Data Protection Policy
Effective Date: April 03, 2026
Version: 2
Document owner: Data Protection Officer, Ctrl+Shift
This Data Protection Policy is our public-facing statement of the technical, organisational and governance measures we apply to personal data. The underlying internal Record of Processing Activities (RoPA) and Data Protection Impact Assessments (DPIAs) are maintained separately by the DPO and made available to supervisory authorities on lawful request.
1. Purpose and scope
This Data Protection Policy ("Policy") describes the technical, organisational and governance measures that Ctrl+Shift applies to its processing of personal data. It complements our Privacy Policy, which is the primary notice given to Data Subjects, and explains how we demonstrate accountability under the Kenya Data Protection Act, 2019 ("KDPA") and equivalent laws (GDPR Article 5(2)).
The Policy applies to all personal data processed by us as controller or as processor on behalf of a customer Organization, in every jurisdiction in which we operate.
2. Roles
- Data Controller: Ctrl+Shift determines the purposes and means of processing personal data of Users who register directly with the Platform.
- Data Processor: where a customer Organization uploads personal data about its employees or members into its tenant workspace, and we process that data only under the Organization's instructions, we act as a data processor for that Organization. A Data Processing Addendum (DPA) is available on request from legal@ctrlshiftapp.org.
- Data Protection Officer (DPO): Sue, reachable at dpo@ctrlshiftapp.org, is responsible for overseeing compliance, advising on DPIAs, responding to Data Subject requests, and liaising with the Office of the Data Protection Commissioner ("ODPC").
3. Lawfulness, fairness and transparency
All processing is grounded in one or more of the lawful bases enumerated in KDPA §30 / GDPR Article 6. The mapping of purposes to lawful bases is set out in §4 of the Privacy Policy.
Where we rely on consent, consent is:
- Specific to a clearly defined purpose (e.g. marketing emails);
- Freely given — consent is not a condition of core service delivery;
- Informed — with plain-language descriptions and a link to the relevant notice;
- Unambiguous — captured via an active opt-in checkbox, never a pre-ticked box;
- Withdrawable — as easy to withdraw as to give, via account preferences or dpo@ctrlshiftapp.org.
We maintain a consent register recording (a) the date of consent, (b) the scope consented to, (c) the wording shown at the time, and (d) any subsequent withdrawal.
4. Data minimisation, accuracy and storage limitation
- We collect only the personal data necessary for the stated purpose. Forms capture nothing that is not used.
- Users may view and correct their profile data at /profile/edit/. A quarterly notice prompts Users to refresh their profile where it has not been updated in the prior 12 months.
- Retention periods are set per data category; see §7 of the Privacy Policy and the master Retention Schedule maintained by the DPO.
- Backup copies are purged on the same schedule as the primary store, subject to a rolling 90-day encrypted backup window required for disaster recovery.
5. Security measures
We apply a layered defence model. The current baseline includes:
Application layer
- HTTPS / TLS 1.2+ enforced in production.
- CSRF middleware on every state-changing request.
- Content sanitisation (nh3) on all user-generated HTML (profiles, courses, legal documents, broadcasts).
- Server-side input validation on all forms.
- Rate limiting on authentication, password-reset, and write-heavy API endpoints.
- Cryptographically strong password hashing.
- OTP and activation links are time-bound to 24 hours.
Access control
- Role-based access control (RBAC) — each of Learner, Instructor, Moderator, Support, Sales, Admin and Organization roles has a least-privilege permission set.
- Admin / Super Admin actions (user administration, role reassignment, legal document publication, communications broadcasts, navigation-item CRUD) are recorded in append-only audit tables.
- Support and Sales agents cannot send broadcasts to Admins or to "All Users"; targeting is scope-filtered at both form and server level. Attempted escalation is logged.
- The Communications Hub audit log captures sender, audience snapshot, resolved recipient IDs, denied IDs (where scope filtering dropped them), and actor IP for every broadcast.
Infrastructure layer
- Hosting with a compliance-audited cloud provider.
- Encryption at rest for database and object storage.
- Periodic backups, with documented restore tests.
- Vulnerability scanning and dependency-freshness monitoring on CI/CD.
Governance
- Annual staff training on data protection and security awareness.
- Quarterly access reviews.
- Mandatory Multi-Factor Authentication for Staff with administrative privileges.
- Incident-response playbook rehearsed annually.
6. Breach notification
A personal-data breach is any incident that results in the unlawful destruction, loss, alteration or disclosure of, or unauthorised access to, personal data. On detection, we will:
- Contain and document the incident within 24 hours.
- Assess risk to Data Subjects (type of data, volume, identifiability, likelihood of harm).
- Notify the ODPC within 72 hours where the breach is likely to result in a risk to Data Subject rights (KDPA §43).
- Notify affected Data Subjects without undue delay where the risk is high, describing the nature of the breach, likely consequences, measures taken, and contact points.
- Record the incident in our breach register regardless of notifiability.
7. Data Protection Impact Assessments (DPIAs)
A DPIA is conducted before any new processing that is likely to result in a high risk to Data Subjects — for example, processing of KYC data, large-scale profiling, or processing of children's data. DPIAs are signed off by the DPO and are filed internally. Where a DPIA identifies residual high risk, we consult the ODPC before commencing processing (KDPA §31).
8. Records of processing (RoPA)
We maintain an internal Record of Processing Activities per KDPA §24 / GDPR Article 30. The RoPA includes, for each processing operation: purpose, lawful basis, data categories, Data Subject categories, recipient categories, international transfer information, retention period and security measures. The RoPA is updated on the introduction of any new processing, change of sub-processor, or at least annually.
9. Sub-processors — Annex A
We engage sub-processors only where necessary. Every sub-processor is bound by a data-processing agreement that imposes obligations at least equivalent to those we owe our Data Subjects.
The sub-processor list in Annex A is updated as sub-processors change. Organization customers receive 30 days' notice of new or changed sub-processors via email to the Organization admin contact and may object in writing within 14 days.
10. International transfers — Annex B
Where a sub-processor processes data outside Kenya, we rely on one or more of the safeguards in KDPA §§48–49:
- Adequacy decisions by the Data Protection Commissioner;
- Standard Contractual Clauses approved by the Commissioner;
- Binding Corporate Rules of the recipient;
- Explicit consent of the Data Subject, after being informed of the risks;
- Necessity for the performance of a contract with the Data Subject.
A Transfer Impact Assessment (TIA) is performed for each transfer, documenting the receiving jurisdiction's surveillance laws and the supplementary measures applied.
11. Data Subject rights — operational procedure
The DPO receives Data Subject requests at dpo@ctrlshiftapp.org. We:
- Acknowledge every request within 7 calendar days;
- Verify the identity of the requester through at least one authenticated channel (logged-in session or email ownership confirmation);
- Fulfil the request within 30 days (extendable by up to 60 days where complex, with reasons provided to the requester);
- Provide responses free of charge, except where a request is manifestly unfounded or excessive, in which case a reasonable administrative fee may be charged;
- Record every request and outcome in the Data Subject request register.
12. Staff responsibilities
- All Staff sign a confidentiality undertaking on joining.
- Role-specific data protection training is mandatory within the first week and refreshed annually.
- Support and Sales agents have view-only access to the minimum personal data necessary to help the User; they cannot read private chat messages between Users and are restricted from selecting "Admins" or "All Users" audiences in the Communications Hub.
- Admins with super-user privileges are subject to enhanced logging and periodic access reviews.
- Any Staff suspicion of a data-protection incident must be reported to the DPO within 4 hours of discovery.
13. Audit and review
- This Policy is reviewed at least annually and on any material change to our processing, legal landscape, or security posture.
- External penetration testing is commissioned at least annually or on a material change to the architecture.
- The DPO reports compliance status to the executive team quarterly.
14. Complaints and supervisory authority
Data Subjects who believe we have breached the KDPA may lodge a complaint with:
Office of the Data Protection Commissioner of Kenya, Britam Tower, Hospital Road, Upper Hill, Nairobi, Kenya
Web: www.odpc.go.ke
EU/EEA residents may lodge a complaint with the supervisory authority of their habitual residence.
15. Contact
- Data Protection Officer: Sue — dpo@ctrlshiftapp.org
- Legal: legal@ctrlshiftapp.org
- Registered office: {{ registered_office_address }}