Enterprise-Grade Compliance. Built In.
We operate a Security-First architecture built for regulated industries. ISO 27001-aligned controls, UK GDPR compliant, and legally watertight from day one.

Overview
How Treba Handles Cross-Border Data Compliance
Treba authorises UK-to-Kenya data transfers using the International Data Transfer Agreement (IDTA), the UK Government's approved post-Brexit mechanism. All client engagements include a signed IDTA, a Data Processing Agreement (DPA), and registration with Kenya's Office of the Data Protection Commissioner (ODPC). Our Nairobi facility operates ISO 27001-aligned controls including biometric access, network segmentation, and 24/7 CCTV monitoring.
Kenya's Data Protection Act 2019, administered by the Office of the Data Protection Commissioner (ODPC), is modelled on EU GDPR and provides dual-jurisdiction coverage. Treba is registered with the ODPC. Staff undergo DCI background checks, sign individual NDAs, and work inside biometric-controlled facilities with ISO 27001-aligned controls.
Key facts
Compliance facts behind every Treba engagement.
Everything UK compliance teams need to verify before engaging.
Data transfer mechanism
International Data Transfer Agreement (IDTA) under UK GDPR
Data processing
DPA executed per client before any data access begins
Kenya data law
Data Protection Act 2019 — modelled on EU GDPR, administered by ODPC
Security standard
ISO 27001-aligned controls across all operations
Cyber certification
Cyber Essentials — UK government-backed baseline, audited annually
Physical security
Biometric access, 24/7 CCTV, clean-desk policy, no personal devices
Staff vetting
DCI Certificate of Good Conduct — Kenya's equivalent of DBS check
NDAs
Individual NDAs signed per engagement before data access
Network security
Client-segmented networks, encrypted VPN/VDI, no local data storage
Infrastructure
Dual-fibre ISPs, UPS + generator backup, 99.9% uptime target
Incident response
72-hour client notification per UK GDPR Article 33
Audit access
In-person or virtual facility audit available on request
Standards
Standards and Frameworks in Place
The regulatory and certification foundations behind Treba's compliance infrastructure.
UK GDPR + IDTA
All UK-to-Kenya personal data transfers are governed by an International Data Transfer Agreement (IDTA) — the UK GDPR-approved mechanism for international transfers. A Data Processing Agreement (DPA) is executed per client. Annual compliance reviews are conducted.
Kenya DPA 2019
Kenya's Data Protection Act 2019 is modelled on EU GDPR and regulated by the Office of the Data Protection Commissioner (ODPC). Treba is registered with the ODPC and complies with both UK and Kenyan data protection regimes simultaneously.
ISO 27001-Aligned Controls
Treba's controls are mapped to ISO 27001 Annex A. This includes biometric access, CCTV monitoring, clean-desk enforcement, network segmentation by client, encrypted VPN/VDI connections, and documented incident response procedures.
Cyber Essentials
Cyber Essentials is a UK government-backed baseline cybersecurity certification covering firewalls, secure configuration, access control, malware protection, and patch management. Treba is certified and audited annually.
Architecture
Three Layers of Protection for Client Data and Operations
Every Treba engagement is protected by three distinct layers of controls — data, physical, and operational.
Layer 1: Data Protection
- IDTA executed per engagement for UK-Kenya data transfers
- DPA signed before any client data access
- Encrypted VPN/VDI — no data on local machines
- Client-segmented network architecture
- Annual penetration testing and vulnerability scans
Layer 2: Physical Security
- Biometric access control at all entry points
- 24/7 CCTV monitoring with 90-day retention
- Clean-desk policy enforced across production floor
- No personal devices permitted in work areas
- Dual-fibre ISPs with UPS and generator backup
Layer 3: Operational Controls
- DCI background checks for all staff before onboarding
- Individual NDAs executed per engagement
- Activity logging and QA-based reporting
- Sector-specific compliance training programmes
- Documented incident response with 72-hour notification
By sector
Regulatory Awareness by Sector
Treba's compliance framework adapts to the regulatory requirements of each client's industry. Staff receive sector-specific training before accessing production systems.
Financial Conduct Authority
Staff trained on FCA Conduct Rules awareness, MLRO reporting protocols, and SAR documentation. KYC/AML procedures aligned to FCA guidance. Relevant for financial & legal services and fintech.
Solicitors Regulation Authority
Paralegals trained on SRA Accounts Rules, conflict-of-interest protocols, legal professional privilege requirements, and client money handling. Relevant for financial & legal services and professional services.
Care Quality Commission
Medical transcriptionists and coders trained on NHS protocols, ICD-10/CPT standards, and patient data confidentiality. Relevant for healthcare operations and healthcare industry.
Information Commissioner's Office
All staff trained on UK GDPR principles, lawful basis for processing, data subject rights, and breach reporting. IDTA and DPA governance across every engagement. Relevant for all services and technology.
Objections addressed
Why UK Compliance Teams Hesitate on Outsourcing — and What Resolves It
The three most common objections raised by compliance officers, general counsel, and DPOs — with the specific controls that address each.
"We can't send personal data outside the UK."
You can — with appropriate safeguards. The IDTA is the UK GDPR-approved mechanism for international data transfers. Treba executes an IDTA per engagement, supplemented by a DPA and Transfer Impact Assessment. Kenya's Data Protection Act 2019 provides additional local-law protections. The ICO's own guidance confirms that IDTA-governed transfers are lawful.
"We don't know what physical controls are in place."
Treba's Westlands office operates biometric access at all entry points, 24/7 CCTV with 90-day retention, a clean-desk policy, and a no-personal-devices rule on the production floor. Network segmentation isolates each client's environment. Clients can audit the facility in person or via video tour at any time.
"Offshore staff won't understand our regulatory environment."
Every Treba hire completes sector-specific compliance training before accessing production systems. For FCA-regulated clients, this covers Conduct Rules awareness, MLRO reporting, and SAR documentation. For legal services, it covers SRA Accounts Rules and legal professional privilege. Training modules are documented and auditable.
Deep dives
Compliance Documentation in Depth
Detailed breakdowns of Treba's data protection and physical security controls.
Data Protection
IDTA framework, UK GDPR Article 28 compliance, Kenya DPA 2019, encryption standards, breach notification procedures, and Transfer Impact Assessment.
Physical Security
Biometric access, CCTV monitoring, clean-desk policy, network segmentation, dual-ISP redundancy, DCI vetting, and facility audit access.
Economics
Compliance Infrastructure Included in Every Engagement
Choose your engagement model — every compliance control is included. No surcharges, no add-ons.
Included compliance controls — Employer of Record
Customer Support Agent
£35,000 → £8,400/yr
KYC / AML Analyst
£45,000 → £10,800/yr
Junior Accountant (ACCA)
£42,000 → £10,800/yr
UK loaded cost includes base salary, 13.8% employer NI (HMRC 2024/25), office, equipment, recruitment, and compliance overhead (CIPD 2024). Treba cost is the all-inclusive monthly fee x 12.
Role economics
UK loaded cost vs Treba — role by role.
Every Treba fee includes salary, Nairobi office, equipment, compliance infrastructure, and private medical insurance. No hidden charges.

Remote from Nairobi
Audio Transcriptionist
Pre-vetted · Interview in 48hrs · Start in 7 days
UK Cost
£38,592
Treba Cost
£8,400/yr
You Save
£30,192/yr
Ready to Review the Compliance Framework?
Start with a 15-minute scoping call. Treba will walk through the IDTA structure, DPA terms, physical security controls, and sector-specific training relevant to your industry.
