UJUMAA PLATFORMS (UJU)


Privacy, Data Processing & API/Reseller Compliance Pack


Aligned with CAK & ODPC Audit Expectations (Kenya)




PART A: CAK & ODPC–ALIGNED PRIVACY POLICY (AUDIT-READY)


1. Regulatory Alignment Statement


Ujumaa Platforms ("Uju") processes personal data in compliance with:


  • Kenya Data Protection Act, 2019
  • Data Protection (General) Regulations, 2021
  • Communications Authority of Kenya (CAK) licensing and consumer protection requirements
  • Applicable mobile network operator (MNO) policies


Uju acts primarily as a Data Processor for Bulk SMS services and maintains documented policies, controls, and records of processing activities as required by the Office of the Data Protection Commissioner (ODPC).


2. Roles & Responsibilities (CAK/ODPC Requirement)


| Role               | Responsibility                       |
| ------------------ | ------------------------------------ |
| Uju                | Data Processor & Technology Provider |
| Platform User      | Data Controller for recipient data   |
| MNOs / Aggregators | Sub-processors                       |


Users determine the purpose, content, and recipients of SMS communications. Uju does not initiate, edit, or authorize message content.



3. Lawful Basis & Consent Controls


Uju requires users to:


  • Obtain explicit opt-in consent from recipients
  • Maintain consent records upon request
  • Provide opt-out mechanisms (STOP commands)


Uju implements technical controls to support opt-outs and may suspend accounts generating complaints or regulatory flags.



4. Records of Processing Activities (ROPA)


For audit purposes, Uju maintains records including:


  • Categories of data processed (phone numbers, SMS content, metadata)
  • Purpose of processing (message delivery)
  • Retention periods
  • Security measures
  • Sub-processors


These records are available to regulators upon lawful request.


5. Data Breach Management


In the event of a personal data breach:


  • Uju will assess impact and risk
  • Notify the relevant Data Controller without undue delay
  • Cooperate with ODPC reporting obligations
  • Take remedial action to mitigate harm


6. Data Retention (Audit-Compliant)


| Data Type           | Retention Period                   |
| ------------------- | ---------------------------------- |
| Account data        | Duration of account + legal period |
| SMS logs & metadata | As required by law and CAK         |
| Billing records     | Minimum 7 years                    |
| Support tickets     | Up to 24 months                    |



7. Security Controls (ODPC Expectation)


Uju applies:


  • Role-based access control
  • Encrypted connections
  • Audit logs
  • Secure API authentication
  • Staff confidentiality agreements


PART B: DATA PROCESSING AGREEMENT (DPA)


This Data Processing Agreement forms part of the Terms of Use.


1. Parties


Data Controller: The User of the Uju Platform

Data Processor: Ujumaa Platforms (Uju)


2. Subject Matter


Processing of personal data for the purpose of SMS message transmission, delivery reporting, and platform operation.


3. Duration


Processing continues for the duration of the service agreement and applicable legal retention periods.


4. Nature & Purpose of Processing


  • SMS routing and delivery
  • Sender ID management
  • Compliance monitoring
  • System logging


5. Categories of Data Subjects


  • Customers
  • Employees
  • Subscribers
  • Members
  • Clients of the User


6. Types of Personal Data


  • Mobile phone numbers
  • Message content
  • Sender ID information
  • Delivery metadata


7. Processor Obligations (Uju)


Uju shall:


  • Process data only on documented instructions
  • Ensure confidentiality
  • Implement appropriate security measures
  • Assist with data subject requests where applicable
  • Notify the Controller of data breaches
  • Allow audits where legally required


8. Controller Obligations (User)


The User shall:


  • Ensure lawful collection and consent
  • Provide transparent privacy notices
  • Handle opt-outs
  • Respond to data subject requests
  • Indemnify Uju against unlawful data use


9. Sub-Processing


The User authorizes Uju to engage sub-processors such as:


  • Mobile Network Operators
  • SMS aggregators
  • Cloud infrastructure providers


Uju remains responsible for sub-processor compliance.


10. International Transfers


Where data is transferred outside Kenya, appropriate safeguards shall be applied in line with ODPC requirements.


11. Termination & Data Deletion


Upon termination, Uju shall delete or anonymize personal data unless retention is required by law.


PART C: API-ONLY CLIENT & RESELLER PRIVACY ADDENDUM


1. API Clients


API-only clients acknowledge that:


  • They are full Data Controllers
  • Uju acts strictly as a Data Processor
  • API credentials must be secured
  • High-volume or automated traffic is monitored


2. Resellers & White-Label Partners


Resellers must:


  • Maintain their own privacy policy
  • Ensure downstream clients comply with law
  • Clearly disclose Uju or equivalent processing role
  • Assume liability for reseller traffic


Uju may require reseller compliance audits.


3. Traffic Monitoring & Enforcement


Uju reserves the right to:


  • Monitor API traffic patterns
  • Rate-limit or block abusive traffic
  • Suspend access for regulatory risk


4. Regulatory Cooperation


API clients and resellers agree to cooperate with:


  • CAK investigations
  • ODPC audits
  • Lawful information requests


PART D: GOVERNING LAW


These documents are governed by the laws of the Republic of Kenya.


PART E: CONTACT


All data protection and compliance inquiries must be submitted through official Uju support channels.