Ask AwraIQ about features, pricing, onboarding, login, integrations, security, demos, mobile apps, automation, reports, or support.
Data Processing Agreement
The binding terms that govern how AWRA OpsHub processes personal data on behalf of your organization, in compliance with the Kenya Data Protection Act, 2019 and other applicable data protection laws.
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service and any related order form or subscription agreement (collectively, the "Agreement") between AWRA OpsHub ("AWRA", "we", "us", "our", the "Processor") and the customer organization that accesses or uses the Services (the "Customer", "you", the "Controller").
This DPA applies whenever AWRA processes Personal Data on behalf of the Customer in the course of providing the AWRA OpsHub platform — a multi-tenant inventory, procurement, sales, finance, asset, and operations management system. Where the Customer is acting on behalf of its own clients or beneficiaries, the Customer may itself be a processor and AWRA a sub-processor; in that case the obligations in this DPA apply mutatis mutandis.
In the event of a conflict between this DPA and the rest of the Agreement, this DPA controls in relation to the processing of Personal Data. A separate negotiated or signed DPA executed between the parties takes precedence over this public DPA where the two directly conflict.
Unless otherwise defined in this DPA, capitalised terms have the meaning given in the Agreement. For the purposes of this DPA:
The parties acknowledge that, with respect to the processing of Personal Data under the Agreement, the Customer is the Controller and AWRA is the Processor. The Customer determines the purposes and means of processing the workspace content it configures, uploads, and manages, and is responsible for establishing a lawful basis for that processing.
AWRA acts as an independent Controller only for limited, separate activities — such as account administration, billing, platform security, fraud prevention, and product analytics — which are governed by our Privacy Policy rather than this DPA.
AWRA shall process Personal Data only to the extent necessary to provide and support the Services, and as further described in Annex I to this DPA. The subject matter, duration, nature, and purpose of the processing, the categories of Data Subjects, and the types of Personal Data are set out in Annex I.
The duration of processing corresponds to the term of the Agreement, plus any retention period required to complete return or deletion of Personal Data as described in Section 13.
AWRA shall:
AWRA shall ensure that all personnel authorised to process Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have received adequate training on their data protection responsibilities. Access to Personal Data is limited to those personnel who require access to perform their duties under the Agreement, on a least-privilege basis.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, AWRA shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including those described in Annex II. These measures include, as appropriate:
The Customer is responsible for the security of its own credentials, access management within its workspace, role assignments, and the configuration choices it makes within the Services.
The Customer provides general written authorisation for AWRA to engage Sub-processors to support the provision of the Services. AWRA shall:
Our current primary Sub-processors include:
The complete, current register — including AI providers and optional integrations, with the purpose, data categories, and region for each — is maintained on our Sub-processors page, where you can also subscribe to advance notice of changes.
Taking into account the nature of the processing, AWRA shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law — including rights of access, rectification, erasure, restriction, objection, and data portability.
Where AWRA receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Customer, AWRA shall, unless legally required to act, promptly forward the request to the Customer and not respond directly except on the Customer's instructions.
AWRA shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. Such notification shall, to the extent known and available, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate harm.
AWRA shall provide reasonable assistance to enable the Customer to meet its own breach-notification obligations to the Data Commissioner and to affected Data Subjects. Where Kenyan data protection law applies and AWRA itself is required to notify, AWRA will notify the Data Commissioner in accordance with the law.
AWRA shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with the Data Commissioner or other supervisory authority that the Customer reasonably considers necessary, in each case solely in relation to the processing of Personal Data by AWRA and taking into account the information available to AWRA.
AWRA operates from Kenya but may use infrastructure and Sub-processors located in other jurisdictions. AWRA shall not transfer Personal Data outside Kenya or the Customer's country of residence except where there is a lawful basis and an appropriate safeguard or transfer mechanism in place under Applicable Data Protection Law — such as contractual protections (including standard contractual clauses where applicable), adequacy determinations, or the Customer's documented instructions and consent.
AWRA shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
To minimise disruption and protect the confidentiality and security of other customers in our multi-tenant environment, audits shall: (a) be conducted on reasonable prior written notice; (b) take place no more than once per twelve-month period (save where required by a supervisory authority or following a Personal Data Breach); (c) be subject to confidentiality obligations; and (d) ordinarily be satisfied in the first instance by AWRA providing relevant policies, control descriptions, and third-party audit reports or certifications where available.
Upon termination or expiry of the Agreement, AWRA shall, at the Customer's choice, return or delete the Personal Data processed on behalf of the Customer, and delete existing copies, unless retention is required by Applicable Data Protection Law. To allow for export, AWRA generally retains workspace data for a limited period (as described in our Terms of Service) before secure deletion.
Secure deletion follows our standard disposal practices, including purging of Personal Data from primary and, in due course, backup systems in accordance with our backup rotation cycle. Anonymised or aggregated data that no longer identifies a Data Subject may be retained for system improvement and analytics.
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability where it cannot lawfully be limited or excluded under Applicable Data Protection Law.
This DPA is governed by the laws of the Republic of Kenya, and the parties submit to the exclusive jurisdiction of the courts of Nairobi, Kenya, save where Applicable Data Protection Law requires otherwise. This DPA is read consistently with the Kenya Data Protection Act, 2019.
AWRA may update this DPA from time to time to reflect changes in the Services, Sub-processors, or Applicable Data Protection Law. Material changes affecting the processing of Personal Data will be communicated through email or in-app notification. The "Last updated" date reflects the most recent revision.
Subject matter: Provision of the AWRA OpsHub multi-tenant inventory, procurement, sales, finance, asset, and operations management platform.
Duration: The term of the Agreement, plus any post-termination period required for return or deletion of Personal Data.
Nature and purpose of processing: Hosting, storage, organization-level segregation, processing, transmission, analysis, and display of Customer records to provide and support the Services and the Customer's lawful instructions.
Categories of Data Subjects may include:
Categories of Personal Data may include:
Special category data: AWRA does not require special category (sensitive) Personal Data to provide the Services. Where the Customer chooses to store such data, the Customer is responsible for ensuring an appropriate lawful basis and additional safeguards.
AWRA maintains data processing agreements with each Sub-processor and reviews their security and compliance posture before engagement.
For DPA execution, data protection questions, or to exercise audit and information rights, contact us at [email protected] (please include "DPA Request" in the subject line) or via the Contact AWRA page. A signable, contract-ready version of this DPA is available on request through our procurement channel. See also our overview at the Data Processing Addendum page.
Last updated: June 16, 2026
Help Center
Run inventory, procurement, assets, sales, and field work with approved AWRA guidance for setup, migration, integrations, security, pricing, and support.