Data Privacy and Kenya DPA
ODPC registration, DSARs, consent, data localisation, breach notification, sub-processors — Kenya's DPA in practice.
Where is my data stored?
For Kenyan tenants, data is stored on infrastructure within East Africa (Kenya / regional). Document file storage uses tenant-isolated containers; the database is multi-tenant with strict logical separation.
Is Papyrus registered with the ODPC?
Yes — Papyrus.io's operator Fabtech Solutions is registered as both Data Controller and Data Processor with Kenya's Office of the Data Protection Commissioner.
How do I fulfil a DSAR (Data Subject Access Request)?
Run a tenant-wide search for the subject's identifying metadata (name, ID, email, KRA PIN). Compile relevant documents (excluding ones outside scope). Export as a signed bundle. Send via secure external share link. The DPA gives you 30 days; Papyrus typically lets you do it in hours.
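The DSAR steps above as an added example, not Papyrus's own code: match documents on the subject's identifiers, drop out-of-scope categories, and seal the export manifest with an HMAC so the recipient can detect tampering. The record layout, the exclusion rule, the key and the manifest format are assumptions for illustration.

```python
# Added illustration of a DSAR fulfilment pipeline (not the product's code).
# Record layout, scope rule and HMAC-sealed manifest are assumptions.
import hashlib
import hmac
import json

# Constructed sample of tenant document metadata (not real data).
DOCUMENTS = [
    {"id": "doc-001", "owner_email": "amina@example.co.ke", "kra_pin": "A000000000X",
     "category": "hr", "body": "Employment contract for Amina W."},
    {"id": "doc-002", "owner_email": "john@example.co.ke", "kra_pin": "A111111111Y",
     "category": "hr", "body": "Employment contract for John K."},
    {"id": "doc-003", "owner_email": "amina@example.co.ke", "kra_pin": "A000000000X",
     "category": "legal-privileged", "body": "Counsel memo re: Amina W."},
    {"id": "doc-004", "owner_email": "", "kra_pin": "",
     "category": "finance", "body": "Invoice mentioning amina@example.co.ke"},
]

# Assumed out-of-scope categories; the tenant's DPO decides this case by case.
OUT_OF_SCOPE = {"legal-privileged"}


def find_subject_documents(docs, identifiers):
    """Return in-scope documents whose metadata or body contains any identifier."""
    wanted = {v.lower() for v in identifiers.values() if v}
    hits = []
    for d in docs:
        haystack = " ".join([d["owner_email"], d["kra_pin"], d["body"]]).lower()
        if any(v in haystack for v in wanted) and d["category"] not in OUT_OF_SCOPE:
            hits.append(d)
    return hits


def build_signed_bundle(docs, key):
    """Build an export manifest of per-document hashes and seal it with HMAC-SHA256."""
    manifest = [{"id": d["id"], "sha256": hashlib.sha256(d["body"].encode()).hexdigest()}
                for d in sorted(docs, key=lambda d: d["id"])]
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    seal = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "seal": seal}


def verify_bundle(bundle, key):
    """Recipient-side check that the manifest was not altered after sealing."""
    payload = json.dumps(bundle["manifest"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle["seal"])
```

The key here is a placeholder; in practice the export key would live in the tenant's key store, not in the script.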
Where do I record consent?
Each consent collected (HR onboarding, customer registration, marketing opt-in) is stored as a ConsentRecord with: subject identity, purpose, lawful basis, timestamp, IP, mechanism. Withdrawals are tracked too.
What about cross-border transfers?
The DPA requires “appropriate safeguards” for transfers outside Kenya. Papyrus's standard tenant infrastructure stays in-region; cross-border transfers (e.g., to upstream AI providers for AI processing) are governed by our Data Processing Addendum and the Adequacy framework where applicable.
What happens in a breach?
Papyrus's incident response process: detection → containment → forensics → tenant notification within 72 hours (per DPA) → ODPC notification (if required) → post-incident review. Tenants are also responsible for notifying their affected data subjects.
Can I sign a Data Processing Agreement?
Yes — every paying tenant is offered a DPA at contract time. We use a standard template aligned with DPA Article 9 requirements. Custom clauses negotiable for Enterprise tenants.
Is there a list of sub-processors?
Yes, published at papyrus.io/legal/sub-processors. The list includes our cloud provider, AI providers, email delivery, and payment processors. Changes are announced 30 days in advance.
Do I have to register my organisation with the ODPC?
If you process personal data in a non-trivial way, yes — and the timeline is short. Registration is currently a few KES thousand and takes a couple of weeks. Don't put it off.