Physical Security & Office Infrastructure
Our Westlands facility operates ISO 27001-aligned controls built for regulated industries. Biometric access, 24/7 CCTV, dual-ISP redundancy, and business continuity systems.
Overview
What Physical Security Controls Are in Place?
Treba's operational office in Westlands, Nairobi, implements physical security controls aligned to ISO 27001 Annex A.11 (Physical and Environmental Security). These controls are designed for organisations processing regulated UK data — including personal data under UK GDPR, financial data under FCA requirements, and health data under NHS IG standards. Physical security is not an add-on. It is a baseline condition of every Treba engagement. No client data is processed outside the secured office environment, and no personal devices are permitted in production areas for sensitive engagements.
The facility is a dedicated commercial office in Westlands, Nairobi — not a coworking space, not a serviced office. It is exclusively occupied by Treba staff working on Treba client engagements, with biometric entry, 24/7 CCTV, network segmentation, and clean desk enforcement as baseline conditions.
Key facts
Physical security and infrastructure at a glance.
The operational facts behind Treba's Westlands facility.
Office location
Westlands, Nairobi — dedicated commercial office (not coworking)
Access control
Biometric fingerprint entry at building and floor level. Mantrap entry. No tailgating.
Surveillance
24/7 CCTV — all entry points, workstations, and common areas. 90-day footage retention.
Personal devices
Not permitted on production floor. Stored in lockers at entry.
USB ports
Disabled on all workstations. No removable media permitted.
Clean desk policy
Enforced daily. No paper, notes, or personal items on desks at end of shift.
Network
Client-segmented VLANs. Firewall between segments. No cross-client data access.
Primary ISP
Safaricom fibre — dedicated business line
Secondary ISP
Zuku fibre — independent last-mile route. Automatic failover < 30 seconds.
Power backup
UPS for immediate protection. Diesel generator for extended outages. 48-hour fuel reserve.
Staff vetting
DCI clearance, credit checks, NDA, reference verification — all completed before first day.
Visitor policy
Pre-approved visitors only. Photo ID required. Escorted at all times. Visitor log maintained.
Incident response
Documented plan. Client notification within 72 hours for data incidents. Annual tabletop exercises.
Addressing concerns
The Office You Cannot See — and How We Make It Visible
The most common objection from UK compliance teams evaluating outsourcing providers: “How do I know the office is real? How do I know it's secure?” The answer is transparency — we invite every client to audit our facility, virtually or in person.
Virtual Audit
Available within 48 hours of request. Live video walkthrough of the facility — entry points, biometric systems, workstations, CCTV placement, server room, and common areas. Conducted by a Treba operations lead with Q&A throughout.
In-Person Visit
Open to prospective and current clients at any time. Meet the team, inspect the security controls, and verify everything on this page with your own eyes. Several clients have sent their CISO or Head of Compliance before signing.
What differentiates Treba
Dedicated Office, Not Coworking
Many outsourcing providers operate from coworking spaces, serviced offices, or allow staff to work from home. This creates fundamental security gaps: shared entry points, no biometric control, no CCTV on workstations, no network segmentation, and no clean desk enforcement.
Treba's facility is a dedicated commercial office exclusively occupied by Treba staff. Every physical security control described on this page is under Treba's direct management — not delegated to a landlord or coworking operator.
This is not a differentiator we market lightly — it is the reason regulated UK firms trust us with their data.
Controls
Security Controls — Layer by Layer
Five layers of physical and personnel security, each independently auditable.
Access Control
- Biometric fingerprint entry at building and floor level
- Mantrap entry — no tailgating
- Staff badges with photo ID at all times
- Visitor logs maintained. Escorted access only.
Surveillance
- 24/7 CCTV — all entry points, workstations, common areas
- 90-day footage retention
- Remote viewing for client audits
Network Security
- Client-segmented VLANs with firewall rules
- No cross-client data access
- USB ports disabled on all workstations
- VPN/VDI-only access. No local storage.
Clean Desk Policy
- No paper, notes, or personal items on desks
- Auto-lock at 2 minutes of inactivity
- No personal devices in production areas
- Shredding bins. Daily compliance checks.
Personnel Security
Every hire undergoes comprehensive background checks before client access. No exceptions.
DCI Clearance
Criminal Investigations certificate — no criminal record
Credit Check
Licensed Kenyan credit bureau for financial roles
NDA Execution
Project-specific NDAs before any data access
Reference Verification
Min. 2 professional references verified
Additional Checks
Sector-specific (FCA, SRA) as required
Resilience
Business Continuity & Disaster Recovery
Redundancy built into every layer. No single point of failure for connectivity, power, or incident response.
Connectivity
Primary ISP
Safaricom fibre — dedicated business line
Secondary ISP
Zuku fibre — independent last-mile route
Failover
Automatic, under 30 seconds
Uptime SLA
99.9% — backed by dual-ISP architecture
Power
UPS
Immediate battery backup for all workstations and networking equipment
Generator
Diesel generator — automatic transfer switch, kicks in within seconds
Fuel reserve
48-hour supply maintained on-site at all times
Testing
Monthly generator and UPS testing. Results logged.
Incident Response
Plan
Documented incident response procedure — classification, escalation, resolution
Notification
Client notified within 72 hours for any data incident (aligned to UK GDPR)
Exercises
Annual tabletop exercises simulating breach scenarios
Post-incident
Root cause analysis and corrective action report provided to affected clients
Escalation path
On-call operations lead 24/7. Treba management notified within 1 hour.
Visit us
See the Office for Yourself
We invite every client to tour our Nairobi facility — virtually or in person. Virtual tours are available within 48 hours of request. In-person visits can be arranged at any time.
See the biometric entry system, CCTV placement, workstation layout, server room, and common areas. Meet the operations team. Verify every control described on this page.
Start a PilotEconomics
Physical Security Infrastructure Included in Every Engagement
Toggle items to see what you'd pay to build this yourself. With Treba, every control is included — no add-ons, no separate invoices.
7/7 selected
Treba: All included
£0
extra
DIY Cost
£0
With Treba
£0 extra
Junior KYC Analyst
£38,640 → £10,800/yr
Customer Support Agent
£34,260 → £8,400/yr
Data Annotator
£32,460 → £8,400/yr
DIY costs are mid-range estimates for Nairobi commercial office infrastructure. UK loaded cost = base salary + 13.8% employer NI + office/equipment + recruitment/compliance. See role-by-role pricing →
Role spotlight
UK loaded cost vs Treba — security infrastructure included.
Fully loaded comparison — Treba cost includes salary, Nairobi office, equipment, physical security, IT infrastructure, and full compliance. No hidden fees.
Remote from Nairobi
Audio Transcriptionist
Pre-vetted · Interview in 48hrs · Start in 7 days
UK Cost
£38,592
Treba Cost
£8,400/yr
You Save
£30,192/yr
FAQ
Frequently asked questions
Ready to See the Facility?
Start with a scoping call. We'll walk you through the security controls, answer your compliance team's questions, and schedule a virtual or in-person tour.