Legal

Data Processing Agreement

Drafted July 04, 2026 · This agreement is currently under legal review and will be finalized shortly.

This Data Processing Agreement ("DPA") forms part of the agreement between a client business ("Controller") and Vapor Technologies Ltd, operating as Force HRM ("Processor"), and sets out how Force HRM processes personal data on the Controller's behalf under the Data Protection Act, 2019 (Kenya).

1. Roles

The Controller determines the purposes and means of processing its employees' personal data. The Processor (Force HRM) processes that data solely on the Controller's documented instructions, for the purpose of providing payroll and statutory compliance services.

2. Categories of data

Employee names, national ID and KRA PIN numbers, bank details, compensation and salary data, attendance and leave records, and contact information, as necessary to run payroll and file statutory returns.

3. Processor obligations

  • Process data only on the Controller's documented instructions.
  • Maintain appropriate technical and organizational security measures, including encryption in transit and at rest, and role-based access control.
  • Ensure personnel with access to Controller data are bound by confidentiality obligations.
  • Assist the Controller in responding to data subject requests under the Data Protection Act 2019.
  • Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data.
  • Delete or return Controller data at the end of the service relationship, subject to statutory retention requirements.

4. Sub-processors

Force HRM may engage sub-processors (for example, payment or SMS delivery providers) strictly to the extent necessary to provide the service, and will ensure any sub-processor is bound to data protection obligations at least equivalent to those in this DPA.

5. Data location

Data is hosted in a manner consistent with the Data Protection Act 2019. Data is not transferred outside Kenya except to a sub-processor bound by equivalent data protection obligations.

6. Audit rights

The Controller may request reasonable evidence of Force HRM's compliance with this DPA, including relevant security documentation, on reasonable notice.

7. Contact

Questions about this DPA can be sent to info@forcehrm.com.

WhatsApp Start Free Trial