Enterprise-Grade Compliance. Built In.
We operate a Security-First architecture built for regulated industries. ISO 27001-aligned controls, UK GDPR compliant, and legally watertight from day one.
Overview
How Treba Handles Cross-Border Data Compliance
Treba authorises UK-to-Kenya data transfers using the International Data Transfer Agreement (IDTA), the UK Government's approved post-Brexit mechanism. All client engagements include a signed IDTA, a Data Processing Agreement (DPA), and registration with Kenya's Office of the Data Protection Commissioner (ODPC). Our Nairobi facility operates ISO 27001-aligned controls including biometric access, network segmentation, and 24/7 CCTV monitoring.
Kenya's Data Protection Act 2019, administered by the Office of the Data Protection Commissioner (ODPC), is modelled on EU GDPR and provides dual-jurisdiction coverage. Treba is registered with the ODPC. Staff undergo DCI background checks, sign individual NDAs, and work inside biometric-controlled facilities with ISO 27001-aligned controls.
Standards
Standards and Frameworks in Place
The regulatory and certification foundations behind Treba's compliance infrastructure.
UK GDPR + IDTA
All UK-to-Kenya personal data transfers are governed by an International Data Transfer Agreement (IDTA) — the UK GDPR-approved mechanism for international transfers. A Data Processing Agreement (DPA) is executed per client. Annual compliance reviews are conducted.
Kenya DPA 2019
Kenya's Data Protection Act 2019 is modelled on EU GDPR and regulated by the Office of the Data Protection Commissioner (ODPC). Treba is registered with the ODPC and complies with both UK and Kenyan data protection regimes simultaneously.
ISO 27001-Aligned Controls
Treba's controls are mapped to ISO 27001 Annex A. This includes biometric access, CCTV monitoring, clean-desk enforcement, network segmentation by client, encrypted VPN/VDI connections, and documented incident response procedures.
Cyber Essentials
Cyber Essentials is a UK government-backed baseline cybersecurity certification covering firewalls, secure configuration, access control, malware protection, and patch management. Treba is certified and audited annually.
Architecture
Three Layers of Protection for Client Data and Operations
Every Treba engagement is protected by three distinct layers of controls — data, physical, and operational.
Layer 01 · Data protection
Encrypted, segmented, auditable
- IDTA executed per engagement for UK-Kenya data transfers
- DPA signed before any client data access
- Encrypted VPN/VDI — no data on local machines
- Client-segmented network architecture
- Annual penetration testing and vulnerability scans
Layer 02 · Physical security
Biometric, monitored, device-free
- Biometric access control at all entry points
- 24/7 CCTV monitoring with 90-day retention
- Clean-desk policy enforced across production floor
- No personal devices permitted in work areas
- Dual-fibre ISPs with UPS and generator backup
Layer 03 · Operational controls
Vetted staff, logged actions
- DCI background checks for all staff before onboarding
- Individual NDAs executed per engagement
- Activity logging and QA-based reporting
- Sector-specific compliance training programmes
- Documented incident response with 72-hour notification
By sector
Regulatory Awareness by Sector
Treba's compliance framework adapts to the regulatory requirements of each client's industry. Staff receive sector-specific training before accessing production systems.
Financial Conduct Authority
Staff trained on FCA Conduct Rules awareness, MLRO reporting protocols, and SAR documentation. KYC/AML procedures aligned to FCA guidance. Relevant for financial & legal services and fintech.
Solicitors Regulation Authority
Paralegals trained on SRA Accounts Rules, conflict-of-interest protocols, legal professional privilege requirements, and client money handling. Relevant for financial & legal services and professional services.
Care Quality Commission
Medical transcriptionists and coders trained on NHS protocols, ICD-10/CPT standards, and patient data confidentiality. Relevant for healthcare operations and healthcare industry.
Information Commissioner's Office
All staff trained on UK GDPR principles, lawful basis for processing, data subject rights, and breach reporting. IDTA and DPA governance across every engagement. Relevant for all services and technology.
Objections addressed
Why UK Compliance Teams Hesitate on Outsourcing — and What Resolves It
The three most common objections raised by compliance officers, general counsel, and DPOs — with the specific controls that address each.
“We can't send personal data outside the UK.”
You can — under the UK GDPR-approved IDTA.
- IDTA per engagement
- DPA signed
- Transfer Impact Assessment
- ICO guidance aligned
- Kenya DPA 2019
“We don't know what physical controls are in place.”
Every control is documented and auditable.
- Biometric access
- 24/7 CCTV · 90-day retention
- Clean-desk policy
- No personal devices
- Client-segmented network
- Tour any time
“Offshore staff won't understand our regulatory environment.”
Sector-specific training before any production access.
- FCA Conduct Rules
- MLRO reporting
- SAR documentation
- SRA Accounts Rules
- Legal professional privilege
- Auditable modules
Deep dives
Compliance Documentation in Depth
Detailed breakdowns of Treba's data protection and physical security controls.
Data Protection
IDTA framework, UK GDPR Article 28 compliance, Kenya DPA 2019, encryption standards, breach notification procedures, and Transfer Impact Assessment.
Read morePhysical Security
Biometric access, CCTV monitoring, clean-desk policy, network segmentation, dual-ISP redundancy, DCI vetting, and facility audit access.
Read moreEconomics
Compliance Infrastructure Included in Every Engagement
Choose your engagement model — every compliance control is included. No surcharges, no add-ons.
Included compliance controls — Employer of Record
Customer Support Agent
£35,000 → £8,400/yr
KYC / AML Analyst
£45,000 → £10,800/yr
Junior Accountant (ACCA)
£42,000 → £10,800/yr
3-Role Team Saving
£0/yr
UK loaded cost includes base salary, 13.8% employer NI (HMRC 2024/25), office, equipment, recruitment, and compliance overhead (CIPD 2024). Treba cost is all-inclusive monthly fee x 12. See role-by-role pricing →
Role economics
UK loaded cost vs Treba — role by role.
Every Treba fee includes salary, Nairobi office, equipment, compliance infrastructure, and private medical insurance. No hidden charges.
Remote from Nairobi
Audio Transcriptionist
Pre-vetted · Interview in 48hrs · Start in 7 days
UK Cost
£38,592
Treba Cost
£8,400/yr
You Save
£30,192/yr
FAQ
Frequently asked questions
Ready to Review the Compliance Framework?
Start with a 15-minute scoping call. Treba will walk through the IDTA structure, DPA terms, physical security controls, and sector-specific training relevant to your industry.