MOYOPAL DATA PRIVACY & SECURITY POLICY
Effective Date: January 1, 2026
Version: 2.0 (Enterprise)
1. Governance & Regulatory Framework
Moyopal Inc. ("Moyopal") operates as a mission-critical infrastructure provider. We acknowledge our status as a Data Processor under the Kenya Data Protection Act, 2019 (ODPC) and adhere to the principles of the General Data Protection Regulation (GDPR).
Furthermore, our infrastructure is architected to align with the Health Insurance Portability and Accountability Act (HIPAA) standards regarding the safeguarding of Protected Health Information (PHI).
2. Technical Security Architecture (The "Jargon" Clause)
We employ a Zero-Trust Security Model to ensure the integrity, confidentiality, and availability of client data.
- Encryption at Rest: All persisted data (databases, backups, and object storage) is encrypted using AES-256 (Advanced Encryption Standard) via a managed Key Management Service (KMS).
- Encryption in Transit: All data moving between client endpoints and our cloud infrastructure is secured via TLS 1.3 (Transport Layer Security). We enforce HTTPS-only access and utilize HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.
- Network Isolation: Our compute instances run within a logically isolated Virtual Private Cloud (VPC). Database instances are not exposed to the public internet and are accessible only via private subnets or Bastion Hosts with MFA access.
3. Artificial Intelligence & Data Processing
We utilize Deterministic and Probabilistic AI Models to process data.
- Pseudonymization: Before data enters our model training pipeline, all Personally Identifiable Information (PII), such as names and National IDs, is pseudonymized or hashed using SHA-256 cryptographic hashing.
- Human-in-the-Loop (HITL): Our Decision Support Systems (DSS) for claims adjudication are designed as "augmented intelligence." High-confidence predictions (>99%) may be automated, while low-confidence predictions trigger a manual review workflow.
- Model Non-Retention: Unless explicitly authorized via a Data Sharing Agreement, client data is processed for inference (real-time analysis) and is not permanently stored within the Large Language Model (LLM) weights.
4. Data Sovereignty & Residency
Moyopal commits to Local-First Data Residency.
Patient health records are stored within ISO 27001-certified data centers located within the African continent or compliant jurisdictions as mandated by the ODPC.
We utilize Geo-Redundant Storage (GRS) to ensure business continuity in the event of a regional outage, strictly adhering to Cross-Border Transfer safeguards (Standard Contractual Clauses).
5. Access Control & Audit Logs
- Role-Based Access Control (RBAC): Internal employee access to data is governed by the Principle of Least Privilege. Engineers are granted temporary, Just-In-Time (JIT) access tokens only when necessary for debugging.
- Immutable Audit Trails: Every API call, database query, and system access event is logged to a tamper-proof SIEM (Security Information and Event Management) system for forensic auditing.
6. User Rights & Breach Notification
In the unlikely event of a security incident, Moyopal guarantees a 72-hour Notification Window to the Data Controller and relevant regulatory bodies, as required by the Kenya DPA. Data subjects retain the Right to Erasure (Right to be Forgotten) and Data Portability, executed via our secure API endpoints.