Data Protection Policy

This policy establishes clear guidelines for the collection, processing, storage, and protection of personal data within the SaaS webapp "Edge by Citrus." It aligns with Kenya's Data Protection Act, No. 24 of 2019 (and any subsequent amendments and regulations as of 2025), ensuring that data is managed lawfully, securely, and transparently.

1. Data Collection and Processing

Lawful Basis

Data collection and processing are carried out only on a lawful basis—by obtaining explicit consent, fulfilling contractual obligations, complying with legal requirements, or pursuing legitimate interests directly related to the operation of "Edge by Citrus."

Transparency and Purpose Limitation

Data is collected solely for specific, explicit, and legitimate purposes. Users are informed of the nature and extent of the data collected, and no data is processed beyond what is necessary for the intended functionality.

Data Minimization

Only the minimum personal data necessary for the provision and improvement of the service is collected. Unnecessary or excessive data collection is strictly prohibited.

Fair Processing

Personal data is processed fairly and in a manner that respects the rights and expectations of data subjects. Information on data collection methods and processing purposes is readily available to users.

2. Data Subjects' Rights

Access and Portability

Users have the right to access their personal data held by "Edge by Citrus" and request data portability in a structured, commonly used, and machine-readable format.

Correction and Deletion

Users may request the correction of inaccurate or incomplete data. Requests for deletion (right to erasure) will be honored when there is no overriding legal obligation to retain the data.

Restriction and Objection

Data subjects can request the restriction of processing in situations where data accuracy is contested, or processing is unlawful. Objections to processing will be considered and acted upon promptly.

Exercise of Rights

All requests to exercise these rights must be submitted through designated channels provided by the company. The Data Protection Officer (DPO) will ensure that such requests are handled within the timeframes mandated by law.

3. Data Security

Confidentiality, Integrity, and Availability

Robust technical and organizational measures are implemented to safeguard the confidentiality, integrity, and availability of personal data. These include encryption of personal data in transit and at rest, secure storage, role-based access controls that grant each role only the access it requires, and regular security assessments.

Protection Against Unauthorized Access

Systems are designed to prevent unauthorized access to, disclosure of, or modification of personal data. Regular audits, intrusion detection systems, and continuous monitoring are used to detect attempts to circumvent these controls and to verify that they remain effective over time.

Breach Prevention and Mitigation

Preventive controls reduce the likelihood of a breach, and detection capabilities are in place to identify one quickly should it occur. When a breach is detected, predefined procedures are activated immediately to contain the incident and remediate its cause.

4. Accountability and Governance

Data Protection Officer (DPO)

A qualified DPO is appointed to oversee data protection strategies, ensure regulatory compliance, and serve as the point of contact for data subjects and regulatory authorities.

Regular Audits and Reviews

Scheduled internal and external audits are conducted to assess compliance with data protection requirements. Audit results inform continuous improvements and corrective actions.

Governance Structure

Clear responsibilities and accountability mechanisms are established within the organization. Senior management is directly involved in ensuring adherence to this policy.

5. Data Transfers

Cross-Border Transfers

Personal data may be transferred internationally only when the recipient country or organization ensures an adequate level of data protection as defined by Kenyan law. Approved transfer mechanisms, such as standard contractual clauses, are employed.

Documentation and Approval

All international data transfers are documented and reviewed by the DPO to ensure that they comply with applicable legal standards and best practices.

6. Compliance and Enforcement

Regulatory Compliance

"Edge by Citrus" complies fully with the Data Protection Act, No. 24 of 2019, and any subsequent amendments. Internal procedures are established to monitor compliance continuously.

Enforcement Mechanisms

Non-compliance is subject to internal sanctions, and regulatory authorities may impose penalties as stipulated by law. An incident tracking system is maintained to document any breaches of this policy.

Reporting and Remediation

Any breach of compliance must be reported immediately to the DPO, who will coordinate with regulatory bodies and oversee remediation efforts.

7. Training and Awareness

Mandatory Training Programs

All employees and contractors undergo mandatory data protection training upon onboarding and receive regular updates on new policies, threats, and best practices.

Continuous Awareness

Ongoing internal communications, workshops, and refresher courses are provided to ensure that data protection principles remain top-of-mind across the organization.

Documentation of Training

Training attendance and outcomes are documented and reviewed regularly to assess the effectiveness of the data protection awareness program.

8. Incident Response

Breach Response Protocol

A detailed incident response plan is in place to address data breaches swiftly. It covers immediate containment, preservation of logs and other evidence, investigation, and assessment of the breach's scope and impact, including which data subjects and which categories of personal data are affected.

Notification Requirements

In the event of a personal data breach, the Office of the Data Protection Commissioner will be notified within 72 hours of the company becoming aware of the breach, as required by the Act, and affected individuals will be notified in writing within the same period. The notification period runs from the moment the breach is discovered, not from the moment it began.

Post-Incident Review

Following a breach, a thorough investigation is conducted to determine causes and implement measures to prevent future incidents. Lessons learned are documented and incorporated into policy updates.

9. Scope and Contact Information

Scope

This policy is mandatory for all employees, contractors, and third-party service providers associated with "Edge by Citrus." Compliance is monitored continuously, and deviations will be addressed with immediate corrective actions.

Contact

For any queries or to exercise your data protection rights, please contact the Data Protection Officer at:

Citrus Labs Headquarters, Nairobi, Kenya