s.42 compliance for every data processor in your supply chain
A structured register of every data processor and sub-processor, with s.42 clause checklists, third-party risk scoring, contract review cycles, and cross-border transfer documentation.
Why this matters
Built for your compliance outcomes
s.42 clause checklist
Know every contract is compliant
- Pre-built s.42 clause checklist
- Contract status per vendor
- Missing clause alerts
- Amendment workflow for gaps
Third-party risk scoring
Know your highest-risk processors
- Risk score per vendor
- Data sensitivity weighting
- Subprocessor chain visibility
- Risk-ranked vendor dashboard
Review cycle management
Scheduled reviews with reminders
- Annual review reminders
- Contract renewal alerts
- DPA update reviews triggered
- Review history logged
Transfer documentation
Cross-border transfers covered
- Transfer country and mechanism recorded
- s.48 safeguards documented
- ODPC adequacy decisions tracked
- Transfer impact assessment
Features
Everything you need, nothing you don't
Processor Register
Structured register of all data processors and sub-processors with status, contract details, and risk score.
s.42 Clause Checklist
Pre-built checklist of all required contractual clauses under s.42. Traffic-light status per vendor contract.
Risk Scoring
Automated third-party risk score based on data sensitivity, volume, sub-processor chain depth, and security posture.
Review Cycles
Scheduled review reminders for annual assessments, contract renewals, and DPA-update-triggered reviews.
Transfer Tracker
Documents cross-border transfers per vendor including destination country, legal mechanism, and safeguards under s.48.
ROPA Integration
Vendors linked directly to ROPA processing activities. See which activities each processor is involved in at a glance.
DPA alignment
Every feature maps to a DPA section
Dira is built from the Act, not retrofitted to it. Here's exactly how each capability addresses your Kenya DPA 2019 obligations.
| Product Feature | DPA 2019 Section | What it fulfils |
|---|---|---|
| Written processor agreement | s.42(1) | Documents existence and status of required written contract with each data processor |
| Contractual clause checklist | s.42(2) | Verifies all mandatory clauses are present: processing scope, duration, nature, controller instructions, confidentiality, security |
| Sub-processor controls | s.42 | Tracks sub-processors and verifies they are subject to the same obligations as the primary processor |
| Transfer documentation | s.48 | Records all cross-border transfers and applicable legal mechanisms or safeguards |
| Security requirements | s.42(2)(b) | Documents appropriate technical and organisational measures required from each processor |
| Review cycle | s.25 | Demonstrates ongoing accountability through regular processor relationship reviews |
How it works
Step-by-step workflow
Add your vendors
Enter each data processor and sub-processor. Import from CSV or add individually. Dira assigns a risk score automatically.
Check s.42 clauses
Run the s.42 clause checklist per vendor. Dira highlights missing clauses and provides a template amendment for gaps.
Document transfers
For vendors in other countries, record the transfer mechanism, destination jurisdiction, and applicable safeguards under s.48.
Set review cycles
Configure annual review reminders and contract renewal alerts. Dira notifies you before reviews fall due and logs completion.
FAQ
Common questions
What must a data processing agreement include under s.42?
Can I use sub-processors?
What are the rules for cross-border data transfers?
What happens if I don't have a DPA with a processor?
Start using Vendor / Processor Register today
30-day free trial. No credit card required. Full access to all Data Privacy products from day one.