Terms & Conditions

1. Definitions 

 

“Benzion Investments Limited” or “The Company” means Benzion Investments Limited, a registered company.

“data” means information which –

a) is processed by means of equipment operating automatically in response to instructions given for that purpose;

b) is recorded with the intention that it should be processed by means of such equipment;

c) is recorded as part of a relevant filing system;

d) where it does not fall under the paragraphs above, forms part of an accessible record; or

e) is recorded information which is held by a public entity and does not fall within any of the paragraphs above.

“data controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;

“Data Protection Act” or the “DPA” means the Data Protection Act No. 24 of 2019 and all subsequent regulations, under the Laws of Kenya as amended from time to time;

“GDPR” means the General Data Protection Regulation (EU) 2016/679;

“personal data” means any information relating to an identified or identifiable natural person;

“processor” means a natural or legal person, authority, organization or other agency that processes personal data on behalf of the controller.

 

2. Who we are

Benzion Investments Limited is a FinTech company that offers a comprehensive product suite for Small and Medium Enterprises (SMEs) and Corporates.

 

3. Personal data and other information collected

This Data Protection Policy helps explain the thinking behind the information (including correspondence) and practices with regard to the information we process to support the provision of the services offered through our product suite. A good illustration is the information we collect for business purposes and how this affects you as our client. The Policy explains the steps we take as a Company to protect your privacy and comply with the GDPR, Data Protection Act No. 24 of 2019, and any other applicable data protection legislation.

The Company must receive and collect some information in order to operate, provide, improve, understand, customize, support, and market our product suite and services. This also includes any personal data collected when you install, access, or use our product suite. The type of information we receive and collect depends on how you use our product suite and services. In certain circumstances it may be lawful for the Company to continue processing information even where consent has been withdrawn, in the event that a legal basis is applicable.

This Data Protection Policy applies to all Benzion Investments Limited services and products, unless specified otherwise. All Terms and Conditions, which describe the terms under which you access and use our product suite and services, apply to this Policy.

 

4. Information provided by our clients and third party information

This Policy also applies to any information you provide the Company including but not limited to your basic information, customer data, profile name and picture, personal contact details including e-mail addresses and telephone numbers, biometric data, financial information and all information obtained from third parties, including those from publicly available sites.

 

5. Automatically collected information

This Policy also applies to all usage and log information, device, connection and location information and cookies as specified below.

Cookies

The Company uses cookies to operate and provide our services, including to provide services that are web-based, improve your experiences, understand how our services and product suite are being used and customize our product suite. As an example, if you leave a comment on our site you may opt in to saving your name, e-mail address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for a specified amount of time that will be communicated to you, once on our site. Other examples include using your account to log in to our site or product suite, setting a temporary cookie that is determined by your browser accepting the cookie. This temporary cookie contains no personal data and is discarded when you close your browser.

 

6. How we use your data

The Company uses the data provided, with your consent, to operate, provide, improve, understand, customize, support, and market our product suite and services.

 

 

7. Analytics

The Company may use a number of analytical tools and products to collect visitors’ data. We will provide a link to the Privacy Policy of any analytical products utilized, in the event you would like to opt out or install any add-ons onto your browser.

 

8. Information sharing

All personal data is kept confidential. In certain instances, in order to enable the service of your needs and meet legal obligations, we may share any information you provide to us within our group of companies and their agents, counterparties, support service or data providers, and government authorities or agents (when legally required), wherever located. In the event you have provided information to other members of our group of companies, those entities may also share that information with us. We will ensure that if we share such information with third parties, any such disclosure is at all times in compliance with the GDPR, DPA, as well as any other relevant Data Protection Legislation.

To assist with the provision of our services through our product suite, your data will be processed internally and externally by other third parties. We use third parties for administrative, servicing, monitoring and storage of your data. This Policy will also apply to any information shared with third parties.

 

9. Data Retention

The Company will only keep the information we collect about you on our systems or with third parties for as long as required for the purposes set out above or as required to comply with any legal obligations the Company is subject to. This will involve the Company regularly reviewing our files to check that information is accurate and is still required. We will destroy or delete data after statutory timelines lapse. However, we may retain your information, or information relating to your account after you cease to be a customer for longer than this, provided it is necessary for a legal, regulatory, fraud prevention or other legitimate business purpose.

 

10. Rights over your data

If you have an account on our site or product suite, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we delete any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

 

11. Updates to our Data Protection Policy

The Company will notify you when any changes to this Policy are made and give you the opportunity to review the revised Policy before you choose to continue using our product suite and services.

 

 

12. Contact information

Please contact our legal team with any privacy concerns you may have. 

CYBER SECURITY BACKGROUND.

The Company’s business operations thrive on technological platforms. That makes the Company susceptible to the threat of cyber-attacks. Cyber security is not limited to a particular department of the business; it is an enterprise problem. It requires an interdisciplinary approach to address the various cyber security risks arising from different sources, both within the organization and external to it.

SCOPE.

This policy applies to all employees, contractors and third party service providers working at THE COMPANY.

OBJECTIVE

The objective of the cyber security policy is to provide THE COMPANY with an approach to managing cyber risk and directives for the protection of information assets to all units, and those contracted to provide services.

OWNERSHIP.  

The Board of Directors of THE COMPANY are the owners of this policy and are ultimately responsible for cyber security.

PERIODIC REVIEW 

The policy shall be reviewed every one year or at any time when any major change in regulation occurs impacting on the processes and procedures and must always be approved by the Board.

Laws and Regulations

• Banking and Financial Services Act 7, 2017

• Data Protection Act 3, 2021

• Cyber Security and Cybercrimes Act 2, 2021

 

CYBER SECURITY GOVERNANCE

Cyber security governance comprises leadership, organizational structures, and processes that protect assets and mitigate ever-growing cyber threats. Pertinent outcomes of cyber security governance include, but are not limited to:

• Alignment of cyber security with business strategy to support organizational goals

• Management and mitigation of cyber risks and reduction of potential impact of cyber-attacks

• Management of performance of cyber security by measuring, monitoring, and reporting

• Optimization of cyber security investment in support of organization goals

 

ROLES AND RESPONSIBILITIES

BOARD RISK COMMITTEE

The role of the Board risk committee shall, inter alia, include the following:

1. Formulate the cyber security risk strategy

2. Approve the cyber security policy, which shall include:

   • A framework for identification of internal and external risks faced by the business

   • Measures for cyber risk mitigation including systems, processes and procedures for internal control of the identified cyber risk

3. To set the tone at the top and delegate their responsibilities to the senior management for implementation

4. To ensure that the appropriate methodology, process and systems are in place to monitor and evaluate the cyber risk

SENIOR MANAGEMENT

• Senior Management has the primary responsibility to own the implementation of the Board approved cyber security policy.

• Ensure that sufficient controls, including appropriate systems, processes and procedures, are in place in each business unit to comply with the obligations contained in the legislation and the Institution's frameworks and internal rules.

• Senior Management’s clear support is also required to enable the IT function and Internal Auditors to fulfil their roles and responsibilities with regard to the laws governing cyber risk control and the Institution's framework and internal rules.

• Provision of necessary resources for successful implementation of the risk policy.

• To monitor and oversee the implementation of the cyber risk policy, including evaluating the adequacy of the cyber risk management systems.

INTERNAL AUDITOR

The internal auditors shall ensure that they thoroughly examine the systems, policies and procedures on a periodic basis to provide assurance on the adequacy of the internal controls put in place to counter cyber risk to the business. The audit report shall be tabled at the risk management committee.

INFORMATION/CYBER SECURITY OFFICER

• The I/CSO shall be responsible for the implementation of the cyber risk policy across the business.

• Review the cyber risk policy/procedures and suggest improvements

• Coordinate cyber security meetings

• Facilitate training for all members of staff and ensure records of training are well maintained for future reference.

• Facilitate and conduct cyber security risk assessments and recommend mitigation controls

• Promote security awareness amongst employees

EMPLOYEES

• Employees are expected to comply with this policy and any additional controls, processes and procedures that may be implemented.

• Employees will be subjected to continuous training interventions with regard to cyber security controls, trends and related matters to ensure that they are able to effectively protect themselves and the Institution against any attempt to utilize the Institution and its systems for the purposes of any unlawful activity.

• Employees must ensure that they complete all related training and have a thorough understanding of the material.

Cyber Risk Management Procedure

A detailed risk assessment for cyber risk shall be undertaken in order to identify threats, extent of vulnerability to those threats, the likelihood and potential impact should the threat mature into a vulnerability. This assessment shall determine acceptable, transferable, and avoidable risk.

• Data Classification

To ensure that confidentiality, integrity and availability of information is maintained, a data classification shall be designed.

• Acceptable IT Usage

The policy shall be prepared and implemented to ensure that all staff at THE COMPANY are aware of their responsibilities towards acceptable use of IT assets.

• Email Security Guidelines

THE COMPANY shall implement effective systems and procedures to ensure emails are used as an efficient mode of business communication and implement control procedures to limit abuse.

• Internet and Intranet Guidelines

THE COMPANY should utilize the internet as a medium to carry out business efficiently. Users must understand that any connection to the internet offers an opportunity for unauthorized users to view or access company and customer information.

• Password and Security Guidelines

THE COMPANY shall establish a standard for the creation of strong passwords and the protection of those passwords. The exercise will be extended to all customers.

• Change Management Policy

Changes to IT facilities and systems should be controlled in order to ensure that changes made to the production components are applied in a secure and consistent manner.

• Anti-Virus Policy

Viruses, Trojans and worms are malicious programs, called malware, that corrupt or destroy data or may spread confidential information to unauthorized recipients, resulting in loss of confidentiality, integrity and availability of the information. The policy shall be galvanized to enhance security of the data of THE COMPANY.

• Backup and Recovery Policy

In order to safeguard information and computing resources from business and environmental threats, systems and procedures shall be developed for backup of all business data.

• Log and Audit Trail Policy

The log and audit trail policy addresses the framework for logging and auditing operating system events, application events, database events in the local network and network events. Backup and recovery procedures shall be automated where possible with system.

• Version Control Policy

The version control policy at THE COMPANY addresses implementing, managing, and controlling the changes in versions of application systems. The aim of the policy is to ensure uniformity in versions running across THE COMPANY and to maintain up-to-date documentation for the entire version change process.

• Encryption Policy

In the current environment of increasingly open and interconnected systems and networks, appropriate guidelines shall be established to safeguard customer and company information from cyber-attacks.

• Security Awareness

All employees of THE COMPANY and, where necessary, contractors and third-party users shall receive appropriate awareness training and regular updates in organizational policy and procedures.