Named Client Investment & WealthTech Regulatory Compliance Multi-Country

Multi-jurisdiction compliance architecture for a licensed African investment platform.

Compliance-first AWS architecture satisfying CMA Uganda and CMA Kenya, designed so that new jurisdictions can be onboarded in days, not months.

Key Outcomes
2 Regulators + Extensible: CMA Uganda and CMA Kenya mapped, with architecture ready for any new African jurisdiction
100% Data Isolation: Per-jurisdiction data residency with dedicated KMS keys, VPCs, and database instances
Zero Audit Failures: Continuous compliance evidence generated automatically across both jurisdictions
500K+ Investors: Live platform serving over half a million investors across Uganda and Kenya

"The Stratus team operate at a level we rarely see outside of tier-1 institutions. They understood our regulatory environment from day one and delivered without a single production incident."

Aéko Ongodia, CFA · Founder & CEO, Xeno Investment Management
~4mo: Engagement length
2+: African jurisdictions (Uganda, Kenya), extensible
CMA/DPPA/DPA: Compliance frameworks mapped and enforced
100%: Infrastructure as Code, Terraform & GitOps delivery
Live: In production, serving 500,000+ investors
Executive Summary

Two regulators, one architecture, zero compromises. Designed for the continent.

Xeno Investment Management is a licensed fund manager regulated by CMA Uganda and CMA Kenya, serving 500,000+ investors across East Africa. Each jurisdiction demands its own data residency, audit evidence, and compliance controls. We designed a multi-account AWS architecture that satisfies both regimes by default, not by process.

| Capability | Before (Single-Country Setup) | After (Multi-Jurisdiction Architecture) |
| --- | --- | --- |
| Data Residency | All investor data in a single region with no jurisdictional boundaries | Per-country AWS accounts. Investor data isolated per jurisdiction, enforced by SCPs. |
| Regulatory Compliance | Spreadsheet-based evidence collection for CMA Uganda only | Automated compliance. Config rules mapped to DPPA 2019, DPA 2019, and both CMA frameworks. |
| Encryption & Key Management | Shared encryption keys with no jurisdictional separation | Per-jurisdiction KMS. Dedicated keys per country. No cross-border key access. |
| Access Control | Flat IAM structure with no jurisdictional boundaries | IAM Identity Centre. Jurisdiction-scoped roles. Uganda ops cannot access Kenya data. |
| Audit Readiness | Weeks of manual evidence gathering before each audit | Always audit-ready. On-demand compliance packs per jurisdiction with immutable logs. |
Strategic Architecture Overview

Multi-Jurisdiction Compliance Architecture

Per-country accounts enforce data residency at the infrastructure level. SCPs prevent cross-jurisdiction access. Centralised observability maintains a single operational view.

Data Sovereignty
Each country has its own AWS account, VPC, KMS keys, and database. No investor data crosses jurisdictional boundaries.
Central Governance
Organisation-wide SCPs, aggregated CloudTrail, and centralised Config rules. Compliance inherited, not bolted on.
Extensible by Design
New jurisdiction = deploy a Terraform module. Account, VPC, KMS, Config rules provisioned automatically.
flowchart TB
    subgraph Mgmt ["Management Account"]
        direction TB
        SCPs["Service Control\nPolicies (SCPs)"]
        CT["AWS CloudTrail\n(Org Trail)"]
        Config["AWS Config\n(Aggregator)"]
        IAM_IC["IAM Identity\nCentre"]
    end

    subgraph UG ["Uganda Account"]
        direction TB
        UG_VPC["VPC\n(Uganda Region)"]
        UG_KMS["AWS KMS\n(Uganda Keys)"]
        UG_Aurora[("Aurora PostgreSQL\nMulti-AZ")]
        UG_ECS["ECS Fargate\n(Uganda)"]
        UG_VPC --> UG_ECS
        UG_ECS --- UG_Aurora
        UG_KMS -.->|"Encrypts"| UG_Aurora
    end

    subgraph KE ["Kenya Account"]
        direction TB
        KE_VPC["VPC\n(Kenya Region)"]
        KE_KMS["AWS KMS\n(Kenya Keys)"]
        KE_Aurora[("Aurora PostgreSQL\nMulti-AZ")]
        KE_ECS["ECS Fargate\n(Kenya)"]
        KE_VPC --> KE_ECS
        KE_ECS --- KE_Aurora
        KE_KMS -.->|"Encrypts"| KE_Aurora
    end

    subgraph Future ["Future Jurisdictions"]
        direction TB
        FJ["New Country\nAccount"]
        FJ_Note["Deploy Terraform\nModule"]
        FJ --> FJ_Note
    end

    SCPs -->|"Enforce"| UG
    SCPs -->|"Enforce"| KE
    SCPs -.->|"Enforce"| Future
    CT -->|"Audit"| UG
    CT -->|"Audit"| KE
    Config -->|"Compliance"| UG
    Config -->|"Compliance"| KE
    IAM_IC -->|"Access"| UG
    IAM_IC -->|"Access"| KE

    style SCPs fill:#6b21a8,stroke:#7c3aed,color:#fff
    style CT fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style Config fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style IAM_IC fill:#6b21a8,stroke:#7c3aed,color:#fff
    style UG_VPC fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style UG_KMS fill:#4c1d95,stroke:#7c3aed,color:#fff
    style UG_ECS fill:#4c1d95,stroke:#7c3aed,color:#fff
    style UG_Aurora fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style KE_VPC fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style KE_KMS fill:#4c1d95,stroke:#7c3aed,color:#fff
    style KE_ECS fill:#4c1d95,stroke:#7c3aed,color:#fff
    style KE_Aurora fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style FJ fill:#1a1a2e,stroke:#475569,color:#fff,stroke-dasharray: 5 5
    style FJ_Note fill:#1a1a2e,stroke:#475569,color:#fff,stroke-dasharray: 5 5


Architecture Overview

The Compliance Architecture Stack

Every tool earns its place by solving a specific regulatory requirement across both jurisdictions.

Governance Layer
The Compliance Engine
  • AWS Organizations & SCPs: Preventative guardrails blocking cross-jurisdiction data access, public resource creation, and logging bypass.
  • AWS Config Conformance Packs: Mapped to DPPA 2019, DPA 2019, and CMA requirements. 40+ rules per account, evaluated continuously.
  • AWS KMS — Per-Jurisdiction Keys: Dedicated keys per country. Key policies enforce jurisdictional boundaries at the cryptographic level.
Platform Layer
The Application Platform
  • Amazon ECS Fargate: Serverless containers per jurisdiction. No EC2 patching. Images scanned on every deployment.
  • Aurora PostgreSQL Multi-AZ: Automated failover. Per-country database instances ensure investor data never co-mingles.
  • AWS IAM Identity Centre: Federated SSO with jurisdiction-scoped permission sets. Least-privilege access, fully logged.
Operating Model

From manual compliance to automated governance

Compliance inherited by default, not assembled before each audit. Every regulatory obligation codified into infrastructure that enforces itself.

What changed operationally
  • Compliance by Default: Terraform modules encode DPPA, DPA, and CMA requirements. Every resource is compliant from provisioning.
  • Jurisdictional Autonomy: Each country operates independently. Regulatory changes in Uganda do not force re-architecture in Kenya.
  • Designed for Expansion: New African jurisdiction = deploy a Terraform module. New country in days, not months.
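The Governance Layer above describes SCPs that block cross-jurisdiction access and KMS key policies that enforce the boundary cryptographically, and this section says a new jurisdiction is one Terraform module. The module below is an added illustration of that pattern; it is not Stratus's or Xeno's own code. It assumes a default `aws` provider pointing at the management account and a `aws.jurisdiction` provider alias pointing at the per-country member account in its home region; the variable names, SID strings and the exempted global-service list are this example's own choices.

```hcl
# Added example, not the project's code. One instance of this module = one jurisdiction.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.jurisdiction] # assumed alias: member account, home region
    }
  }
}

variable "country_code" { type = string } # e.g. "ug" or "ke" (constructed values)
variable "home_region"  { type = string } # the only region this jurisdiction may use
variable "account_id"   { type = string } # the per-country member account
variable "ou_id"        { type = string } # the OU that holds that account

# SCP: deny any API call whose target region is not the jurisdiction's home region.
# Deny + NotAction means "deny everything except these"; global services are exempted
# because they always report us-east-1 and would otherwise break the account.
data "aws_iam_policy_document" "residency" {
  statement {
    sid    = "DenyOutsideHomeRegion"
    effect = "Deny"
    not_actions = [
      "iam:*", "sts:*", "organizations:*", "support:*",
      "cloudfront:*", "route53:*", "health:*", "budgets:*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = [var.home_region]
    }
  }
  # Logging bypass guardrail: nobody in the member account can switch the org trail off.
  statement {
    sid       = "DenyCloudTrailTampering"
    effect    = "Deny"
    actions   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "residency" {
  name    = "${var.country_code}-data-residency"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.residency.json
}

resource "aws_organizations_policy_attachment" "residency" {
  policy_id = aws_organizations_policy.residency.id
  target_id = var.ou_id
}

# KMS key policy: the jurisdiction account administers its key, and an explicit Deny
# stops any principal from another account using it, even if an IAM policy elsewhere
# grants kms:Decrypt. This is the "no cross-border key access" property.
data "aws_iam_policy_document" "kms" {
  statement {
    sid    = "JurisdictionAccountAdmin"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
  statement {
    sid    = "DenyCrossJurisdictionUse"
    effect = "Deny"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*", "kms:CreateGrant"]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalAccount"
      values   = [var.account_id]
    }
  }
}

resource "aws_kms_key" "jurisdiction" {
  provider                = aws.jurisdiction
  description             = "Investor data key for ${var.country_code}"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.kms.json
}

output "kms_key_arn" { value = aws_kms_key.jurisdiction.arn }
```

Two points worth checking before relying on a policy like this: confirm with `terraform plan` that the SCP lands on the OU and not on the management account (SCPs never apply there), and test the KMS Deny by assuming a role in the other jurisdiction's account and attempting `kms:Decrypt`; an `AccessDeniedException` in the member account's CloudTrail is the evidence an auditor will want to see.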
Deliverables
  • Multi-account AWS Organizations with SCPs and automated account vending.
  • Terraform module library encoding regulatory compliance as reusable components.
  • Config Conformance Packs — 40+ rules mapped per jurisdiction.
  • Per-jurisdiction KMS strategy and operational runbooks.
  • New-country onboarding playbook — compliant jurisdiction in under a week.
Compliance Automation

Audit-ready across two regulators, continuously

Uganda's DPPA 2019 classifies financial data as sensitive. Kenya's DPA 2019 mandates ODPC registration and cross-border safeguards. Both CMA regulators demand audit evidence on demand. The architecture satisfies all of it automatically.

Regulatory Controls Enforced
  • DPPA 2019 (Uganda): Financial data isolated per jurisdiction. PDPO registration satisfied. Cross-border transfers blocked at the SCP level.
  • DPA 2019 (Kenya): ODPC safeguard requirements met via automated Config rules. Sensitive data transfers require explicit consent controls.
  • CMA Audit Evidence: On-demand compliance packs per jurisdiction. Config snapshots, CloudTrail logs, and encryption status generated in minutes.
Outcome
  • Zero audit failures: Passed CMA Uganda and CMA Kenya assessments on first submission with automated evidence packs.
  • Weeks to minutes: Audit preparation reduced from weeks of manual evidence gathering to automated report generation.
  • Continuous, not periodic: Compliance posture evaluated every 15 minutes, not once per audit cycle. Drift detected and flagged in real time.
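The page describes Config conformance packs mapped per jurisdiction and an organisation-wide aggregator feeding the management account. The fragment below is an added example of that shape, not the project's own pack, which the page says holds 40+ rules; it shows a handful of AWS managed rules that map directly to the controls named above (encrypted storage under the jurisdiction's own key, no public exposure, CloudTrail on, key rotation on). It assumes the same `aws.jurisdiction` alias, that a Config recorder is already enabled in the member account, and an aggregator role ARN supplied by the caller.

```hcl
# Added example, not the project's code. Deployed into each jurisdiction's member account.
variable "country_code"        { type = string }
variable "jurisdiction_key_arn" { type = string } # the per-country KMS key this data must use
variable "aggregator_role_arn"  { type = string } # role Config uses to read the organisation

resource "aws_config_conformance_pack" "jurisdiction" {
  provider = aws.jurisdiction # assumed alias for the member account
  name     = "${var.country_code}-investor-data-controls"

  # A CloudFormation-style template of managed rules; rule identifiers are AWS's own.
  template_body = <<-YAML
    Resources:
      RdsStorageEncryptedWithJurisdictionKey:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: ${var.country_code}-rds-storage-encrypted
          InputParameters:
            kmsKeyId: ${var.jurisdiction_key_arn}
          Source:
            Owner: AWS
            SourceIdentifier: RDS_STORAGE_ENCRYPTED
      RdsNotPublic:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: ${var.country_code}-rds-not-public
          Source:
            Owner: AWS
            SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
      S3NoPublicRead:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: ${var.country_code}-s3-no-public-read
          Source:
            Owner: AWS
            SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      CloudTrailEnabled:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: ${var.country_code}-cloudtrail-enabled
          Source:
            Owner: AWS
            SourceIdentifier: CLOUDTRAIL_ENABLED
      KeyRotationEnabled:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: ${var.country_code}-cmk-rotation
          Source:
            Owner: AWS
            SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
  YAML
}

# Management-account side: one aggregator gives the central view the page describes
# without moving investor data; only compliance results cross the account boundary.
resource "aws_config_configuration_aggregator" "org" {
  name = "org-compliance-view"
  organization_aggregation_source {
    all_regions = true
    role_arn    = var.aggregator_role_arn
  }
}
```

Passing the jurisdiction's key ARN as `kmsKeyId` is what turns a generic "is it encrypted" rule into a residency control: an Aurora instance encrypted under the other country's key evaluates NON_COMPLIANT, which is the drift the page says is flagged in real time.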
Multi-Market Compliance

Is Your Multi-Market Architecture
Audit-Ready?

The CRRI™ assessment maps your infrastructure controls to regulatory obligations across every market you operate in. Identify compliance gaps before the auditors do.