The Privacy Policy Statement

WORKPAY AFRICA LIMITED (and where applicable its subsidiaries or holding companies or successors in title) (“we” or “us” or “our”) recognises the provisions of the laws on data protection. We acknowledge the importance of confidentiality and privilege duty owed to our clients’ information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you enjoy our services. We are limited to use your personal information to offer you our products and services.

We invite you to read this policy carefully. If you use our website on behalf of others, you are responsible for ensuring that the others are aware of the content of this Privacy Policy and are in agreement with you supplying their personal data to use to enjoy our services. We will take all reasonable steps necessary to ensure your data is treated securely and in accordance with this privacy policy.

Definitions

“You” means the person who subscribes to, uses or purchases any of our products and services or accesses our websites and includes any person who accesses any of the products and services you have subscribed to.

“Workpay”, “we” or “us”, “our” and “ours” means Workpay Africa Limited and any of its subsidiaries, holding companies or successors in title.

Our mandate to Protect your Data

Workpay strictly adheres to the applicable laws that relate to the protection of data.

We also take into cognisance the principles of lawfulness, fairness and transparency, accuracy, integrity and confidentiality (security) and accountability whilst conducting data collection and processing.

Therefore, our mandate to you includes:

holding your data secure and private;
sharing the data only in instances when you agree to such sharing;
using your data to tailor the services we provide you and also improving our services; and
putting you in control by allowing you to update, delete and access your data.

The Nature of Data or Personal Information we collect

Type of personal information	Description
Personal information	This includes your name, address, email address, telephone number, date of birth, passport or national identification number, driver’s licence, photographs or birth certificate, residential address or billing address.
Transactional	Details about the transactions and payments made using our software.
Payments	Bank account, mobile number, cards and virtual cards.
Contractual	Details about the products or services we provide to you.
Location	Details that we get about where you are. This may come from where you connect a computer to the internet.
Behavioural	Data on how you use our Services and Site.
Technical	Details on the devices, software and technology you use.
Documentary data	Data about you, your work, salary, working hours, terms of work, contract duration, employers, length of service, stored in documents in different formats, or copies of them.
Communications	Data from communications between us.
Public and third-party records	Details about you that are in public records and information about you that is publicly available on the internet. We also collect information about you which we receive from other companies, such as (without limitation) credit reference or fraud protection agencies.
Usage data	Other data about how you use our products and services.
Consents	Any permissions, consents or preferences that you give us.
Sensitive personal data	Such as information concerning medical conditions, disabilities, religious beliefs, race, marital status, children details, spouse details, next of kin, medical data, financial data including pensions, saving schemes, loans, deductions.

Lawful Processing of Data

We will process your data for any of the lawful purposes stipulated below:

for the performance of a contract to which you are a party;
for compliance with any legal obligation to which we are is subject;
in order to protect your vital interests or that of another natural person;
for the legitimate interests pursued by the us or by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to your rights and freedoms or legitimate interest; or
for the purpose of historical, statistical, journalistic, literature and art or scientific research.

Data Minimization

We are committed to respecting your privacy and ensuring that we collect only the data strictly necessary for the specified purposes outlined in this policy. We will not collect any additional information beyond what is required for the specific services we provide. All personal data we collect is for legitimate purposes as stipulated in this policy and will only be used in accordance with the terms of this policy.

Utilisation of Your Information

We may use your information to:

Fulfil our contract with you and/or deal with your transaction.

We use your information when processing payments, contract, payroll processing, processing payments including business expenses, or other details relating to our services.
Manage our relationship with you or your business.

Improving our business

Operating our business in an efficient and proper way, including managing our financial position, business capability, planning, adding and testing systems and processes, managing communications, corporate governance, and audit.
Carrying out our obligations and exercising our rights as set out in our terms and conditions.
Improving the products and services offered through our Software.
Testing new products.
Testing our systems, maintaining our software infrastructure, developing and training our software and measuring performance of our software.
Keeping our records up to date.
Managing how we work with other companies that provide services to us.
Developing new ways to meet our client’s needs and grow our business.
Working out which of our products and services may interest you and telling you about them.
Developing products and services, our pricing for them, and types of clients that may want to use them.
Asking for your consent when we need it to contact you.

Managing our operations

Delivering Workpay’s products and services.
Making and managing payments.
Managing fees and charges due from our clients.
Collecting and recovering money that is owed to Workpay.

Marketing and events-related communications

Developing and carrying out marketing activities.
Studying how our customers use our products and services.
Communicating with you about our products and services.
Conducting customer satisfaction surveys so that we can obtain a better understanding of how we can continue to improve the products and services we offer or help us to create new ones. During these surveys we may collect personal information from you relating to your thoughts/comments about your experience with us.
Marketing our products and services to you.
Communicating Workpay’s products and services.
Inviting you to participate in events or surveys, or otherwise communicate with you for marketing purposes with the consent requirements of applicable law.

Crime prevention and managing risks

Reporting under the applicable Anti Money Laundering Framework.
Reporting Fraud.
Reporting Suspicious Financial Activities.

Where we collect personal information

We may collect personal information about you or your businesses from any of these sources:

Data we collect when you use our services.
Payment and transaction data.
Profile and usage data.
We also use cookies and other internet tracking software to collect data while you are using our website or mobile apps (or any other device as described in more detail below.

Data from third parties

Companies and business partners that introduce you to us.
Our service partners, such as bank and PSP partners.
Our third-party vendors, including (without limitation) those that help us authenticate your identity.
Social networks and other technology providers (for instance, when you click on one of our Facebook or Google adverts).
Fraud prevention agencies.
Other financial services companies (to fulfil a payment or other service as part of a contract [which they have] with you, or to help prevent, detect and prosecute unlawful acts, money laundering, and fraudulent behaviour).
Public information sources such as (without limitation) Companies Registry, Embassy and Consular offices, National Identity Databases and Tax Agencies.
Third-party agents, suppliers, sub-contractors and advisers.
Market researchers.
Firms providing data services.
Government, law enforcement agencies, authorities and regulatory bodies to help Workpay comply with its legal obligations;

Sharing your personal information with third parties

We may share your personal information to third parties in the manner and for the purposes of rendering a quality service. We will only share your information with the third parties listed below for the purposes described above in the “Utilization of Your Information” Section, unless otherwise noted at the point of collection:

To improve the services we offer or help us to create new ones for marketing, profiling and analytics as detailed below and for the purposes described in this policy.

With third parties who help us manage our business and deliver our services. These third parties have agreed to confidentiality obligations and use any personal information we share with them or which they collect on our behalf solely for the purposes of providing the contracted service to us. These third parties include service providers who help manage our IT and back-office systems, detect fraudulent transactions and security incidents, provide customer service centre support, manage communications and tailor marketing and advertising; verify payments such as banks and payment card companies; provide internet services; host our facilities and conduct research that assists us with understanding consumer interests.
Governments agencies and taxing authorities as required by law to generally comply with all applicable laws, regulations and rules.

With third party advertising and social media website to provide advertising.

Bank and payment providers to authorise and complete payments.

With third parties whose products or services you are purchasing through our website such as Insurance carriers and other third parties.

Legal and financial advisors and auditors.

The following third-parties under the circumstances described below:

we may share business or personal information with credit bureaus, and we may share information with certain companies, banks and organizations for purposes such as fraud prevention or determining eligibility for the Service;

if there is a sale of Workpay (including, without limitation, a merger, stock acquisition, sale of assets or reorganization), or in the event that Workpay liquidates or dissolves, we may sell, transfer or otherwise share some or all of our assets, which could include your information, to the acquirer;

from time to time, we may share reports with the public that contain anonymized, aggregate, de-identified information and statistics; and

we may share your information with certain other third parties with whom you, your Client, or your Client’s accountant partner expressly authorize us to share your information.

Communications

We may contact you with newsletters and other marketing information that may be of interest to you. You may opt out of receiving any, or all, of these marketing communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.

Managing Marketing Ads

To protect your privacy and to ensure you have control over how we manage marketing with you and provided that you have indicated that you would like to receive advertisements, we will:

take steps to limit direct marketing to a reasonable level; and
only send you communications which we believe may be of interest or relevance to you and at all times in line with your permissions, which, as appropriate, may include informing you about developments in the products and services available through us.

You can click the “unsubscribe” link that you will find at the bottom of our emails which you receive from us, or you can unsubscribe by contacting us or changing your account settings which will remove you from the relevant marketing list.

You can request that we stop sending you marketing advertisements.

Protection of your Personal Information

We have in place appropriate technical and organisational security measures, and procedures designed to protect the personal information that you share with us and safeguard the privacy of such information. The measures are further described below:

Data and Infrastructure Security

Infrastructure	How it is designed
Secure infrastructure provider	Workpay hosts all of its data in the secure Google Cloud facilities based in the United Kingdom. Hosting its services on Google Cloud gives the Supplier the ability to remain resilient globally even if one location goes down. The Google Cloud services we use—including VPCs, load balancers, and S3 storage—span multiple availability zones to ensure resiliency in the event of most failure scenarios, including natural disasters and system failures. Workpay performs continuous backups of critical data using Google cloud storage replication capabilities across multiple regions. Our production database clusters are shared across multiple availability zones, and snapshots of their data are constantly backed up in Google Cloud. All backups are encrypted in transit and at rest using strong encryption tactics.
Data encryption in transit & at rest process	All data sent to or from the Software is encrypted using Transport Layer Security TLS, and all customer data is encrypted using AES-256 encryption standard. The Supplier further secures sensitive data using industry best practices to salt and repeatedly hash data before it is stored in the database.
Data redundancy and resiliency	Workpay’s infrastructure has been designed to be fault tolerant. All databases operate in a cluster configuration and the application tier scales using load balancing technology that dynamically meets demand.
Strict access controls	Access to all Workpay’s systems is managed through our identity provider, which automates user provisioning, enforces 2FA, and logs all activity. Workpay Systems have an audit trail functionality where all user system activities are trailed for audit. The Supplier’s Software uses role based access control where different users are provided with different privileges. These roles and privileges are created by the Client. To ensure that such rights and privileges are not abused, the Software operates audit logging protocols to record what each user does on the Software and on the Account.
Server security and monitoring	All servers are configured using a documented set of security guidelines, and images are managed centrally. Changes to the company’s infrastructure are tracked, and security events are logged appropriately. We also have a data breach and incident management policy that includes among other provisions, the criteria for informing clients of breaches or incidence that may affect their data or their systems.
Reviews	Before any new product is launched on the Supplier’s software, internal security reviews are conducted. Additionally, on an ongoing basis, continuous internal and external security tests are conducted to ensure that the Software is impregnable.
Vulnerability management	The Vulnerability Management program establishes how Workpay identifies, responds, and triages vulnerabilities against our platform. The program includes the following initiatives: • Continuous automated scans on library dependencies used by Workpay’s Application; • Vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process; and • Remediation service-level agreements (SLAs) defined according to the severity associated with the vulnerabilities discovered.
Penetration testing and bug bounties	We regularly partner with reputable security companies to perform penetration tests on the Software and the infrastructure. We run internal pen tests and partner with reputable security firms to run external pen tests. Additionally, our bug bounty program allows anyone to test our system and report bugs.
Application monitoring and protection	We have deployed an array of solutions to monitor and protect our applications, including: • a Web Application Firewall (WAF) and a Runtime Application Self-Protection (RASP) agent to gain visibility into our application security, identify attacks, and respond quickly to a data breach; • technologies to monitor exceptions and detect anomalies in our applications; • collection and storage of application logs to provide an audit trail of our application activity; • a runtime protection system that identifies and blocks Open Web Application Security Project (OWASP) Top 10 and business logic attacks in real time; and • security headers to protect our users from attacks.

Personnel Security

Our employees are constantly reminded of the great responsibility and trust bestowed on them by our clients. They are constantly trained on confidentiality and data protection obligations. Our employees are held accountable and are required to operate in accordance with high standards of confidentiality and data protection, as a bare minimum. In this regard, the following procedures and processes has been established in respect of personnel security:

Procedure	Why it is there
Formal security policies and incident response plan	Workpay maintains a set of comprehensive security policies that are kept up to date to meet the changing security environment. These materials are made available to all employees during training and through the Supplier’s knowledge base.
Strict onboarding and offboarding process	Every new hire must pass a thorough background check and attend a “Legal and Security” training course at least, once a year. We instantly disable departing employee’s devices, apps, and access during offboarding.
Continuous security training	The Workpay Security Team provides continuous education on emerging privacy and security threats, performs phishing and security awareness campaigns, and communicates with employees regularly.
Office security	Workpay manages visitors, office access, and overall office security via a formal office security program.Access to Workpay’s offices is managed by a biometric system that tracks who enters and leaves the office. Using this system, we are able to ascertain and hold our employees accountable in the event of any unauthorised access to our office. Logs of successful and unsuccessful entry attempts are maintained for three months. Workpay’s office security is further enhanced by camera surveillance.
Device Security	All the employee devices are secured using passwords of sufficient length and complexity. In addition, for employees to access their devices and company systems remotely, there is a multifactor authentication required to ensure maximum security for both the Supplier’s devices and the Supplier’s systems.
Endpoint security	All our employee devices are installed with anti-malware protection software programs. The Supplier even goes a notch higher to provide our engineers with macOS laptops with built-in antivirus technology to provide more protection. We also do not allow any employee to bring their own devices or to use their own devices for work purposes. We have policies in place and do continuous monitoring for patching that ensures all devices in use allow system updates. This patch management policy is further enforced by our anti-malware technology.

Software Development

The very lifeblood of our Software is to provide a safe and secure platform for human resource and payroll management. It is therefore imperative that data security is at the forefront of the development of the Software and our engineers keep this commitment in mind as they develop this cutting edge solution. Below is a summary of the key development stages and how data security is kept at the forefront.

Process	What Workpay does
Secure Software Development Life Cycle Process	From a high level perspective, the Software Development Life Cycle involves Planning, Analysis, Design, Implementation and maintenance with data security at the core of the process. Our engineers are trained regularly on secure coding practices. We segregate development environments into development, staging and production. Developers use development and staging. QA uses staging. Production is used by customers. We never replicate the production environment. Static code analysis is part of development. Further, we do test driven development, QA does integration and end to end tests then finally we do customer acceptance testing before going to production.
Account Security	The Supplier monitors authentication events and alerts the internal security team of possible compromised accounts. Moreover, we protect users against data breaches by monitoring and automatically blocking brute-force attacks. The Client can add another layer of security to their accounts by enforcing multifactor authentication to access the Software. Through the ongoing awareness of vulnerabilities, incidents, and threats, the Supplier can quickly respond and mitigate accordingly. Workpay leverages a comprehensive collection of application, infrastructure, and software-as-a-service (SaaS) log sources to identify and triage possible security events.
Development and change management process	Code development is done through a documented SDLC process, and every change is tracked via Gitlab. Automated controls ensure changes are peer-reviewed and pass a series of tests before being deployed to production.
Third-party vendor security review process	We ensure that all of our third-party apps and providers meet our security data protection standards before using them.

Right to Access Personal Information.

As our visitor, you have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of: the source of your personal information; the purposes, legal basis and methods of processing; the data controller’s identity; and the businesses or categories of businesses to whom your personal information may be transferred.

Right to Rectify or Erase Inaccurate Personal Information

You have a right to request that we rectify inaccurate personal information about you. We may seek to verify the accuracy of the personal information before rectifying it.

You can also request that we erase your personal information in limited circumstances where:

it is no longer needed for the purposes for which it was collected; or
you have withdrawn your consent (where the data processing was based on consent); or
following a successful right to object; or
it has been processed unlawfully; or
the personal information must be erased for compliance with a legal obligation.

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:

for compliance with a legal obligation; or
for the establishment, exercise or defence of legal claims.

Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction

You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of your country.

We may redact data transfer agreements to protect commercial terms.

Right to restrict the processing of your personal information

You can ask us to restrict your personal information, but only where:

its accuracy is contested, to allow us to verify its accuracy; or
the processing is unlawful, but you do not want it erased; or
it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

we have your consent; or
to establish, exercise or defend legal claims; or
to protect the rights of another natural or legal person.

You have a right to lodge a complaint with the Office of the Data Protection Commissioner if you have concerns about how we are processing your personal information.

How long we keep your personal information

We will keep your personal information as long as you are a User of Workpay’s software.

We will retain your personal information for as long as you are a user of Workpay’s software. Once you cease to be a client, we will only retain your personal data for as long as is necessary to fulfill the specific purposes for which it was collected, or to comply with our legal obligations. In some cases, we may retain your personal information after you stop being a customer for the following reasons:

To respond to a question or complaint, or to demonstrate that we treated you fairly; or
To comply with legal rules that require us to maintain certain records.

When your personal data is stored for such reasons mentioned, appropriate safeguards shall be implemented to ensure your rights and freedoms are protected, including data minimization and pseudonymization, where possible. Whenever possible, further processing may be carried out in a way that no longer permits the identification of data subjects.

Update of this Policy

This Policy is subject to changes, renewals, amendments and revision. You are expected to check this page from time to time to take notice of any changes we have made, as they are binding on you. If we make any substantial changes, using your personal information we shall notify you by posting a prominent notice on our website.

In case of any query regarding this policy, or if you have any comments or want to opt-out of receiving marketing communications from us or to complain about our use of your personal data kindly contact us through legal@myworkpay.com.

Workpay is subject to oversight by the Kenya Office of Data Protection Commissioner. ODPC is the Kenyan-based independent organization responsible for reviewing and resolving complaints about our data protection and privacy compliance — free of charge to you. We ask that you first submit any such complaints directly to us via legal@myworkpay.com . If you aren't satisfied with our response, please contact ODPC at https info@odpc.go.ke . In the event your concern still isn't addressed by ODPC you may be entitled to binding arbitration.

Page |

Data and Infrastructure Security

Personnel Security

Software Development