Cloud Services Agreement (Kenya)
CLOUD SERVICES AGREEMENT
THIS CLOUD SERVICES AGREEMENT is made on [Agreement Date]
BETWEEN: [Provider Name], BRS Registration No. [Provider BRS No], KRA PIN [Provider KRA PIN], of [Provider Address] ("Provider")
AND: [Customer Name], BRS Registration No. [Customer BRS No], of [Customer Address] ("Customer")
This Agreement is governed by the Law of Contract Act (Cap. 23), the Data Protection Act No. 24 of 2019, and the Computer Misuse and Cybercrimes Act No. 5 of 2018.
1. SERVICES AND TERM
Service type: [Service Type].
Service description: [Service Description]
This Agreement commences on [Commencement Date] and continues for an initial term of [Initial Term], and thereafter renews automatically on the same terms unless either party gives 30 days' written notice of non-renewal.
Fees and payment: [Fees]
2. SERVICE LEVEL AGREEMENT
Availability: Provider commits to [Uptime Commitment].
Scheduled maintenance: [Maintenance Windows]
Incident response: [Incident Response Time]
SLA remedies: [SLA Remedies]
3. DATA PROTECTION AND PROCESSING
This clause constitutes the data processing agreement required by Section 43 of the Data Protection Act No. 24 of 2019. The Customer is the data controller; the Provider is the data processor.
Categories of personal data: [Data Categories]
Processing purpose: [Data Processing Purpose]
Data location: [Data Location]. Cross-border transfers shall comply with Section 48 of the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021.
Data breach notification: [Data Breach Notification]
Provider shall not engage sub-processors without the Customer's prior written consent and shall impose equivalent data protection obligations on any approved sub-processor.
Data ownership: The Customer owns all data uploaded to or generated in the cloud service. The Provider has no right to use Customer data for its own product development or analytics without the Customer's explicit written consent.
4. SECURITY
Security measures: [Security Measures]
The Provider shall comply with the Computer Misuse and Cybercrimes Act No. 5 of 2018 and cooperate with the National KE-CIRT/CC operated by the Communications Authority of Kenya (CA) in the event of a significant cybersecurity incident.
5. LIABILITY AND INDEMNIFICATION
Liability cap: [Liability Cap]
Neither party shall be liable for indirect, consequential, special, or punitive loss arising from this Agreement.
The Office of the Data Protection Commissioner (ODPC) may impose fines of up to KES 5 million or 1% of annual global turnover for contraventions of the Data Protection Act No. 24 of 2019. Each party shall indemnify the other against fines arising from that party's own breach of data protection obligations.
6. TERMINATION AND DATA RETURN
Data return and deletion on termination: [Data Return Deletion]
Either party may terminate this Agreement on 30 days' written notice. The Customer may terminate immediately upon a material breach of data protection obligations by the Provider.
7. GOVERNING LAW AND DISPUTE RESOLUTION
This Agreement is governed by the laws of Kenya, including the Law of Contract Act (Cap. 23), the Data Protection Act No. 24 of 2019, and the Computer Misuse and Cybercrimes Act No. 5 of 2018.
Dispute resolution: [Dispute Resolution]. Where arbitration is selected, disputes shall be referred to the Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995 (revised 2022).
Cloud Service Provider
________________
Signature
Customer
________________
Signature
Witness
________________
Signature
What Is a Cloud Services Agreement (Kenya)?
A Cloud Services Agreement in Kenya records the obligations, timelines and payment owed between the client and the service provider.
The Data Protection Act No. 24 of 2019 is the primary regulatory framework for the personal data dimensions of a Cloud Services Agreement. Where the customer is a data controller (an entity that determines the purposes and means of processing personal data) and the cloud service provider processes personal data on the customer's behalf, the customer is required under Section 43 of the Data Protection Act to enter into a written data processing agreement with the provider. This data processing agreement — often incorporated into or annexed to the Cloud Services Agreement — must specify the subject matter and duration of the processing, the nature and purpose of the processing, the categories of personal data, and the obligations and rights of the data controller. Failure to enter a compliant data processing agreement exposes the data controller to enforcement action by the ODPC including fines under Section 65 of the Data Protection Act.
The Computer Misuse and Cybercrimes Act No. 5 of 2018 creates criminal liability for unauthorised access to computer systems, data interference, system interference, and interception of communications. Cloud service providers and customers operating in Kenya must confirm that their cloud infrastructure and access control measures comply with the Act's provisions on cybersecurity. The National Kenya Computer Incident Response Team Coordination Centre (National KE-CIRT/CC), operated by the Communications Authority of Kenya (CA), provides national cybersecurity coordination and may issue guidance relevant to cloud security standards.
The Kenya Information and Communications Act (Cap. 411A) and the CA's licensing framework govern internet service providers (ISPs) and data centre operators in Kenya. Cloud service providers with physical infrastructure in Kenya — including data centres in Nairobi's Eastlands, Westlands, and Karen districts — must comply with CA licensing requirements. The Nairobi International Financial Centre Authority (NIFCA) offers incentives to financial technology and cloud service companies establishing operations in Kenya, including reduced corporate income tax rates under the Nairobi International Financial Centre Act No. 26 of 2017.
The Kenya Revenue Authority (KRA) applies the Significant Economic Presence (SEP) Tax at 3% of gross Kenyan earnings under the Finance Act 2025 to non-resident cloud service providers deriving income from Kenyan customers via the internet — a Kenya-specific digital services tax provision that cloud agreements should address in their tax and withholding clauses.
The legal framework governing a Cloud Services Agreement in Kenya draws on several key statutes and regulatory bodies. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Parties executing a Cloud Services Agreement in Kenya should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act No. 24 of 2019 sets the foundational requirements.
When Do You Need a Cloud Services Agreement (Kenya)?
A Kenya Cloud Services Agreement is required whenever a business, government entity, or individual engages a cloud computing provider, and in several specific contexts.
A Cloud Services Agreement is required when a Kenyan company registered with the Business Registration Service (BRS) migrates its operations — accounting software, customer relationship management (CRM) systems, email infrastructure, or enterprise resource planning (ERP) systems — to a cloud platform provided by companies such as Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform, or African-headquartered providers including Liquid Intelligent Technologies, SEACOM, or Safaricom's cloud division. The agreement formalises the service scope, service level commitments, and data handling obligations.
A Cloud Services Agreement is needed when a regulated entity — such as a bank licensed by the Central Bank of Kenya (CBK), an insurance company regulated by the Insurance Regulatory Authority (IRA), or a Capital Markets Authority (CMA)-licensed fund manager — engages a cloud provider for processing or storing regulated financial data. The CBK, IRA, and CMA each issue cloud computing guidance requiring cloud service agreements to address data sovereignty, security standards, audit rights, and exit provisions.
A Cloud Services Agreement is required when a data controller in Kenya processes personal data using a third-party cloud infrastructure. The Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021 require a written data processing agreement under Section 43 of the Act — which is typically incorporated into the Cloud Services Agreement.
A Cloud Services Agreement is needed when a Kenya government ministry, department, or agency (MDA) procures cloud services through the Public Procurement Regulatory Authority (PPRA) framework. Government cloud procurement must comply with the Public Procurement and Asset Disposal Act No. 33 of 2015 and the National Information Communications Technology (ICT) Policy.
A Cloud Services Agreement is required when a software-as-a-service (SaaS) provider operating from Kenya under a business name or company registered with BRS offers subscription-based software to Kenyan or international customers. The agreement governs intellectual property ownership, service availability guarantees, and the provider's obligations under Kenya's data protection and cybercrime legislation.
The Kenya Revenue Authority (KRA) requires cloud providers to register for VAT at the standard rate of 16% under the Value Added Tax Act No. 35 of 2013 once annual taxable turnover exceeds KES 5 million. Non-resident providers of digital services are subject to the 16% digital services VAT and the Significant Economic Presence Tax under the Finance Act 2025.
What to Include in Your Cloud Services Agreement (Kenya)
A Kenya Cloud Services Agreement must include the following essential elements to be enforceable and compliant with the Data Protection Act No. 24 of 2019, the Computer Misuse and Cybercrimes Act No. 5 of 2018, and related Kenyan legislation.
Parties: Full legal names, BRS Registration Numbers, KRA PINs, and addresses of the cloud service provider and the customer. For international cloud providers, the registered address and jurisdiction of incorporation must be stated, as this determines the applicable data transfer provisions under the Data Protection (General) Regulations 2021.
Service Description and Scope: A precise description of the cloud services to be provided — compute resources, storage capacity, network services, software applications, managed services, or a combination. The description should reference the specific service tiers and configurations agreed, with a separate Schedule of Services for technical details.
Service Level Agreement (SLA): The provider's commitments on service availability (e.g. 99.9% uptime), performance (response time thresholds), maintenance windows, incident response times, and the customer's remedies (service credits, termination rights) if SLA targets are missed. The CA's licensing conditions for internet service providers impose minimum quality of service standards that SLA provisions should reflect.
Data Protection and Processing Terms: The data processing agreement required by Section 43 of the Data Protection Act No. 24 of 2019 — specifying the categories of personal data processed, the processing purposes, the security measures implemented by the provider, the obligations on sub-processors, the data breach notification procedure (required within 72 hours under the Data Protection (General) Regulations 2021), and the data deletion or return procedure on contract termination.
Security Standards: The technical and organisational security measures the provider maintains — including encryption standards, access controls, penetration testing schedules, and compliance with the Computer Misuse and Cybercrimes Act No. 5 of 2018. Regulated sector customers (banks, insurers, capital markets entities) must confirm the provider's compliance with CBK, IRA, or CMA cloud security requirements.
Intellectual Property and Data Ownership: Confirmation that the customer owns all data uploaded to or generated in the cloud service, and the provider's licence to process that data solely for the purpose of delivering the services. No licence to use customer data for the provider's own product development or analytics without explicit consent.
Liability and Indemnification: Caps on the provider's liability — typically limited to a multiple of the annual service fees — and exclusions for consequential or indirect loss. The forms-legal.com Cloud Services Agreement template covers all mandatory provisions for Kenya-compliant cloud contracting under the Data Protection Act No. 24 of 2019.
Governing Law and Dispute Resolution: Kenyan law governs the agreement; disputes are referred to the Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995 (revised 2022) or to the High Court (Commercial Division) of Kenya.
Additional compliance context for a Cloud Services Agreement used in Kenya: under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Forms-legal.com provides this template as a starting point for Kenya-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cloud Services Agreement (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/contracts/cloud-services-agreement-kenya
"Cloud Services Agreement (Kenya) (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/contracts/cloud-services-agreement-kenya.
@misc{formslegal-cloud-services-agreement-kenya,
author = {{Forms Legal}},
title = {Cloud Services Agreement (Kenya) (Kenya)},
year = {2026},
howpublished = {\url{https://forms-legal.com/kenya/business/contracts/cloud-services-agreement-kenya}},
note = {Free legal document template}
}
Frequently Asked Questions
Yes. A Cloud Services Agreement is legally binding in Kenya as a commercial contract under the Law of Contract Act (Cap. 23), provided it meets the standard requirements for a valid contract: offer, acceptance, consideration, capacity, and legality. Cloud services agreements — whether entered in writing, electronically, or through click-wrap acceptance of online terms — are valid contracts under Kenyan law. The Kenya Information and Communications Act (Cap. 411A) recognises electronic contracts and electronic signatures, and the High Court (Commercial Division) of Kenya has upheld online click-through agreements in disputes about cloud and software services. A written agreement signed by both parties provides stronger evidentiary protection than an unsigned online terms-of-service document, particularly for disputes about service scope, data handling, and liability. The Data Protection Act No. 24 of 2019 specifically requires the data processing agreement component of a Cloud Services Agreement to be in writing under Section 43 — verbal or implied data processing arrangements are non-compliant.
The Data Protection Act No. 24 of 2019 imposes obligations on cloud service providers in Kenya both as data processors (when processing data on behalf of customers) and potentially as data controllers (when independently determining processing purposes). As a data processor, Section 43 of the Data Protection Act requires the provider to: process personal data only on documented instructions from the data controller; implement appropriate technical and organisational security measures to protect data; not engage sub-processors without the controller's prior written consent; assist the controller in responding to data subject rights requests within the timelines set by the Act; notify the controller of any data breach without undue delay and in any case within 72 hours under the Data Protection (General) Regulations 2021; and delete or return all personal data on termination of the services. The Office of the Data Protection Commissioner (ODPC) enforces these obligations and may impose fines of up to KES 5 million or 1% of annual global turnover (whichever is higher) for contraventions of the Data Protection Act. Cloud service providers with operations or customers in Kenya must register with the ODPC as data controllers or processors under Section 17 of the Act.
Yes, but with conditions. The Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021 permit Kenyan data controllers to transfer personal data to overseas cloud servers, provided the transfer meets one of the permissible grounds in Section 48 of the Act. Permissible grounds include: the receiving country has been assessed by the ODPC as providing adequate data protection; the transfer is subject to appropriate safeguards such as standard contractual clauses approved by the ODPC; or the data subject has explicitly consented to the transfer. The ODPC maintains a list of countries assessed as providing adequate protection. For transfers to countries not on the adequate protection list — including transfers to cloud data centres in the United States, India, or other jurisdictions — the Cloud Services Agreement must include ODPC-compliant standard contractual clauses. Regulated entities including banks licensed by the Central Bank of Kenya (CBK) and companies under the Capital Markets Authority (CMA) are subject to additional data localisation requirements for specific categories of regulated data — these requirements should be confirmed with the relevant regulator before entering a cross-border cloud agreement.
The Significant Economic Presence (SEP) Tax is a digital services tax introduced in Kenya's Finance Act 2023 and expanded by the Finance Act 2025. The SEP Tax applies to non-resident companies — including international cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform — that derive income from providing digital services to Kenyan customers through the internet. The rate is 3% of gross Kenyan earnings and applies regardless of whether the non-resident company has a physical presence in Kenya. The Finance Act 2025 removed the minimum annual turnover threshold previously applicable, meaning all non-resident digital service providers with any Kenyan revenue are subject to the SEP Tax. The SEP Tax is collected by the Kenya Revenue Authority (KRA) through a registration and self-assessment system on iTax. In addition, non-resident cloud service providers supplying digital services in Kenya are subject to 16% VAT at the standard rate under the Value Added Tax Act No. 35 of 2013, with mandatory VAT registration irrespective of turnover under the Finance Act 2025 amendments. Cloud Services Agreements should specify which party bears the SEP Tax and VAT obligation in the pricing and tax provisions.
On termination or expiry of a Cloud Services Agreement, the treatment of customer data is governed by Section 43 of the Data Protection Act No. 24 of 2019, which requires the cloud service provider (as data processor) to delete or return all personal data to the data controller (the customer) in accordance with the data controller's instructions. The Cloud Services Agreement should specify: the format in which data will be returned (structured export file, database dump, or specific format); the timeline for return or deletion (typically 30 to 60 days after termination); whether the provider will issue a certificate of deletion; and the disposal procedure for backup copies of data. The ODPC's enforcement guidance confirms that a provider's failure to delete or return data after contract termination constitutes a violation of Section 43 of the Data Protection Act. For customers with regulatory obligations — such as banks under the Central Bank of Kenya (CBK) prudential guidelines that require retention of financial records for at least 7 years under the Banking Act (Cap. 488) — the Cloud Services Agreement must include provisions for the customer's own data archiving and retention before the provider deletes its copies.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Non-Disclosure Agreement (Kenya)
A Kenya Non-Disclosure Agreement protecting confidential business information, governed by the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019, enforceable in Kenya courts.
Independent Contractor Agreement (Kenya)
A Kenya Independent Contractor Agreement clearly establishing a service relationship — not employment — under the Employment Act No. 11 of 2007, Income Tax Act Cap. 470, and Data Protection Act No. 24 of 2019.