Data Security

Last updated: February 1, 2026

Your fleet data is the backbone of your operations. We treat its security with the same seriousness you would. This page outlines the technical and organisational measures Tanka employs to protect your data.

Infrastructure Security

Cloud Hosting

Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certified providers, multi-region redundancy, and 99.99% infrastructure uptime.

Network Security

Web Application Firewall (WAF), DDoS protection, intrusion detection and prevention systems, and network segmentation between customer environments.

Database Isolation

Multi-tenant architecture with logical data isolation. Each customer's data is stored in isolated schemas, preventing cross-tenant data access.

Automated Backups

Continuous database backups with point-in-time recovery capability for up to 30 days. Backups are encrypted and stored in geographically separate locations.

Encryption

In Transit

All data transmitted between your devices and our servers is encrypted using TLS 1.3 with strong cipher suites. We enforce HTTPS on all endpoints with HSTS headers.

At Rest

All stored data, including database records, file uploads, and backups, is encrypted using AES-256 encryption. Encryption keys are managed through dedicated key management services and rotated regularly.

Key Management

Encryption keys are stored separately from encrypted data using hardware security modules (HSMs). Keys are never exposed in application logs or error reports.

Access Controls

  • Role-Based Access Control (RBAC): Users within your organisation are assigned roles with specific permissions. Administrators control who can view, edit, or export data across modules.
  • Authentication: Secure password hashing (bcrypt), session management with automatic timeout, and support for single sign-on (SSO) on Enterprise plans.
  • Audit Logging: All access to sensitive data is logged with timestamps, user identity, and action performed. Audit logs are immutable and available to account administrators.
  • Internal Access: Tanka staff access to customer data is restricted to authorised support and engineering personnel only, requires multi-factor authentication, and is logged. Access is granted on a least-privilege, need-to-know basis.

Application Security

  • Secure Development: We follow OWASP secure development guidelines. All code changes go through peer review and automated security scanning before deployment.
  • Dependency Management: Automated monitoring for known vulnerabilities in third-party dependencies with rapid patching processes.
  • Input Validation: All user inputs are validated and sanitised to prevent SQL injection, cross-site scripting (XSS), and other injection attacks.
  • API Security: All API endpoints require authentication tokens, enforce rate limiting, and validate request integrity.

Incident Response

We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident analysis. In the event of a data breach:

  • Affected customers will be notified within 72 hours of confirmed breach discovery
  • A detailed incident report will be provided including scope, root cause, and remediation steps
  • Applicable regulatory authorities will be notified as required by law

Compliance

Kenya Data Protection Act

We comply with the Kenya Data Protection Act (2019) including requirements for data processor registration, consent management, and cross-border data transfer safeguards.

Industry Standards

Our security practices align with ISO 27001 information security management principles and SOC 2 trust service criteria for security, availability, and confidentiality.

Regulatory Readiness

The platform is designed to support your compliance with NTSA and EPRA regulatory requirements through built-in audit trails and documentation management.

Data Processing Agreements

We provide Data Processing Agreements (DPAs) to Enterprise customers that specify data handling obligations, sub-processor lists, and security commitments.

Business Continuity

We maintain a business continuity plan that covers infrastructure failover, data recovery procedures, and communication protocols. Our recovery time objective (RTO) is 4 hours and our recovery point objective (RPO) is 1 hour. Disaster recovery procedures are tested quarterly.

Security Inquiries

If you have questions about our security practices, need to report a security vulnerability, or require a more detailed security assessment for your procurement process, please contact us:

Tanka Technologies Inc.

Security Team: security@tanka.africa

Responsible Disclosure: security@tanka.africa with subject line “Vulnerability Report”

Need a detailed security review?

Enterprise customers can request a detailed security questionnaire, penetration test results, and on-call security briefing during evaluation.
