Legal

Data Processing Agreement (DPA)

This Data Processing Agreement outlines the standards, responsibilities, and security measures we implement when processing tenant and rental property data on your behalf.

12 min readUpdated: July 2026

1. Definitions and Roles of Controller and Processor

This Data Processing Agreement ("DPA") is entered into by and between the Landlord using the Nidamiye platform (referred to as the "Controller" or "you") and Groundwork Technologies, the owner and operator of Nidamiye (referred to as the "Processor", "Nidamiye", "we", or "us").

Under applicable data protection laws (including the Kenyan Data Protection Act, 2019, and the General Data Protection Regulation - GDPR):

  • Controller: You are the Controller of the tenant data and property logs you upload to our platform. You determine the purposes and means of processing this personal data.
  • Processor: Nidamiye acts as the Processor on your behalf. We process the personal data solely under your instructions and according to the terms of this DPA and our Terms of Service.

2. Scope and Processing Purposes

Nidamiye processes tenant and landlord information to provide, maintain, and support the automated rent-tracking platform. The types of processing activities we perform include:

  • Property & Tenant Setup: Storing names, phone numbers, house numbers, rental configurations, and lease details as defined by you in your dashboard workspace.
  • Rent Reconciliation: Processing incoming M-Pesa transaction records and matching them automatically to your tenant lists.
  • Messaging & Delivery: Dispatching automated invoice details, payment receipts, and rent reminders to your tenants via WhatsApp or SMS channels based on your triggers.
  • Customer Support: Accessing logs to resolve user-reported discrepancies or server issues under your explicit request.

3. Security Measures and Technical Standards

We implement and maintain production-grade technical and organizational security measures to protect the personal data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.

Our core security standards include:

  • Data Encryption: All personal data is encrypted in transit using SSL/TLS protocols and encrypted at rest in our databases using AES-256 standard algorithms.
  • Access Restrictions: Access to database records is restricted to authorized platform engineers only on a strict need-to-know basis and subject to strict confidentiality agreements.
  • Network Security: Firewalls, secure API keys, and regular software vulnerability checks are deployed to secure our environment from external vectors.
  • System Backups: Automated daily backups are created and stored securely to prevent data loss and ensure system recovery in the event of an outage.

4. Authorized Subprocessors

You agree that Nidamiye may engage third-party subprocessors to perform specialized infrastructure or messaging activities. We maintain a list of authorized subprocessors, ensuring that each subprocessor is bound by data protection obligations at least as protective as those in this DPA:

  • Cloud Hosting Providers: Maintain the server nodes, database infrastructure, and backup assets where our code runs.
  • Safaricom M-Pesa API: Handles verification and notifications of incoming transactions.
  • WhatsApp/SMS Gateway Providers: Handle the network delivery of automated receipt messages and landlord notifications.
  • Error Logging Platforms: Sentry is integrated to capture system logs and trace code crashes to fix errors quickly.

We will notify you of any planned changes or additions to our subprocessors, giving you the opportunity to object to such changes on reasonable privacy grounds.

5. International Data Transfers

Nidamiye's primary servers and hosting services are located in secure cloud data centers. In the event that personal data is transferred across national boundaries (for example, to cloud servers outside of Kenya), we ensure that the transfer is protected by appropriate legal frameworks, standard contractual clauses, or adequacy decisions to maintain equivalent data protection levels.

6. Confidentiality of Processing

We ensure that all personnel authorized by Nidamiye to process tenant and property data have committed themselves to strict confidentiality agreements or are under an appropriate statutory obligation of confidentiality.

Nidamiye will not disclose any processed personal data to third parties, law enforcement, or government agencies unless explicitly instructed by you or required by binding statutory legal mandates.

7. Data Subject Rights Assistance

Tenants (Data Subjects) have the right to access, rectify, restrict, or delete their personal data. As the Controller, you are responsible for handling their requests.

Nidamiye will assist you by:

  • Providing self-service tools inside the landlord dashboard that enable you to view, edit, download, or delete tenant records directly.
  • Responding to your written support requests within a reasonable timeframe to retrieve, anonymize, or permanently erase tenant data that cannot be cleared via the dashboard.

8. Breach Notification and Incident Management

In the unlikely event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Nidamiye will:

  • Notify you in writing without undue delay (and in any case, within 72 hours of becoming aware of the breach).
  • Provide relevant information regarding the nature of the breach, the estimated categories of data affected, and the mitigation measures we have taken or plan to take.
  • Collaborate with you to help you meet your regulatory notification obligations to data protection authorities or affected data subjects.

9. Data Retention, Deletion, and Return

We process and retain the data only for the duration of your active subscription or as required to fulfill the purposes described in this DPA.

Upon termination of your account or at your request:

  • We will delete all active property, payment, and tenant records within our production systems, unless legal, auditing, or tax regulations mandate longer storage.
  • Any residual logs preserved in our regular secure system backups will be permanently overwritten in accordance with our standard backup retention cycle.

10. Audits and Inspections

Nidamiye will make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.

We will allow for and contribute to audits or inspections conducted by you or a mutually agreed-upon independent auditor. Any such audits must be scheduled with reasonable advance notice, conducted during standard business hours, and designed to minimize disruption to our operations and preserve the privacy of other platform tenants.

11. Term and Termination

This DPA shall enter into force on the date you register an account or accept these terms, and shall remain in effect for the duration of your active subscription and until all personal data processed on your behalf is permanently deleted from Nidamiye's systems.

12. Liability and Miscellaneous Terms

This DPA is subject to the limitation of liability provisions set forth in our Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data protection obligations, the terms of this DPA shall prevail.

Simplify your property management today

Experience the power of automatic rent tracking, instant M-Pesa matching, and automatic WhatsApp receipts.