Data Processing Agreement (DPA)
Last updated: February 26, 2026
This Data Processing Agreement (DPA), entered into by the Giyaent customer identified on the applicable ordering document for Giyaent services ("Customer") and Gi Yamo Enterprise ("Giyaent"), forms part of the Contract for Services ("Principal Agreement") and governs the processing of personal data that Customer uploads or otherwise provides to Giyaent in connection with the services and the processing of any personal data that Giyaent uploads or otherwise provides to Customer in connection with the services. For the purposes of this DPA, Customer is the "Data Controller" and Giyaent is the "Data Processor" (together, the "Parties").
WHEREAS
(A) The Data Controller (you/your organisation) acts as a Data Controller of the content and personal data uploaded to the ma'kuu platform.
(B) The Data Processor (Giyaent) provides collaborative research and heritage management services (the "Services") which imply the processing of personal data on behalf of the Data Controller.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the Kenya Data Protection Act and the General Data Protection Regulation (GDPR).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalised terms used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement;
1.1.2 "Customer Personal Data" means any Personal Data Processed by the Data Processor on behalf of the Data Controller in connection with the Services;
1.1.3 "Data Protection Laws" means the Kenya Data Protection Act, the EU GDPR, and any other data protection or privacy laws applicable to the processing of data under this Agreement;
1.1.4 "Subprocessor" means any third party (e.g., Supabase, PostHog, Netlify) appointed by the Data Processor to process Personal Data on behalf of the Data Controller.
1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" shall have the meanings given to them in the Data Protection Laws.
2. Processing of Customer Personal Data
2.1 The Data Processor shall:
2.1.1 Comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
2.1.2 Process Customer Personal Data only on the Data Controller's documented instructions, including with regard to transfers of personal data to a third country.
2.2 The Data Controller instructs the Data Processor to process Customer Personal Data for the purpose of providing the Services as described in the Principal Agreement.
3. Processor Personnel
The Data Processor shall ensure that its personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security
4.1 The Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls (Row-Level Security), and disaster recovery protocols as detailed in the Giyaent Data Security Policy.
4.2 In assessing the appropriate level of security, the Data Processor shall take into account the risks presented by the Processing, particularly from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Customer Personal Data.
5. Subprocessing
5.1 The Data Controller authorises the Data Processor to appoint Subprocessors to provide the infrastructure and tools necessary for the Services (e.g., cloud hosting, database services).
5.2 A list of current Subprocessors is maintained in the Data Security Policy. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessors.
6. Data Subject Rights
Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising Data Subject's rights.
7. Personal Data Breach
7.1 The Data Processor shall notify the Data Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2 The notification shall provide the Data Controller with sufficient information to meet obligations to report the breach to the Office of the Data Protection Commissioner (ODPC) in Kenya or other relevant authorities.
8. Deletion or Return of Data
Upon cessation of the Services, the Data Processor shall, at the choice of the Data Controller, delete or return all Customer Personal Data, unless applicable law requires storage of the personal data.
9. Audit Rights
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
10. Data Transfers
The Data Processor may transfer Customer Personal Data outside of Kenya or the EEA provided that the transfer is to a country providing an adequate level of protection or is subject to appropriate safeguards (such as Standard Contractual Clauses) as required by Data Protection Laws.
11. Governing Law and Jurisdiction
11.1 This Agreement is governed by the laws of Kenya.
11.2 Any dispute arising in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts of Nairobi, Kenya.
12. CONTACT US
If you have any questions about this Privacy Policy or our data practices, please contact us at: privacy@giyaent.com