Data Protection

Data Protection Policy

This policy sets out JamiiCore Cloud's data-processing obligations, security commitments, and compliance approach under Kenyan law.

Effective date: 1 June 2025

Governed by the laws of Kenya

Issuer & Contact

Issued by: Nexus Forge Africa Limited
Address: 90 Degrees by Tsavo, Nairobi, Kenya
Governing law: Laws of Kenya

3.1 Principles of Data Processing

This Data Protection Policy sets out the specific obligations of Nexus Forge Africa Limited ("the Company") as a Data Processor and, where applicable, Data Controller, under the Data Protection Act 2019 (Kenya) ("the Act"). This Policy is binding on all employees, contractors, and agents of the Company who process personal data in connection with the JamiiCore Cloud platform ("the Platform").

All personal data processed in connection with the Platform must be:

  • Processed lawfully, fairly, and in a transparent manner (lawfulness, fairness, and transparency).
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation).
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (data minimisation).
  • Accurate and, where necessary, kept up to date (accuracy).
  • Kept in a form that permits identification of data subjects for no longer than is necessary (storage limitation).
  • Processed in a manner that ensures appropriate security of personal data (integrity and confidentiality).

3.2 The Company as Data Processor

In relation to Member data uploaded by Organizations, the Company acts as a Data Processor. In this capacity, we:

  • Process personal data only on documented instructions from the Organization as Data Controller.
  • Ensure that persons authorized to process the personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist Organizations in responding to data subject rights requests.
  • Delete or return all personal data to the Organization at the end of the service relationship.
  • Provide all information necessary to demonstrate compliance with data protection obligations.

3.3 The Company as Data Controller

In relation to Administrator account data and technical usage data, the Company acts as Data Controller and is responsible for compliance with the Act in respect of such data.

3.4 Organizations as Data Controllers

Organizations are Data Controllers in respect of their Members' personal data. Organizations are responsible for ensuring they have a lawful basis for collecting and uploading Member data, for responding to Member data subject rights requests, and for compliance with the Act in their use of the Platform.

3.5 Data Processing Agreement

By accepting the Terms and Conditions and using the Platform, Organizations enter into a Data Processing Agreement (DPA) with the Company, the material terms of which are set out in this Data Protection Policy and the Privacy Policy. The DPA incorporates the obligations set out in the Third Schedule of the Data Protection Act 2019.

3.6 Special Categories of Data

The Platform may, in some configurations, process special categories of personal data as defined in Section 46 of the Data Protection Act 2019, including health information (for example, medical details of members where relevant to the Organization). The processing of special categories of data requires explicit consent from the data subject or another specific legal basis under the Act. Organizations must not upload special category data without ensuring an appropriate legal basis exists and documenting that basis.

3.7 Next-of-Kin Data

The Platform enables Organizations to record next-of-kin information for Members, including name, relationship, and contact number. This data is processed as personal data of a third party. Organizations must:

  • Inform next-of-kin contacts that their details are being recorded and the purpose for which they are held.
  • Collect and record only the minimum necessary information.
  • Ensure next-of-kin data is accessible only to authorized Administrators.
  • Delete next-of-kin data promptly when a Member leaves the Organization or requests its removal.

3.8 Data Breach Management

In the event of a suspected or confirmed personal data breach, the Company will:

  • Contain the breach and assess the risk to individuals as a matter of urgency.
  • Notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a breach that poses a risk to individual rights.
  • Notify affected Organizations without undue delay where the breach is likely to result in a high risk to their Members.
  • Maintain a record of all data breaches, including those not required to be notified to the ODPC.
  • Conduct a post-incident review and implement remedial measures.

Organizations must notify us immediately at privacy@nexusforgeafrica.com if they become aware of any actual or suspected breach involving their account or Member data.

3.9 Data Protection Impact Assessments

The Company will conduct Data Protection Impact Assessments (DPIAs) where proposed processing activities are likely to result in a high risk to the rights and freedoms of individuals, as required by the Data Protection Act 2019. DPIAs will be carried out prior to implementing significant new features involving personal data processing.

3.10 Staff Training and Awareness

All Company personnel with access to personal data receive data protection training upon onboarding and annually thereafter. Access to personal data is restricted to those with a legitimate need, and access levels are reviewed quarterly.

3.11 Registration with the ODPC

The Company will comply with all registration and notification requirements imposed by the Office of the Data Protection Commissioner as required under the Data Protection Act 2019, including registration as a Data Processor and Data Controller where applicable.
