Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement reflects the parties' agreement with respect to the processing of personal data by Zira Technologies on behalf of customers using the Zira HR platform.
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zira Technologies ("Processor") and the customer organization ("Controller") using Zira HR. It governs the processing of personal data on behalf of the Controller in compliance with the Kenyan Data Protection Act (2019) and applicable data protection laws.
2. Processing Details
The Processor shall process personal data only on documented instructions from the Controller. The subject matter is HR, payroll, and workforce management data processing. The duration corresponds to the subscription term. Categories of data subjects include employees, contractors, job applicants, and dependents of the Controller. Personal data includes names, contact details, national ID numbers, KRA PIN, statutory numbers, bank details, payroll data, employment records, performance data, and disciplinary records.
3. Processor Obligations
The Processor shall: (a) process data only on documented instructions; (b) ensure personnel processing data are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) not engage sub-processors without prior notification; (e) assist the Controller in fulfilling data subject rights; (f) notify the Controller of personal data breaches without undue delay; (g) delete or return data upon termination.
4. Security Measures
The Processor maintains encryption at rest and in transit (TLS 1.3), tenant-isolated architecture, role-based access controls, audit logging of all data access, regular security assessments, and background-checked personnel with access to production data.
5. Sub-Processors
The Controller authorizes the engagement of the following sub-processors: Vercel Inc. (cloud hosting), Neon Inc. (database infrastructure), and Resend Inc. (email delivery). The Processor will provide 30 days' notice of any new sub-processors, during which the Controller may object.
6. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests under applicable law. The Controller is responsible for managing access, correction, and deletion requests from their employees and other data subjects.
7. Breach Notification
The Processor shall notify the Controller within 48 hours of becoming aware of a personal data breach affecting Controller data. Notification shall include the nature of the breach, categories of data affected, likely consequences, and remediation measures.
8. Data Deletion
Upon termination of the agreement, the Processor shall delete or return all Controller data within 90 days, except where retention is required by applicable law. The Processor may retain anonymized, aggregated data for analytics purposes.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA once per year, subject to reasonable notice and confidentiality obligations. The Processor may charge reasonable fees for extensive audits.
10. Governing Law
This DPA is governed by the laws of the Republic of Kenya. The parties submit to the jurisdiction of Kenyan courts for disputes arising from this DPA.