Trust & Security

In a credit bureau,
trust is the product.

Every claim on this page describes systems that are built and testable today — not policy aspirations — and where a control is staged rather than live, we say so. Most of them you can verify yourself, from the public sandbox or your own dashboard.

02 · Revocation

Revoke one source, and it is gone from your very next score.

Consent at Sheba is not all-or-nothing. Each data source on a person's file — mobile money, savings, identity, education — carries its own consent link. Revoke one, and that source is excluded from the next score computed, while the sources you still consent to continue to count. There is no grace period and no queue.

The audit record of past queries is never rewritten to hide what happened — revocation changes the future, not the past. That distinction is what makes both the consent system and the audit trail trustworthy at the same time.

03 · Audit

Every query — approval or denial — is one immutable record.

Each credit query writes one row in an append-only, hash-chained audit log: who asked, for whom, for what purpose, under which consent, with what outcome. Each record carries a cryptographic hash of the one before it, so editing, deleting or inserting a record breaks the chain visibly.

The chain is recomputed live — partners see the current verdict in their portal's governance view, and consumers see it in their Trust Center. The audit log is treated as legal evidence: it is never edited, not even to correct a dispute — disputes are recorded alongside the original record instead.

Denials count too. A supervisor reviewing Sheba sees what was refused and why — not just what succeeded. Rate-limited, unconsented and thin-file refusals are all part of the permanent record.
04 · Identity

The scoring engine never sees your name.

Sheba's scorer and API operate on a pseudonymous subject reference — never a name, phone number, or Fayda ID. Identity verification works on a verify-and-discard basis: the Fayda national ID is checked at onboarding, and only a one-way cryptographic hash is kept. The raw ID is never stored.

Re-identifying a subject is a privileged, audited action reserved for narrow cases such as a consumer's own data-access request — it is not something a partner institution, or the scoring pipeline, can ever do.

No names in the scorerNo raw Fayda IDs storedNo phone numbers in the APIRe-identification: privileged & audited
05 · Scoring policy

Unknown is never scored as good.

The most dangerous thing a bureau can do in a thin-file market is make missing data look like good behaviour. Sheba's model enforces the opposite:

  • A thin file returns a low-confidence "building" status — never a fabricated healthy score. A truly empty file is refused outright rather than guessed at.
  • A known default is never treated as clean. The strict ordering — known default below unknown, unknown below clean — is enforced in the model and its test suite, and is staged to go live together with lender data reporting.
  • Every score is explainable, with reason codes in English and Amharic, because a decision that cannot be explained cannot be contested or audited.
  • Score weights are published openly and are labelled as pending actuarial validation — no output may drive a binding lending decision before that validation exists.
06 · Retention

Negative records expire. Good history endures.

Under NBE Directive CRB/02/2019 (art. 6.1.7), negative credit information is retained for a maximum of 7 years after full settlement, while positive history is kept for a minimum of 10 years. Sheba's retention schedule for credit information is built to the same standard — the law is deliberately on the side of your good record, and so are we.

A past default is not a life sentence; a decade of on-time payments is an asset that stays with you.

07 · Data protection

Built to Ethiopia's data-protection law — and your data is never sold.

Sheba is built to the Personal Data Protection Proclamation No. 1321/2024 (in force): data minimisation, purpose limitation, and consumer rights of access, correction and deletion. Credit information is used for exactly one thing — your credit file, under your consent.

  • See your own file — every consumer sees who searched their file, when, and why, and can dispute any inquiry.
  • Free to check — checking your own score is free, and your full credit report is available free of charge at least once every 12 months.
  • Correction — disputes are investigated and tracked; the contested record is preserved, never silently rewritten.
  • Never sold — institutions pay to query scores under consent. They cannot buy your data.
08 · Regulatory posture

Honest about where we stand.

Sheba Credit is pre-licence. It is not currently a licensed, regulated or approved credit bureau. The platform is built to comply with NBE Directive CRB/02/2019, and the company is building toward NBE licensing and will engage the National Bank directly and early — before anything scores for real.

Why we lead with this: a bureau's credibility starts with what it says about itself. Every figure shown to consumers today is clearly labelled illustrative until real, validated scoring is authorized — and nothing on our platform may drive a binding lending decision before then.
09 · Verify it yourself

Don't take our word for it.

  • Developers & institutions: the public sandbox returns a live, consent-gated, audited score on synthetic data in about two minutes — including the fail-closed behaviour when consent is missing.
  • Consumers: your dashboard's Trust Center shows your actual consents, the data sources they authorize, your file's access history and the live integrity verdict of the audit chain.
  • Partners: the partner portal's Governance view recomputes the audit chain on demand and shows consent and dispute telemetry — the same visibility we are building for the regulator.

Questions about any of this — including from compliance and risk teams — are welcome: get in touch.