Custodian Labs

About

Building a custodian, not a vendor.

Custodian Labs is a Zimbabwean cybersecurity and data protection company. We build Custodian GRC, our flagship platform, and we run the advisory practice that sits alongside it. Our customers are CISOs, DPOs, and Heads of Risk in Zimbabwean banks, insurers, telcos, medical aid societies, and parastatals.

Founded · Harare · Zimbabwe

01 Positioning

Custodian Labs is a Zimbabwean cybersecurity and data protection company. We build Custodian GRC, our flagship platform for governance, risk, and compliance, and we provide advisory services that help regulated enterprises put privacy and security into daily practice. Our customers are CISOs, DPOs, and Heads of Risk in Zimbabwean banks, insurers, telcos, medical aid societies, and parastatals who have to satisfy local regulators and international counterparties at the same time. The platform is engineer-built and grounded in Zimbabwean reality: the Cyber and Data Protection Act, POTRAZ, RBZ, and IPEC requirements, mapped natively to ISO 27001, ISO 27701, and NIST CSF. We are the long-term custodian of our customers’ security and compliance posture, today in Zimbabwe and, as the practice scales, across SADC and the rest of the continent.

02 Values

Five values that make every later decision easier.

If a design choice, a line of copy, or a product behaviour does not express at least two of these values, it is wrong, regardless of taste.

  1. Stewardship over salesmanship

    We hold something on behalf of someone else: their data, their controls, their reputation with a regulator. Every screen, email, and contract should feel like custody, not conversion. We earn renewals by being the reason an audit went quietly, not by being the loudest brand in the room.

  2. Local fluency, regional ambition

    We speak the regulator’s language: RBZ, POTRAZ, IPEC, the Cyber and Data Protection Act, the way a Zimbabwean compliance officer speaks it day to day. We design every artefact so it reads just as fluently to a counterpart in Lusaka, Gaborone, or Lagos.

  3. Engineer-built, evidence-led

    We were not assembled out of a consulting deck. Every claim we make in the product, on the website, and in a sales conversation is backed by something demonstrable: a control, a log, an artefact, a screenshot. If we cannot show it, we do not say it.

  4. Composed under audit

    Security and compliance work happens on bad days. The brand should lower the temperature in the room, not raise it. Confident sentences, generous whitespace, predictable interfaces, and no theatre.

  5. Practical, not idealistic

    We design for forex constraints, capped cloud budgets, intermittent links, and local data residency expectations. The brand never pretends our customers operate in San Francisco. It treats the realities of running IT in Zimbabwe as a design input, not an apology.

03 Frequently asked

What buyers ask before the second meeting.

Where is our data hosted?

Custodian GRC is hosted in-country on Zimbabwean infrastructure, with read replicas in South Africa for failover. Enterprise customers can elect on-premise deployment behind their own perimeter; the same Docker image runs in either configuration.

How is your platform different from a consultancy?

A consultancy delivers a deck and a spreadsheet. We deliver a system the second-line team operates every day and an external auditor can test against directly. Our advisory practice runs on top of the same evidence the platform records.

Do we still need a Data Protection Officer?

Yes. The Cyber and Data Protection Act and SI 155 of 2024 require an accountable, designated officer. Most Zimbabwean controllers do not need a full-time DPO. The Custodian Labs DPO-as-a-Service is built around that reality.

How are international auditors handled?

CDPA, POTRAZ, RBZ, and IPEC controls map natively to ISO 27001, ISO 27701, and NIST CSF. The same evidence base satisfies the local regulator and the international counterparty. The customer runs one programme, not two.

Ninety minutes · Your stack

A working session against your control catalogue and your last audit.

We bring Custodian GRC live, mapped to your frameworks. You bring the open items. We leave with a starting plan.

Request a demo · Email the team

Tendai Moyo · Head of Compliance Practice