Data Protection and Privacy Policy
The Privacy Policy Statement
WORKPAY AFRICA LIMITED (and where applicable its subsidiaries or holding companies or successors in title) (“we” or “us” or “our”) recognises the provisions of the laws on data protection. We acknowledge the importance of the duty of confidentiality and privilege owed to our clients’ information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services. We use your personal information only to offer you our products and services.
We invite you to read this policy carefully. If you use our website on behalf of others, you are responsible for ensuring that they are aware of the content of this Privacy Policy and agree to you supplying their personal data to us so that they can enjoy our services. We will take all reasonable steps necessary to ensure your data is treated securely and in accordance with this privacy policy.
Our mandate to Protect your Data
Our company strictly adheres to the applicable European and Kenyan laws that relate to the protection of data.
We also take into cognisance the principles of lawfulness, fairness and transparency, accuracy, integrity and confidentiality (security), and accountability whilst conducting data collection and processing.
Therefore, our mandate to you includes:
- holding your data secure and private;
- sharing the data only in instances when you agree to such sharing;
- using your data to tailor the services we provide you and also improving our services; and
- putting you in control by allowing you to update, delete and access your data.
The Nature of Data or Personal Information we collect
The types of personal information we collect, with a description of each:
- Personal information: your name, address, email address, telephone number, date of birth, passport or national identification number, driver’s licence, photographs or birth certificate, residential address or billing address.
- Transactional: details about the transactions and payments made using our software.
- Payments: bank account, mobile number, cards and virtual cards.
- Contractual: details about the products or services we provide to you.
- Location: details that we get about where you are. This may come from where you connect a computer to the internet.
- Behavioural: data on how you use our Services and Site.
- Technical: details on the devices, software and technology you use.
- Documentary data: data about you, your work, salary, working hours, terms of work, contract duration, employers and length of service, stored in documents in different formats, or copies of them.
- Communications: data from communications between us.
- Public and third-party records: details about you that are in public records and information about you that is publicly available on the internet. We also collect information about you which we receive from other companies, such as (without limitation) credit reference or fraud protection agencies.
- Usage data: other data about how you use our products and services.
- Consents: any permissions, consents or preferences that you give us.
- Sensitive personal data: information concerning medical conditions, disabilities, religious beliefs, race, marital status, children’s details, spouse details, next of kin, medical data, and financial data including pensions, saving schemes, loans and deductions.
Utilisation of Your Information
We may use your information for the following purposes:
Fulfilling our contract with you and/or dealing with your transaction
- Processing payments (including business expenses), contracts, payroll and other details relating to our services.
- Managing our relationship with you or your business.
Improving our business
- Operating our business in an efficient and proper way, including managing our financial position, business capability, planning, adding and testing systems and processes, managing communications, corporate governance, and audit.
- Carrying out our obligations and exercising our rights as set out in our terms and conditions.
- Improving the products and services offered through our Software.
- Testing new products.
- Testing our systems, maintaining our software infrastructure, developing and training our software and measuring the performance of our software.
- Keeping our records up to date.
- Managing how we work with other companies that provide services to us.
- Developing new ways to meet our clients’ needs and grow our business.
- Working out which of our products and services may interest you and telling you about them.
- Developing products and services, our pricing for them, and the types of clients that may want to use them.
- Asking for your consent when we need it to contact you.
Managing our operations
- Delivering Workpay’s products and services.
- Making and managing payments.
- Managing fees and charges due from our clients.
- Collecting and recovering money that is owed to Workpay.
Marketing and events-related communications
- Developing and carrying out marketing activities.
- Studying how our customers use our products and services.
- Communicating with you about our products and services.
- Conducting customer satisfaction surveys so that we can obtain a better understanding of how we can continue to improve the products and services we offer, or help us to create new ones. During these surveys we may collect personal information from you relating to your thoughts/comments about your experience with us.
- Marketing our products and services to you.
- Communicating Workpay’s products and services.
- Inviting you to participate in events or surveys, or otherwise communicating with you for marketing purposes, subject to the consent requirements of applicable law.
Crime prevention and managing risks
- Reporting under the applicable Anti-Money Laundering Framework.
- Reporting fraud.
- Reporting suspicious financial activities.
Where we collect personal information
We may collect personal information about you or your businesses from any of these sources:
- Data we collect when you use our services.
- Payment and transaction data.
- Profile and usage data.
- We also use cookies and other internet tracking software to collect data while you are using our website or mobile apps (or any other device, as described in more detail below).
Data from third parties
- Companies and business partners that introduce you to us.
- Our service partners, such as bank and PSP partners.
- Our third-party vendors, including (without limitation) those that help us authenticate your identity.
- Social networks and other technology providers (for instance, when you click on one of our Facebook or Google adverts).
- Fraud prevention agencies.
- Other financial services companies (to fulfil a payment or other service as part of a contract [which they have] with you, or to help prevent, detect and prosecute unlawful acts, money laundering, and fraudulent behaviour).
- Public information sources such as (without limitation) Companies Registry, Embassy and Consular offices, National Identity Databases and Tax Agencies.
- Third-party agents, suppliers, sub-contractors and advisers.
- Market researchers.
- Firms providing data services.
- Government, law enforcement agencies, authorities and regulatory bodies, to help Workpay comply with its legal obligations.
Sharing your personal information with third parties
We may share your personal information with third parties in the manner and for the purposes of rendering a quality service. We will only share your information with the third parties listed below for the purposes described above in the “Utilisation of Your Information” section, unless otherwise noted at the point of collection:
- To improve the services we offer or help us to create new ones for marketing, profiling and analytics as detailed below; and for the purposes described in this policy.
- With third parties who help us manage our business and deliver our services. These third parties have agreed to confidentiality obligations and use any personal information we share with them or which they collect on our behalf solely for the purposes of providing the contracted service to us. These third parties include service providers who help manage our IT and back-office systems, detect fraudulent transactions and security incidents, provide customer service centre support, manage communications and tailor marketing and advertising; verify payments such as banks and payment card companies; provide internet services; host our facilities and conduct research that assists us with understanding consumer interests.
- Government agencies and taxing authorities, as required to provide the Service, including but not limited to state and local tax agencies, border control agencies, regulators, law enforcement and others, as permitted or required by law, to comply generally with all applicable laws, regulations and rules.
- Third-party agents, partners, and service providers who are only permitted to use your information as we allow, which may include contacting you on your behalf, and are required under law or contract to keep your personal information confidential. Information is shared to help us provide the Service.
- With third-party advertising and social media websites to provide advertising.
- Bank and payment providers to authorise and complete payments.
- With third parties whose products or services you are purchasing through our website or offices, or otherwise such as Insurance carriers and other third parties.
- Certain parties as necessary to respond in good faith to legal process where required to do so by law or subpoena or if we believe that such action is necessary to comply with the law and the reasonable requests of law enforcement or to protect the security or integrity of our Service.
- Legal and financial advisors and auditors.
- The following third parties under the circumstances described below:
  - we may share business or personal information with credit bureaus, and we may share information with certain companies, banks and organizations for purposes such as fraud prevention or determining eligibility for the Service;
  - if you participate in a referral program, the referral email and referral link sent to any Referred Leads may include your first name;
  - if there is a sale of Workpay (including, without limitation, a merger, stock acquisition, sale of assets or reorganization), or in the event that Workpay liquidates or dissolves, we may sell, transfer or otherwise share some or all of our assets, which could include your information, to the acquirer;
  - we may share de-identified personal information with academic institutions to perform research, under controls that are designed to protect your privacy, including requiring such institutions to operate under confidentiality agreements and mandating that published findings contain only de-identified and aggregated data;
  - from time to time, we may share reports with the public that contain anonymized, aggregate, de-identified information and statistics; and
  - we may share your information with certain other third parties with whom you, your Client, or your Client’s accountant partner expressly authorize us to share your information.
Communications
We may contact you with newsletters and other marketing information that may be of interest to you. You may opt out of receiving any, or all, of these marketing communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us. Please note that we may still send you transactional or administrative messages related to the Service even after you have opted out of receiving marketing communications.
Managing Marketing Ads
To protect your privacy and to ensure you have control over how we manage marketing with you and provided that you have indicated that you would like to receive advertisements, we will:
- take steps to limit direct marketing to a reasonable level; and
- only send you communications which we believe may be of interest or relevance to you and at all times in line with your permissions, which, as appropriate, may include informing you about developments in the products and services available through us.
You can click the “unsubscribe” link that you will find at the bottom of our emails which you receive from us, or you can unsubscribe by contacting us or changing your account settings which will remove you from the relevant marketing list.
You can request that we stop sending you marketing advertisements.
Protection of your Personal Information
We have in place appropriate technical and organisational security measures, and procedures designed to protect the personal information that you share with us and safeguard the privacy of such information. The measures are further described below:
Data and Infrastructure Security
Infrastructure: how it is designed
Secure infrastructure provider
Workpay hosts all of its data in the secure Google Cloud facilities based in the United Kingdom. Hosting its services on Google Cloud gives the Supplier the ability to remain resilient globally even if one location goes down. The Google Cloud services we use, including VPCs, load balancers, and S3 storage, span multiple availability zones to ensure resiliency in the event of most failure scenarios, including natural disasters and system failures.
Workpay performs continuous backups of critical data using Google Cloud storage replication capabilities across multiple regions. Our production database clusters are distributed across multiple availability zones, and snapshots of their data are constantly backed up in Google Cloud. All backups are encrypted in transit and at rest using strong encryption.
Data encryption in transit & at rest process
All data sent to or from the Software is encrypted using Transport Layer Security (TLS), and all customer data is encrypted using the AES-256 encryption standard. The Supplier further secures sensitive data using industry best practices to salt and repeatedly hash it before it is stored in the database.
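The salted, iterated hashing described above, shown as an added example in Python. This is illustrative code written for this page, not Workpay’s implementation: it uses PBKDF2-HMAC-SHA256 from the standard library, a fresh random salt per record, and constant-time comparison on verification. The record format, the iteration count and the `needs_rehash` policy check are assumptions for the example.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions for this example, not the policy's values).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_secret(secret: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was produced with fewer rounds than current policy requires."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < minimum_iterations
```

Because each record carries its own salt and iteration count, the work factor can be raised over time: `needs_rehash` flags old records so they can be re-hashed at the next successful verification without a mass reset.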
Data redundancy and resiliency
Workpay’s infrastructure has been designed to be fault tolerant. All databases operate in a cluster configuration and the application tier scales using load balancing technology that dynamically meets demand.
Strict access controls
Access to all Workpay’s systems is managed through our identity provider, which automates user provisioning, enforces 2FA, and logs all activity.
Workpay Systems have an audit trail functionality where all user system activities are trailed for audit.
The Supplier’s Software uses role-based access control, where different users are provided with different privileges. These roles and privileges are created by the Client. To ensure that such rights and privileges are not abused, the Software operates audit logging protocols to record what each user does on the Software and on the Account.
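The role-based access control and audit logging described above, as an added example written for this page rather than Workpay’s own code. The roles, permissions and users are constructed for the example; the point it shows is default deny (a user with no role or an unknown permission is refused) and that every attempt, allowed or denied, lands in the audit trail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed role definitions (in the product these would be created by the Client).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr_admin": {"employee:read", "employee:write", "payroll:read"},
    "payroll_officer": {"employee:read", "payroll:read", "payroll:run"},
    "employee": {"payslip:read_own"},
}


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    role: str
    action: str
    resource: str
    outcome: str  # "allowed" or "denied"


@dataclass
class AccessControl:
    user_roles: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def is_permitted(self, user: str, permission: str) -> bool:
        """Default deny: unknown user, unknown role or missing permission all refuse."""
        role = self.user_roles.get(user)
        return role is not None and permission in ROLE_PERMISSIONS.get(role, set())

    def perform(self, user: str, permission: str, resource: str) -> bool:
        """Check the permission and record the attempt whatever the outcome."""
        allowed = self.is_permitted(user, permission)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            actor=user,
            role=self.user_roles.get(user, "none"),
            action=permission,
            resource=resource,
            outcome="allowed" if allowed else "denied",
        ))
        return allowed


def denied_events(ac: AccessControl) -> List[AuditEvent]:
    """Denied attempts are the first thing a reviewer of the audit trail looks at."""
    return [e for e in ac.audit_log if e.outcome == "denied"]
```

Logging the denied attempts, not only the successful ones, is what makes the trail useful for detecting privilege misuse: a burst of denials from one actor is a signal worth reviewing.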
Server security and monitoring
All servers are configured using a documented set of security guidelines, and images are managed centrally. Changes to the company’s infrastructure are tracked, and security events are logged appropriately.
We also have a data breach and incident management policy that includes among other provisions, the criteria for informing clients of breaches or incidence that may affect their data or their systems.
Reviews
Before any new product is launched on the Supplier’s software, internal security reviews are conducted. Additionally, on an ongoing basis, continuous internal and external security tests are conducted to ensure that the Software is impregnable.
Vulnerability management
The Vulnerability Management program establishes how Workpay identifies, triages and responds to vulnerabilities in our platform. The program includes the following initiatives:
- Continuous automated scans of the library dependencies used by Workpay’s Application;
- Vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process; and
- Remediation service-level agreements (SLAs) defined according to the severity of the vulnerabilities discovered.
Penetration testing and bug bounties
We regularly partner with reputable security companies to perform penetration tests on the Software and the infrastructure. We run internal pen tests and partner with reputable security firms to run external pen tests. Additionally, our bug bounty program allows anyone to test our system and report bugs.
Application monitoring and protection
We have deployed an array of solutions to monitor and protect our applications, including:
- a Web Application Firewall (WAF) and a Runtime Application Self-Protection (RASP) agent to gain visibility into our application security, identify attacks, and respond quickly to a data breach;
- technologies to monitor exceptions and detect anomalies in our applications;
- collection and storage of application logs to provide an audit trail of our application activity;
- a runtime protection system that identifies and blocks Open Web Application Security Project (OWASP) Top 10 and business logic attacks in real time; and
- security headers to protect our users from attacks.
Personnel Security
Our employees are constantly reminded of the great responsibility and trust bestowed on them by our clients. They are regularly trained on confidentiality and data protection obligations. Our employees are held accountable and are required to operate in accordance with high standards of confidentiality and data protection, as a bare minimum. In this regard, the following procedures and processes have been established in respect of personnel security:
Procedure: why it is there
Formal security policies and incident response plan
Workpay maintains a set of comprehensive security policies that are kept up to date to meet the changing security environment. These materials are made available to all employees during training and through the Supplier’s knowledge base.
Strict onboarding and offboarding process
Every new hire must pass a thorough background check and attend a “Legal and Security” training course at least once a year. We immediately disable departing employees’ devices, apps, and access during offboarding.
Continuous security training
The Workpay Security Team provides continuous education on emerging privacy and security threats, performs phishing and security awareness campaigns, and communicates with employees regularly.
Office security
Workpay manages visitors, office access, and overall office security via a formal office security program. Access to Workpay’s offices is managed by a biometric system that tracks who enters and leaves the office. Using this system, we are able to identify and hold our employees accountable in the event of any unauthorised access to our office.
Logs of successful and unsuccessful entry attempts are maintained for three months.
Workpay’s office security is further enhanced by camera surveillance.
Device Security
All the employee devices are secured using passwords of sufficient length and complexity. In addition, for employees to access their devices and company systems remotely, there is a multifactor authentication required to ensure maximum security for both the Supplier’s devices and the Supplier’s systems.
Endpoint security
All our employee devices have anti-malware protection software installed. The Supplier even goes a notch higher and provides our engineers with macOS laptops with built-in antivirus technology for additional protection.
We also do not allow any employee to bring their own devices or to use their own devices for work purposes.
We have patching policies in place and continuously monitor compliance, which ensures that all devices in use accept system updates. This patch management policy is further enforced by our anti-malware technology.
Software Development
The very lifeblood of our Software is to provide a safe and secure platform for human resource and payroll management. It is therefore imperative that data security is at the forefront of the development of the Software and our engineers keep this commitment in mind as they develop this cutting edge solution. Below is a summary of the key development stages and how data security is kept at the forefront.
Process: what Workpay does
Secure Software Development Life Cycle Process
From a high-level perspective, the Software Development Life Cycle involves planning, analysis, design, implementation and maintenance, with data security at the core of the process. Our engineers are trained regularly on secure coding practices. We segregate environments into development, staging and production. Developers use development and staging. QA uses staging. Production is used by customers. We never replicate the production environment.
Static code analysis is part of development. Further, we do test driven development, QA does integration and end to end tests then finally we do customer acceptance testing before going to production.
Account Security
The Supplier monitors authentication events and alerts the internal security team of possible compromised accounts. Moreover, we protect users against data breaches by monitoring and automatically blocking brute-force attacks.
The Client can add another layer of security to their accounts by enforcing multifactor authentication to access the Software.
Through the ongoing awareness of vulnerabilities, incidents, and threats, the Supplier can quickly respond and mitigate accordingly. Workpay leverages a comprehensive collection of application, infrastructure, and software-as-a-service (SaaS) log sources to identify and triage possible security events.
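The monitoring of authentication events and automatic blocking of brute-force attempts described above, as an added example written for this page; it is not Workpay’s detection logic. The thresholds (five failures within ten minutes, fifteen-minute lockout) and the sample event log are constructed assumptions. The guard refuses a correct password while an account is locked, clears the lockout once it expires, and records an alert the security team could be paged with.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Illustrative policy values (assumptions for this example, not Workpay's thresholds).
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)

# Constructed authentication events: (timestamp, username, source IP, outcome).
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-05-01T08:00:00", "alice", "203.0.113.10", "success"),
    ("2024-05-01T08:01:00", "bob", "198.51.100.7", "failure"),
    ("2024-05-01T08:01:05", "bob", "198.51.100.7", "failure"),
    ("2024-05-01T08:01:09", "bob", "198.51.100.7", "failure"),
    ("2024-05-01T08:01:14", "bob", "198.51.100.7", "failure"),
    ("2024-05-01T08:01:20", "bob", "198.51.100.7", "failure"),   # fifth failure: lock
    ("2024-05-01T08:01:25", "bob", "198.51.100.7", "success"),   # right password, still locked
    ("2024-05-01T08:05:00", "carol", "192.0.2.44", "failure"),
    ("2024-05-01T08:20:00", "bob", "198.51.100.7", "success"),   # lockout has expired
]


class BruteForceGuard:
    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.locked_until: Dict[str, datetime] = {}
        self.alerts: List[str] = []  # what the internal security team would be told

    def handle(self, ts: str, user: str, ip: str, outcome: str) -> str:
        """Return the decision for one event: allowed, failed, locked or blocked."""
        now = datetime.fromisoformat(ts)
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "blocked"           # refuse even a correct password while locked
            del self.locked_until[user]    # lockout expired: start with a clean slate
            self.failures[user].clear()
        if outcome == "success":
            self.failures[user].clear()
            return "allowed"
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()               # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.alerts.append(
                f"{ts} possible brute force against {user} from {ip}: "
                f"{len(window)} failures within {FAILURE_WINDOW}"
            )
            return "locked"
        return "failed"


def replay(events: List[Tuple[str, str, str, str]]) -> Tuple[List[str], List[str]]:
    """Run the guard over an ordered event list; return per-event decisions and alerts."""
    guard = BruteForceGuard()
    decisions = [guard.handle(*event) for event in events]
    return decisions, guard.alerts
```

Keying the counter on the account (with the source IP carried into the alert) is what lets the same logic serve both purposes the paragraph names: the lockout stops the guessing, and the alert gives the security team the triage starting point.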
Development and change management process
Code development is done through a documented SDLC process, and every change is tracked via GitLab. Automated controls ensure changes are peer-reviewed and pass a series of tests before being deployed to production.
Third-party vendor security review process
We ensure that all of our third-party apps and providers meet our security data protection standards before using them.
Right to Access Personal Information.
As our visitor, you have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of: the source of your personal information; the purposes, legal basis and methods of processing; the data controller’s identity; and the businesses or categories of businesses to whom your personal information may be transferred.
Right to Rectify or Erase Inaccurate Personal Information
You have a right to request that we rectify inaccurate personal information about you. We may seek to verify the accuracy of the personal information before rectifying it.
You can also request that we erase your personal information in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object; or
- it has been processed unlawfully; or
- the personal information must be erased for compliance with a legal obligation.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims.
Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of your country.
We may redact data transfer agreements to protect commercial terms.
Right to restrict the processing of your personal information
You can ask us to restrict your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
You have a right to lodge a complaint with the Office of the Data Protection Commissioner if you have concerns about how we are processing your personal information.
How long we keep your personal information
We will keep your personal information as long as you are a User of Workpay’s software.
We may keep your personal information for up to 15 years after you stop being a customer. The reasons we may do this are:
- To respond to a question or complaint, or to show whether we gave you fair treatment; or
- To study customer data as part of our own research; or
- To comply with legal rules that apply to us about keeping records. For example, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 require us to retain certain data for a minimum of 5 and a maximum of 10 years.
We may also keep your data for longer than 10 years if certain laws mean that we cannot delete it for legal, regulatory or technical reasons.
Security
The security of your Personal Information is important to us. However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Information we have collected from you. You are also a key stakeholder in making sure that your Personal Information is protected. If you become aware of any breach of security or privacy, please contact us immediately.
International Transfer
Information collected while you use the Site and/or Service, including your Personal Information, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction. If you are located outside Kenya and choose to provide information to us, please note that we transfer the information, including your Personal Information, to Kenya and Google Cloud Servers in the United Kingdom and process it there. Your consent to this Privacy Policy followed by your submission of such Personal Information represents your agreement to that transfer.
Children's Privacy
We do not knowingly collect Personal Information from Children under 18. If you are a parent or guardian and you learn that your Children have provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from a child under age 18 without verifiable parental consent, we will take steps to remove that information from our servers.
Links to Other Websites
This policy only extends to our website, which is owned and operated by us. It does not, therefore, extend to your use of, provision of information to, or collection of information on any website not connected to us to which you may link by using the hypertext links within our website. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.
Update of this Policy
This Policy is subject to changes, renewals, amendments and revision. You are expected to check this page from time to time to take notice of any changes we have made, as they are binding on you. If we make any substantial changes to how we use your personal information, we may notify you by posting a prominent notice on our website.
In case of any query regarding this policy, or if you have any comments or want to opt-out of receiving marketing communications from us or to complain about our use of your personal data kindly contact us through [email protected].
FOR EU RESIDENTS:
We collect, process, use and are responsible for certain personal information about you. When we do so, we are regulated under the General Data Protection Regulation (EU) 2016/679 (GDPR), which applies across the European Union and EEA (including in the UK), and the Data Protection Act 2018 (the DPA).
For individuals residing in the EU please contact our EU Representative with any requests you may have either by emailing [email protected]
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
When transferring data from the European Union, the European Economic Area, and Switzerland, Workpay relies upon a variety of legal mechanisms, including contracts with our Users.
Workpay complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Workpay commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Workpay is subject to oversight by the Kenya Office of the Data Protection Commissioner (ODPC). The ODPC is the Kenya-based independent organization responsible for reviewing and resolving complaints about our data protection and privacy compliance, free of charge to you. We ask that you first submit any such complaints directly to us via [email protected]. If you aren't satisfied with our response, please contact the ODPC at https [email protected]. In the event your concern still isn't addressed by the ODPC, you may be entitled to binding arbitration.
Within the scope of our authorization to do so, and in accordance with our commitments under this policy, Workpay will provide individuals access to personal data about them. Workpay also will take reasonable steps to enable individuals to correct, amend, or delete personal data that is demonstrated to be inaccurate.
We may ask you for additional data to confirm your identity and for security purposes, before disclosing data requested to you. We reserve the right to charge a fee where permitted by law. We may also decline to process requests that jeopardize the privacy of others, are extremely impractical, or would cause us to take any action that is not permissible under applicable laws. Additionally, as permitted by applicable laws, we may need to retain certain personal information for a limited period of time for record-keeping, accounting and fraud prevention purposes.