Legal

Compliance Posture

Last updated: June 26, 2026

SectID is engineered for regulated African institutions operating under CBK (Central Bank of Kenya), ODPC (Office of the Data Protection Commissioner), CBN (Central Bank of Nigeria), CMA (Capital Markets Authority), and peer supervisory frameworks. The platform implements tenant isolation, RBAC, append-only audit logs, and AES-256-GCM encryption at rest.

1. Regulatory Alignment

We align with the following regulatory frameworks:

  • Kenya: Central Bank of Kenya (CBK) Prudential Guidelines, Data Protection Act 2019, Proceeds of Crime and Anti-Money Laundering Act (POCAMLA)
  • Nigeria: Central Bank of Nigeria (CBN) AML/CFT Regulations, Data Protection Act 2023
  • Uganda: Bank of Uganda AML Guidelines, Data Protection and Privacy Act 2019
  • Rwanda: National Bank of Rwanda (NBR) AML/CFT Directives, Law N°058/2021 on Data Protection
  • Ghana: Bank of Ghana AML Directive, Data Protection Act 2012 (Act 843)
  • South Africa: FICA, POPIA alignment

2. Decision Support Only

Risk scores, rule attribution, and recommended actions are decision-support outputs. Your compliance officers record the final regulatory determination in the case management module. SectID provides technology and analytics; regulatory decisions remain the sole responsibility of your institution.

3. Certifications and Audits

  • SOC 2 Type II: In progress — target Q4 2026. Independent audit of security, availability, and confidentiality controls.
  • ISO 27001: Aligned — information security management system controls implemented and continuously monitored.
  • ODPC Registration: Registered — Office of the Data Protection Commissioner, Kenya.
  • Penetration Testing: Annual third-party penetration tests conducted by certified security firms.

4. Security Controls

Our platform implements the following security controls:

  • AES-256-GCM encryption at rest for PII and documents
  • Tenant isolation with organization-scoped queries
  • RBAC with least-privilege role matrix
  • Append-only audit log with hash chaining
  • Signed webhooks with HMAC-SHA256
  • API key hashing with pepper
  • Session cookies: HttpOnly, Secure, SameSite
  • TLS 1.3 for all communications
  • Multi-factor authentication (MFA) support
  • Real-time anomaly detection and alerting

5. Data Residency

We offer data residency options for the following regions:

  • Kenya (primary): Default data residency for KE tenants. Data stored in AWS af-south-1 and local data centers.
  • EU: Available on enterprise plans. Data stored in AWS eu-west-1 with GDPR alignment.
  • South Africa: Roadmap — planned for Q3 2026 via AWS af-south-1.

6. Incident Response

Security incidents are triaged within 4 hours for enterprise customers. We maintain a comprehensive incident response plan including:

  • 24/7 security monitoring and alerting
  • Defined escalation procedures
  • Customer notification within 24 hours of confirmed breaches
  • Post-incident reviews and remediations

Contact security@sectid.com for coordinated response.

7. Audit and Reporting

Enterprise customers receive access to compliance documentation including: SOC 2 bridge letters, DPIA templates, subprocessor lists, and penetration test summaries. These are available for download from the in-app trust center.

8. Contact

For compliance-related enquiries, contact our compliance team:

Email: compliance@sectid.com
Address: SectID Ltd, Nairobi, Kenya