Data Handling Policy: Ravora Systems

Managed & Operated by: Siscom Technology

Effective Date: [Insert Date]

1. POLICY OVERVIEW

This Data Handling Policy outlines the internal procedures, technical safeguards, and governance frameworks used to manage personal data collected via the Ravora Systems platform. This policy ensures compliance with the Data Protection Act (2019) and the Data Protection (General) Regulations (2021) of Kenya.

2. DESIGNATION OF DATA ROLES

For the purposes of this policy and all operations conducted under the Ravora Systems brand:

  • Data Controller & Processor: Siscom Technology is hereby designated as the primary Data Controller and Data Processor.
  • Scope of Authority: Siscom Technology determines the purposes and means of processing personal data and implements the technical and organizational measures to protect such data.
  • Accountability: Any data subject requests, inquiries, or regulatory reporting to the Office of the Data Protection Commissioner (ODPC) shall be managed by Siscom Technology.

3. DATA COLLECTION AND MINIMIZATION

3.1 Principles of Collection

Siscom Technology adheres to the principle of Data Minimization. We only collect data that is strictly necessary for the fulfillment of e-commerce transactions, including:

  • Full Name and Contact Details.
  • Geographic location for delivery fulfillment.
  • Transaction identifiers (M-Pesa/Bank reference codes).

3.2 Prohibited Data

Unless specifically required by law for high-value transactions (Anti-Money Laundering protocols), Siscom Technology does not collect or store sensitive personal data such as religious beliefs, political affiliations, or biometric data.

4. TECHNICAL SECURITY MEASURES

As the technical lead, Siscom Technology implements "Security by Design" through the following:

  • Encryption: All data in transit is protected via TLS/SSL encryption. Data at rest is stored in encrypted databases.
  • Access Control: Access to Ravora Systems' customer data is restricted via Role-Based Access Control (RBAC). Only authorized Siscom Technology engineers and customer fulfillment officers have access to PII (Personally Identifiable Information).
  • Anonymization: For the purposes of sales analytics and business intelligence, data is anonymized to ensure individual customers cannot be identified.

5. DATA STORAGE AND LOCALIZATION

5.1 Kenyan Data Localization

In compliance with the Data Protection (General) Regulations, Siscom Technology ensures that all data related to the strategic interests of Kenya or critical infrastructure is processed and stored on servers located within the Republic of Kenya, unless otherwise authorized by the Data Commissioner.

5.2 Backup Protocols

Automated backups are performed daily to ensure data availability and resilience. These backups are stored in secure, off-site locations within Siscom Technology's private cloud infrastructure.

6. DATA SHARING AND THIRD-PARTY TRANSFERS

6.1 Logistics Partners

Data may be shared with third-party couriers. Siscom Technology ensures that these partners are bound by Data Processing Agreements (DPAs) that prevent them from using customer data for any purpose other than delivery.

6.2 Law Enforcement

Siscom Technology will only disclose personal data to Kenyan government authorities upon receipt of a valid court order or a formal request that meets the threshold of the Criminal Procedure Code and the Data Protection Act.

7. DATA RETENTION AND DISPOSAL

  • Active Data: Retained for the duration of the customer's relationship with Ravora Systems.
  • Statutory Retention: Financial records are retained for seven (7) years to comply with Kenya Revenue Authority (KRA) audits.
  • Secure Disposal: Once the retention period expires, data is permanently deleted from servers using industry-standard wiping tools. Physical records (if any) are cross-cut shredded.

8. BREACH NOTIFICATION

In the event of a security breach, Siscom Technology—as the Data Controller—assumes responsibility for:

  • Notifying the ODPC within 72 hours of becoming aware of the breach.
  • Communicating the breach to affected customers where there is a high risk of identity theft or fraud.
  • Initiating a forensic audit to prevent recurrence.

9. GOVERNANCE AND COMPLIANCE

Siscom Technology shall conduct periodic Data Protection Impact Assessments (DPIAs) for any new technology or process introduced to the Ravora Systems platform that may pose a high risk to the rights and freedoms of data subjects.

10. CONTACT INFORMATION

For all data-related inquiries, Ravora Systems can be reached at:

The Data Protection Officer

Ravora Systems

Email: info@ravorasystems.com

Tel: 0116 045 045

Address: Nairobi, Kenya