Ogowkey v1
← All articles
8 min read Ogowkey team

On-continent data residency for African fintechs: what it actually means

Data residency requirements for African fintechs in 2026 - what regulators require, where to host, the cost of compliance, and the patterns that actually work.

data-residencyafricacomplianceinfrastructure

Data residency has moved from an enterprise-architecture topic to a regulatory one across most of Africa in the last three years. For fintechs operating in East Africa, the question "where is your customer data physically stored?" is no longer rhetorical - regulators ask, banking partners diligence, and customers increasingly care. This guide walks through what residency actually requires in 2026, what the cost and operational implications are, and how to think about it without over-engineering.

What "data residency" actually means

The term gets used loosely. Three distinct concepts:

Data residency - your customer data is physically stored within a specified jurisdiction.

Data sovereignty - your data is subject to the laws of a specific jurisdiction, not extraterritorial laws. Sovereignty is broader than residency; it depends on the host operator's nationality and any cross-border legal claims (e.g. the US CLOUD Act).

Data localisation - a stronger form requiring not just storage but processing within a jurisdiction. Some regulators require localisation; some accept residency-only.

For most African fintech use cases, residency is what regulators specify. Sovereignty becomes a concern when your data is hosted by a US cloud provider whose headquarters are subject to extraterritorial legal demands - relevant for sensitive PII but often a tier-two priority.

The regulatory landscape in 2026

A snapshot of the relevant regimes:

Kenya - Data Protection Act 2019

The Act regulates personal data, with the Office of the Data Protection Commissioner as enforcer. Cross-border transfers are permitted with safeguards (adequacy decisions, standard contractual clauses) but require notification for large-scale transfers. The Central Bank of Kenya separately requires fintechs to store core operating data within Kenya for licensed payment service providers - a stronger localisation rule than the DPA itself.

Uganda - Data Protection and Privacy Act 2019

Similar overall framework to Kenya's. Cross-border transfer requires either the recipient country having "adequate" protection or the data subject's explicit consent. The Bank of Uganda's regulatory framework for mobile-money operators is increasingly explicit about local hosting requirements.

Tanzania - Personal Information Protection Act 2022

A more recent framework, with the Information and Communication Technologies Commission as the supervisory authority. Localisation is encouraged but not yet uniformly required across all sectors.

Rwanda - Data Protection and Privacy Law (Law N° 058/2021)

Comprehensive, modelled on GDPR. Cross-border transfer requires either adequacy, consent or appropriate safeguards. The National Cyber Security Authority has issued sector-specific guidance for financial services that pushes toward local hosting.

Ethiopia - Personal Data Protection Proclamation (in progress)

A national proclamation was passed in 2024 and is being operationalised. Sector regulators have issued interim guidance.

Somalia - sector-specific

There is no comprehensive Somali data-protection law yet. The Central Bank of Somalia, however, has issued circulars to licensed financial institutions requiring that customer KYC data, transaction records and audit logs be stored within Somalia or, where infeasible, within East Africa with explicit notification. This is a softer regime than Kenya's, but it is tightening, and the policy direction is clear.

What "within Somalia" actually means

For Somalia specifically, "within Somalia" is hard. There is no AWS region in Mogadishu, no Azure region, no GCP region. The realistic options are:

  • Self-hosted in Somalia. A few telcos and large banks operate data centres in Mogadishu, Hargeisa or Garowe. Realistic only if you have the operational capacity to manage hardware in those environments.
  • Hosted with a regional African provider. Companies like Liquid Intelligent Technologies, Raxio, Africa Data Centres and a few smaller specialists operate facilities in Nairobi, Cape Town, Lagos, Johannesburg. From the CBS framework, hosting in Nairobi or Hargeisa is generally acceptable as long as the data does not leave the continent.
  • Hosted in a major cloud's African region. AWS has af-south-1 in Cape Town; Azure has South Africa North; GCP has africa-south1. All three are on-continent and meet most regulators' on-continent requirements, though some country-specific localisation rules require more than that.

The Ogowkey approach is to operate primary infrastructure in Nairobi and a secondary in Cape Town, with replication policies that keep customer data on-continent. Specific customers in regulated sectors get a residency commitment in writing as part of the data processing agreement.

The cost of residency

Hosting in African cloud regions is not free of trade-offs:

  • Pricing. AWS af-south-1 is roughly 15–25% more expensive than us-east-1 for equivalent capacity. The gap has narrowed over the last three years.
  • Service availability. Not every AWS service is available in af-south-1. Specifically, newer ML services (Bedrock, SageMaker Studio) are sometimes limited or absent. Plan for either local stand-ins or carefully-scoped cross-region access.
  • Latency. From Mogadishu or Hargeisa, latency to Cape Town is 80–120ms one-way; to Nairobi, 30–50ms. Either is fine for web APIs; the latter is preferable for synchronous KYC operations.
  • Operational maturity. The African cloud regions are newer than the flagship US/EU ones, which translates to occasional reliability blips. Build retry and degradation handling assuming the region is reliable but not bulletproof.

The financial cost is small relative to the business cost of being unable to onboard regulated customers because your data is sitting in Virginia.

The architecture pattern

A residency-aware architecture for an East African fintech looks roughly like this:

Tier 1: customer data

KYC documents, biometric templates, personal identifiers, transaction records - these stay on-continent, full stop. Primary region in Nairobi or Cape Town; replicate to a secondary on-continent region for resilience. No cross-region replication outside Africa.

Tier 2: operational metadata

Application logs, performance metrics, error traces - useful for engineering but not personal data in the regulatory sense. These can live anywhere your observability stack runs. If you use Datadog or New Relic, that means typically US or EU.

But: scrub personal data from logs before they leave the region. Most regulatory incidents involving "data leaving the country" are not architectural; they're somebody printf-debugging PII into a log stream that ships to a US-hosted observability provider.

Tier 3: model training

If you train ML models on customer data - face match, fraud detection, anything - the training pipeline must run on-continent. Pre-trained models can come in from elsewhere; the training on your customers' data is a regulated operation.

Tier 4: backups

Backups must inherit the residency of the primary data. Backing up Tier 1 to a different continent's bucket "for safety" defeats the policy. Use cross-region within Africa, with explicit lifecycle rules.

Pitfalls

Four patterns we see fintechs run into:

Defaulting to us-east-1

The single biggest mistake. A team builds quickly in us-east-1 because it's the cheapest and most familiar region, with full intent to migrate "later." Migration is invasive - every S3 bucket, every database, every queue, every secret has to move. The right time to put infrastructure in the right region is at day zero.

Mixed-residency teams

A team in San Francisco operating on a local dev environment, then a staging environment in us-east-1, then a production environment in Cape Town. The staging environment ends up with real customer data because nobody refreshed the seed-data process when production moved. Build the residency policy into your environment topology from the start, with hard guards against PII leaking up the chain.

Third-party SaaS

You're hosting on-continent, but your CRM is HubSpot, your support tool is Zendesk, your analytics is Mixpanel - all of which sit in US data centres. Every time a customer support ticket is created, customer data crosses the border. Either contract with on-continent equivalents (some exist for major workflows) or carefully scope what data the SaaS receives.

"Strong residency" performative wording

Stating residency in your marketing copy without actually achieving it. This is the worst-case outcome: you have the audit risk and the customer-trust risk if it comes out. If you say "data stays in Africa," confirm it operationally and provide it in writing in your DPA.

What the auditor asks

When a banking partner or regulator audits your residency posture, the questions are concrete:

  • Where physically is the primary copy of customer KYC data stored?
  • Where are backups stored?
  • Where are logs containing personal data sent?
  • Where does ML training run, on what data?
  • Which third-party processors receive customer data, and where do they host it?
  • What contractual residency commitments do you make to customers?
  • How do you enforce the policy technically? (IAM, network controls, regional KMS keys.)

A documented answer to each - with evidence - wins the audit. Vague answers lose.

Ogowkey's residency commitment

Ogowkey hosts all customer data in Nairobi (primary) and Cape Town (secondary), with replication confined to those regions. Encryption keys for customer data live in regional KMS. Logs are scrubbed of PII before any cross-region transit. We commit to this in every DPA. If you require Somalia-only residency for a specific contract, we work with regional partner facilities - get in touch and we'll structure it.

For the broader picture of what a Somali fintech compliance posture looks like, our KYC in Somalia guide is the entry point. For AML specifics, see AML compliance for East African fintechs.

Closing

Data residency is not architectural showmanship. It's an operational discipline that compounds - every infrastructure decision either reinforces it or quietly erodes it. The teams who do this well treat residency as a first-class invariant from day one, not a migration project for later. The marginal cost is small. The downside of getting it wrong, once you have customers and a regulator, is large.

[Get in touch](mailto:olow304@gmail.com?subject=Ogowkey%20 - %20data%20residency) if you want to talk through your own architecture.