Arkova is a compliance audit automation platform in early access, built on top of a production-grade, cryptographically-anchored evidence layer. The audit-automation product — scorecard, gap detection, remediation, regulatory-change alerts, PDF export — is being built and refined with pilot customers.

How much faster is an audit with Arkova going to be vs. the manual process?

Typical compliance audits take weeks: compiling evidence across many tools, mapping it to controls, and producing a report. Arkova is designed to map evidence to the rules in your operating regimes automatically, rank gaps by severity and penalty risk, and produce an audit-ready export. Our pilot target is collapsing weeks of audit prep into hours.

Which regulations are on the roadmap?

US federal (FERPA, HIPAA, SOX, FCRA, GLBA, ADA, FLSA, GINA), EU/UK GDPR, Kenya DPA, Australia APP, Canada PIPEDA, Singapore PDPA, Japan APPI, India DPDP, South Africa POPIA, Nigeria NDPR, Colombia Law 1581, Thailand PDPA, and Malaysia PDPA. Prioritized by pilot-customer footprint.

What will the scorecard show?

A per-jurisdiction posture score and breakdown, a severity-ranked gap list, a prioritized remediation plan, a regulatory-change feed, and an audit-ready export. Designed for GRC leads, CISOs, internal audit, and outside counsel.

Is the evidence chain auditor-grade?

The evidence layer is cryptographic and independently verifiable: every anchor is a SHA-256 fingerprint committed to a public network, and lifecycle events are in an append-only audit log. Our own SOC 2 Type II and ISO 27001 work is in progress.

Is my data safe? Do you see our documents?

No. Documents never leave your device. Fingerprinting is client-side. Only PII-stripped metadata flows to our systems. Even if we were breached, your documents remain private because we never had them.

Join the waitlist on arkova.ai. We reach out to scope pilots — the best fits right now are compliance teams operating across multiple jurisdictions who are tired of the quarterly audit fire drill.

Compliance · Kenya Data Protection Act

KenyaPrivate Beta · Building

Kenya DPA evidence the ODPC can verify without trusting your vendor.

The Data Protection Act, 2019 made Kenya one of the first East African jurisdictions with a comprehensive privacy law. The Office of the Data Protection Commissioner (ODPC) actively enforces. Arkova anchors the records that prove your processing was lawful and your breach response was timely.

Request Early Access All frameworks

What it is

Kenya Data Protection Act in plain English.

The Data Protection Act, 2019 (Act No. 24 of 2019) is Kenya's primary privacy framework. It is administered by the Office of the Data Protection Commissioner (ODPC), established in November 2020. The Act is supplemented by Data Protection (General) Regulations 2021 and Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.

Kenya's DPA closely tracks GDPR in structure: lawful bases for processing, data-subject rights, breach notification, cross-border transfer rules, and a supervisory authority with enforcement powers. The framework has been actively enforced since 2022, with the ODPC issuing penalty notices and conducting compliance audits across sectors.

Penalties under the DPA reach up to KES 5 million or 1% of annual turnover, whichever is lower, for serious infringements. Registration with the ODPC is mandatory for most data controllers and processors above small-scale thresholds.

Key requirements

What Kenya Data Protection Act actually asks of you.

Registration with the ODPC

Mandatory registration for data controllers and processors handling personal data above prescribed thresholds. Annual renewal. Registration certificate evidencing scope of processing must be maintained.

Lawful basis for processing (Section 30)

Processing requires consent, contract, legal obligation, vital interest, public function, or legitimate interest. Documented evidence of basis required for every processing activity.

Data-subject rights

Rights to be informed, to access, to object to processing, to correction or deletion, to data portability. Documented response within statutory timelines.

Cross-border data transfer (Section 48)

Transfer to a country, entity, or international organization outside Kenya requires adequate safeguards: ODPC approval, Standard Contractual Clauses, Binding Corporate Rules, or specific data-subject consent.

Data Protection Impact Assessment (Section 31)

Required where processing is likely to result in high risk to rights and freedoms. Documented DPIA, including measures to address risks, must be retrievable.

Breach notification (Section 43)

Personal data breaches must be notified to the ODPC within 72 hours of awareness where feasible, and to affected data subjects without undue delay where high risk. Documented assessment + timeline required.

How Arkova fits

Where Arkova adds an independent layer.

Most ODPC enforcement turns on documentation of timing: when the controller became aware of a breach, when notification was sent, what version of the privacy notice was in effect at the alleged collection date. Arkova anchors each of these records to a public ledger with cryptographic timestamps. The ODPC examiner verifies the timestamp against the public ledger directly, without depending on Kenyan-jurisdiction trust in any single vendor.

For cross-border transfer evidence under Section 48, anchored Standard Contractual Clauses and the date they were executed remove disputes about which version was in force when a specific transfer occurred. Useful for African operators with a meaningful global SaaS footprint.

Layer cryptographic evidence on top of your Kenya Data Protection Act program.

If you operate in Kenya under the DPA and want privacy evidence with timestamps the ODPC can verify independently, we'd like to discuss an early-access pilot.

Arkova is in private beta. Features described on this page are being built and refined with pilot customers right now. Some controls and integrations are live today; others are in active development. Talk to us about the parts most relevant to your workload.

Request Early Access