Data Processing Agreement (DPA) for Uzabiz
Effective Date: June 30, 2025
Last Updated: June 30, 2025
This Data Processing Agreement (“DPA”) forms part of the Uzabiz Terms of Service and applies when Uzabiz processes personal data on behalf of its customers (the “Customer”) as a processor.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data (e.g., collection, storage, use).
- “Data Controller” means the party that determines the purposes and means of the processing.
- “Data Processor” means the party that processes personal data on behalf of the controller.
- “Applicable Laws” refers to any laws applicable to personal data protection, including the Kenyan Data Protection Act 2019 and the General Data Protection Regulation (GDPR) where applicable.
2. Scope and Roles
- The Customer acts as the Data Controller.
- Uzabiz, owned and operated by BridgApp Ltd, acts as the Data Processor.
3. Nature and Purpose of Processing
Uzabiz processes personal data only to provide WhatsApp and Telegram messaging services, including:
- Contact management
- Automation of outreach
- Campaign analytics and reporting
No processing will be done beyond what is necessary for delivering the services.
4. Types of Personal Data
May include:
- Contact names
- Phone numbers
- Campaign messages
- IP addresses
- User interaction metrics
Special category data (e.g., health, religion) should not be uploaded or processed unless explicitly agreed in writing.
5. Sub-Processors
Uzabiz may use third-party sub-processors for hosting, analytics, and communications (e.g., Twilio, AWS). A current list of sub-processors can be provided upon request.
- Uzabiz ensures that all sub-processors are bound by data protection obligations equivalent to those in this DPA.
- The Customer will be notified of any changes to sub-processors.
6. Security Measures
Uzabiz agrees to implement appropriate technical and organizational measures to protect personal data, including:
- Data encryption at rest and in transit
- Access controls and role-based permissions
- Regular audits and vulnerability testing
More details are available in our Security Policy.
7. Data Subject Rights
Uzabiz will:
- Assist the Customer in responding to data subject requests (e.g., access, deletion)
- Promptly relay any request from a data subject to the Customer
8. Data Breach Notification
In the event of a confirmed data breach affecting Customer Data:
- Uzabiz will notify the Customer without undue delay (within 72 hours)
- Include all relevant details, including nature, scope, and remedial actions taken
9. Data Retention and Deletion
Upon termination of the contract:
- Uzabiz will delete or return all personal data upon written request, unless retention is required by law.
- Routine data purging policies apply for unused or expired accounts.
10. Audit and Compliance
- Uzabiz will make available audit logs or documentation upon request.
- Uzabiz will cooperate with supervisory authorities as required.
11. International Transfers
If personal data is transferred outside Kenya or the EEA:
- Appropriate safeguards (e.g., Standard Contractual Clauses) will be in place.
- The Customer will be notified in advance of such transfers.
12. Liability
Each party shall remain liable for their respective obligations under this DPA. Uzabiz shall not be liable for compliance failures due to incorrect or unlawful data input by the Customer.
13. Governing Law
This DPA is governed by the laws of the Republic of Kenya, and where applicable, international data protection regulations.
📩 Contact
For privacy-related inquiries, email: privacy@uzabiz.africa
