Data Compliance

Built for Zambian data protection requirements

When you manage salary-advance loans, you handle sensitive borrower data — NRC numbers, salary information, employment records. BantuziLoans is designed to protect that data and help you meet your obligations under Zambian law.

Our Approach

Six data protection principles we live by

Zambia Data Protection Act (PDPB 2021)

BantuziLoans is designed with compliance to the Zambia Data Protection Act as a baseline requirement, not an afterthought. All personal data processing has a documented lawful basis.

Data Residency in Zambia

All Customer Data — including borrower profiles, NRC scans, and loan records — is stored on infrastructure hosted within the region. We never transfer data outside Zambia without your explicit written consent.

Audit Trails on Every Action

Every login, approval decision, document upload, and state change is recorded in an immutable audit log with actor identity, timestamp, and action. Logs cannot be modified or deleted.
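One way to make an audit log append-only and tamper-evident is to hash-chain each entry to its predecessor, so that editing, removing or reordering a record breaks the chain at that point. The block below is an added illustration, not BantuziLoans' own code: the field names (actor, timestamp, action) follow the description above, while the hash-chain layout, the `AuditLog` class, the `verify_chain` checker and the sample events are assumptions made for the example.

```python
"""Tamper-evident, append-only audit log (added example, not platform code)."""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash recorded by the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    timestamp: str    # ISO 8601, UTC
    actor: str        # authenticated identity that performed the action
    action: str       # e.g. "login", "loan.approve", "document.upload"
    resource: str     # what was acted upon
    prev_hash: str    # hash of the previous entry (GENESIS_HASH for seq 0)
    hash: str         # SHA-256 over all fields above


def compute_hash(seq, timestamp, actor, action, resource, prev_hash) -> str:
    """Canonical JSON so the same fields always hash identically."""
    payload = json.dumps(
        {"seq": seq, "timestamp": timestamp, "actor": actor, "action": action,
         "resource": resource, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Only `append` exists; there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self._entries: list[AuditEntry] = []

    def append(self, actor, action, resource, timestamp=None) -> AuditEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        seq = len(self._entries)
        prev = self._entries[-1].hash if self._entries else GENESIS_HASH
        entry = AuditEntry(seq, ts, actor, action, resource, prev,
                           compute_hash(seq, ts, actor, action, resource, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> list[AuditEntry]:
        return list(self._entries)  # a copy: callers cannot mutate the log

    def head_hash(self) -> str:
        """Hash of the latest entry; store it elsewhere to detect truncation."""
        return self._entries[-1].hash if self._entries else GENESIS_HASH


def verify_chain(entries, expected_head=None) -> Optional[int]:
    """Return None if the chain is intact, else the position of the first bad entry.

    Detects modified fields (hash mismatch), removed or reordered entries
    (seq / prev_hash mismatch) and, when expected_head is supplied, entries
    dropped from the tail, which the chain alone cannot reveal."""
    prev = GENESIS_HASH
    for position, e in enumerate(entries):
        if e.seq != position or e.prev_hash != prev:
            return position
        if compute_hash(e.seq, e.timestamp, e.actor, e.action,
                        e.resource, e.prev_hash) != e.hash:
            return position
        prev = e.hash
    if expected_head is not None and prev != expected_head:
        return len(entries)  # tail truncated: fewer entries than were recorded
    return None


def tampered_copy(entries, seq, **changes) -> list[AuditEntry]:
    """Simulate one stored entry being edited in place (test helper)."""
    return [replace(e, **changes) if e.seq == seq else e for e in entries]


def build_sample_log() -> AuditLog:
    """Constructed sample events; fixed timestamps keep the hashes reproducible."""
    log = AuditLog()
    log.append("officer.m@lender.example", "login", "session",
               "2024-03-01T08:00:00+00:00")
    log.append("officer.m@lender.example", "document.upload",
               "borrower/1042/nrc-scan", "2024-03-01T08:03:10+00:00")
    log.append("approver.k@lender.example", "loan.approve", "loan/7731",
               "2024-03-01T09:15:42+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    entries, head = log.entries(), log.head_hash()
    print("intact:", verify_chain(entries, head))                            # None
    print("edited entry:", verify_chain(tampered_copy(entries, 1, actor="x"), head))  # 1
    print("deleted middle:", verify_chain(entries[:1] + entries[2:], head))  # 1
    print("truncated tail:", verify_chain(entries[:2], head))                # 2
```

The chain proves integrity of what is present, but removing entries from the end leaves a valid shorter chain; that is why `head_hash()` is meant to be copied to a separate, write-protected location (or a second system) and passed back as `expected_head` when auditing. Storage-level controls (append-only database permissions, WORM object storage) are what stop writes in the first place; the chain is the evidence that they held.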

Controller / Processor Separation

You (the lender) are the data controller for borrower data. BantuziLoans acts as your data processor. We process borrower data only on your instruction and in accordance with a formal Data Processing Agreement.

Encryption at Rest and in Transit

All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. JWT session tokens are short-lived with rotating refresh tokens. No passwords are stored in plaintext.

Role-Based Access Controls

The platform enforces strict role-based access. Loan Officers see only what they need to originate loans. Approvers cannot modify borrower records. Administrators cannot approve loans. Segregation is enforced at the API layer.
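The role split described above (officers originate, approvers decide, administrators configure, and none of them can do another's job) is a segregation-of-duties policy, and the useful property is that it can be checked mechanically before any request reaches a handler. The block below is an added illustration, not BantuziLoans' own code: the three role names follow the text, while the permission strings, the `ROLE_PERMISSIONS` matrix, the `SEPARATED_DUTIES` rules, the `Request` type and the sample calls are assumptions made for the example. It also goes one step beyond the text by rejecting a caller whose combined role assignment would merge duties that no single role is allowed to hold.

```python
"""Role-based access with segregation of duties, gated at the API layer
(added example, not platform code)."""
from dataclasses import dataclass

# Permission matrix. Deny by default: a role may do only what is listed here.
# Role names follow the page; permission strings are assumed for illustration.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "loan_officer":  frozenset({"loan:create", "loan:read", "borrower:read",
                                "borrower:update", "document:upload"}),
    "approver":      frozenset({"loan:read", "loan:approve", "loan:reject",
                                "borrower:read"}),
    "administrator": frozenset({"user:manage", "tenant:configure",
                                "audit:read", "loan:read"}),
}

# Segregation-of-duties rules: no single principal may hold both permissions.
SEPARATED_DUTIES: list[tuple[str, str]] = [
    ("loan:create", "loan:approve"),      # the originator cannot approve
    ("borrower:update", "loan:approve"),  # approvers cannot modify borrower records
    ("user:manage", "loan:approve"),      # administrators cannot approve loans
]


def effective_permissions(roles) -> frozenset[str]:
    """Union of what the caller's roles grant; unknown roles grant nothing."""
    return frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in roles))


def conflicting_pairs(permissions) -> list[tuple[str, str]]:
    """Rules from SEPARATED_DUTIES that this permission set violates."""
    return [(a, b) for a, b in SEPARATED_DUTIES if a in permissions and b in permissions]


def matrix_violations(matrix=ROLE_PERMISSIONS) -> list[tuple[str, str, str]]:
    """(role, perm_a, perm_b) for every role that holds a conflicting pair.
    Meant to run in CI so a config change cannot silently merge duties."""
    return [(role, a, b) for role, perms in matrix.items()
            for a, b in conflicting_pairs(perms)]


@dataclass(frozen=True)
class Request:
    actor: str
    roles: frozenset[str]
    action: str
    resource: str


def handle(request: Request) -> tuple[int, str]:
    """API-layer gate: every check runs before any business logic.

    Returns an HTTP-style (status, message) pair."""
    granted = effective_permissions(request.roles)
    # A user assigned two roles that together merge duties is refused outright,
    # even for an action that one of those roles would permit on its own.
    if conflicting_pairs(granted):
        return 403, f"{request.actor}: role assignment merges separated duties"
    if request.action not in granted:
        roles = ", ".join(sorted(request.roles)) or "no roles"
        return 403, f"{request.actor} ({roles}) may not {request.action} on {request.resource}"
    return 200, f"{request.action} on {request.resource} by {request.actor}"


if __name__ == "__main__":
    assert matrix_violations() == []  # the matrix itself respects the rules
    samples = [  # constructed requests, one per rule in the text
        Request("officer.m", frozenset({"loan_officer"}), "loan:create", "loan/7731"),
        Request("officer.m", frozenset({"loan_officer"}), "loan:approve", "loan/7731"),
        Request("approver.k", frozenset({"approver"}), "borrower:update", "borrower/1042"),
        Request("admin.t", frozenset({"administrator"}), "loan:approve", "loan/7731"),
        Request("both.z", frozenset({"loan_officer", "approver"}), "loan:approve", "loan/7731"),
    ]
    for req in samples:
        print(*handle(req))
```

Keeping the matrix as data rather than scattered `if role == ...` checks is what makes `matrix_violations()` possible: the segregation rules become a test that fails the build when someone grants an approver `borrower:update`, instead of a policy that only exists in a document.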

Commitments

What we commit to — by default

These protections are active for every tenant on every plan, with no additional configuration required.

  • Data hosted in Zambia
  • No cross-border transfer without consent
  • Immutable audit log on every action
  • AES-256 encryption at rest
  • TLS 1.2+ in transit
  • JWT rotation + short-lived tokens
  • Role-based access enforced at API layer
  • PDPB 2021-compliant lawful processing basis
  • Breach notification within 72 hours
  • Data export on termination (30-day SLA)
  • Permanent deletion after 90 days post-term
  • Data Processing Agreement available on request

Data Processing Agreement

Need a formal DPA?

If your organisation requires a signed Data Processing Agreement (DPA) — for instance, to satisfy your own compliance obligations or an audit — we can provide one. Our standard DPA covers:

  • Subject matter, duration, and nature of the processing
  • Categories of personal data and data subjects
  • Obligations and rights of the controller (you)
  • Obligations of the processor (Bantuzi)
  • Sub-processor management and notifications
  • Data subject rights fulfilment assistance
  • Breach notification procedures
  • Return or deletion of data on termination

Questions? Email us at info@bantuzi.com