TRUST CENTER
We hold ourselves to the standard we sell
A live status page, a published disclosure policy, and an incident-response methodology built on recognised standards. This is what operational transparency looks like.
OUR PRACTICES
How we protect ourselves
Internal red team
Annual full-scope adversary simulation against our own environment. Findings disclosed in our annual report.
Zero Trust architecture
Identity-based access with hardware-key MFA for all staff. No standing privileged access.
Vendor risk management
All vendors assessed under our risk programme. Continuous monitoring. Concentrated risk avoided.
Disclosure policy
Post-mortems published for major internal incidents within 30 days of resolution.
Bug bounty
Active responsible-disclosure programme for our public-facing infrastructure and products.
Status page
Live status for the services we operate — independent of production infrastructure.
METHODOLOGY
Incident response, by the book
Our incident-response practice is built on internationally recognised standards — so the way we handle an incident is predictable, auditable, and consistent, whatever the scenario.
ISO/IEC 27035
Information security incident management — the framework our detection, triage, and response workflow follows end to end.
NIST SP 800-61r2
Computer security incident handling guide — the lifecycle (preparation, detection, containment, eradication, recovery) our playbooks are built around.
DATA HANDLING
How your data is handled
The controls below govern the personal and client data we hold. For the full detail, read the Privacy Policy.
Personal data is processed under the Kenya Data Protection Act, 2019, with OpasSecure registered as both controller and processor.
Data is encrypted in transit (TLS) and access is governed by identity-based controls with no standing privileged access.
We do not sell personal data and do not use third-party advertising trackers.
Subprocessors (e.g. cloud hosting, CRM, email delivery) are engaged only under data processing agreements and assessed through our vendor risk programme.
Data is not transferred outside Kenya except where adequate safeguards are in place.
RADICAL TRANSPARENCY
Transparency, annually
Our annual report covers our own security posture, red-team findings, and progress against the standards we hold ourselves to — ISO/IEC 27035 and NIST SP 800-61r2. We publish it because we ask our clients to hold us to the same standard we hold them.