Data Processing Agreement
How we process data in compliance with applicable laws
Last Updated: March 15, 2025
Data Protection Compliance
This Data Processing Agreement ("DPA") forms part of our Terms of Service and outlines how EVSpot processes personal data in compliance with applicable data protection laws, including the Data Protection Act of Kenya (2019).
Introduction
This Data Processing Agreement ("DPA") applies to and regulates the processing of personal data by EVSpot Kenya ("we", "us", "our", or the "Data Processor") on behalf of users and businesses ("you", "your", or the "Data Controller") in connection with our services as defined in our Terms of Service.
This DPA applies when personal data processed by us:
- Is processed in the context of the activities of an establishment of the Data Controller in Kenya; or
- Relates to data subjects who are in Kenya; or
- Is otherwise subject to Kenyan data protection laws, including the Data Protection Act of 2019.
By using our services, you acknowledge and agree that you have read and understood this DPA and agree to be legally bound by it.
Applicable Law
This DPA is subject to the laws of Kenya, particularly the Data Protection Act of 2019 and any accompanying regulations or guidelines issued by the Office of the Data Protection Commissioner of Kenya.
Definitions in this DPA shall have the same meaning as in the Data Protection Act of 2019, unless otherwise specified.
Legal Compliance
Both parties acknowledge their respective obligations to comply with the provisions of the Data Protection Act of 2019 and ensure that their activities under this DPA shall not put the other party in breach of such obligations.
Roles and Responsibilities
For the purposes of this DPA:
The Data Controller (You)
As the Data Controller, you determine the purposes and means of processing personal data. You are responsible for establishing the legal basis for processing personal data and ensuring that all processing instructions you give to us comply with applicable data protection laws.
The Data Processor (EVSpot)
As the Data Processor, we process personal data only on your documented instructions, including regarding transfers of personal data to other countries or international organizations, unless required to do so by law.
Data Processing Details
Subject Matter and Duration
The subject matter of the processing is the provision of our services related to mapping and verifying EV charging stations across Kenya. The processing will continue for the duration of our service agreement with you.
Nature and Purpose of Processing
We process personal data to:
- Provide our services, including maintaining user accounts
- Enable users to submit and verify charging station information
- Display user contributions, ratings, and reviews
- Analyze usage patterns to improve our services
- Ensure the security and proper functioning of our services
- Comply with legal obligations
Types of Personal Data
The types of personal data we process include:
- Contact information (name, email address, phone number)
- Account details (username, password)
- Profile information (profile picture, biography)
- User contributions (submitted stations, reviews, ratings)
- Usage data (app/website usage, preferences)
- Location data (when permitted by users)
- Device information (IP address, browser type, device type)
Categories of Data Subjects
- Users of our platform
- Representatives of businesses that register charging stations
- Individuals mentioned in user reviews or comments
Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Encryption
We use industry-standard encryption for data in transit and at rest.
Access Controls
We implement strict access controls and authentication mechanisms to prevent unauthorized access.
Regular Testing
We regularly test, assess, and evaluate the effectiveness of our security measures.
Staff Training
Our staff are trained on data protection requirements and bound by confidentiality obligations.
Incident Response
We have procedures for detecting and responding to data breaches.
Sub-processing
By accepting this DPA, you provide general authorization for us to engage sub-processors to process personal data. A current list of sub-processors is available upon request.
We will inform you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes.
We shall impose on all sub-processors the same data protection obligations as set out in this DPA. We remain fully liable to you for the performance of the sub-processor's obligations.
International Transfers
We may transfer personal data to countries outside Kenya only:
- With your prior written consent;
- To countries deemed to have adequate data protection laws by the Data Protection Commissioner of Kenya;
- Subject to appropriate safeguards, such as standard contractual clauses; or
- Under one of the exceptions provided by the Data Protection Act of 2019.
We will document any such transfers and provide information about them upon request.
Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay after becoming aware of the breach. We will provide you with sufficient information to allow you to meet any obligations to report the breach to the relevant supervisory authorities or data subjects.
We will take reasonably necessary measures to contain the breach, mitigate its effects, and prevent its recurrence.
Contact Information
For any questions about this DPA or to exercise your rights, please contact:
This Data Processing Agreement was last updated on March 15, 2025.
We may update this DPA from time to time. We will notify you of any changes by posting the new DPA on this page and updating the "Last Updated" date.
You are advised to review this DPA periodically for any changes. Changes to this DPA are effective when they are posted on this page.