Security & Compliance

Built with Security First

How the Thamani platform by Edscon Investment LTD protects your data, secures financial transactions, and meets applicable Kenyan regulations.

  • HTTPS / TLS Encrypted
  • Kenya Data Protection Act 2019
  • Role-Based Access Control
  • No Card Data Stored

256-bit TLS Encryption · 5 User Role Tiers · 0 Card Numbers Stored · 7yr Audit Data Retention

Platform Security

TLS / HTTPS Encryption

All data transmitted between your browser and Thamani servers is protected by TLS with 256-bit encryption. Plain HTTP connections are automatically redirected to HTTPS.

Password Security

User passwords are never stored in plain text. They are hashed with an industry-standard, salted password hashing algorithm (PBKDF2). Password reset flows use time-limited, single-use tokens.

CSRF & XSS Protection

The platform uses Django's built-in CSRF token validation on all forms and XSS sanitization on all user-supplied inputs to prevent common web attack vectors.

Secure Database

Database access is restricted to the application layer only — no direct public exposure. Credentials are stored as environment variables, never in source code or version control.

Session Management

User sessions are automatically invalidated after periods of inactivity. Session tokens are cryptographically signed and stored securely.

Security Patching

The platform runs on Django LTS releases. Security patches and dependency updates are applied on a regular maintenance schedule. Vulnerabilities are prioritised for immediate remediation.

Access Control

Thamani uses a strict Role-Based Access Control (RBAC) model. Every user is assigned exactly one role, and each role has precisely defined permissions. No user can access modules or data outside their role scope.

Role               Scope                             Data Access
-----------------  --------------------------------  ---------------------------
Administrator      Full platform                     All modules & reports
Waste Collector    Assigned collection points only   Own collections
Kitchen Manager    Assigned biodigesters only        Kitchen & digester data
Distributor        Distribution module only          Cylinder & delivery records
Customer           Personal account only             Own accruals & orders
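The role table above, expressed as a deny-by-default authorisation filter. This is an added illustration, not Thamani's own code: the User and Record shapes, the module names and the sample records are assumptions, and the filter is shown as plain Python rather than the platform's Django queryset logic.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the RBAC table: one role per user, scoped by assignment.
@dataclass
class User:
    user_id: int
    role: str                                       # exactly one role per user
    assignments: set = field(default_factory=set)   # assigned collection points / biodigesters

@dataclass
class Record:
    module: str                     # "collection", "digester", "distribution" or "account"
    unit: Optional[str] = None      # collection point or biodigester the record belongs to
    owner_id: Optional[int] = None  # user who owns the record (collector or customer)

def can_view(user: User, rec: Record) -> bool:
    """Deny by default: only an explicit rule for the user's role grants access."""
    if user.role == "Administrator":                # full platform, all modules & reports
        return True
    if user.role == "Waste Collector":              # own collections at assigned points only
        return (rec.module == "collection"
                and rec.unit in user.assignments
                and rec.owner_id == user.user_id)
    if user.role == "Kitchen Manager":              # kitchen & digester data, assigned digesters only
        return rec.module == "digester" and rec.unit in user.assignments
    if user.role == "Distributor":                  # cylinder & delivery records only
        return rec.module == "distribution"
    if user.role == "Customer":                     # own accruals & orders only
        return rec.module == "account" and rec.owner_id == user.user_id
    return False                                    # unknown or unassigned role: nothing

def visible(user: User, records: list) -> list:
    """Filter a result set down to what this user's role scope permits."""
    return [r for r in records if can_view(user, r)]

# Constructed sample records spanning every module in the table.
RECORDS = [
    Record("collection", "CP-01", owner_id=7),
    Record("collection", "CP-01", owner_id=8),   # another collector's collection
    Record("collection", "CP-02", owner_id=7),   # own, but at an unassigned point
    Record("digester", "BD-03"),
    Record("distribution"),
    Record("account", owner_id=7),
    Record("account", owner_id=9),
]
```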

Data Protection

Data Minimisation

We only collect data that is directly necessary for platform operations. Fields are reviewed regularly to ensure no unnecessary data is captured or retained.

Access Segregation

Personal data is only visible to users with a legitimate operational need. Administrators cannot access customer passwords; all sensitive fields are protected at the model level.

Data Portability

Upon request, users can receive an export of their personal data in a structured, machine-readable format. Contact our team to initiate a data export.

Right to Erasure

Subject to legal retention requirements (e.g., carbon audit records), you may request deletion of your personal data. Requests are processed within 30 days.

Payment Security

No Credit or Debit Card Data — Ever

The Thamani platform does not process, store, or transmit credit card or debit card information of any kind. All financial transactions on the platform use:

  • M-Pesa — Kenya's Central Bank-regulated mobile money network. Card data is never involved; only M-Pesa phone numbers are recorded where applicable.
  • Cash — recorded as a payment type only; no sensitive data transmitted.
  • Accruals — internal credit system tracked within the platform.
  • Bank Transfer — payment reference recorded only; no card data involved.

Because no cardholder data is ever in scope, PCI DSS does not apply to this platform — and we do not make that claim. This is a transparency commitment: we will never overstate our compliance posture.

M-Pesa Integration

M-Pesa transactions are initiated through Safaricom's regulated API infrastructure. Edscon Investment does not store full M-Pesa transaction PINs or wallet credentials.

Transaction Integrity

All payment transactions are recorded with timestamps, user IDs, and payment status. Records are immutable after creation — corrections require a new audit-trail entry.

Compliance Framework

Kenya Data Protection Act, 2019

Compliant

Our data practices — collection, storage, processing, retention and user rights — are designed in accordance with Kenya's primary data protection legislation, administered by the Office of the Data Protection Commissioner (ODPC).

Central Bank of Kenya — Mobile Money Regulations

Applicable

M-Pesa transactions facilitated through the platform are subject to Safaricom's CBK-regulated mobile money framework. We do not operate as a payment service provider — we record payment outcomes only.

PCI DSS (Payment Card Industry Data Security Standard)

Not Applicable

PCI DSS applies to organisations that store, process, or transmit credit/debit card data. Thamani does not handle any card data — all transactions use M-Pesa, cash, or bank transfer. This standard is therefore not applicable, and we do not claim certification.

ISO/IEC 27001 (Information Security Management)

On Roadmap

We are working toward aligning our information security management practices with ISO 27001 principles — including risk assessment, security policies, and continuous monitoring — as part of our long-term security roadmap.

Carbon Credit Traceability & Audit Integrity

Implemented

Thamani's traceability data is designed to meet the audit requirements of carbon credit verification bodies. Waste lifecycle records are immutable after submission and retained for a minimum of 7 years for third-party audit access.

IoT & Device Security

Where IoT sensors are deployed at biodigester sites and collection points, the following security practices apply:

  • Sensor data is transmitted over encrypted channels to the Thamani backend
  • IoT devices are provisioned with unique credentials — no shared default passwords
  • Sensor readings are validated server-side before being written to the database
  • Physical device access is restricted to authorised Edscon Investment field technicians
  • Device firmware updates are managed and verified by the technical team

IoT data is attributed to operational units (biodigesters, collection points), not directly to individuals, minimising personal data exposure at the device layer.

Incident Response

In the event of a confirmed data security incident, Edscon Investment follows a structured response process:

  • Detect & Contain — Immediate isolation of affected systems to limit exposure
  • Assess — Determine the scope, nature, and impact of the incident
  • Notify — Affected users are informed within 72 hours of confirmed breach discovery, in line with the Kenya Data Protection Act
  • Report — Material incidents are reported to the Office of the Data Protection Commissioner (ODPC) as required by law
  • Remediate — Root cause analysis and corrective action to prevent recurrence
  • Review — Post-incident review to improve response procedures

Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities from security researchers and members of the public. If you believe you have discovered a security issue in the Thamani platform, please:

  • Do not exploit, modify, or publicly disclose the vulnerability before we have had the opportunity to address it
  • Email us at info@edsconinvestment.com with the subject line "Security Disclosure"
  • Include a detailed description of the vulnerability and steps to reproduce it
  • We will acknowledge receipt within 3 business days and aim to resolve verified issues within 30 days

We do not currently offer a monetary bug bounty programme, but we commit to acknowledging meaningful contributions and working transparently with researchers throughout the remediation process.

Security Contact

Security Email

info@edsconinvestment.com

Subject: Security Disclosure

Phone

+254 722 290 417

+254 733 454 944

Office

Edscon Investment LTD

Kisumu, Kenya