal Data Protection

High Authority for Personal Data Protection (HAPDP)

Nigeria

Nigeria Data Protection Act (2023)

Nigeria Data Protection Commission

Rwanda

Law N° 058/2021 on Personal Data Protection

National Cyber Security Authority

São Tomé & Príncipe

Law No. 03/2016 on Personal Data Protection

National Data Protection Commission

Senegal

Law No. 2008-12 on Personal Data Protection

Commission for Personal Data Protection

Seychelles

Data Protection Act (2003)

Data Protection Commissioner

South Africa

POPIA — Protection of Personal Information Act (2013)

Information Regulator

Tanzania

Personal Data Protection Act (2022)

Personal Data Protection Commission

Togo

Law No. 2019-014 on Personal Data Protection

Personal Data Protection Authority (IPDCP)

Tunisia

Organic Law No. 2004-63 on Personal Data Protection

National Authority for Personal Data Protection (INPDP)

Uganda

Data Protection and Privacy Act (2019)

Personal Data Protection Office

Zambia

Data Protection Act (2021)

Office of the Data Protection Commissioner

Zimbabwe

Cyber and Data Protection Act (2021)

POTRAZ

The platform is designed to support every African jurisdiction with a ratified national data protection statute. Where draft legislation is pending (e.g. Namibia, Mozambique) we track enactment and add coverage as laws come into force. We’re happy to provide a jurisdiction-specific compliance brief on request.

Certifications & frameworks

Aligned with the standards regulated industries require.

Our infrastructure inherits Microsoft Azure’s comprehensive compliance portfolio — backed by Microsoft’s $1B+ annual security investment and 10,000+ cybersecurity experts — and we layer our own controls on top so your obligations are met without chasing paperwork.

ISO 27001

Information security management

SOC 1 · 2 · 3

Security, availability, confidentiality

GDPR

EU data protection regulation

HIPAA

Health information privacy

PCI DSS

Payment card data security

FedRAMP High

US federal cloud security (via Azure)

Your data

Under your control, always.

Every right a modern privacy framework grants — backed by clear self-service tools and human support when you need it.

  • Access — see exactly what we hold
  • Correction — update inaccurate information
  • Deletion — request removal of your data
  • Portability — export your records anytime
  • Objection — control how your data is used

Governance

Run by discipline, not promises.

The internal controls behind the platform — applied every day, not every quarter.

  • Comprehensive audit logging of every access
  • Strict change-management & peer review
  • Configurable retention & deletion policies
  • Regular internal and independent audits
  • Time-bound sharing with immediate revocation

  • 99.9% · Service uptime target
  • 24×7 · Security operations monitoring
  • AES-256 · Encryption at rest
  • TLS 1.3 · Encryption in transit

Questions?

Our security team answers questions about posture, compliance, and data handling for companies evaluating the platform.