Last updated: 6 March 2026
Entity: Fusion Labs Limited (Budj)
Version: 1.0
1. Introduction
This document outlines the steps to be taken in the event of a personal data breach at Fusion Labs Limited, in compliance with the Data Protection Act, 2019 (Kenya).
2. Definition of a Data Breach
A "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
3. Immediate Response (Within 24 Hours)
- Identification: Bug detected via Sentry, user report, or internal monitoring.
- Containment: Technical team (DevOps/Security) to immediately isolate affected systems or revoke compromised credentials.
- Assessment: Determine the scale of the breach and types of data involved (e.g., identity, financial, or technical).
4. Notification Requirements
A. Notification to the Data Commissioner (ODPC)
If a breach poses a high risk to the rights and freedoms of data subjects, Budj will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach.
B. Notification to Data Subjects
Affected users or merchants will be notified without undue delay if the breach is likely to result in a high risk to their rights (e.g., identity theft or financial loss).
5. Investigation and Remediation
- Conduct a root-cause analysis.
- Close the vulnerability that led to the breach.
- Update security protocols and provide additional staff training if necessary.
6. Recording
All data breaches, regardless of scale, must be recorded in an internal Data Breach Register, detailing:
- Facts of the breach.
- Effects of the breach.
- Remedial actions taken.
7. Contact Point
Data Protection Officer:
- Email: support@budj.app
- Phone: +254 711 455 555