| Legal basis & lawful processing |
Configurable consent, contract, legal obligation and legitimate interest bases; consent capture logged with timestamp, source, and version. |
Full Article 6 basis set supported. Sensitive data requires explicit consent workflow and separate audit trail. |
Processing conditions 1-8 supported through role scoping, purpose tags on data categories, and processing-purpose banners at capture. |
Lawful bases aligned to NDPA §25; sensitive personal data flows gated by explicit consent controls and additional access approvals. |
Minimum-necessary access enforced; PHI-flagged fields limited to authorised roles with justification-required access prompts. |
| Data subject rights (access, erasure, portability, objection) |
DSR intake queue routes access, correction, deletion and objection requests to your DPO with a 7/30-day SLA aligned to Section 26. |
Articles 15-22 workflows: subject access exports (CSV/JSON), rectification audit trail, erasure with downstream cascade, portability packages, restriction flag. |
Sections 23-25 data participation supported via the same DSR queue with POPIA-specific request templates and Information Officer routing. |
Rights under §34 mirrored in DSR queue with NDPC-oriented response templates; automated denials require Information Officer countersign. |
Individual access request (45 CFR 164.524) and amendment (164.526) supported through the same intake with PHI-specific chain of custody. |
| Cross-border transfer safeguards |
Transfers outside Kenya rely on adequacy determinations, appropriate safeguards, or explicit consent per Section 41; transfer register maintained per customer. |
Standard Contractual Clauses (2021 EU set, UK Addendum / UK IDTA) offered in the DPA; TIA guidance and supplementary measures documented. |
Section 72 supported via SCC-equivalent contractual protections or adequacy where recognised by the Information Regulator. |
Transfers under §41-42 covered by contractual safeguards and, where required, NDPC-notified mechanisms. |
Business Associate Agreement available for eligible use cases; onward disclosures logged and restricted to permitted purposes. |
| Data residency & hosting region |
Primary production data hosted in a region agreed with the customer at onboarding; residency addenda available for public-sector procurement. |
EU-only residency option for European customers; sub-processor list reflects only EU-region providers for that tenant. |
South Africa-serving tenants can request residency in an approved region with contractual location commitments. |
Residency commitment configurable for Nigerian public-sector customers per NDPC guidance. |
US-region hosting available for tenants processing PHI, with encryption keys segregated per tenant. |
| Breach notification timeline |
ODPC notified within 72 hours of becoming aware; affected data subjects notified without undue delay per Section 43. |
Supervisory authority notified within 72 hours (Article 33); data subject notification when high risk (Article 34). |
Information Regulator and affected data subjects notified as soon as reasonably possible after discovery (Section 22). |
NDPC notified within 72 hours where required; affected subjects informed without undue delay under §40. |
Notification of breaches of unsecured PHI within 60 days; annual summary for breaches under 500 individuals. |
| DPO / Information Officer support |
AWRA appoints a Data Protection Officer registered where required and supports your DPO with review-ready evidence packs. |
Article 37 DPO designation supported for your tenant; escalation contact provided in the DPA. |
Information Officer role model documented; deputy Information Officer appointment supported. |
DPO appointment supported for Data Controllers of Major Importance; contact routed to a named escalation owner. |
Privacy Officer and Security Officer roles mapped to AWRA governance owners for BA-scope engagements. |
| Records of Processing (RoPA) |
Processing register template pre-populated with AWRA-side processing purposes; customer extends with tenant-specific activities. |
Article 30 records template covering categories of data, recipients, retention, and transfer safeguards. |
Section 14/17 documentation supported via the same processing register with POPIA-specific fields. |
RoPA-equivalent documentation supported for NDPA §29 record-keeping obligations. |
Accounting of disclosures log available on request for PHI-tagged records (164.528). |
| DPIA / risk assessment support |
DPIA template covering high-risk operations aligned to Section 31 and ODPC guidance. |
Article 35 DPIA template with lawful basis mapping, necessity/proportionality reasoning, and mitigation matrix. |
Prior authorisation and risk assessment guidance for operations covered by Section 57. |
Data protection impact assessment guidance provided for high-risk processing under NDPA §28. |
Security Risk Assessment guidance aligned to 45 CFR 164.308(a)(1)(ii)(A). |
| Sub-processor governance |
Sub-processor register published and versioned; material changes notified with reasonable opt-out window. |
Article 28 sub-processor list with change notifications and objection process defined in the DPA. |
Operator obligations under Section 21 flowed down through contractual controls with each sub-processor. |
Downstream processor obligations flowed down; NDPC filings supported where the customer is designated a DCMI. |
Business Associate agreements maintained with each sub-processor handling PHI; downstream flow-down enforced. |
| Retention & deletion |
Retention schedules configurable per record category; hard delete workflows verified with dependency map and audit trail. |
Article 5(1)(e) storage limitation supported through per-object retention policies and automated purge jobs. |
Section 14 retention limits enforced through the same retention schedule with POPIA-tagged categories. |
Retention aligned to NDPA principles; customer-defined retention overrides logged with owner attribution. |
PHI retention aligned to state law and BA agreement; secure disposal follows 164.310(d)(2) media re-use controls. |
| Security controls (encryption, access, logging) |
TLS 1.2+ in transit, AES-256 at rest, role-based access with MFA, tamper-evident audit log covering user, admin, and system events. |
Article 32 measures documented in the Security Whitepaper; pseudonymisation supported at field-level for high-risk categories. |
Section 19 security safeguards implemented via technical controls, admin routines, and staff confidentiality obligations. |
Technical and organisational measures aligned to §39 with configurable admin controls per tenant. |
Administrative, physical, and technical safeguards mapped to 164.308/310/312 for BA-scope engagements. |
| Automated decisioning & profiling |
Automated decisions requiring human review are flagged and routed through an approval queue; opt-out available per Section 35. |
Article 22 human-review controls, meaningful information about logic, and objection workflow supported. |
Section 71 rights covering automated decision-making respected; manual intervention path documented. |
Automated processing safeguards aligned to §37 with review and objection paths available to data subjects. |
AI-assisted operational routines exclude PHI-driven adverse determinations without documented human review. |
| Special-category / sensitive data handling |
Sensitive personal data (Section 44) requires explicit consent workflow, elevated access approval, and category-specific audit tag. |
Article 9 special categories gated by explicit consent, safeguards, and separate audit trail. |
Section 26 special personal information gated by prohibition-then-exception workflow with elevated approval. |
Sensitive personal data (§30) requires explicit consent or another authorised basis with elevated logging. |
PHI-tagged fields restricted to minimum-necessary roles with justification-required access. |