Cloud Policy
Effective Date: 30 June 2025
This Cloud Policy outlines Uzabiz’s principles, responsibilities, and practices for using cloud services in a secure, compliant, and efficient manner.
1. Purpose
The purpose of this policy is to define the rules and responsibilities for using cloud platforms to ensure data protection, regulatory compliance, and operational efficiency.
2. Scope
This policy applies to all employees, contractors, and third parties who use or manage cloud-based resources for Uzabiz, including infrastructure, platforms, and software services.
3. Approved Cloud Providers
Only approved and vetted cloud service providers may be used. Currently approved providers include:
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Cloud services integrated via official Uzabiz APIs
4. Data Classification & Storage
All data stored in the cloud must be classified according to Uzabiz’s Data Classification Policy. Sensitive and personal data must be encrypted both in transit and at rest using strong encryption standards (e.g., AES-256).
5. Access Management
- Access to cloud services must be based on the principle of least privilege.
- All access must be authenticated using strong methods such as multi-factor authentication (MFA).
- Service accounts must be monitored and rotated periodically.
6. Backup and Recovery
Cloud-hosted data must be backed up regularly. Backup plans must be tested periodically to ensure recoverability in case of system failure or disaster.
7. Monitoring and Logging
All cloud environments must implement logging and monitoring tools. Logs must be retained securely for a minimum of 90 days and reviewed for unauthorized access or unusual activity.
8. Compliance and Legal
All cloud services used by Uzabiz must adhere to applicable laws and industry standards, including the GDPR and the Kenya Data Protection Act, as well as contractual obligations.
9. Vendor Management
Vendors providing cloud services must undergo a security and compliance review before onboarding. Their SLAs, data processing agreements, and security practices must be documented and reviewed annually.
10. Incident Management
Any cloud-related security incident must be reported immediately and managed under the Uzabiz Incident Response Policy.
11. Policy Violations
Any violation of this policy may result in access revocation, disciplinary action, or legal consequences, depending on severity.
12. Contact
For questions regarding this policy or cloud services, contact the Uzabiz IT Security Team at security@uzabiz.africa.