1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Votrack Inc. ("Votrack", the "Processor") and the subscribing entity ("Controller", "you") for the provision of the Votrack election vote tracking platform and related services ("Services").
Votrack is registered with Kenya's Office of the Data Protection Commissioner (ODPC) as both a data controller (for its own processing activities) and a data processor (when processing personal data on behalf of subscribers) under the Data Protection Act, 2019.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in the Data Protection Act, 2019
- "Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion
- "Data Subject" means an identified or identifiable natural person whose personal data is processed
- "Sub-processor" means a third party engaged by the Processor to process personal data on behalf of the Controller
3. Scope and Purpose of Processing
3.1 Role of Parties
The Controller (campaign, political party, or organization) determines the purposes and means of processing personal data through the Votrack platform. Votrack acts as the Processor, processing personal data solely on the Controller's instructions and for the purpose of providing the Services.
3.2 Categories of Data Subjects
The following categories of data subjects' personal data may be processed:
- Controller's polling agents deployed to polling stations
- Controller's coordinators and administrative users
- Election candidates (names and party affiliations as public record)
3.3 Types of Personal Data
- Identity data (full names, national ID numbers)
- Contact data (phone numbers, email addresses)
- Authentication data (Telegram chat IDs, USSD session identifiers)
- Location data (assigned polling station, county, constituency, ward)
- Photographic data (agent passport photos, Form 34A images, incident photos)
- Activity data (vote submissions, attendance records, station status changes)
- Audit data (timestamps, IP addresses, submission channels, action logs)
4. Processing Instructions
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Not process personal data for any purpose other than providing the election tracking Services
- Inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Act, 2019
- Ensure that persons authorized to process personal data have committed to confidentiality
5. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. Current sub-processors include:
| Sub-processor | Purpose | Data Processed |
| --- | --- | --- |
| Cloud hosting provider | Infrastructure and data storage | All platform data |
| USSD gateway provider | USSD result submission channel | Phone numbers, session data |
| SMS gateway provider | OTP delivery and notifications | Phone numbers, message content |
| Telegram | Telegram bot for result submission | Chat IDs, usernames, messages |
| Google Analytics | Website and platform analytics | Anonymized usage data |
| Hotjar | User behaviour analytics and heatmaps | Anonymized interaction data |
The Processor shall notify the Controller before adding or replacing sub-processors, giving the Controller the opportunity to object.
6. Security Measures
The Processor implements the following technical and organizational measures:
- Database isolation — Each subscriber's data is stored in a separate, isolated database
- Access control — Role-based permissions with fine-grained access levels
- Authentication — Multi-factor verification (OTP via SMS and email, ID number validation, Telegram identity check)
- Encryption — TLS/SSL for data in transit; encrypted storage for sensitive fields (Telegram bot tokens)
- Audit logging — Comprehensive logging of all data access and modifications with user, timestamp, and IP address
- Authentication logging — All login/logout events recorded with IP address, user agent, and timestamp
- Session management — Automatic session expiry and idle timeout across all channels (web: 2 hours, Telegram: 15 minutes)
- USSD security — Request signature validation, rate limiting (30 requests/minute per phone), and identity verification with lockout after 3 failed attempts
7. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay, and within 72 hours of becoming aware of the breach
- Provide details of the breach including categories of data affected, approximate number of data subjects, and likely consequences
- Take immediate steps to contain and remediate the breach
- Cooperate with the Controller in notifying the ODPC and affected data subjects where required
8. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability) by providing relevant data and technical cooperation within reasonable timeframes.
9. Data Return and Deletion
Upon termination of the service agreement:
- The Controller may request export of all their data within 30 days
- Data will be provided in structured, machine-readable formats (CSV, Excel, JSON)
- After the 30-day period, the Processor shall securely delete the Controller's data unless retention is required by law
- The Processor shall certify deletion upon request
10. Audits
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations. The Processor shall make available all information necessary to demonstrate compliance.
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
12. Contact
For DPA-related inquiries:
Last updated: March 2026