Data Processing Addendum
The terms that govern HakiSuite's processing of personal data on behalf of its customers.
Draft — pending legal review. This page is a structural scaffold and should be reviewed and completed by qualified counsel before relying on it as a binding addendum.
Last updated: 11 May 2026
1. Scope and roles
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and HakiSuite (“Processor”) under which the Processor provides the Service. It applies where the Processor processes personal data on behalf of the Controller in connection with the Service.
2. Definitions
Terms such as “personal data”, “processing”, “data subject”, “controller”, and “processor” have the meaning given to them in the Kenya Data Protection Act, 2019, and where applicable any other data protection law that applies to the Controller’s processing.
3. Processing details
The subject matter, duration, nature, and purpose of the processing, the categories of personal data, and the categories of data subjects are set out in Annex A. The Processor will only process personal data on the documented instructions of the Controller.
4. Confidentiality
The Processor ensures that personnel authorised to process personal data are bound by appropriate obligations of confidentiality.
5. Security
The Processor implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure, as set out in Annex B.
6. Sub-processors
The Controller authorises the Processor to engage sub-processors listed in Annex C. The Processor will provide notice of any intended addition or replacement of sub-processors and will impose data protection terms on each sub-processor that are substantially similar to those set out in this DPA.
7. International transfers
Where personal data is transferred outside Kenya, the Processor relies on the safeguards set out in Part VI of the Kenya Data Protection Act, 2019, and any additional safeguards required by law applicable to the Controller.
8. Assistance to the Controller
Taking into account the nature of the processing, the Processor assists the Controller in responding to data subject requests, in carrying out data protection impact assessments, and in meeting other obligations under data protection law.
9. Personal data breaches
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.
10. Audit
The Processor makes available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and allows for and contributes to audits conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality and operational conditions.
11. Return and deletion
On termination of the Service, the Processor will, at the choice of the Controller, return or delete all personal data, except to the extent storage is required by applicable law.
12. Contact
Questions about this DPA can be sent to info@hakisuite.com.