Custodian Labs

Platform

Custodian GRC. The Cyber and Data Protection Act, in working order.

Thirteen compliance modules. Five regulators. Three international standards. One evidence base. Custodian GRC is the system the second-line team operates every day, and that the external auditor tests directly.

Hosted in Zimbabwe · Read replicas in South Africa · On-premise option for Enterprise

01 · Compliance modules

Every module ships on every plan. Compliance is not a paywall.

The CDPA and SI 155 require these modules, so we refuse to gate them. What differs by plan are conventional levers: seats, integrations, audit-log retention, and branding.

  • RoPA

    CDPA s.18 · SI 155 r.7

    Records of Processing Activities

    A living record of every processing activity, with controllers, processors, lawful bases, and retention periods queryable from one place. Generates the export the regulator asks for.

  • DPIA

    CDPA s.18(7) · SI 155 r.10

    Data Protection Impact Assessments

    Triggered DPIAs for high-risk processing, with a structured assessment, mitigations, and a decision record. Reviewable by the DPO, signable, and exportable to PDF.

  • Form DP3

    CDPA s.19 · SI 155 r.16

    Breach reporting

    Incident triage, severity scoring, the 72-hour clock, regulator notification on Form DP3, and customer notification copy. The audit trail is the timeline.

  • Form DP2

    CDPA s.18(2) · SI 155 r.6

    DPO management

    DPO designation, the 14-day Authority-notice clock, and the artefact a controller files with POTRAZ. Renewals and changes track in the same register.

  • Form DP1

    SI 155 r.4 · §4(5)

    Data controller licensing

    POTRAZ-tier-aware licence application: Tier 1 through Tier 4, with the right fee schedule and the supporting evidence the Authority requests.

  • Processor register

    CDPA s.27 · SI 155 r.13

    Vendors and DPAs

    Processor register, DPA template, transfer assessments, and renewal calendar. Sub-processor changes are tracked, not assumed.

  • Public notice

    CDPA s.13 · SI 155 r.9

    Privacy notice generator

    A privacy notice generator that reads from the RoPA, so the public-facing notice and the internal record do not drift apart on the next audit.

  • Special category

    CDPA s.16 · SI 155 r.11

    Children’s data

    Age verification, guardian consent capture, and the additional safeguards required when processing data about subjects under 18.

  • Lifecycle

    CDPA s.18(4) · SI 155 r.14

    Retention scheduling

    A retention schedule that runs as code: rules per data class, automated review prompts, and the audit log of what was disposed and when.

  • Internal report

    CDPA s.20 · PECG Act

    Whistleblower channel

    A confidential channel for staff to raise concerns, with role-isolated triage and a record auditors can verify without seeing the underlying data.

  • Sector code

    CDPA s.30

    Code of conduct

    Sector codes of conduct supported as first-class artefacts, with controls inherited and the differences from the base CDPA framework called out.

  • Transfer register

    CDPA s.28 · SI 155 r.15

    Cross-border transfers

    Adequacy assessments, standard contractual clauses, and a transfer register that survives the next change to the Authority’s adequacy list.

  • Operational risk

    RBZ Op Risk · IPEC

    Risk register

    A risk register tied to the controls themselves: a risk maps to the control that mitigates it, the evidence behind it, and the owner accountable for the next review.

02 · Working surface

A second-line team’s working surface.

Compliance overview at a glance. Controls grouped by framework. Evidence one click away. Designed for the way Zimbabwean second-line teams actually work: small and frequently audited.

  • Per-framework dashboards: CDPA, ISO 27001, NIST CSF, RBZ
  • Evidence library tied to controls, not file folders
  • Audit-grade export of any view, with a hash and a timestamp
  • Role-aware home: platform admin, org admin, manager, employee

[Screenshot: Compliance overview dashboard, with overall score, framework breakdown (CDPA, SI 155, ISO/IEC 27001, ISO/IEC 27701, NIST CSF 2.0, RBZ Cyber Risk Guidelines), audit trail for the last 24 hours, and controls due this week]

Compliance overview · Production

[Screenshot: Controls library, showing the framework tree (CDPA, SI 155 of 2024, ISO/IEC 27001, ISO/IEC 27701, NIST CSF 2.0, RBZ Cyber Guidelines, IPEC requirements) and the CDPA s.18 controls with their linked modules and status]

Controls library

[Screenshot: Evidence detail for a signed and locked DPIA, showing owner, created and reviewed dates, the CDPA clause, summary, risks identified, and the sign-off chain of custody with timestamp and hash]

Evidence detail · DPIA

03 · Integrations and operations

Engineered to fit your stack, not the other way round.

  • Single Sign-On

    Microsoft Entra ID, Google Workspace, and Okta on the Enterprise plan. SAML 2.0 and OIDC supported.

  • SCIM provisioning

    Auto-sync users and group memberships from your identity provider. Joiners, leavers, and role changes propagate inside one cycle.

  • API and webhooks

    A public REST API and outbound webhooks. Pull RoPA exports into your data lake, push compliance events into your SIEM.

  • White-label and CNAME

    Branded domain, branded login, and exportable artefacts that read in your house style for parastatals and group operators.

Ninety minutes · Your stack

A working session against your control catalogue and your last audit.

We bring Custodian GRC live, mapped to your frameworks. You bring the open items. We leave with a starting plan.

Request a demo · Email the team

Tendai Moyo · Head of Compliance Practice