Built around the rules Kenyan schools have to follow
You're responsible for student and parent data. We're your processor. Here's exactly what that means in practice.
Data Protection Act 2019
Your school is the data controller. Elimusmart is the data processor. We process student and parent data only on your school's instructions and only for the operations the school has enabled.
Where data lives
Hosted on tier-3 cloud infrastructure with daily encrypted backups retained for 30 days. Application traffic is TLS 1.3 only. Database backups are AES-256 encrypted at rest.
Who can see what
Role-based access (Super Admin, School Admin, Teacher, Bursar, Parent, Student) plus an immutable audit log of every privileged action. Two-factor authentication available on every staff account.
M-Pesa Daraja
Native integration with Safaricom's daraja API. STK pushes go school → Safaricom → parent directly. Elimusmart never touches the parent's M-Pesa PIN, and we don't hold funds — payments settle to your school's paybill.
Data portability
Export students, fees, attendance, and reports as CSV / PDF at any time, no waiting period. On termination we return your full database within 14 days and purge our copy within 30.
Incident response
Defined procedure for security incidents. Notification to your school within 72 hours of confirmed breach as required by DPA 2019, with timeline of what we know and what we're doing.
Want the detail?
We share our DPA, processor agreement, and security architecture summary on request. Talk to us.