Uncompromising Compliance
Dockria is built from the ground up to satisfy the technical requirements of the world's most stringent regulatory frameworks — with particular focus on Kenya and East African regulatory environments.
It covers 40+ compliance standards across data privacy, records management, information security, encryption, electronic signatures, legal discovery, access governance, and AI automation governance.
Data Privacy & Protection
Kenya Data Protection Act (KDPA 2019): Primary framework for Kenya
Full support for Data Subject Access Requests (DSAR) with 30-day deadline tracking, breach logging with 72-hour notification countdown, consent management records, and data anonymization tools as mandated by the ODPC.
General Data Protection Regulation (GDPR)
Complete data subject rights management (access, erasure, rectification, portability, opt-out), breach notification tracking, right-to-erasure tools with comprehensive data anonymization, and data portability exports.
California Consumer Privacy Act (CCPA/CPRA)
Opt-out request tracking, consumer rights management, configurable 45-day response deadlines, and documented consent records for California residents.
HIPAA
Technical safeguards to protect Protected Health Information (PHI) with bank-grade encryption, sensitivity labels, class-level access controls, comprehensive audit trails, and periodic access reviews.
PCI DSS
Strict tracking and monitoring of all access to sensitive data (Requirement 10), unique user identification with strong authentication (Requirement 8), and need-to-know access controls (Requirement 7).
Consent Management (GDPR Art. 6-7 / KDPA Sec. 32)
Auditable consent records tracking individual decisions with purpose, status, timestamps, and basis for processing.
External Data Collection via Forms (GDPR Art. 13-14 / KDPA Sec. 25-28)
Public-facing forms present clear privacy notices to every external submitter, with configurable retention periods for collected submissions and the same data subject rights — access, correction, erasure — extended to people outside your organisation.
Sub-processor Management and Notice (GDPR Art. 28(2) / KDPA Sec. 42)
A published, always-current sub-processor list, change-notice prompts delivered to administrators ahead of any update, and an acknowledgement audit trail evidencing that controllers were informed and accepted each change.
Privacy by Design — Custom Domain (GDPR Art. 25 / KDPA Sec. 25)
Share links, signature requests, and notification emails are issued from your organisation's own URLs, with seamless redirection from any legacy address so external recipients always experience secure browsing on a domain they already trust.
Records Management
ISO 15489 — Records Management
Hierarchical file plans, automated retention and disposition policies, disposition logs providing a defensible certificate of destruction, and WORM protection for declared records.
Kenya National Archives Guidelines (KNA)
Classification schemes aligned with KNA-recommended structures, approved retention schedules, controlled disposition, vital records identification, and WORM immutability.
DoD 5015.02 — Electronic Records Management
Full record lifecycle (Draft, Active Record, Semi-Active, Archived, Destroyed), WORM enforcement on declared records, vital records flagging, file plan hierarchy, and complete audit trails.
SEC Rule 17a-4 — Financial Records Retention
WORM storage for non-rewriteable, non-erasable records, configurable retention periods (3-6 years), permanent retention flags, searchable record indices, and full access audit trails.
Automated Retention & Lifecycle
Configurable retention policies with automated enforcement, legal hold override protection, full record lifecycle progression, permanent retention support, and immutable disposition logs.
Information Security
ISO/IEC 27001:2022
Security incident management lifecycle (detect, investigate, contain, resolve, close), comprehensive audit logging, role-based access control, periodic access reviews, bank-grade encryption, and automated security alerts.
SOC 2 Type II Readiness
Controls established for Security, Availability, and Confidentiality trust service principles. Comprehensive audit logging, access reviews, encryption at rest, and documented security policies.
NIST SP 800-53 — Security Controls
Access enforcement (AC), audit and accountability controls (AU), security assessment (CA), identification and authentication (IA), and system/communications protection (SC).
NIST SP 800-63B — Digital Identity
Strong password policies (minimum length, complexity, history), account lockout mechanisms, multi-factor authentication (TOTP), secure session management, and backup code recovery.
NIST SP 800-61 — Incident Handling
A structured security incident lifecycle that walks every event through detect, investigate, contain, resolve, and close, with incident categorization and severity tracking, evidence documentation at every stage, and root cause analysis, so security teams can demonstrate a disciplined response to auditors and regulators.
Multi-Factor Authentication
Optional second-factor verification for sign-in, configurable per user or enforced organisation-wide, with a one-time email code fallback so account security can be strengthened without disrupting day-to-day access.
Secure Integrations & Webhook Security
Outbound event delivery is signed so receiving systems can verify authenticity, integration access is granted through scoped keys limited to only what each connection needs, and every integration event is captured in a full audit trail.
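The receiving side of signed event delivery, as an added example that is not Dockria's code: the header names, the HMAC-SHA256 over `"<timestamp>.<body>"` layout and the five-minute freshness window are assumptions, since the page does not document the scheme. It shows the two checks a receiver needs, a constant-time signature compare and a timestamp bound so a captured delivery cannot be replayed later.

```python
import hashlib
import hmac
import time

# Assumed scheme (not documented on the page): the sender puts a Unix timestamp in
# X-Dockria-Timestamp and hex(HMAC-SHA256(secret, "<ts>.<body>")) in X-Dockria-Signature.
SIGNATURE_HEADER = "X-Dockria-Signature"
TIMESTAMP_HEADER = "X-Dockria-Timestamp"
MAX_SKEW_SECONDS = 300  # deliveries older (or newer) than 5 minutes are treated as replays


def sign_event(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender attaches; used here only to construct sample input."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_event(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """True only if both headers are present, the timestamp is fresh and the MAC matches."""
    ts_raw = headers.get(TIMESTAMP_HEADER, "")
    provided = headers.get(SIGNATURE_HEADER, "")
    if not ts_raw.isdigit() or not provided:
        return False  # missing or malformed headers: fail closed
    timestamp = int(ts_raw)
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the freshness window: reject before doing any crypto
    expected = sign_event(secret, timestamp, body)
    # compare_digest runs in constant time, so an attacker cannot learn the MAC byte by byte
    return hmac.compare_digest(expected, provided)


# Constructed sample delivery (secret, body and timestamp are made up for the demo).
SECRET = b"whsec_constructed_example_secret"
BODY = b'{"event":"document.signed","document_id":"doc_123"}'
SENT_AT = 1_700_000_000
HEADERS = {TIMESTAMP_HEADER: str(SENT_AT), SIGNATURE_HEADER: sign_event(SECRET, SENT_AT, BODY)}

if __name__ == "__main__":
    print("fresh, untampered:", verify_event(SECRET, HEADERS, BODY, now=SENT_AT + 10))
    print("tampered body:", verify_event(SECRET, HEADERS, BODY + b" ", now=SENT_AT + 10))
    print("replayed an hour later:", verify_event(SECRET, HEADERS, BODY, now=SENT_AT + 3600))
```

Use a separate secret per integration so that rotating or revoking one connection's key does not affect the others.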
Audit Log Retention & Disposition
A tamper-evident audit history with configurable retention periods and controlled disposition, ensuring activity records are preserved for as long as your policies and regulators require — and disposed of only through an approved, fully documented process.
Encryption & Cryptography
FIPS 140-2 — Cryptographic Standards
Encryption at rest meeting validated cryptographic module standards. Secure key management with lifecycle tracking and rotation support.
NIST Key Management Guidelines
Key lifecycle management covering generation, distribution, storage, rotation, and destruction with documented audit trails.
Data Encryption at Rest
All documents encrypted with bank-grade encryption before storage. Unique initialization vectors per file. Independently verifiable document integrity through cryptographic hashing.
Encryption Key Lifecycle Management (NIST SP 800-57 / ISO 27001 A.10.1.2 / PCI DSS 3.6)
Scheduled key rotation on a cadence you define, a complete lifecycle history of every key from creation through retirement, business continuity preserved throughout each rotation so users experience no interruption, and a full audit record of every rotation event for inspection by auditors and regulators.
Electronic Signatures
Kenya Information & Communications Act
Cryptographic signatures compliant with Kenyan legal requirements for advanced electronic signatures, with compliance stamps and verification.
eIDAS — EU Electronic Identification
Support for simple, advanced, and qualified electronic signatures meeting EU standards for cross-border recognition and legal validity.
ESIGN Act — US Electronic Signatures
Legally binding electronic signatures with comprehensive audit trails, signer identity verification, and timestamp documentation.
FDA 21 CFR Part 11
Electronic records and signatures for life sciences with identity verification at signing, complete signature audit trails, and tamper-evident controls.
Legal & eDiscovery
EDRM — Electronic Discovery Reference Model
Support for the full eDiscovery lifecycle: identification, preservation (legal holds), collection, processing, review, and production with defensible production sets.
Federal Rules of Civil Procedure (FRCP)
Legal hold capabilities preventing spoliation of evidence, custodian-based holds, matter management, and production set generation for litigation response.
Access Governance
SOX Section 404 — Internal Controls
Periodic access review campaigns, segregation of duties through role-based controls, comprehensive audit trails, and documented access decisions.
ISO 27001 A.9.2.5 — Access Rights Review
Scheduled access review campaigns with reviewer assignment, documented approve/revoke/modify decisions, and campaign completion tracking.
Role-Based Access Control (RBAC)
Granular permissions at document class and property levels, group-based inheritance, individual user overrides, and permission audit reporting.
AI & Automation Governance
Human-in-the-Loop AI Controls
All AI-generated metadata suggestions pass through a structured review queue before application. Designated reviewers approve, edit, or override every recommendation, ensuring human oversight at every stage.
Confidence-Based Auto-Confirm Policies
Configurable confidence thresholds per document class allow low-risk, high-confidence suggestions to be auto-confirmed while high-risk categories require explicit human approval. Every auto-confirmed action is fully logged.
AI Decision Audit Trail
Complete audit logging of every AI suggestion, including the confidence score, the reviewing user's decision (approved, edited, or overridden), and the final metadata values applied to the document.
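The confidence-based auto-confirm policy and the decision audit trail described in the two entries above, as an added example rather than Dockria's implementation: the document classes, thresholds, field names and audit-entry layout are constructed for illustration. Unknown classes and high-risk classes fail closed to human review, and every routing and review decision is appended to the trail with its confidence score.

```python
from dataclasses import dataclass, asdict

# Constructed policies (assumption, not Dockria's defaults): per-class threshold plus a
# high-risk flag that forces human approval regardless of confidence.
@dataclass(frozen=True)
class ClassPolicy:
    auto_confirm_threshold: float
    high_risk: bool

POLICIES = {
    "invoice": ClassPolicy(0.90, high_risk=False),
    "patient_record": ClassPolicy(0.99, high_risk=True),  # PHI: never auto-confirmed
}

@dataclass
class Suggestion:
    doc_id: str
    doc_class: str
    field: str
    value: str
    confidence: float

REVIEW_DECISIONS = ("approved", "edited", "overridden")


def route_suggestion(s: Suggestion, audit: list) -> dict:
    """Auto-confirm or queue an AI suggestion; an audit entry is written either way."""
    policy = POLICIES.get(s.doc_class)
    if policy is None or policy.high_risk or s.confidence < policy.auto_confirm_threshold:
        status, applied = "pending_review", None  # unknown class also fails closed
    else:
        status, applied = "auto_confirmed", s.value
    entry = {**asdict(s), "status": status, "reviewer": None, "applied_value": applied}
    audit.append(entry)
    return entry


def record_review(entry: dict, reviewer: str, decision: str, final_value, audit: list) -> dict:
    """Human decision on a queued suggestion; 'edited'/'overridden' carry the reviewer's value."""
    if entry["status"] != "pending_review":
        raise ValueError("only pending suggestions can be reviewed")
    if decision not in REVIEW_DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    applied = entry["value"] if decision == "approved" else final_value
    reviewed = {**entry, "status": decision, "reviewer": reviewer, "applied_value": applied}
    audit.append(reviewed)  # append-only: the original routing entry stays in the trail
    return reviewed
```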
ISO/IEC 42001 — AI Management System Alignment
Dockria's AI features are designed to meet the principles of the ISO/IEC 42001 standard for responsible AI management, including transparency of AI-assisted decisions, documented oversight processes, and continuous monitoring of AI output quality.
Need a detailed security whitepaper?
Request a demo to receive our comprehensive security and compliance documentation, including audit-ready reports for your specific regulatory requirements.
Request a Compliance Demo