Last updated: May 2025 · Version 1.0
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between MobileSasa Limited (“Processor”) and the Subscriber (“Controller”) for the provision of the MobileSasa CSP Platform. It is incorporated by reference into the Terms of Service.
MobileSasa is registered as both a Data Processor and a Data Controller under the Kenya Data Protection Act 2019 (Office of the Data Protection Commissioner of Kenya).
1. Roles and Responsibilities
The Subscriber acts as the Data Controller with respect to the personal data of their End Users that is processed on the MobileSasa CSP Platform. MobileSasa acts as the Data Processor, processing such data only on the Controller's documented instructions.
2. Subject Matter and Nature of Processing
| Item | Detail |
|---|---|
| Subject matter | Provision of managed CSP infrastructure for SMS, USSD, and shortcode services |
| Duration | Duration of the active Subscription |
| Nature of processing | Storage, transmission, and logging of messaging data and contact information |
| Purpose of processing | Enabling the Controller to deliver SMS/USSD services to their End Users |
| Type of personal data | Phone numbers, message content, contact names, delivery statuses |
| Categories of data subjects | The Controller's End Users (members of the public in Kenya and other jurisdictions) |
3. Processor Obligations
MobileSasa (Processor) shall:
- Process personal data only on documented instructions from the Controller. These instructions are embodied in the Platform configuration set by the Controller.
- Ensure that persons authorised to process the data are bound by confidentiality obligations.
- Implement the technical and organisational measures described in clause 6 of this DPA.
- Not engage sub-processors without prior written authorisation from the Controller, except as listed in clause 5.
- Assist the Controller in responding to requests from data subjects exercising their rights under the Kenya Data Protection Act 2019, to the extent technically feasible.
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach involving the Controller's data.
- At the Controller's choice, delete or return all personal data upon termination of the subscription, and delete existing copies within 30 days unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow and contribute to audits conducted by the Controller or an auditor appointed by the Controller (with reasonable notice and at the Controller's cost).
4. Controller Obligations
The Controller shall:
- Ensure there is a valid legal basis for processing End User personal data before transmitting it through the Platform.
- Obtain all necessary consents and provide all required notices to End Users.
- Ensure that instructions given to MobileSasa comply with applicable law, including the Kenya Data Protection Act 2019 and any applicable sectoral regulations.
- Not instruct MobileSasa to process personal data in a manner that would violate applicable law.
5. Sub-Processors
The Controller grants MobileSasa general authorisation to engage the following sub-processors. MobileSasa will notify the Controller of any planned changes to this list with at least 14 days' notice:
| Sub-processor | Location | Purpose |
|---|---|---|
| Bare-metal server infrastructure | Kenya | Hosting Docker containers and databases |
| PesaPay | Kenya | Payment processing (billing data only) |
| Carrier networks (Safaricom, Airtel, Telkom, Equitel, Africa's Talking) | Kenya | SMS / USSD transmission (at Controller's direction) |
6. Technical and Organisational Measures
MobileSasa implements the following security measures:
- Encryption at rest — AES-256-GCM for all sensitive configuration values. PostgreSQL data resides on encrypted storage.
- Encryption in transit — TLS 1.2+ for all external connections. Inter-service communication uses isolated Docker networks.
- Access control — multi-tenant isolation via separate PostgreSQL schemas and Docker networks per Subscriber. Admin access requires authenticated sessions.
- Availability — automatic container restart policies. Deployment state tracked with full audit logs.
- Integrity — deployment logs and environment changes are immutable and timestamped.
- Physical security — servers are located in a physically secure data centre in Nairobi, Kenya.
7. Data Breach Notification
In the event of a personal data breach affecting the Controller's data, MobileSasa shall notify the Controller within 72 hours. The notification shall include, to the extent available:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records affected.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
The Controller is responsible for notifying the Office of the Data Protection Commissioner of Kenya and affected data subjects where required by the Kenya Data Protection Act 2019.
8. Data Subject Rights Assistance
MobileSasa will assist the Controller in fulfilling requests from data subjects to exercise their rights (access, rectification, erasure, restriction, portability, and objection) within the Platform to the extent technically feasible, at the Controller's written request.
9. Data Deletion and Return
Upon termination or expiry of the Subscription, and at the Controller's election, MobileSasa will either return all personal data in a standard format or securely delete it, within 30 days of the Controller's written request. Backup copies will be purged within 30 days. MobileSasa will confirm deletion in writing.
10. Governing Law
This DPA is governed by the laws of Kenya, including the Kenya Data Protection Act 2019, the Kenya Information and Communications Act, and any regulations made thereunder.
11. Contact
Data protection queries should be directed to our DPO at [email protected].