Data Processing Addendum (DPA)

Effective Date: 1 July 2026

This Data Processing Addendum (“DPA”) forms part of the Kafunda Terms of Service between Sprint S.P Telecom (“Sprint”, the “Processor”) and the Organisation (“Controller”). It governs Sprint's processing of personal data on the Organisation's behalf when the Organisation uses Kafunda to operate hotspot or PPPoE service for its own end users.

Where this DPA conflicts with the Terms of Service on a matter of data processing, this DPA governs.

1. Roles

The Organisation is the data controller for personal data belonging to its end users, the individuals who buy hotspot vouchers or subscribe to PPPoE service through the Organisation's network. The Organisation decides why that data is collected and what it is used for: authenticating access, billing, and managing the Organisation's own customer relationships.

Sprint is the data processor for that data. Sprint processes it only to provide the platform functionality the Organisation has configured, and does not use it for any other purpose.

For its own account and business data (the Organisation's registered contact details, staff accounts, wallet, and platform fee records), Sprint is the data controller.

2. Categories of data processed

Sprint processes the following categories of end-user personal data on the Organisation's instructions:

  • Phone number, submitted at the point of payment for mobile money processing.
  • Device identifiers and connection details, collected automatically when a device connects to the Organisation's network.
  • Session records: connection time, disconnection time, and data volume used, generated for billing and network management.
  • Voucher codes and PPPoE usernames, generated by the platform or supplied by the Organisation.
  • For PPPoE subscribers specifically, whatever additional identifying information the Organisation chooses to record against a subscriber, entered by the Organisation's own staff.

Sprint does not collect special categories of personal data as defined under the Data Protection and Privacy Act, 2019: health, political opinion, religious belief, or sexual life. The Organisation must not enter any such data into the platform.

3. Purpose and instructions

Sprint processes end-user data only:

  • To authenticate hotspot and PPPoE sessions.
  • To process mobile money payments through Yo! Payments and reconcile them against vouchers, invoices, or subscriber accounts.
  • To generate the usage and billing reports the platform exposes to the Organisation.
  • To detect and prevent fraud or abuse of the platform, including duplicate voucher redemption and payment fraud.
  • To provide technical support when the Organisation raises a support request that requires Sprint to inspect specific records.

Sprint will not process end-user data for any purpose outside this list without the Organisation's documented instruction, except where required by Ugandan law. Where the law requires it, Sprint will inform the Organisation before complying unless the law prohibits that notice.

4. Sub-processors

Sprint uses the following sub-processors in connection with Kafunda:

Sub-processorPurposeData shared
Yo! PaymentsMobile money collection and disbursementPhone number, transaction amount, transaction reference
Hetzner Cloud & AWSDatabase and application hostingAll platform data, encrypted at rest
Cloudflare (R2)Storage of portal assets and exported reportsFiles the Organisation or its end users generate through the platform

Sprint will notify the Organisation at least thirty days before adding a new sub-processor with access to end-user personal data, and will give the Organisation the opportunity to object on reasonable data protection grounds.

Where a sub-processor stores or processes data outside Uganda, Sprint will ensure that sub-processor maintains protections for that data equivalent to those required under the Data Protection and Privacy Act, 2019, consistent with section 19 of that Act.

5. Security

Sprint maintains the following measures over end-user personal data:

  • Encryption of data in transit and encryption of stored credentials at rest.
  • Access to production data restricted to staff who require it for support or operations, logged and reviewed.
  • Network-level isolation of authentication systems from public access.
  • Regular review of these measures as the platform's data footprint changes.

6. Breach notification

Sprint will notify the Organisation without undue delay, and in any event within seventy-two hours, of becoming aware of a confirmed unauthorised access to or disclosure of end-user personal data. The notification will describe, to the extent then known, the nature of the breach, the categories and approximate number of end users affected, and the steps Sprint is taking in response.

The Organisation remains responsible for its own notification obligations to the National Information Technology Authority, Uganda, and to affected end users, as required under section 23 of the Data Protection and Privacy Act, 2019. Sprint will provide reasonable assistance to the Organisation in meeting those obligations.

7. Assistance with data subject rights

Where an end user contacts Sprint directly to exercise a right under the Data Protection and Privacy Act, 2019, such as access, correction, or deletion of their data, Sprint will refer the request to the relevant Organisation and provide the technical means for the Organisation to respond, since the Organisation is the controller of that relationship. Sprint will not act on such a request directly without the Organisation's instruction, except where the request concerns data for which Sprint is itself the controller.

8. Retention and deletion

Sprint retains end-user personal data for as long as the Organisation's account is active, plus the retention period the Organisation configures for vouchers, sessions, and subscriber records, subject to any minimum retention period required by law, including financial record-keeping requirements applicable to mobile money transactions.

On termination of the Organisation's account, Sprint will delete or anonymise end-user personal data within 30 days, except data Sprint is required to retain by law, which will be retained only for the required period and for no other purpose.

9. Audit

The Organisation may request a written summary of Sprint's security measures and sub-processor arrangements once per year. Sprint will provide independent audit evidence, such as a penetration test summary, where one exists and is available for disclosure.

10. Liability

Liability arising under this DPA is subject to the limitation of liability set out in the Terms of Service, except in respect of breach notification obligations under section 6, where Sprint's obligation to notify is not subject to that limitation.