Terms & Conditions
1. Definitions
“Benzion Investments Limited” or “The Company” means Benzion Investments Limited, a registered company.
“data” means information which –
a) is processed by means of equipment operating automatically in response to
instructions given for that purpose;
b) is recorded with the intention that it should be processed by means of such
equipment;
c) is recorded as part of a relevant filing system;
d) where it does not fall under the paragraphs above, forms part of an accessible
record; or
e) is recorded information which is held by a public entity and does not fall within any
of the paragraphs above.
“data controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;
“Data Protection Act” or the “DPA” means the Data Protection Act No. 24 of 2019 and all subsequent regulations, under the Laws of Kenya as amended from time to time;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“personal data” means any information relating to an identified or identifiable natural person;
“processor” means a natural or legal person, authority, organization or other agency that processes personal data on behalf of the controller.
2. Who we are
Benzion Investments Limited is a FinTech company that offers a comprehensive product
suite for Small and Medium Enterprises (SMEs) and Corporates.
3. Personal data and other information collected
This Data Protection Policy helps explain the thinking behind the information (including
correspondence) and practices, with regard to the information we process to support the
provision of the services offered through our product suite. A good illustration is the
information we collect for business purposes and how this affects you as our client. The
Policy explains the steps we take as a Company to protect your privacy and comply with the GDPR, Data Protection Act No. 24 of 2019, and any other applicable data protection
legislation.
The Company must receive and collect some information in order to operate, provide, improve, understand, customize, support, and market our product suite and services. This also includes any personal data when you install, access, or use our product suite. The type of information we receive and collect depends on how you use our product suite and services. In certain circumstances it may be lawful for the Company to continue processing information even where consent has been withdrawn, in the event that a legal basis is applicable.
This Data Protection Policy applies to all Benzion Investments Limited services and products, unless specified otherwise. All Terms and Conditions, which describe the terms under which you access and use our product suite and services, apply to this Policy.
4. Information provided by our clients and third party information
This Policy also applies to any information you provide the Company including but not
limited to your basic information, customer data, profile name and picture, personal contact details including e-mail addresses and telephone numbers, biometric data, financial information and all information obtained from third parties, including those from publicly available sites.
5. Automatically collected information
This Policy also applies to all usage and log information, device, connection and location
information and cookies as specified below.
Cookies
The Company uses cookies to operate and provide our services, including to provide services that are web-based, improve your experiences, understand how our services and product suite are being used and customize our product suite. As an example, if you leave a comment on our site you may opt in to saving your name, e-mail address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for a specified amount of time that will be communicated to you, once on our site. Other examples include using your account to log in to our site or product suite, setting a temporary cookie that is determined by your browser accepting the cookie. This temporary cookie contains no personal data and is discarded when you close your browser.
6. How we use your data
The Company uses the data provided, with your consent, to operate, provide, improve,
understand, customize, support, and market our product suite and services.
7. Analytics
The Company may use a number of analytical tools and products to collect visitors’ data.
We will provide a link to the Privacy Policy of any analytical products utilized, in the event
you would like to opt out or install any add-ons onto your browser.
8. Information sharing
All personal data is kept confidential. In certain instances, in order to enable the service of your needs and meet legal obligations, we may share any information you provide to us
within our group of companies and their agents, counterparties, support service or data
providers, and government authorities or agents (when legally required), wherever located. In the event you have provided information to other members of our group of companies, those entities may also share that information with us. We will ensure that if we share such information with third parties, any such disclosure is at all times in compliance with the GDPR, DPA, as well as any other relevant Data Protection Legislation. To assist with the provision of our services through our product suite, your data will be processed internally and externally by other third parties. We use third parties for administrative, servicing, monitoring and storage of your data. This Policy will also apply to any information shared with third parties.
9. Data Retention
The Company will only keep the information we collect about you on our systems or with
third parties for as long as required for the purposes set out above or as required to
comply with any legal obligations the Company is subject to. This will involve the Company regularly reviewing our files to check that information is accurate and is still required. We will destroy or delete data after statutory timelines lapse. However, we may retain your information, or information relating to your account after you cease to be a customer for longer than this, provided it is necessary for a legal, regulatory, fraud prevention or other legitimate business purpose.
10. Rights over your data
If you have an account on our site or product suite, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we delete any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
11. Updates to our Data Protection Policy
The Company will notify you when any changes to this Policy are made and give you the
opportunity to review the revised Policy before you choose to continue using our product
suite and services.
12. Contact information
Please contact our legal team with any privacy concerns you may have.
CYBER SECURITY BACKGROUND.
The Company’s business operations thrive on technological platforms. That makes the Company susceptible to the threat of cyber-attacks. The problem of cyber security is not limited to a particular department of the business; it is an enterprise problem. It requires an interdisciplinary approach to address the various cyber security risks arising from different sources, both within the organization and external.
SCOPE.
This policy applies to all employees, contractors and third party service providers working at THE COMPANY.
OBJECTIVE
The objective of the cyber security policy is to provide THE COMPANY an approach to managing cyber risk and directives for the protection of information assets to all units, and those contracted to provide services.
OWNERSHIP.
The Board of Directors of THE COMPANY are the owners of this policy and are ultimately responsible for cyber security.
PERIODIC REVIEW
The policy shall be reviewed every one year or at any time when any major change in
regulation occurs impacting on the processes and procedures and must always be approved by the Board.
Laws and Regulations
• Banking and Financial Services Act 7, 2017
• Data Protection Act 3, 2021
• Cyber Security and Cybercrimes Act 2, 2021
CYBER SECURITY GOVERNANCE
Cyber security governance comprises leadership, organizational structures, and processes that protect assets and mitigate ever-growing cyber threats. Pertinent outcomes of cyber security governance include, but are not limited to:
• Alignment of cyber security with business strategy to support organizational goals
• Management and mitigation of cyber risks and reduction of potential impact of
cyber-attacks.
• Management of performance of cyber security by measuring, monitoring, and
reporting
• Optimization of cyber security investment in support of organization goals
ROLES AND RESPONSIBILITIES
BOARD RISK COMMITTEE
The role of the Board risk committee shall, inter alia, include the following:
1. Formulate the cyber security risk strategy
2. Approve the cyber security policy, which shall include:
• A framework for identification of internal and external risks faced by the business
• Measures for cyber risk mitigation including systems, processes and procedures for
internal control of the identified cyber risk.
3. To set the tone at the top and delegate their responsibilities to the senior
management for implementation
4. To ensure that the appropriate methodology, process and systems are in place to
monitor and evaluate the cyber risk
SENIOR MANAGEMENT
• Senior Management has the primary responsibility to own the implementation of
the Board approved cyber security policy.
• Ensure that sufficient controls, including appropriate systems, processes and
procedures are in place in each business unit to comply with the obligations
contained in the legislation and the institution's frameworks and internal rules.
• Senior Management’s clear support is also required to enable the IT function and
Internal Auditors to fulfil their roles and responsibilities with regards to the laws
governing cyber risk control and the Institution's framework and internal rules.
• Provision of necessary resources for successful implementation of the risk policy
• To monitor and oversee the implementation of the cyber risk policy including
evaluating the adequacy of the cyber risk management systems;
INTERNAL AUDITOR
The internal auditors shall ensure that they thoroughly examine the systems, policies,
procedures on a periodical basis to provide assurance on the adequacy of the internal
controls put in place to counter cyber risk to the business. The audit report shall be tabled at the risk management committee.
INFORMATION/CYBER SECURITY OFFICER
• The I/CSO shall be responsible for the implementation of the cyber risk policy across
the business.
• Reviewing the cyber risk policy/procedures and suggesting improvements
• Coordinating cyber security meetings
• Facilitating training for all members of staff and ensuring that records of training are well
maintained for future reference.
• Facilitating and conducting cyber security risk assessments and recommending
mitigation controls
• Promote security awareness amongst employees
EMPLOYEES
• Employees are expected to comply with this policy and any additional controls,
processes and procedures that may be implemented.
• Employees will be subjected to continuous training interventions with regard to
cyber security controls, trends and related matters to ensure that they are able to
effectively protect themselves and the Institution against any attempt to utilize the
Institution and its systems for the purposes of any unlawful activity.
• Employees must ensure that they complete all related training and have a thorough
understanding of the material
Cyber Risk Management Procedure
A detailed risk assessment for cyber risk shall be undertaken in order to identify threats,
extent of vulnerability to those threats, the likelihood and potential impact should the
threat mature into a vulnerability. This assessment shall determine acceptable, transferable,
and avoidable risk.
• Data Classification
To ensure that confidentiality, integrity and availability of information is maintained, a data
classification shall be designed.
• Acceptable IT Usage
The policy shall be prepared and implemented to ensure that all staff at THE COMPANY are aware of their responsibilities towards acceptable use of IT assets.
• Email Security Guidelines
THE COMPANY shall implement effective systems and procedures to ensure emails are used as an efficient mode of business communication and implement control procedures to limit abuse.
• Internet and Intranet Guidelines
THE COMPANY should utilize the internet as a medium to carry out business efficiently. Users
must understand that any connection to the internet offers an opportunity for unauthorized users to view or access company and customer information.
• Password and Security Guidelines
THE COMPANY shall establish a standard for the creation of strong passwords and the protection of those passwords. The exercise will be extended to all customers.
• Change Management Policy
Changes to IT facilities and systems should be controlled in order to ensure that changes
made to the production components are applied in a secure and consistent manner
• Anti-Virus Policy
Viruses, Trojans and worms are malicious programs, called malware, that corrupt or destroy data
or may spread confidential information to unauthorized recipients, resulting in loss of
confidentiality, integrity and availability of the information. The policy shall be galvanized to enhance security of the data of THE COMPANY.
• Backup and Recovery Policy
In order to safeguard information and computing resources from business and
environmental threats, systems and procedures shall be developed for backup of all business data.
• Log and Audit Trail Policy
The log and audit trail policy addresses the framework for logging and auditing operating
system events, application events, database events in the local network and network
events. Backup and recovery procedures shall be automated where possible with system.
• Version Control Policy
The version control policy at THE COMPANY addresses implementing, managing, and
controlling the changes in versions of application systems. The aim of the policy is to ensure uniformity in versions running across THE COMPANY and maintain up-to-date documentation for
the entire version change process.
• Encryption Policy
In the current environment of increasingly open and interconnected systems and
networks, appropriate guidelines shall be established to safeguard customer and
company information from cyber-attacks.
• Security Awareness
All employees of THE COMPANY and where necessary, contractors and third-party users
shall receive appropriate awareness training and regular updates in organizational policy
and procedures.