Data Processing Agreement
Last updated June 01, 2026
This Data Processing Agreement ('DPA') forms part of, and is subject to, the Terms of Service or other written or electronic agreement between the parties governing access to and use of the Services (the 'Principal Agreement'). It governs the Processing of Personal Data carried out by DairyBook KE Limited on behalf of the Customer.
This DPA is entered into between:
- DairyBook KE Limited, a company registered in Kenya at Mosop A Farm, Berur Village, Uasin Gishu County, Eldoret 30100 ('Processor', 'we', 'us', or 'our'); and
- the customer that has accepted the Principal Agreement (the 'Customer' or 'Controller', 'you').
Each is a 'Party' and together the 'Parties'. Where the Customer accepts the Principal Agreement, the Customer also accepts this DPA. In the event of a conflict between this DPA and the Principal Agreement on the subject of data protection, this DPA prevails.
TABLE OF CONTENTS
- 1. DEFINITIONS
- 2. ROLES AND SCOPE OF PROCESSING
- 3. PROCESSING INSTRUCTIONS
- 4. PROCESSOR OBLIGATIONS
- 5. CONFIDENTIALITY
- 6. SECURITY MEASURES
- 7. SUB-PROCESSORS
- 8. DATA SUBJECT RIGHTS
- 9. PERSONAL DATA BREACH
- 10. ASSISTANCE AND IMPACT ASSESSMENTS
- 11. INTERNATIONAL DATA TRANSFERS
- 12. RETURN AND DELETION OF DATA
- 13. AUDIT RIGHTS
- 14. LIABILITY
- 15. TERM AND TERMINATION
- 16. GOVERNING LAW
- 17. CONTACT
- ANNEX 1 — DETAILS OF PROCESSING
- ANNEX 2 — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
- ANNEX 3 — APPROVED SUB-PROCESSORS
1. DEFINITIONS
Capitalised terms not defined in this DPA have the meaning given in the Principal Agreement. For the purposes of this DPA:
- 'Applicable Data Protection Law' means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the Kenya Data Protection Act, 2019 and its subsidiary regulations, and, where applicable to the Customer, the EU General Data Protection Regulation (Regulation (EU) 2016/679) and any other equivalent law of any jurisdiction.
- 'Controller', 'Processor', 'Data Subject', 'Personal Data', 'Processing', and 'Personal Data Breach' have the meanings given to them under Applicable Data Protection Law.
- 'Customer Personal Data' means any Personal Data that we Process on behalf of the Customer in the course of providing the Services.
- 'Services' means the DairyBook App and any related products and services provided under the Principal Agreement.
- 'Sub-processor' means any third party engaged by us to Process Customer Personal Data.
- 'Supervisory Authority' means the Office of the Data Protection Commissioner of Kenya or any other regulatory body with authority over a Party's Processing of Personal Data.
2. ROLES AND SCOPE OF PROCESSING
The Parties acknowledge that, with respect to Customer Personal Data, the Customer is the Controller and we are the Processor acting on the Customer's behalf. Where the Customer is itself acting as a processor for a third-party controller, the Customer warrants that it is authorised to instruct us in accordance with this DPA.
We Process Customer Personal Data only for the purpose of providing the Services and only to the extent necessary to do so. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.
The Customer is responsible for ensuring that it has a lawful basis for the collection and Processing of Customer Personal Data and for the accuracy, quality, and legality of the Customer Personal Data and the means by which it was acquired.
3. PROCESSING INSTRUCTIONS
We will Process Customer Personal Data only on documented instructions from the Customer, including the instructions set out in this DPA and the Principal Agreement, unless required to do otherwise by a law to which we are subject. In such a case, we will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
We will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law. We are not obliged to carry out an independent legal review of the lawfulness of the Customer's instructions.
4. PROCESSOR OBLIGATIONS
In carrying out the Processing, we will:
- Process Customer Personal Data only as set out in Section 3;
- implement and maintain the technical and organisational security measures described in Section 6 and Annex 2;
- ensure that persons authorised to Process Customer Personal Data are bound by an obligation of confidentiality as set out in Section 5;
- not engage a Sub-processor except in accordance with Section 7;
- assist the Customer in fulfilling its obligations to respond to Data Subject requests as set out in Section 8;
- assist the Customer in ensuring compliance with its security, breach notification, and impact assessment obligations as set out in Sections 6, 9, and 10, taking into account the nature of the Processing and the information available to us; and
- make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, as set out in Section 13.
5. CONFIDENTIALITY
We will treat all Customer Personal Data as confidential. We will ensure that any person we authorise to Process Customer Personal Data, including our employees, agents, and contractors, has committed to confidentiality or is under an appropriate statutory obligation of confidentiality, and that access is limited to those who need it to provide the Services.
6. SECURITY MEASURES
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects, we will implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk. These measures are described in Annex 2 and may be updated from time to time, provided that any update does not materially reduce the overall level of security.
The Customer is responsible for the security of any equipment, accounts, credentials, and configurations within its control, including keeping account passwords confidential and managing user access within the Services.
7. SUB-PROCESSORS
The Customer provides general authorisation for us to engage Sub-processors to Process Customer Personal Data, subject to this Section. A current list of approved Sub-processors is set out in Annex 3.
Where we engage a Sub-processor, we will impose data protection obligations on that Sub-processor that are no less protective than those set out in this DPA, by way of a written contract. We remain fully liable to the Customer for the performance of each Sub-processor's obligations.
We will give the Customer reasonable prior notice of any intended addition or replacement of a Sub-processor. If the Customer reasonably objects to a new Sub-processor on legitimate data protection grounds, the Parties will work in good faith to resolve the objection; if no resolution is reached, the Customer may terminate the affected Services as its sole remedy.
8. DATA SUBJECT RIGHTS
Taking into account the nature of the Processing, we will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
If we receive a request directly from a Data Subject relating to Customer Personal Data, we will, where legally permitted, promptly forward the request to the Customer and will not respond to the request ourselves except on the Customer's documented instructions or as required by law.
9. PERSONAL DATA BREACH
We will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent available to us, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
We will take reasonable steps to mitigate the effects of, and to minimise any damage resulting from, the Personal Data Breach. The Customer is responsible for any notification to a Supervisory Authority or to affected Data Subjects where required by Applicable Data Protection Law.
10. ASSISTANCE AND IMPACT ASSESSMENTS
Taking into account the nature of the Processing and the information available to us, we will provide reasonable assistance to the Customer with any data protection impact assessments and any prior consultations with a Supervisory Authority that the Customer is required to carry out under Applicable Data Protection Law in relation to the Processing of Customer Personal Data.
11. INTERNATIONAL DATA TRANSFERS
The Services are hosted in Kenya. We will not transfer Customer Personal Data to a country outside the country of origin unless such transfer is permitted under Applicable Data Protection Law and is subject to appropriate safeguards, such as adequacy determinations, standard contractual clauses, or the Data Subject's explicit consent, where required. Where we engage a Sub-processor located outside the country of origin, we will ensure that an appropriate transfer mechanism is in place.
12. RETURN AND DELETION OF DATA
Upon termination or expiry of the Principal Agreement, or at any time on the Customer's written request, we will, at the Customer's choice, return or delete all Customer Personal Data, and delete existing copies, unless retention is required by a law to which we are subject. We will carry out such return or deletion within a reasonable period, after which the Customer's access to the Customer Personal Data will cease.
Where Customer Personal Data is retained in routine backup archives, it will be isolated from further active Processing and deleted in accordance with our backup retention cycle.
13. AUDIT RIGHTS
We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. To the extent permitted by Applicable Data Protection Law, the Parties will agree the scope, timing, and reasonable cost of any audit in advance, audits will take place during normal business hours on reasonable prior notice, and the Customer will minimise disruption to our operations and the operations of our other customers.
14. LIABILITY
Each Party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Principal Agreement. Nothing in this DPA excludes or limits either Party's liability where such exclusion or limitation is not permitted by Applicable Data Protection Law.
15. TERM AND TERMINATION
This DPA takes effect on the date the Customer accepts the Principal Agreement and continues for as long as we Process Customer Personal Data on the Customer's behalf. The provisions of this DPA that by their nature should survive termination, including those relating to confidentiality, return and deletion of data, and liability, will survive termination or expiry of this DPA.
16. GOVERNING LAW
This DPA is governed by and construed in accordance with the laws of Kenya, without prejudice to any mandatory provisions of Applicable Data Protection Law that apply to the Customer. The courts of Kenya have exclusive jurisdiction to resolve any dispute arising in connection with this DPA, subject to any dispute resolution provisions in the Principal Agreement.
17. CONTACT
For any questions about this DPA or to exercise rights under it, please contact us at:
DairyBook KE Limited
Mosop A Farm, Berur Village, Uasin Gishu County
Eldoret 30100
Kenya
ANNEX 1 — DETAILS OF PROCESSING
Subject matter and duration
The Processing of Customer Personal Data necessary for the provision of the Services under the Principal Agreement, for the duration of the Principal Agreement and any period thereafter required to return or delete data in accordance with Section 12.
Nature and purpose of Processing
To provide, maintain, secure, and support the DairyBook farm management Services, including account creation and authentication, storage and synchronisation of farm records, delivery of features requested by the Customer, troubleshooting, and internal analytics and reporting in connection with the operation of the Services.
Categories of Data Subjects
- The Customer's authorised users and account holders.
- The Customer's employees, workers, and farm staff.
- Any other individuals whose Personal Data the Customer chooses to enter into the Services.
Categories of Personal Data
- Identification and contact data, including names, usernames, phone numbers, and email addresses.
- Account credentials, including passwords (stored in hashed form).
- Geolocation data, where the Customer or its users enable location-based features.
- Any other Personal Data contained within farm records and other content that the Customer chooses to enter into the Services.
Special categories of Personal Data
We do not require special or sensitive categories of Personal Data to provide the Services and do not intentionally Process them. The Customer should not enter special category data into the Services except where strictly necessary and lawful.
ANNEX 2 — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
We maintain technical and organisational measures appropriate to the risk, which include, as applicable:
- Access control: role-based access to systems and data, individual user accounts, and the principle of least privilege for personnel.
- Authentication: storage of account passwords using salted one-way hashing, and protection against unauthorised account access.
- Encryption: encryption of data in transit using current transport-layer security protocols, and encryption of data at rest where appropriate.
- Tenant isolation: logical separation of Customer data so that each Customer's data is segregated from that of other customers.
- Resilience and backups: regular backups, with restoration procedures designed to restore availability and access to Personal Data in a timely manner following an incident.
- Network and infrastructure security: firewalls, reverse-proxy controls, and hardened server configurations.
- Logging and monitoring: monitoring of systems for security-relevant events and operational issues.
- Confidentiality obligations: confidentiality commitments binding on personnel with access to Personal Data.
- Incident response: procedures for detecting, reporting, and responding to Personal Data Breaches.
ANNEX 3 — APPROVED SUB-PROCESSORS
We engage the following categories of Sub-processors to support the provision of the Services. The specific providers within each category are to be confirmed and maintained by us, and the Customer will be notified of changes in accordance with Section 7.
- Cloud hosting and infrastructure: provision of server, storage, and network infrastructure on which the Services run.
- Email and messaging: delivery of transactional emails, notifications, and SMS communications.
- Application monitoring and crash reporting: collection of diagnostic and error data to maintain the security and reliability of the Services.
- Payment processing: processing of subscription payments, where applicable.