The KE Compliance Stack Every SaaS Founder Underestimates

Samuel Kimani
May 03, 2026 3 min read

The naive plan

A founder building a Kenyan SaaS typically plans for two compliance items: register the company and integrate M-Pesa. Once revenue is real, two more show up unannounced, KRA tax filings (which now means eTIMS) and the Office of the Data Protection Commissioner. By the time you've built enough product to have customers, the compliance surface is wider than the original plan accounted for.

This is not a "here's how to comply" post; your lawyer and accountant exist for that. This is the mental model we use to know what we don't know.

M-Pesa is the easiest layer to underestimate

Daraja onboarding is a multi-week process even when everything goes well. A production paybill or till requires Safaricom to do KYC on your business, sign you up for the correct product (C2B, B2C, M-Pesa Express), and issue you a shortcode and passkey. Founders who plan for "M-Pesa integration" without budgeting weeks for the paperwork are surprised when the technical work finishes before the paybill is live.

The deeper trap is the customer-facing side. If your customer is paying via your shortcode, Safaricom may regard them as your end-customer, which has implications for chargebacks and dispute handling. If your customer is paying via their own shortcode and you're only routing notifications, the model and the contracts are different. Decide early which side of this line you're on.

eTIMS is non-optional for almost every SaaS

KRA expanded eTIMS coverage in 2024-2025 to include almost every business that issues invoices, including services. Whether or not you charge VAT, the invoice you issue likely needs to go through eTIMS to be a valid input for your customer's expense claims. A SaaS that doesn't issue compliant invoices puts its B2B customers in an awkward position at audit time.

The pragmatic timeline: get a KRA PIN, get an iTax account, choose OSCU or VSCU, find a vendor or build the integration. From start to first compliant invoice is realistically 4-6 weeks. Plan accordingly.

Data protection is real now, not later

The Office of the Data Protection Commissioner started taking enforcement seriously in 2024. Fines are real, registration as a data controller is required for almost any SaaS, and the timeline to register-then-comply is longer than founders plan for. The deeper requirement (meaningful data-handling practices, breach notification, and the ability to fulfill a subject access request) is more engineering than paperwork.

Build for it from day one. A SaaS that can't produce a full export of one user's data within a sprint is going to struggle when the first request arrives. We bake export-on-request into every model that holds personal data, and route deletes through a soft-delete-then-purge job that's auditable.

The forgotten layers

If your product handles money flows you don't own (e.g. paying out to riders, agents, or merchants), you're very likely brushing up against the Central Bank of Kenya's Payment Service Provider rules. If you store communication records, the Communications Authority cares about your SMS sender ID and how you obtained consent. If you serve users in the EU/UK, GDPR still applies extraterritorially. None of these are dealbreakers, but each is a slow conversation with a regulator and a paperwork project.

The pattern that keeps showing up: compliance isn't a sprint, it's an operating cost. Budget for it as a percentage of revenue, not a one-time setup, and you'll route around the worst surprises.
