Legal

Data Processing Agreement.

How PrimeStart Consultant processes, stores, and protects personal data under Kenya DPA 2019 and GDPR.

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the engagement terms between PrimeStart Consultant Ltd. (“Processor”) and the client (“Controller”). It is governed by the Kenya Data Protection Act, 2019 (“DPA 2019”) and, where applicable, the EU General Data Protection Regulation (“GDPR”).

1. Roles and Scope

The Client is the Data Controller. PrimeStart Consultant is the Data Processor. PrimeStart processes personal data on behalf of the Client only as documented in the engagement letter and this DPA. PrimeStart does not process personal data for its own purposes.

2. Categories of Data

  • Contact data: names, email addresses, phone numbers of the Client’s stakeholders and contacts.
  • Communication data: email contents, calendar entries, meeting notes, chat messages.
  • Business data: financial records, deal information, strategic plans shared by the Client.
  • Research data: survey responses, interview recordings, focus group data collected on the Client’s behalf.

3. Processing Purposes

Personal data is processed solely for: executive support services, market research activities, and operational coordination as defined in the engagement letter. No processing for marketing, profiling, or automated decision-making.

4. Security Measures

PrimeStart maintains the following technical and organizational measures:

  • HTTPS encryption for all data in transit (TLS 1.3).
  • Encrypted at rest using provider-managed encryption (AES-256).
  • Least-privilege access controls with quarterly audits.
  • NDA-backed personnel with restricted-access tools.
  • Dedicated, audited accounts for inbox, calendar, and CRM access.
  • No data exports or transfers to personal devices.
  • Regular security reviews and incident response procedures.

5. Sub-Processors

PrimeStart uses the following sub-processors:

  • Vercel — web hosting and application deployment (EU/US regions).
  • Neon (Vercel Postgres) — database hosting.
  • Email provider — for outbound email delivery (configured per engagement).

All sub-processors are bound by data processing agreements. The Client will be notified of any new sub-processor 30 days before activation.

6. Data Subject Rights

PrimeStart assists the Client in fulfilling data subject requests (access, correction, deletion, portability) within 30 days. Requests are routed through the Client’s designated contact.

7. Breach Notification

In the event of a personal data breach, PrimeStart notifies the Client within 24 hours of becoming aware of the breach. Notification includes: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

8. Data Retention and Deletion

Personal data is retained for the duration of the engagement plus 7 years for legal/financial compliance, unless the Client requests earlier deletion. Upon termination, all personal data is securely deleted within 30 days, except where retention is required by law.

9. Cross-Border Transfers

Data may be processed in Kenya, the United States, and the European Union (via Vercel/Neon infrastructure). Transfers are made under appropriate safeguards including standard contractual clauses where applicable.

10. Governing Law

This DPA is governed by the Kenya Data Protection Act, 2019 and, where applicable, GDPR. Disputes are resolved under the jurisdiction of the Kenyan courts and the Office of the Data Protection Commissioner (ODPC).

11. Requesting the Full DPA

This page is a summary. The full Data Processing Agreement is provided to clients upon engagement. To request a copy before engaging, please contact us.

Last updated: July 2026. PrimeStart Consultant Ltd., 5th Floor, Westlands Square, Nairobi, Kenya.