BandaGo Service Agreement 

www.bandahealth.org

This Service Agreement (“SA” or “Agreement”) is entered into by and between:

Banda Health (“Banda Health”, “we”, “us”), a US registered entity providing the BandaGo software-as-a-service solution.

AND

The Clinic/Healthcare Facility (“Client”, “you”), subscribing to the BandaGo service.

(Each a “Party” and collectively, the “Parties”)

The effective date of this Agreement is the earlier of the date on which the Client completes the registration process and fully executes all agreement addenda, or otherwise accesses or uses all or any part of the BandaGo Service (“Effective Date”).

RECITALS

WHEREAS, Banda Health develops, operates, and distributes the BandaGo online clinic management system (the “Service”), including hosted applications (“Apps”);

WHEREAS, the Client desires to subscribe to and use the Service for its clinic management, patient registration, electronic medical records (EMR), billing, and inventory management needs;

WHEREAS, the Parties wish to set forth the terms and conditions under which Banda Health will provide the Service to the Client.

NOW, THEREFORE, in consideration of the mutual covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

  1. DEFINITIONS

Capitalized terms not otherwise defined in this SA shall have the meanings given to them in the Service Level Agreement (SLA) and the Data Processing Addendum (DPA) attached hereto.

  • “Agreement”: the Service Agreement, inclusive of all Exhibits, or other written and/or electronic agreement between the Clinic and Banda Health for the use of the Service.
  • “App(s)”: Software applications developed, operated, and distributed by Banda Health, including hosted applications and applications for mobile devices.
  • “Content”: All content, materials, data, and other information created by or for Banda Health (or its affiliates or licensors) and made available via the Service.
  • “Data Protection Laws”: the Kenya Data Protection Act, 2019 (Act No. 24 of 2019) and any other applicable data protection laws and regulations.
  • “Personal Data”: Any identifiable information relating to a Data Subject that is processed by Banda Health as part of providing the Service under the Agreement.
  • “Terms of Service” or “ToS”: The online terms and conditions governing the use of the Service by Users, as published by Banda Health on its Site or via any App, and as may be updated from time to time.
  • “Policies”: All other operating rules, conditions, and procedures that may be published by Banda Health from time to time on its Site or via any App, including without limitation the Privacy Policy.
  • “Service(s)”: The BandaGo online clinic management system, including the Site and the Apps, and all features and functionalities provided therein.
  • “Service Data”: All non-personal data and information provided by the Client during registration and subsequent use of the Service, and all other data and information about the Client that are otherwise discerned or collected by Banda Health based on the Client’s access and use of the Service.
  • “Site”: The Banda Health Solutions website (bandahealth.org).
  • “User(s)”: Any individual authorized by the Client to access and use the Service.
  • “Notice in Writing” or “Written Notice”: Any notice, consent, request, or other communication required or permitted under this Agreement that is in written form, including communications sent by email to the primary email address or WhatsApp number associated with a Party’s account, or delivered through a designated communication feature within the BandaGo Service, or by postal mail to the addresses specified in this Agreement or as otherwise mutually agreed upon by the Parties.
  • “Written Consent”: Consent provided in writing, including, but not limited to, electronic acceptance through the BandaGo Service (such as clicking an “I Agree” button or similar electronic affirmation), email confirmation, or any other method that constitutes an electronic record capable of being retained and reproduced, and that is recognized as a valid form of written consent under applicable law.

  2. ACCEPTANCE OF TERMS

2.1. The Client acknowledges and agrees to be bound by all the terms and conditions of this SA, including the Service Level Agreement, the Data Processing Addendum, the Privacy Policy, and the Terms of Service, all of which are incorporated by reference herein and form an integral part of this Agreement.

2.2. The Client’s consent to this Service Agreement, including all incorporated Exhibits and Addenda, is provided through the completion of the registration process and the written or electronic acceptance of these terms (which may include clicking an “I Agree” button or similar electronic affirmation). The Parties agree that electronic acceptance, following review of the terms and conditions herein, shall constitute written consent for the purposes of this Agreement and applicable law.

2.3. If the Client does not agree to these terms, or if the Client is not eligible or authorized to enter into this Agreement, or if the use of this Service is not permitted by the laws of the country in which it will be used, then the Client must not register for, download, access, or use the Service.

  3. SERVICE PROVISION

3.1. Description of Service: BandaGo is an online clinic management system designed to help healthcare facilities manage cash flow and inventory, improve information documentation and reporting, and enhance patient care. The Service provides features including but not limited to role-based user access, inventory management, point-of-sale and expense tracking, patient visit management (registration, clinical notes, lab orders, billing, and scheduling).

3.2. Eligibility: The Client represents and warrants that the individual executing this Agreement on its behalf is at least 18 years of age and legally authorized to bind the Client to these terms. Furthermore, the Service is intended for use by individuals who are at least 18 years of age, and under no circumstances may the Service be knowingly used by individuals under 18 years of age. The Client shall ensure that all of its Users meet these age requirements.

3.3. Registration and Account Management: To establish an account, register for and use the Service, certain information about the healthcare facility or provider may be required, including name, address, telephone number, email address, username, and password. Banda Health may refuse to accept the Client’s application to register for the Service, in its sole discretion. Upon acceptance, Banda Health will activate the access credentials for the Client’s account. The Client is solely responsible for maintaining the confidentiality of its access credentials and other account information and will be solely liable for any and all activities under its account. The Client agrees to notify Banda Health immediately of any unauthorized use of its account or any other breach of security related to the Service.

3.4. Not Healthcare Services: The Service is only intended as an information tool to aid healthcare providers and must not be used as a substitute for professional healthcare services. Banda Health does not provide professional healthcare services and has no control over how a healthcare provider uses the Service.

3.5. Client Indemnification: The Client agrees to defend, indemnify, and hold harmless Banda Health, its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with:

  • Any breach by the Client or its Users of this Agreement (including the Terms of Service, Privacy Policy, SLA, or DPA);
  • The Client’s or its Users’ access to or use of the Service, including any actions, omissions, or errors committed by the Client or its Users in the provision of healthcare services, patient treatment, or professional medical advice, where the Service was used as an information tool;
  • Any claim by a third party (including patients or their representatives) alleging patient harm, malpractice, personal injury, or property damage resulting from the Client’s or its Users’ acts or omissions in providing healthcare services, even if the Service was utilized in connection with such acts or omissions, given that Banda Health does not provide healthcare services;
  • Any violation by the Client or its Users of any applicable laws, regulations, or third-party rights (including privacy or data protection laws).

3.6. Customization: Banda Health uses a lean iterative approach to incorporating user and stakeholder needs. New features are released to all clients simultaneously, and BandaGo is not customized for individual clinic needs.

  4. FEES AND PAYMENTS

4.1. Subscription Plans: Banda Health offers one or more subscription plans for Services (each a “Plan”). Specific prices and plans are listed on Banda Health’s official pricing page available at www.bandahealth.org, which is incorporated by reference herein.

4.2. Payment Terms: Clients must select a Plan and, where applicable, pay for Services in advance before the Client and the Users they approve access BandaGo. Plan fees may change from time to time, with new fees applying to a Client when a new subscription period commences. Payments are not cancellable, and fees paid are non-refundable. Payments are primarily accepted via mPesa. However, the Parties may mutually agree upon alternative payment methods in writing.

4.3. Subscription Renewal: Subscription periods may differ based on the Plan selected at the time of payment. At the end of a subscription period, Plans will automatically renew with fees assessed according to the fee and subscription schedule active at the time of renewal. Subscription renewal fees are due within 7 calendar days of renewal.

4.4. Suspension and Closure for Non-Payment: Failure to pay in accordance with this Section 4 may lead to suspension or termination of the Service as detailed in Section 9 (Term and Termination). Client and User will not have access to data in accounts suspended or closed for non-payment unless the Client has submitted a written payment dispute requesting continued access during resolution discussions and is cooperating with Banda Health in good faith to resolve the dispute.

4.5. Price Stability and Increases: Banda Health commits to not increasing subscription prices for the first two years from the effective date of this agreement, conditional on uninterrupted and punctual fee payments.

4.6. Taxes: Subscription fees do not include any taxes, levies, duties, or other governmental assessments such as value-added, sales, use, or withholding taxes assessed by any jurisdiction whatsoever (collectively “Taxes”). The Client is responsible for paying all Taxes associated with its use of Services. If Banda Health is found to have a legal obligation to pay or collect Taxes for which the Client is responsible, Banda Health will send the Client an invoice for the Taxes due, and the Client must pay the amount unless the Client provides Banda Health with a valid tax exemption certificate authorized by the appropriate taxing authority.

  5. SERVICE LEVEL AGREEMENT (SLA)

The Service Level Agreement (SLA), attached hereto as Exhibit A and incorporated into this Agreement, outlines Banda Health’s commitments regarding Service availability, performance, and support services. The Client agrees to the terms and conditions set forth in the SLA.

  6. DATA PROCESSING ADDENDUM (DPA)

The Data Processing Agreement (DPA), attached hereto as Exhibit B and incorporated into this Agreement, outlines the obligations of both Parties with respect to the processing of Personal Data and Service Data. The Client agrees to the terms and conditions set forth in the DPA.

  7. PRIVACY POLICY

Banda Health’s Privacy Policy, available on the Site and incorporated by reference herein, explains our online information practices and the choices the Client and Users can make about the way information is collected and used when visiting the Site or using the Service. By using the Service, the Client accepts the terms of the Privacy Policy.

  8. CLIENT OBLIGATIONS AND CONDUCT

8.1. Compliance with Laws: The Client agrees to abide by all applicable local, state, national, and international laws, regulations, and rules, including without limitation data protection and privacy laws, in connection with its access and use of the Service, and shall ensure that its Users also comply with all such laws.

8.2. User Compliance with Terms of Service: The Client acknowledges that access and use of the Service by its Users are subject to Banda Health’s Terms of Service, available on the Site and incorporated herein by reference. The Client agrees to ensure that all of its Authorized Users comply with the Terms of Service. The Client shall be responsible for any breach of the Terms of Service by its Users, and Banda Health reserves the right to suspend or terminate the access of any User or the Client’s entire account for such breaches, in accordance with the Terms of Service and this SA. The Client further agrees to inform its Users of the existence and content of the Terms of Service and to obtain any necessary consents from its Users for the processing of their data in accordance with the Terms of Service and Privacy Policy.

  9. TERM AND TERMINATION

9.1. Term of Agreement: This Agreement shall commence on the Effective Date and shall continue in effect for the subscription period selected by the Client as per Section 4.1. The Agreement shall automatically renew for successive subscription periods unless terminated earlier in accordance with the terms herein.

9.2. Termination for Convenience:

9.2.1. By Client: The Client may terminate this Agreement by providing written notice to Banda Health. Such termination will be effective at the end of the then-current subscription period, provided notice is given at least 7 calendar days prior to the end of the current subscription period. No refunds will be provided for any prepaid fees for the remainder of the current subscription period.

9.2.2. By Banda Health: Banda Health may terminate this Agreement for convenience by providing at least 30 calendar days’ written notice to the Client. In such an event, Banda Health will refund any prepaid fees for the remaining portion of the subscription period after the effective date of termination.

9.3. Termination for Cause:

9.3.1. By Either Party: Either Party may terminate this Agreement with immediate effect by written notice to the other Party if the other Party:

  • Commits a material breach of any term of this Agreement (including any incorporated addendum like the SLA or DPA) and fails to remedy that breach within 30 calendar days of being notified in writing to do so; or
  • Becomes insolvent or unable to pay its debts as they fall due, enters into receivership, administration, or any equivalent insolvency proceedings, or ceases to conduct business.

9.3.2. Other Client Breaches: Banda Health may also terminate this Agreement immediately upon written notice if the Client (or any of its Users) breaches Section 8.1 (Compliance with Laws) or 8.2 (User Compliance with Terms of Service).

9.4. Effects of Termination:

9.4.1. Upon termination of this Agreement for any reason, all rights and licenses granted to the Client hereunder shall immediately cease, and the Client and its Users must immediately cease all use of the Service.

9.4.2. Termination of this Agreement shall not affect any rights, remedies, obligations, or liabilities of the Parties that have accrued up to the date of the effective date of termination.

9.4.3. Data Handling upon Termination:

  • Upon termination, the Client may request the return of all Personal Data within 90 days from the effective date of termination. If requested within this period, Banda Health shall return all Personal Data to the Client in CSV format after the end of the provision of services relating to processing.
  • At the 90-day mark following the effective date of termination, all identified Personal Data will be deleted, and within the subsequent 90 days, identified Personal Data will be removed from all backup copies, unless and to the extent the law permits or requires its retention (as per the Data Processing Addendum).
  • Banda Health may retain anonymized or de-identified data for research and analytics purposes as per the terms of the Data Processing Addendum.

9.5. Survival

Sections 1 (Definitions), 3.4 (Not Healthcare Services), 3.5 (Client Indemnification), 4 (Fees and Payments – for accrued but unpaid fees), 9.4 (Effects of Termination), 11 (Dispute Resolution and Governing Law), and any other provisions which by their nature are intended to survive termination, shall survive the termination of this Agreement.

  10. Updates to Our Service Agreement

10.1. Our Commitment to Improvement

To ensure the BandaGo system remains effective and secure, we may need to amend this Agreement from time to time, such as to comply with new laws, address security needs, or reflect improvements and new features in our service.

10.2. Notice of Material Changes

For any material change, we promise to give you at least 30 days’ advance notice. We will notify you via the email or WhatsApp number associated with your account, or through a clear notification within the BandaGo system. A “material change” is a significant alteration that affects the system’s functionality, availability, security, support, or your core obligations.

10.3. Your Acceptance of Changes

Your continued use of the BandaGo service after the 30-day notice period will signify your acceptance of the new terms.

However, for any update that:

  • Materially increases your financial obligations; or
  • Significantly reduces our core service commitments to you,

we will require your explicit, affirmative consent (for example, by asking you to click an “I Agree” button within the system) before the change is applied to your account.

10.4. Your Right to Disagree

We respect your right to choose. If you do not agree with the proposed changes, you may reject them by terminating your agreement with us without penalty before the changes take effect. You can do this by providing us with written notice of your decision to terminate.

  11. Dispute Resolution and Governing Law

This Agreement and any dispute arising out of it shall be governed by and construed in accordance with the laws of the Republic of Kenya. The Parties agree to attempt to resolve any dispute amicably through negotiation. If the dispute cannot be resolved through negotiation, it shall be referred to arbitration in Nairobi, Kenya, in accordance with the Arbitration Act, 1995.

Client Particulars and Acknowledgment of Terms:

Please enroll my health facility in the BandaGo online clinic management system according to the terms and conditions outlined in this Service Agreement, including all incorporated addenda and policies, which I have read, understood, and agree to be bound by.

Facility Name:      _______________________________________________________________

Facility Address/Location: _______________________________________________________________

Full name of legally authorized representative of the health facility:

_______________________________________________________________

Title: __________________________________________________________

Email address:                _______________________________________________________________

Mobile Phone:                _______________________________________________________________

Signature:                        _______________________________________________________________

Signature of legally authorized representative of the health facility

Date:                                _______________________________________________________________

Exhibit A: Service Level Agreement

This Service Level Agreement (SLA) is entered into between Banda Health (“Banda Health”, “we”, “us”) and the client health facility (“Client”, “you”) and outlines the terms and conditions for the provision of the BandaGo online clinic management system (“Service”). This SLA should be read in conjunction with the Banda Health Solutions Terms of Service, Data Processing Agreement, and Privacy Policy.

1. Introduction & System Overview

BandaGo is an online clinic management system designed to help healthcare facilities save money by managing cash flow and inventory, save time through efficient information documentation and reporting, and improve patient care with more complete and accessible records. The service provides a robust set of features including role-based user access, inventory management, point-of-sale and expense tracking, and patient visit management (registration, clinical notes, lab orders, billing, and scheduling).

2. Definitions

  1. “Uptime”: The percentage of time in a calendar month that the BandaGo system is available for access.
  2. “Downtime”: The total time in a calendar month during which the BandaGo system is not available, excluding Scheduled Maintenance and Exclusions.
  3. “Scheduled Maintenance”: Planned maintenance performed by Banda Health to update and maintain the Service.
  4. “Business Hours”: 8:00 AM to 5:00 PM East Africa Time (EAT), Monday through Friday, excluding public holidays in Kenya.
  5. “Incident”: Any event not part of the standard operation of the Service which causes, or may cause, an interruption to, or a reduction in, the quality of the Service.
  6. “Response Time”: The time elapsed from when the Client reports an Incident to when Banda Health acknowledges receipt of the report and begins work on the Incident.
  7. “Resolution Time”: The time elapsed from when Banda Health begins work on an Incident to when the Incident is resolved.

3. Service Availability and Performance

Uptime: our target is 99.9% uptime outside of scheduled maintenance.

    1. Measurement: Uptime is measured based on server-side availability of BandaGo, excluding scheduled maintenance.
    2. Exclusions: This target does not apply to performance issues or downtime caused by:
      1. Client’s internet connectivity issues.
      2. Client’s hardware or software failures.
      3. Third-party services not under the direct control of Banda Health (e.g. SMS providers).
      4. Force Majeure events (acts of God, war, terrorism, natural disasters, etc.).
      5. Scheduled maintenance (as defined below).
    3. Scheduled Maintenance
      1. Notice: Banda Health will give at least 4 hours’ notice of any planned scheduled maintenance that may result in service unavailability, except in cases where emergency maintenance is required (as defined below).
      2. Frequency and duration: The service may undergo scheduled maintenance for updates and improvements. These will typically be limited to 4 scheduled maintenance windows per month outside of East Africa business hours. Each maintenance window is not expected to last more than 2 hours.

4. Support Services

  1. Support Channels: Support is available during Business Hours via the designated WhatsApp and phone lines. Non-urgent support is available at the designated email address.
  2. Incident Response and Resolution: Banda Health responds to reported critical system issues within one business day, with resolution prioritized and completed as soon as possible. Critical issues are those that significantly affect a key process and for which there is no viable workaround. For non-critical issues, our response time is within 10-20 business days, with resolution based on priority and impact.
    1. Critical Example: “system error preventing patient registration or billing.”
    2. Non-Critical Example: “a minor display bug on a specific report that has a workaround.”

5. Data Protection and Security

Banda Health maintains industry-standard security measures to protect client data, details of which are provided in the Terms of Service and its associated Data Processing Agreement (DPA).

  1. Roles and Responsibilities: Under the DPA, the Client health facility is the “Data Controller,” and Banda Health is the “Data Processor.” It is the Client’s sole responsibility to ensure it is duly registered as a Data Controller with the Office of the Data Protection Commissioner (ODPC) as required by law.

6. Client Obligations

The Client agrees to:

  1. Ensure its hardware, software, and internet connectivity meet the minimum requirements for accessing the Service.
  2. Manage its user accounts and be responsible for all activities conducted under those accounts.
  3. Use the Service in compliance with all applicable laws and the terms of this SLA and the Terms of Service.
  4. Provide timely and accurate information to Banda Health to facilitate the resolution of any reported incidents.

7. Commercial Terms & Training

  1. Training: Banda Health is committed to ensuring a smooth onboarding process by providing comprehensive training during the initial onboarding period, whether remotely or in person. During the initial training, we will train a designated system champion within the clinic to handle onboarding for any new staff. For any additional training needs, we provide support through detailed documentation, training videos, and, when necessary, online meetings to ensure users continue to receive the help they need.
  2. Customization: Banda Health uses a lean iterative approach to incorporating all user and stakeholder needs rather than customizing BandaGo for individual clinics’ needs. New features are released to all clients simultaneously.
  3. Pricing and Payment: Payment and pricing terms are detailed in the separate Service Agreement.

Exhibit B: Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between:

The Controller: The Clinic or Healthcare Facility subscribing to the BandaGo service (“the Clinic” or “Controller”).

and

The Processor: Banda Health, the provider of the BandaGo software-as-a-service solution (“Banda Health” or “Processor”).

This DPA is incorporated into and forms an integral part of the Service Agreement (“the Agreement”) between the Clinic and Banda Health for the use of the BandaGo platform (“the Service”).

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

  • “Agreement”: The Service Agreement, inclusive of all Exhibits, or other written and/or electronic agreement between the Clinic and Banda Health for the use of the Service.
  • “Data Protection Laws”: The Kenya Data Protection Act, 2019 (Act No. 24 of 2019) and any other applicable data protection laws and regulations.
  • “Data Controller” or “Controller”: The entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Clinic is the Data Controller.
  • “Authorized User”: Individuals (e.g., employees, contractors) who have been granted permission by the Controller to access personal data.
  • “Data Processor” or “Processor”: The entity which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Banda Health is the Data Processor.
  • “Data Subject”: An identified or identifiable natural person. In the context of the Service, this primarily refers to the Clinic’s patients and staff.
  • “Service Data”: All non-personal data and information provided by the Client during registration and subsequent use of the Service, and all other data and information about the Client that are otherwise discerned or collected by Banda Health based on the Client’s access and use of the Service.
  • “Personal Data”: Any identifiable information relating to a Data Subject that is processed by Banda Health as part of providing the Service under the Agreement. This includes, but is not limited to, names, contact details, identification numbers, and Sensitive Personal Data.
  • “Sensitive Personal Data”: Data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject. In the context of the Service, this primarily refers to patient health data.
  • “Processing”: Any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Personal Data Breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. Scope and Purpose of Processing

2.1. Processing Activities. Banda Health shall process Personal Data on behalf of the Clinic for the sole purpose of providing, maintaining, and improving the BandaGo Service as described in the Agreement.

2.2. Details of Processing of Clinic, patient, and staff data:

  • Duration: For the term of the Agreement, and until all Personal Data is returned or deleted in accordance with Section 11 of this DPA.
  • Nature and Purpose: To enable the Clinic to use the BandaGo platform for purposes including but not limited to clinic management, patient registration, electronic medical records (EMR), billing, and inventory management.
  • Types of Personal Data:
    • Personal Data, including Sensitive Personal Data, of patients
    • Personal Data including name, contact information, role, and user credentials of approved users.

  3. Roles and Obligations of the Parties

3.1. Processor’s Obligations. Banda Health, as the Data Processor, agrees to:

  • Process Personal Data only in accordance with agreement between the parties including this Data Processing Agreement, the Service Agreement, and any other specific written mandates concerning the processing of Personal Data.
  • Process Personal Data in accordance with applicable law.
  • Train and obligate its personnel authorised to process Personal Data to protect the confidentiality of such data.
  • Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 7 of this DPA.
  • Respect the conditions for engaging another processor (a “Sub-processor”) as referred to in Section 5.
  • Provide the Data Controller with administrative tools to manage and restrict users’ access to Personal Data, including but not limited to:
    • Authorized User Account Management: Enable the creation, modification, and deactivation of user accounts, allowing immediate access revocation upon termination of employment or contract.
    • Password Policies: Implement requirements for Authorized User password complexity and update frequency.
    • Role-Based Access Control (RBAC): Limit Authorized User access to the minimum data essential for their job functions.
  • Assist the Controller, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject’s rights as required by relevant Data Protection Laws.
  • Support the Controller in meeting its compliance responsibilities under Data Protection Laws, by providing relevant assistance for Data Protection Impact Assessments (DPIAs) upon reasonable request.
  • At the choice of the Controller, return Personal Data to the Controller or delete it after the end of the provision of services unless and to the extent the law permits or requires its retention.
  • Make available to the Controller, when Controller is legally required to demonstrate compliance with applicable Data Protection Laws, information necessary to demonstrate compliance with applicable Data Protection Laws.
  • Upon reasonable request, allow for and contribute to audits (including inspections) conducted by the Controller or another auditor mandated by the Controller at the sole expense of the Controller. Such audits shall be conducted during regular business hours, with reasonable advance notice, and subject to confidentiality obligations.

3.2. Controller’s Obligations. The Clinic, as the Data Controller, agrees to:

  • Ensure that its collection and processing of Personal Data is lawful and compliant with Data Protection Laws.
  • Be solely responsible for the accuracy, quality, and legality of the Personal Data, and the means by which it acquired the Personal Data, including the obtaining of explicit consent to collect Sensitive Personal Data.
  • Be solely responsible for properly using the administrative tools provided by the Data Processor to ensure that only authorized personnel have access to Personal Data, including but not limited to:
    • Creating, managing, and promptly deactivating user accounts. This includes immediately revoking access for any user whose employment or contract is terminated.
    • Using the provided tools to enforce password policies that meet or exceed the recommended standards for complexity and update frequency.
    • Configuring and maintaining role-based access controls to ensure that each authorized user can only access the minimum amount of Personal Data necessary to perform their specific job functions.
  • Provide all necessary notices and obtain and document all necessary consents from Data Subjects as required by Data Protection Laws for Banda Health to process Personal Data for the purposes described in the Agreement and this DPA.
  • Provide all necessary notices and reporting required by applicable government agencies and obtain all related approvals required by law.

4. Data Subject Rights

Banda Health shall promptly notify the Clinic if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (e.g., right of access, rectification, erasure, etc.). It is the Clinic’s obligation to respond to Data Subject requests. Banda Health shall not respond to any such request itself, except as required by applicable laws. Banda Health will provide the Clinic with reasonable cooperation and assistance.

5. Sub-processors

5.1. Authorization. Banda Health from time to time utilizes sub-processors to provide and maintain the Services and the Sites. By signing this Agreement, the Clinic agrees and consents to Banda Health’s use of Sub-processors to process Personal Data. Banda Health shall maintain an up-to-date list of its Sub-processors, which shall be made available to the Clinic upon request.

5.2. Obligations. Banda Health shall:

  • Enter into a written agreement with each Sub-processor containing data protection obligations that are no less protective than those in this DPA.
  • Remain responsible to the Clinic for the performance of the Sub-processor’s data protection obligations.

6. Data Transfers

Banda Health’s hosting provider may be located in a country or territory outside of Kenya and therefore Banda Health may need to transfer Personal Data outside of Kenya to provide the Services. Clinic agrees to such data transfer. Banda Health will ensure that the transfer is compliant with Data Protection Laws and that appropriate safeguards are in place to protect the Personal Data.

7. Security Measures

7.1. Overall Security Program: Banda Health maintains industry-standard security measures to protect Personal Data, Service Data and the BandaGo Platform. Banda Health’s overall security program includes the following key components:

7.1.1. Secure Software Development Lifecycle: Banda Health is responsible for implementing and maintaining a secure software development lifecycle for all updates, enhancements, and maintenance of the BandaGo Platform to minimize security vulnerabilities.

7.1.2. Incident Response Plans: Banda Health is responsible for establishing and maintaining comprehensive incident response plans for the detection, investigation, containment, and remediation of any Security Incident or Data Breach affecting the BandaGo Platform, Personal Data, or Service Data. Banda Health shall notify the Client without undue delay upon becoming aware of a Data Breach affecting the Client’s Personal Data, in accordance with the Data Processing Addendum and applicable Data Protection Laws.

7.1.3. Physical Security of Data Centers: Banda Health utilizes third-party cloud service providers to host the BandaGo Platform. As such, the physical and environmental security of the servers and infrastructure is the responsibility of these providers. Banda Health commits to engaging reputable cloud providers who maintain industry-standard security certifications (such as ISO 27001, SOC 2, or equivalent) and who implement robust measures to protect against unauthorized access, damage, and environmental hazards.

7.1.4. Network Security Practices: Banda Health implements robust network security practices, which include, but are not limited to:

  • Encryption of data at rest and in transit using industry-standard cryptographic protocols, as required for the protection of Personal Data and Service Data under the Data Processing Addendum.
  • Implementation of firewalls.
  • Regular testing, assessing, and evaluating the effectiveness of technical and organisational measures to identify and address potential security weaknesses, contributing to the overall security posture required by the Data Processing Addendum.

7.1.5. Access Controls: Banda Health implements strict access control mechanisms, including role-based access controls, to limit access to the BandaGo Platform, Personal Data and Service Data only to authorized individuals based on the principle of least privilege, in accordance with the requirements of the Data Processing Addendum for limiting access to Personal Data.

7.1.6. Compliance by Design: Banda Health warrants that the BandaGo Platform is and will continue to be designed and operated with data protection principles such as data minimization, privacy by design, and privacy by default at its core, in alignment with applicable Data Protection Laws.

7.1.7. Alignment with Data Protection Laws: Banda Health’s overall security program, including the measures detailed in this Section 7, is designed and implemented to comply with the requirements of the Kenya Data Protection Act, 2019, and other applicable data protection laws, particularly with regard to the protection of Personal Data.

7.1.8. Data Retention and Disposal Policies: Banda Health maintains and adheres to policies for the retention and secure disposal of Service Data and Personal Data. Service Data and Personal Data will be securely disposed of when no longer necessary for the provision of the BandaGo Platform or upon the Client’s request, subject to legal and regulatory requirements.

7.1.9. Employee Training and Awareness: Banda Health commits to providing regular security training and awareness programs for all employees who have access to the BandaGo Platform, Service Data or Personal Data to ensure they understand their responsibilities regarding data security and protection.

7.1.10. Client’s Security Obligations: The Client acknowledges and agrees to be responsible for maintaining the security of its access credentials, implementing appropriate security measures on its end-user devices, and promptly reporting any suspected security incidents or unauthorized access to Banda Health. Further Client obligations are detailed in Section 8 (Client Obligations and Conduct).

7.1.11. Sub-Processor Security: Where Banda Health engages sub-processors in the provision of the BandaGo Platform that process Service Data and Personal Data, Banda Health shall ensure that such sub-processors are bound by written agreements that require them to maintain security measures no less protective than those set forth herein and in compliance with applicable Data Protection Laws.

7.1.12. Audit Rights: Upon reasonable written request and no more than once per year, Banda Health shall cooperate with Client’s reasonable requests for information to demonstrate compliance with this Security Section, which may include providing executive summaries of security audits or certifications. Any direct audit rights of the Client shall be limited to third-party audits arranged and overseen by Banda Health, at Client’s reasonable expense, to ensure the confidentiality and integrity of Banda Health’s systems and data.

7.2 Personal Data: Banda Health shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall include, as appropriate:

  • The encryption of Personal Data.
  • The implementation of processes for timely restoration of access to Personal Data in the event of a physical or technical incident.
  • The implementation of processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • The use of access controls to limit access to Personal Data to authorised personnel only.

8. Personal Data Breach

In the event of a Personal Data Breach, Banda Health shall notify the Clinic without delay after becoming aware of the breach. Banda Health shall provide the Clinic with sufficient information to enable the Clinic to meet its obligations to report the Personal Data Breach to the Data Protection Commissioner and notify affected Data Subjects.

9. Limitation of Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

10. Term and Termination

This DPA shall commence on the date of the Agreement and shall continue until the Agreement is terminated by the Client or by Banda Health. Upon termination, the Clinic may request the return of all Personal Data within 90 days. If requested within this period, Banda Health shall return all Personal Data to the Clinic in CSV format after the end of the provision of services relating to processing. At the 90-day mark following termination, all identified Personal Data will be deleted, and within the subsequent 90 days, identified Personal Data will be removed from all backup copies, unless and to the extent the law permits or requires its retention.

11. Retention of Anonymized Data

The Processor may retain data for research and analytics only if it has been irreversibly anonymized to a standard where individuals are no longer identifiable, at which point it ceases to be personal data.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Kenya.