Trust & Compliance

Built to audit-grade specifications.

We operate with security controls and engineering practices aligned to international financial-services standards. Every safeguard, certification and regulatory reference is documented here — designed to shorten partner due diligence from months to weeks.

Regulatory framework

Licensed, supervised, and structured to stay that way.

Bank of Tanzania NPS framework

ŌgiAfrica operates within the Bank of Tanzania's National Payment System framework. Supervisory details are shared with partners under NDA as part of the due-diligence pack.

Entity registration

OgiAfrica Company Limited, incorporated in the United Republic of Tanzania under registration number 191303946. Registered office in Dar es Salaam.

Custody model

ŌgiAfrica does not hold customer funds. A licensed EMI bank partner custodies all balances; we send routing and split instructions only. This is documented in every partner contract and reconciled daily.

Role vs. national infrastructure

ŌgiAfrica is a technology platform that sits above national rails — it is not a competitor to TIPS, a mobile money operator, or a bank. It extends their reach to partners who integrate once.

Certification roadmap

Where we are today. Where we will be by year-end.

2025 · Q4
Entity incorporated, BoT engagement initiated
Initial PSP application filed; legal counsel and compliance officer onboarded.

2026 · Q1
Platform in controlled operations
Controlled partner rollout with restricted transaction scope and enhanced supervision.
Status: Active

2026 · Q2
ISO 27001 certification
Information security management system audit. Controls already implemented; external assessor appointed.
Status: In progress

2026 · Q3
PCI DSS Level 1 compliance
Required for card acceptance at scale. Scope defined; QSA engaged; remediation on schedule.
Status: Pre-audit

2026 · Q4
Full production rollout
Transition to full production operations upon successful supervisory and internal review.
Status: Planned

2027
Regional expansion — KE, UG licences
CBK and BoU engagement underway in parallel to support the Ōgi Connect cross-border corridor.
Status: Planned

Security controls

Defence in depth, end to end.

Encryption in transit

TLS 1.3 enforced on all public endpoints; mutual TLS for partner-to-partner links.

Encryption at rest

AES-256 for all persisted data; KMS-managed keys with quarterly rotation.

HSM key material

Signing and cryptographic key material held in FIPS 140-2 Level 3 hardware security modules.

Webhook signing

HMAC-SHA256 signatures on every outbound webhook with replay-window enforcement.

Idempotency

Every state-changing API call is idempotent. A built-in deduplication window prevents double charges on retry.

Role-based access

Least-privilege RBAC for internal staff; SSO, MFA, and quarterly audited access reviews.

Data residency

Production data stored within Tanzania. Regional replicas added only where partner contracts require it.

Penetration testing

Annual third-party penetration test with remediation SLAs tied to finding severity.

Disaster recovery

Multi-zone replication, RPO ≤ 1 min, RTO ≤ 15 min on core transactional services.

AML, KYC & sanctions

Financial-crime controls, integrated at the rail.

01. Customer due diligence

Tiered KYC aligned to BoT onboarding categories. Biometric ID capture and liveness checks on every agent and merchant.

02. Sanctions & PEP screening

Real-time screening against OFAC, UN, EU, UK HMT, and local Tanzanian lists. Daily re-screening on active records.

03. Transaction monitoring

Rules and behavioural models flag structuring, velocity and geographic anomalies. Case management workflow built in.

04. Regulatory reporting

Pre-built BoT NPS reports; STR and CTR workflows aligned to FIU submission standards.

Data practices

Transparent handling. Documented sub-processors.

Lawful basis & purpose limitation

Customer data is processed only for the purposes set out in each partner contract and the publicly-available privacy policy. No secondary use.

Retention & deletion

Transaction records retained for the period required by BoT NPS regulation. Personal data beyond that period is deleted or anonymised on a documented schedule.

Sub-processor register

A current list of sub-processors — cloud hosting, KYC vendors, screening providers — is maintained under DPA and available to partners on request.

Incident response

24/7 on-call rotation; BoT notification within statutory windows; partner notification within 72 hours of incident confirmation.

Frequently asked

Due diligence shortcuts.

Does ŌgiAfrica hold customer funds?

No. ŌgiAfrica sends routing and split instructions only. A licensed EMI bank partner holds all balances. This boundary is contractually enforced and reconciled daily.

Are you supervised by the Bank of Tanzania?

Yes. We operate under the National Payment System Act with PSP licence reference . We are progressing to full production licence in Q4 2026.

How do I get the due-diligence pack?

Contact the Trust team via the form on this site, or email [email protected]. We send a signed NDA followed by the DDQ, DPA, and security whitepaper.

Are you certified to PCI DSS or ISO 27001?

Certification audits are scheduled through 2026. Controls are already implemented and internally audited; evidence is available under NDA ahead of external certification.

Where is customer data stored?

Production data is stored within Tanzania. Regional replicas are added only where partner contracts require it, and always subject to the relevant regulator's approval.

What happens in a security incident?

We operate 24/7 on-call. BoT notification happens within statutory windows; affected partners are notified within 72 hours of incident confirmation, with a full post-incident report to follow.

Due diligence, made short

Request the full compliance pack — DDQ, DPA, security whitepaper, sub-processor register.