AWRA OpsHub Search

Compliance Matrix

One page. Five regulatory regimes. A shared source of truth.

A side-by-side view of how AWRA OpsHub supports customers subject to the Kenya Data Protection Act, GDPR & UK GDPR, POPIA, the Nigeria NDPA, and HIPAA-aligned safeguards for operational health data.

Built for procurement leads, DPOs, Information Officers, and internal legal reviewers who need to compare posture across jurisdictions without stitching together five separate documents.

Regional compliance shield

How to read this page

Rows describe common regulatory obligations. Columns describe how AWRA supports customers under each regime. Where regulators impose different timelines or artefacts, the matrix shows the most stringent applicable path.

Where AWRA is positioned

AWRA OpsHub is a processor for tenant-owned records and a controller for account and platform-level data. The DPA sets out both roles; this matrix maps the operational realities that reviewers usually verify.

Legend

  • Platform-supported — AWRA provides tooling, evidence, or contractual mechanisms out of the box.
  • Configurable — the platform supports the requirement when configured for your tenant.
  • Customer-owned — you own the underlying decision; AWRA provides the audit trail.

Regulatory frameworks

Five regimes reviewers ask about most.

Each framework below links to the sections most often cited during due diligence. If you operate under a different regime — Uganda DPPA, Rwanda Data Protection Law, Tanzania PDPA, Egypt PDPL — the same controls extend with region-specific templates.

KE-DPA

Kenya Data Protection Act 2019

Kenya · ODPC oversight

Governs personal data collected or processed in Kenya, enforced by the Office of the Data Protection Commissioner. Applies to controllers and processors regardless of where they are established when the data subject is in Kenya.

EU-UK-GDPR

GDPR & UK GDPR

EU / EEA · United Kingdom

The general regulation for EU/EEA data subjects and the UK equivalent, supervised by national DPAs and the UK ICO. Applies to any organisation processing EU or UK personal data, including via extraterritorial reach.

ZA-POPIA

POPIA (South Africa)

South Africa · Information Regulator

The Protection of Personal Information Act 4 of 2013, enforceable since July 2021. Introduces an Information Officer duty, mandatory processing conditions, and cross-border transfer safeguards.

NG-NDPA

Nigeria NDPA 2023

Nigeria · NDPC oversight

The Nigeria Data Protection Act 2023 replaces the 2019 regulation. Establishes the Nigeria Data Protection Commission, mandates DPO appointments for major processors, and formalises data subject rights and breach reporting.

US-HIPAA

HIPAA-aligned safeguards

United States · Health data

AWRA OpsHub is a business-operations platform, not a HIPAA-covered clinical system. We provide HIPAA-aligned safeguards for customers processing limited protected health information in operational, procurement, or administrative workflows and support Business Associate discussions on request.

Side-by-side matrix

Obligations mapped to how AWRA supports them.

Scroll horizontally to compare regimes. Reviewers commonly copy this table into vendor risk assessments — the matrix is designed to answer procurement, DPO, and Information Officer questions in one pass.

Control area KE-DPA Kenya Data Protection Act 2019 EU-UK-GDPR GDPR & UK GDPR ZA-POPIA POPIA (South Africa) NG-NDPA Nigeria NDPA 2023 US-HIPAA HIPAA-aligned safeguards
Legal basis & lawful processing Configurable consent, contract, legal obligation and legitimate interest bases; consent capture logged with timestamp, source, and version. Full Article 6 basis set supported. Sensitive data requires explicit consent workflow and separate audit trail. Processing conditions 1-8 supported through role scoping, purpose tags on data categories, and processing-purpose banners at capture. Lawful bases aligned to NDPA §25; sensitive personal data flows gated by explicit consent controls and additional access approvals. Minimum-necessary access enforced; PHI-flagged fields limited to authorised roles with justification-required access prompts.
Data subject rights (access, erasure, portability, objection) DSR intake queue routes access, correction, deletion and objection requests to your DPO with a 7/30-day SLA aligned to Section 26. Articles 15-22 workflows: subject access exports (CSV/JSON), rectification audit trail, erasure with downstream cascade, portability packages, restriction flag. Sections 23-25 data participation supported via the same DSR queue with POPIA-specific request templates and Information Officer routing. Rights under §34 mirrored in DSR queue with NDPC-oriented response templates; automated denials require Information Officer countersign. Individual access request (45 CFR 164.524) and amendment (164.526) supported through the same intake with PHI-specific chain of custody.
Cross-border transfer safeguards Transfers outside Kenya rely on adequacy determinations, appropriate safeguards, or explicit consent per Section 41; transfer register maintained per customer. Standard Contractual Clauses (2021 EU set, UK Addendum / UK IDTA) offered in the DPA; TIA guidance and supplementary measures documented. Section 72 supported via SCC-equivalent contractual protections or adequacy where recognised by the Information Regulator. Transfers under §41-42 covered by contractual safeguards and, where required, NDPC-notified mechanisms. Business Associate Agreement available for eligible use cases; onward disclosures logged and restricted to permitted purposes.
Data residency & hosting region Primary production data hosted in a region agreed with the customer at onboarding; residency addenda available for public-sector procurement. EU-only residency option for European customers; sub-processor list reflects only EU-region providers for that tenant. South Africa-serving tenants can request residency in an approved region with contractual location commitments. Residency commitment configurable for Nigerian public-sector customers per NDPC guidance. US-region hosting available for tenants processing PHI, with encryption keys segregated per tenant.
Breach notification timeline ODPC notified within 72 hours of becoming aware; affected data subjects notified without undue delay per Section 43. Supervisory authority notified within 72 hours (Article 33); data subject notification when high risk (Article 34). Information Regulator and affected data subjects notified as soon as reasonably possible after discovery (Section 22). NDPC notified within 72 hours where required; affected subjects informed without undue delay under §40. Notification of breaches of unsecured PHI within 60 days; annual summary for breaches under 500 individuals.
DPO / Information Officer support AWRA appoints a Data Protection Officer registered where required and supports your DPO with review-ready evidence packs. Article 37 DPO designation supported for your tenant; escalation contact provided in the DPA. Information Officer role model documented; deputy Information Officer appointment supported. DPO appointment supported for Data Controllers of Major Importance; contact routed to a named escalation owner. Privacy Officer and Security Officer roles mapped to AWRA governance owners for BA-scope engagements.
Records of Processing (RoPA) Processing register template pre-populated with AWRA-side processing purposes; customer extends with tenant-specific activities. Article 30 records template covering categories of data, recipients, retention, and transfer safeguards. Section 14/17 documentation supported via the same processing register with POPIA-specific fields. RoPA-equivalent documentation supported for NDPA §29 record-keeping obligations. Accounting of disclosures log available on request for PHI-tagged records (164.528).
DPIA / risk assessment support DPIA template covering high-risk operations aligned to Section 31 and ODPC guidance. Article 35 DPIA template with lawful basis mapping, necessity/proportionality reasoning, and mitigation matrix. Prior authorisation and risk assessment guidance for operations covered by Section 57. Data protection impact assessment guidance provided for high-risk processing under NDPA §28. Security Risk Assessment guidance aligned to 45 CFR 164.308(a)(1)(ii)(A).
Sub-processor governance Sub-processor register published and versioned; material changes notified with reasonable opt-out window. Article 28 sub-processor list with change notifications and objection process defined in the DPA. Operator obligations under Section 21 flowed down through contractual controls with each sub-processor. Downstream processor obligations flowed down; NDPC filings supported where the customer is designated a DCMI. Business Associate agreements maintained with each sub-processor handling PHI; downstream flow-down enforced.
Retention & deletion Retention schedules configurable per record category; hard delete workflows verified with dependency map and audit trail. Article 5(1)(e) storage limitation supported through per-object retention policies and automated purge jobs. Section 14 retention limits enforced through the same retention schedule with POPIA-tagged categories. Retention aligned to NDPA principles; customer-defined retention overrides logged with owner attribution. PHI retention aligned to state law and BA agreement; secure disposal follows 164.310(d)(2) media re-use controls.
Security controls (encryption, access, logging) TLS 1.2+ in transit, AES-256 at rest, role-based access with MFA, tamper-evident audit log covering user, admin, and system events. Article 32 measures documented in the Security Whitepaper; pseudonymisation supported at field-level for high-risk categories. Section 19 security safeguards implemented via technical controls, admin routines, and staff confidentiality obligations. Technical and organisational measures aligned to §39 with configurable admin controls per tenant. Administrative, physical, and technical safeguards mapped to 164.308/310/312 for BA-scope engagements.
Automated decisioning & profiling Automated decisions requiring human review are flagged and routed through an approval queue; opt-out available per Section 35. Article 22 human-review controls, meaningful information about logic, and objection workflow supported. Section 71 rights covering automated decision-making respected; manual intervention path documented. Automated processing safeguards aligned to §37 with review and objection paths available to data subjects. AI-assisted operational routines exclude PHI-driven adverse determinations without documented human review.
Special-category / sensitive data handling Sensitive personal data (Section 44) requires explicit consent workflow, elevated access approval, and category-specific audit tag. Article 9 special categories gated by explicit consent, safeguards, and separate audit trail. Section 26 special personal information gated by prohibition-then-exception workflow with elevated approval. Sensitive personal data (§30) requires explicit consent or another authorised basis with elevated logging. PHI-tagged fields restricted to minimum-necessary roles with justification-required access.

This matrix reflects platform posture at time of publication and is provided for information purposes. It is not legal advice — consult your DPO, Information Officer, or external counsel for jurisdiction-specific determinations.

Africa adjacency

Beyond the core five.

Our regional customers frequently operate across multiple African jurisdictions. The following regimes are supported with the same operational controls plus region-specific templates and escalation contacts.

  • Uganda DPPA 2019

    Aligned to Kenya DPA controls; Uganda-serving tenants use the same DSR queue with UG-specific templates.

  • Rwanda Law No. 058/2021

    RURA-oriented residency and DPO support available on request for Rwandan public-sector engagements.

  • Tanzania Personal Data Protection Act 2022

    Data protection commission notification workflow supported through the same breach playbook.

  • Egypt PDPL 2020

    Cross-border transfer safeguards and residency options extended to Egyptian customers on request.

Cross-border compliance evidence review

Cross-jurisdiction default

When a tenant operates under multiple regimes, AWRA applies the most stringent applicable rule at each control area — the highest bar becomes the floor.

DSR SLAs default to the shortest window in scope. Retention defaults to the shortest retention permitted by any applicable regime.

Breach playbooks default to the fastest notification requirement across regulators the tenant is subject to.

Reviewer workflow

Use the matrix without duplicating effort.

The most efficient procurement teams treat multi-regime compliance as a single control library, not four parallel audits. Here is how our customers typically operationalise the matrix in the first thirty days.

First-thirty-days path

Turn the matrix into a rollout plan.

01

Identify jurisdictions in scope

List every region where you collect, store, or process personal data — including customer, employee, and supplier records.

02

Map controllers, processors and sub-processors

Confirm which party is the controller and where AWRA sits in each flow; align contractual duties.

03

Set residency and transfer posture

Decide hosting region, transfer mechanisms, and any residency addenda required by your regulator.

04

Configure DSR, retention and breach playbooks

Tailor timelines, escalation contacts, and audit tags to match the most stringent applicable regime.

Need a targeted regional response?

We provide tailored compliance packs for procurement teams evaluating AWRA against a specific regulator's questionnaire. Share your framework and jurisdictions, and we will assemble the mapped evidence.

Request a Regional Compliance Pack

Help Center

Need a quick answer while you read?

Run inventory, procurement, assets, sales, and field work with approved AWRA guidance for setup, migration, integrations, security, pricing, and support.

Search all approved AWRA public help articles.

Open Help Center