Four-eyes on every data action - without the bottleneck
Enforce four-eyes approval on sensitive data processing actions. Per-action opt-out, delegated approval chains, escalation paths, and an immutable audit trail - governance without grinding operations to a halt.
Why this matters
Built for your compliance outcomes
Four-eyes enforcement
No single person can act alone
- Configurable per action type
- Approval required before execution
- Reject with mandatory reason
- Re-submission workflow on rejection
Per-action opt-out
Governance without grinding ops
- Enable only where risk justifies
- Exclude routine low-risk actions
- Risk-based configuration by role
- Audited single-owner bypass
Risk-based approval policies
Right scrutiny on the right actions
- Policies by action type and risk
- Pending approvals queue with badge
- Approval SLA with escalation
- Rejected items return with notes
Immutable audit trail
Every action, logged forever
- Who made the request
- Who approved or rejected
- Timestamp and IP logged
- Cannot be altered or deleted
Features
Everything you need, nothing you don't
Four-Eyes Enforcement
Configurable approval requirement per action type. No action executes without the required approver sign-off.
Action Configuration
Enable maker-checker per action type. Exclude low-risk routine actions. Risk-based opt-in rather than blanket requirement.
Approval Policies
Approval requirements configured per action type and risk. Pending approvals queue with badge counts. Rejections return to the submitter with notes.
Approval SLAs
Set time limits on approvals. Automatic escalation to the next level if the approval SLA is missed. No action is left pending indefinitely.
Immutable Audit Log
Every maker, checker, approval, rejection, and override logged immutably. Full action history for ODPC inspection.
Single-Owner Mode
Sole-operator organisations proceed with an audited bypass note. Once a second member joins, four-eyes enforcement applies automatically.
DPA alignment
Every feature maps to a DPA section
Dira is built from the Act, not retrofitted to it. Here's exactly how each capability addresses your Kenya DPA 2019 obligations.
| Product Feature | DPA 2019 Section | What it fulfils |
|---|---|---|
| Four-eyes enforcement | s.25 | Implements a technical and organisational measure demonstrating accountability for processing decisions |
| Immutable audit trail | s.25(1)(e) | Maintains a documented record of processing decisions and their authorisation chain |
| Access controls | s.41 | Ensures appropriate technical controls restrict who can initiate and who can approve sensitive processing actions |
| Approval chains | s.25 | Demonstrates that processing decisions go through appropriate governance before execution |
| Emergency override logging | s.25 | Documents exception circumstances with enhanced audit evidence for accountability |
| Rejection workflow | s.25 | Captures and records instances where processing actions were reviewed and refused |
How it works
Step-by-step workflow
Configure action types
Choose which actions require maker-checker. Enable for high-risk actions: bulk erasure, consent withdrawal overrides, sensitive data exports.
Set approval chains
Define who can approve each action type. Configure single or multi-level chains. Set up delegation rules for absences.
Enable and communicate
Activate maker-checker. Notify teams of actions that now require approval. Dira generates a summary of all affected workflows.
Monitor and refine
Review approval metrics - approval times, rejection rates, bottlenecks. Adjust configuration to balance governance and operational speed.
FAQ
Common questions
What types of actions should require maker-checker?
Won't maker-checker slow everything down?
What if my organisation has only one user?
Can I configure approvals differently per action type?
Start using Maker-Checker Approvals today
30-day free trial. No credit card required. Full access to all Data Privacy products from day one.