PRIVACY POLICY
Effective Date: January 2026
Last Updated: January 2026
1. PURPOSE AND COMMITMENT
Sibasi Ltd ("Sibasi", "we", "us", or "our") is committed to protecting personal data, respecting privacy, and maintaining the confidentiality, integrity, and availability of information entrusted to us.
This Privacy Policy ("Policy") explains how Sibasi collects, uses, discloses, stores, transfers, and protects personal data in connection with our business activities, including:
- Cloud-based software services (SaaS)
- On-premise and hybrid enterprise systems
- Intelligent business platforms
- Advisory, consulting, professional, and managed services
- Implementation, support, training, and operations services
- Marketing, events, and business development activities
This Policy is designed to meet global data protection standards. The primary governing law is the Data Protection Act, 2019 of the Republic of Kenya, without prejudice to mandatory rights under other applicable laws.
In case of ambiguity, terms shall be interpreted in accordance with applicable law and Sibasi's contractual agreements. Nothing in this Policy creates additional contractual rights.
2. WHO WE ARE (DATA CONTROLLER)
Legal Entity: Sibasi Ltd, a company incorporated in Kenya
Registered Office: P.O. Box 37602-00100, Nairobi, Kenya
Privacy Contact: [email protected]
Unless otherwise stated in a written agreement, Sibasi acts as the Data Controller for personal data processed under this Policy. Where Sibasi processes personal data solely on documented instructions from a client, Sibasi acts as a Data Processor.
3. SCOPE OF APPLICATION
This Policy applies to personal data processed by Sibasi relating to:
- Website visitors
- Prospective and existing customers
- Users of systems we deploy or manage
- Client representatives and employees
- Partners, vendors, and contractors
- Event participants and marketing contacts
This Policy does not replace or override contractual agreements, including Data Processing Agreements (DPAs), Master Services Agreements (MSAs), Statements of Work (SOWs), and client-specific privacy notices.
4. GLOBAL LEGAL COMPLIANCE FRAMEWORK
This Policy is written to comply with globally recognized privacy principles, including:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
It is intended to satisfy applicable data protection and privacy laws worldwide, including those governing individuals in Africa, Europe, the United Kingdom, North America, South America, and other jurisdictions. Where multiple laws apply, Sibasi applies the highest standard of protection.
5. ROLES IN DATA PROCESSING
5.1 When Sibasi Acts as Data Controller
Examples include:
- Website analytics and cookies
- Sales and marketing communications
- Event registration and participation
- Vendor and partner management
- Account administration
5.2 When Sibasi Acts as Data Processor
Examples include:
- Client SaaS environments
- On-premise or hybrid enterprise systems
- Managed services and system administration
- Support, maintenance, and monitoring activities
In such cases, the client remains the Data Controller, and processing is governed by contract.
6. CATEGORIES OF PERSONAL DATA
6.1 Identification and Contact Data
- Name, job title, organization
- Email address, phone number
- Business address
6.2 Account and Authentication Data
- User identifiers
- Access credentials (securely stored)
- Roles, permissions, and audit metadata
6.3 Technical and Usage Data
- IP addresses
- Device and browser information
- Log files and telemetry data
- Security and access records
6.4 Client-Controlled Data
Any personal data entered, uploaded, generated, or stored within systems operated or managed on behalf of clients.
Sibasi does not intentionally process sensitive or special-category personal data unless explicitly required and lawfully instructed.
7. SOURCES OF PERSONAL DATA
Personal data may be collected:
- Directly from individuals
- From client organizations
- Through websites, systems, and applications
- Through cookies and similar technologies
- From authorized third parties
- From publicly available business sources
8. PURPOSES AND LEGAL BASES FOR PROCESSING
Personal data is processed only where legally permitted, including for:
8.1 Contractual Necessity
- Delivering services
- Implementing and operating systems
- Providing support and maintenance
- Billing and account management
8.2 Legal and Regulatory Obligations
- Compliance with applicable laws
- Lawful disclosures
- Audit and reporting requirements
8.3 Legitimate Business Interests
- Security monitoring and fraud prevention
- Service improvement and quality assurance
- Business continuity and risk management
8.4 Consent
- Marketing communications
- Optional cookies
- Event participation
Consent may be withdrawn at any time.
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 Technologies Used
We may use cookies, pixels, SDKs, and similar technologies to ensure system functionality, improve performance, analyze usage, and support marketing activities where permitted.
9.2 Cookie Categories
- Strictly Necessary: required for system operation
- Preferences: remember user settings
- Analytics: improve services
- Marketing: subject to user consent
9.3 Cookie Management
Users may manage cookie preferences through browser settings or consent tools. Disabling cookies may affect functionality. Some third-party analytics or advertising cookies operate as independent data controllers under their own privacy terms.
10. CLOUD HOSTING AND INFRASTRUCTURE
Sibasi uses leading global cloud service providers to deliver secure, resilient, and scalable solutions, including:
- Microsoft Azure
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
10.1 Security Characteristics
- Enterprise-grade physical and logical security
- Encryption at rest and in transit
- Redundancy and fault tolerance
- Continuous monitoring
10.2 Data Location
Data may be hosted in different geographic regions depending on service architecture, client requirements, and regulatory considerations.
11. INTERNATIONAL DATA TRANSFERS
Personal data may be transferred across borders. Sibasi implements appropriate safeguards, including contractual, technical, and organizational measures, to ensure lawful and secure transfers. Data is only transferred to jurisdictions with adequate data protection laws; we rely on Standard Contractual Clauses (SCCs) and adequate supplementary measures to ensure the data remains protected to GDPR standards (for EEA and UK).
12. DISCLOSURE AND SUB-PROCESSORS
Sibasi does not sell personal data, nor does it share personal data for cross-context behavioural advertising.
We may disclose personal data to:
- Cloud and infrastructure providers
- Authorized subcontractors: For specialized support or implementation tasks (bound by DPA)
- Payment processors: For secure billing
- Professional advisers: Auditors, lawyers, and insurers
- Regulatory or law-enforcement authorities: When required by law or valid court order
All third parties are bound by confidentiality and data protection obligations.
13. DATA RETENTION
Personal data is retained only for as long as necessary to fulfill contractual obligations, comply with legal requirements, resolve disputes, and enforce rights.
Client-controlled data retention is governed by contract or client instructions and the Data Processing Agreement.
Marketing Data: Retained until the individual opts out or withdraws consent.
14. INDIVIDUAL RIGHTS
Subject to applicable law, individuals may have rights to:
- Access personal data
- Correct inaccuracies
- Request deletion
- Restrict or object to processing
- Data portability
- Non-discrimination
- Withdraw consent
- Lodge a complaint
Requests may be submitted to [email protected]. Identity verification may be required.
15. INFORMATION SECURITY AND CONFIDENTIALITY
15.1 Security Measures
Sibasi implements appropriate administrative, technical, and organizational safeguards designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, alteration, disclosure, or access.
These safeguards are implemented in a manner proportionate to the nature, scope, context, and purposes of processing and include, but are not limited to, the following:
- Encryption: Use of industry-standard encryption technologies to protect data in transit, where technically and commercially feasible.
- Access Controls: Role-based access controls, authentication mechanisms, and least-privilege principles to restrict access to personal data to authorized personnel only.
- Secure Development Practices: Adoption of secure software development lifecycle (SDLC) practices, including code reviews, vulnerability management, and security testing, where applicable.
- Monitoring and Logging: Continuous monitoring, logging, and audit mechanisms to detect, investigate, and respond to security events or anomalous activity.
- Backup and Disaster Recovery: Regular backups, redundancy measures, and disaster recovery procedures designed to ensure data availability and resilience in the event of system failures or incidents.
While Sibasi takes reasonable steps to secure systems and data, no method of transmission or storage is completely secure, and absolute security cannot be guaranteed.
15.2 Internal Governance
Sibasi maintains internal governance frameworks and controls to support confidentiality, integrity, and accountability, including:
- Mandatory Confidentiality Obligations: All employees, contractors, and authorized personnel are subject to confidentiality and data protection obligations as a condition of engagement.
- Staff Training and Awareness: Periodic training and awareness programs relating to information security, data protection, and responsible handling of information.
- Segregation of Client Environments: Logical and technical segregation of client environments where applicable to prevent unauthorized cross-access between customers.
- Internal Policies and Standards: Compliance with internal policies covering information security, acceptable use, ethical conduct, environmental responsibility, and operational controls.
15.3 Sensitive and High-Risk Data Clarification
Sibasi does not intentionally collect, request, or require the processing of sensitive or special-category personal data, including but not limited to national identification numbers, biometric identifiers, health data, financial account credentials, or data revealing racial or ethnic origin, religious beliefs, political opinions, or sexual orientation.
Where clients choose to store, process, or transmit such data within systems provided, deployed, or managed by Sibasi, the client remains solely responsible for establishing a lawful basis for processing, implementing appropriate safeguards, and ensuring compliance with all applicable laws.
15.4 Client Responsibilities
Where Sibasi provides SaaS, on-premise, hybrid, advisory, consulting, or managed services, clients remain responsible for their own compliance obligations under applicable data protection and privacy laws.
Without limitation, clients are responsible for configuring systems, obtaining valid consent, ensuring data accuracy and lawfulness, defining user access rights, securing client-managed infrastructure, and providing lawful, clear, and documented instructions to Sibasi where Sibasi acts as a data processor.
15.5 Third-Party Integrations and Client-Enabled Services
Sibasi platforms and services may support integration with third-party applications, services, or systems selected or enabled by clients. Third-party services are governed by their own privacy policies and terms. Sibasi does not control and is not responsible for third-party data processing activities.
15.6 Profiling and Automated Processing
Sibasi may perform limited profiling or automated processing in connection with service improvement, security monitoring, aggregated analytics, and marketing communications (where permitted). Such processing does not produce legal or similarly significant effects on individuals and is subject to appropriate safeguards. Individuals may object to or opt out of marketing-related profiling at any time.
16. DATA BREACH MANAGEMENT
Sibasi maintains incident response procedures designed to:
- Detect and contain security incidents
- Assess risk and impact
- Notify affected parties and authorities where legally required
- Prevent recurrence
17. AUTOMATED DECISION-MAKING
Sibasi does not engage in automated decision-making that produces legal or similarly significant effects on individuals unless explicitly agreed and lawfully permitted.
18. CHILDREN'S DATA
Our services are intended for business use. We do not knowingly collect personal data from children without lawful authorization.
19. LEGAL DISCLAIMERS AND LIMITATION OF LIABILITY
To the maximum extent permitted by law:
- Services are provided "as is" and "as available"
- Sibasi disclaims all implied warranties
- Sibasi is not liable for indirect, incidental, or consequential damages
- Clients remain responsible for lawful use of systems under their control
Nothing in this Policy limits liability where such limitation is prohibited by law.
20. GOVERNING LAW
This Policy is governed by the laws of the Republic of Kenya, without prejudice to mandatory rights under applicable foreign laws.
21. CHANGES TO THIS POLICY
Sibasi may update this Policy periodically. Material changes will be communicated appropriately.
22. CONTACT DETAILS