Custodian Labs

For Zimbabwean regulated enterprise

Trusted custody for Governance, Risk & Compliance.

Custodian GRC is the platform for the Cyber and Data Protection Act, RBZ, POTRAZ, and IPEC, mapped natively to ISO 27001, ISO 27701, and NIST CSF. One programme satisfies the local regulator and the international auditor.

  • 14 frameworks · Day one
  • 100% Cyber and Data Protection Act (Act 5 of 2021) coverage
  • 1 evidence base · Two audiences
  • 13 compliance modules · Universal

Engineer-built, evidence-led. Designed for the operating reality of Zimbabwean IT.

Built for banks, insurers, telcos, medical aid, and parastatals.

RBZ · POTRAZ · IPEC · ISO 27001 · ISO 27701 · NIST CSF

01 · The problem

Compliance, privacy, and risk in Zimbabwe are run on spreadsheets, PDFs, and patience.

Every option a Zimbabwean second-line team has today fails differently. We sit in the seam between three weaker alternatives.

01 — Today’s option

Imported global GRC suites

Built around SOC 2 and HIPAA. They treat the Cyber and Data Protection Act as a custom framework the customer has to model on a Monday morning.

02 — Today’s option

Local consultancies

Deliver a deck and a spreadsheet, then leave. The second-line team rebuilds the audit pack from scratch every cycle, in their heads.

03 — Today’s option

In-house builds

Hold up for one audit, buckle on the second. Evidence is scattered across email threads, SharePoint folders, and a senior manager who will eventually leave.

02 · Custodian GRC

The platform for the second line. One programme, every audience.

Custodian GRC turns the Zimbabwean statute book into a working programme: controls, evidence, owners, review cycles, and regulator-ready exports, modelled once and used everywhere.

Product screen · Compliance overview

[Screenshot: Custodian GRC compliance overview, Q2 2026. Frameworks: CDPA, ISO 27001, NIST CSF, RBZ, IPEC. Overall score 78%; 142 controls in scope; 6 open findings (2 critical, 3 high, 1 medium); 7-week trend; next regulator review POTRAZ Tier 4 in 28 days. Top controls due: s.18(2) DPO designation lodged with POTRAZ (M. Chibanda, OK); s.19 breach response runbook reviewed (T. Moyo, due); s.27 processor register, CRM vendor (R. Sibanda, open); s.13 privacy notice generated and published (L. Ncube, OK).]

  • 01

    Local statute as the default

    CDPA, SI 155 of 2024, POTRAZ, RBZ, and IPEC ship as first-class control libraries. Forms DP1, DP2, and DP3 are filed from the same evidence the regulator reviews.

  • 02

    One programme, two audiences

    Local controls map natively to ISO 27001, ISO 27701, and NIST CSF. A single evidence base satisfies the Zimbabwean regulator and the international counterparty without parallel work.

  • 03

    Workflows built around the second line

    RoPA, DPIA, breach reporting, vendor and DPA management, retention scheduling, the whistleblower channel, and a privacy notice generator. The thirteen modules a controller actually runs.

  • 04

    Audit-grade by construction

    Every assessment, decision, sign-off, and timestamp is logged. The export an external auditor opens is the same one your DPO signed.

03 · Framework library

Local statute, international standards. One evidence base.

Frameworks ship pre-mapped on day one. The customer does not model them. We bridge the seam between regulator language and auditor language, so a control written once shows up wherever it is read.

Local · primary

  • Cyber and Data Protection Act · Act 5 of 2021
  • SI 155 of 2024 · POTRAZ regulations
  • RBZ cyber & operational risk · Banks · MFIs
  • IPEC requirements · Insurers · Brokers
  • Public Entities Corporate Governance · Parastatals

International · alignment

  • ISO/IEC 27001 · ISMS
  • ISO/IEC 27701 · PIMS
  • NIST CSF 2.0 · Cyber framework
  • PCI DSS 4.0 · Where in scope
  • SOC 2 · On request

04 · Advisory practice

The platform sells the system. The practice runs it with you.

Most Zimbabwean controllers do not need a full-time DPO. They need an accountable, qualified DPO embedded into the business on a monthly cadence, with a system that holds up under scrutiny. We provide both.

  • A named DPO accountable to your board, not a queue
  • Regulatory mapping, control review, and sign-off on a quarterly cadence
  • Forms DP1, DP2, and DP3 prepared, filed, and tracked through POTRAZ
  • Awareness training for staff and tailored briefings for executives

05 · Built for the second line

The CISO, DPO, and Head of Risk. Inside Zimbabwe’s regulated economy.

One or two rungs below the C-suite, accountable to a board risk committee, supervised by a regulator that can fine or suspend the institution, and operating a tooling budget that has to be defended in USD. Custodian Labs is designed around their week.

  • Banks · MFIs

    RBZ-supervised

    Tier 4 · 2,500 USD/yr fee

  • Insurers · Brokers

    IPEC-supervised

    Tier 3 · 500 USD/yr fee

  • Telcos · ISPs

    POTRAZ-supervised

    Tier 4 · 2,500 USD/yr fee

  • Medical aid · HMOs

    Health regulator + IPEC

    Tier 3 · 500 USD/yr fee

  • Parastatals · Corporates

    PECG Act + sector regulators

    Tier 2–4

  • Fintech · Payments

    RBZ NPS + POTRAZ

    Tier 2–3

Ninety minutes · Your stack

A working session against your control catalogue and your last audit.

We bring Custodian GRC live, mapped to your frameworks. You bring the open items. We leave with a starting plan.

Request a demo · Email the team

Tendai Moyo · Head of Compliance Practice