1. Roles & subject matter

The Client is the Controller; Talyme is the Processor. Talyme processes personal data only to provide the Services described in the relevant SOW.

2. Talyme's obligations

Process personal data only on documented Client instructions.
Ensure persons authorised to process data are subject to confidentiality.
Implement appropriate technical and organisational measures (TOMs) — including encryption, MFA, access controls and audit logging.
Assist the Client in responding to data subject rights requests.
Notify the Client without undue delay (and in any event within 72 hours) of any personal data breach.
Delete or return all personal data at the end of the engagement.

3. Sub-processors

Talyme maintains a list of approved sub-processors. We give 30 days' notice of any new sub-processor; the Client may object on reasonable grounds.

4. International transfers

Where personal data is transferred outside Kenya, Talyme implements an appropriate transfer mechanism, including standard contractual clauses where required.

5. Audit

The Client may, on reasonable notice and no more than once per year, audit Talyme's compliance with this DPA, subject to confidentiality and reasonable cost recovery.

6. Liability

Liability under this DPA is subject to the limitation of liability in the master Services Agreement.

The full breadth of modern ICT, under one roof.

Led by Naftaly Muiru — CEO & Founder

Data Protection Addendum