Tender Asili Logo

Security & Data Protection

Effective date: 12 July 2026  ·  Version 1.0

Security and data protection are central to how we build and operate TenderAsili. This statement describes the technical and organizational measures we use to protect your data, in support of our obligations under the Kenya Data Protection Act, 2019. It complements our Privacy Policy and Cookie Policy.

1. Our Approach

We apply a defence-in-depth approach that combines secure infrastructure, secure engineering practices, strict access control, and continuous monitoring. Our controls are designed to protect the confidentiality, integrity, and availability of your data throughout its lifecycle.

2. Infrastructure and Hosting

TenderAsili runs on reputable cloud infrastructure, with documents held in secure object storage. Hosting providers maintain recognized security and availability certifications, and we architect our environment following cloud well-architected security principles, including network isolation and least-privilege service configuration.

3. Encryption

All traffic to and from the platform is encrypted in transit using TLS (HTTPS). Sensitive data is encrypted at rest, and access to stored documents is restricted to authenticated, authorized users. We enforce secure transport policies to prevent downgrade to insecure connections.

4. Access Control

The platform enforces role-based access control across its buyer, supplier, and administrator roles, so that users and staff can access only the data necessary for their function. We protect accounts with hashed credentials, session security, token-based authentication, and rate limiting on sensitive endpoints such as login. Staff access to production data is limited, logged, and granted on a need-to-know basis, and all personnel are bound by confidentiality obligations.

5. Application Security

We build the platform following secure-development practices and validate input at the boundaries of our services. Our defences include protection against common web attacks, including:

  • cross-site scripting (XSS);
  • cross-site request forgery (CSRF);
  • SQL injection;
  • clickjacking, through appropriate framing protections;
  • abuse and brute-force attempts, through rate limiting and monitoring.

6. Payment Security

Payments are processed by PCI-DSS-compliant payment partners. TenderAsili does not store full card details on its own systems. Card data is handled by the payment provider under industry-standard controls.

7. Logging, Monitoring, and Backups

We maintain audit logs of significant activity to support accountability and incident investigation, and we monitor for anomalous or malicious behaviour. Data is backed up regularly to support recovery, and we test our ability to restore service and data as part of our business-continuity planning.

8. Incident Response and Breach Notification

We maintain procedures to detect, contain, investigate, and remediate security incidents. Where a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) and, where required by the Data Protection Act, affected data subjects, without undue delay.

9. Data-Protection Compliance

TenderAsili is registered with the ODPC as a data controller and data processor, and we bind our service providers with data-processing agreements requiring equivalent protection. Our data-handling practices — including lawful basis, retention, and data-subject rights — are described in our Privacy Policy.

TenderAsili is committed to continual improvement of its security posture and aligns its controls with recognized information-security standards.

10. Your Role in Security

Security is a shared responsibility. Please use a strong, unique password, keep your login credentials confidential, ensure only authorized colleagues have access to your organization's account, and notify us immediately of any suspected unauthorized access.

11. Responsible Disclosure

If you believe you have found a security vulnerability in TenderAsili, we encourage you to report it responsibly to contact@tenderasili.com. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We appreciate and acknowledge good-faith reports.

12. Contact Us

For security or data-protection queries, contact us at contact@tenderasili.com. You can also reach us at +254 714 555 554 or TenderAsili Limited, Kunde Road, Nairobi, Kenya.

Questions about this document? Contact us at contact@tenderasili.com or +254 714 555 554.