Legal

Legal and Privacy Policy

How Convergly protects Customer Data, complies with Kenya's Data Protection Act, and operates as a trusted processor for your association.

Data Protection and Privacy

The following provisions govern how Convergly processes Customer Data as a service provider under applicable Kenyan data protection law.

1

Compliance with Data Protection Act, 2019

Both parties shall comply with all applicable obligations under the Data Protection Act, 2019 (Kenya), the Data Protection (General) Regulations, 2021, and any other applicable data protection legislation.

2

Data Controller / Processor Relationship

For the purposes of this Agreement:

  • The Customer is the Data Controller of Customer Data, responsible for determining the purposes and means of processing of Personal Data.
  • The Provider is the Data Processor, processing Personal Data only on documented instructions from the Customer and solely for the purposes of providing the Service.
3

Infrastructure and Hosting Disclosure

The Provider's primary database and platform infrastructure is hosted on Supabase, a managed cloud database and backend provider. The primary database is located in the West EU (Ireland) region, operating on Amazon Web Services infrastructure in the eu-west-1 zone. All Customer Data is stored within this infrastructure environment. The Provider shall notify the Customer in writing not less than thirty (30) days in advance of any material change to the hosting provider or the geographic location of primary data storage.

The Provider uses the following categories of standard infrastructure sub-processors to deliver the Service:

  • Supabase — primary database hosting and backend services (West EU, Ireland)
  • Vercel — application hosting and content delivery
  • SendGrid (Twilio) — transactional email delivery

The Customer acknowledges and consents to the engagement of the above sub-processors. Where the Provider proposes to engage any additional or replacement sub-processor, it shall notify the Customer in writing not less than fourteen (14) days in advance, and the Customer may object in writing within that period if the proposed sub-processor would result in a material change to the data processing arrangements.

4

Provider's Data Processing Obligations

The Provider shall:

  • Process Customer Data only in accordance with the Customer's instructions and this Agreement;
  • Implement appropriate technical and organisational security measures to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage;
  • Not transfer Customer Data outside Kenya without the Customer's prior written consent and in compliance with the Data Protection Act, 2019. The parties acknowledge that the current hosting location in Ireland constitutes a cross-border data transfer and the Customer's execution of this Agreement constitutes prior written consent for that specific transfer;
  • Notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Customer Data;
  • Assist the Customer, at the Customer's request and cost, in meeting its obligations to data subjects under the Data Protection Act, 2019 (including access requests and data subject rights);
  • Delete or return all Customer Data upon termination of this Agreement, as instructed by the Customer; and
  • Not engage additional sub-processors beyond those identified in Clause 3 without the Customer's prior written consent.
5

AI Admin Assistant — Data Use Restrictions

The AI Admin Assistant feature operates solely by querying the Customer's own data within the Service to generate responses for authorised users. The Provider warrants that:

The Customer's prior written consent is required before Customer Data may be used for any purpose beyond the provision of the Service.

  • Customer Data shall not be used to train, fine-tune, or improve any artificial intelligence or machine learning model, whether operated by the Provider or any third party;
  • Customer Data shall not be disclosed to any third-party AI service provider for any purpose other than processing the specific query submitted by the Customer's authorised user in real time;
  • Any third-party AI inference provider used to power the AI Admin Assistant shall be bound by equivalent confidentiality and data protection obligations; and
  • The Provider shall notify the Customer in writing of any change to the AI model provider or the AI processing arrangements not less than thirty (30) days before such change takes effect.
6

Customer's Data Obligations

The Customer shall:

  • Ensure it has a lawful basis for processing all Personal Data submitted to the Service;
  • Ensure all data subjects have been informed of, and consented to (where required), the processing of their Personal Data on the platform; and
  • Comply with any privacy notices and policies applicable to its members.
7

Data Retention and Export

Customer Data will be retained for the duration of the active subscription. Upon termination, Customer Data will be available for export for thirty (30) days from the termination date. The Provider shall make Customer Data available for export in the following standard formats: CSV, Microsoft Excel (.xlsx), and PDF, as applicable by data type. After the thirty (30) day export window, Customer Data will be securely deleted from the Provider's systems within a further thirty (30) days, unless longer retention is required by applicable Kenyan law.

Upon written request from the Customer made prior to or within the export window, the Provider shall provide reasonable technical cooperation and migration assistance to facilitate the Customer's transition to an alternative provider, at no additional charge for standard data extraction.

8

Backup and Disaster Recovery

The Provider warrants that it maintains automated backup systems and disaster recovery infrastructure adequate to protect and restore Customer Data in the event of system failure or operational disruption. Specifically:

  • Customer Data is backed up on a regular automated basis by Supabase's managed infrastructure, with point-in-time recovery capabilities;
  • Backups are stored within the same geographic region as the primary database (West EU, Ireland);
  • The Provider maintains disaster recovery procedures designed to restore Service availability within commercially reasonable timeframes following a critical system failure; and
  • The Provider shall notify the Customer of any material degradation in its backup or disaster recovery capabilities within seventy-two (72) hours of becoming aware of such degradation.
9

Security Measures

The Provider shall maintain reasonable security measures including, but not limited to:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest;
  • Role-based access controls within the platform;
  • Regular security assessments and vulnerability management;
  • Secure software development lifecycle practices; and
  • Maintenance of access logs recording Provider personnel access to Customer Data environments, which shall be retained for not less than twelve (12) months and made available to the Customer upon reasonable written request.
10

Audit Rights

The Customer shall have the right, upon not less than thirty (30) days' written notice and no more than once per calendar year, to request written confirmation and evidence of the Provider's compliance with its security and data protection obligations under this Agreement. The Provider shall respond to such requests within fifteen (15) business days and shall provide reasonable documentary evidence of its security controls, backup systems, and data processing arrangements. Where the parties agree, such audit rights may be satisfied by the Provider supplying a current third-party security assessment or equivalent compliance attestation.

11

Incident Response Obligations

Upon discovery of a personal data breach or security incident affecting Customer Data, the Provider shall, in addition to the notification obligation in Clause 4:

  • Immediately isolate affected systems to contain the breach and prevent further unauthorised access or data loss;
  • Preserve all forensic evidence relating to the incident and refrain from destroying or altering logs or records without the Customer's prior written consent;
  • Within five (5) business days of initial notification, provide the Customer with a written incident report setting out the nature of the breach, the categories and approximate volume of Customer Data affected, the likely consequences, and the measures taken or proposed to address the breach;
  • Engage qualified security or forensic specialists to investigate the incident where the nature or scale of the breach warrants such engagement;
  • Provide the Customer with ongoing written updates on the progress of investigation and remediation at intervals of not more than five (5) business days until the incident is fully resolved; and
  • Take all reasonable steps to remedy the cause of the breach and prevent recurrence, and provide the Customer with a final written remediation report upon closure of the incident.

Questions about this policy?

Contact us at info@convergly.app for data protection enquiries.

Back to home