Data Protection

1. Our Data Protection Commitment

EduBridge is built to support digital Portfolio of Evidence, assessment readiness, assessment registration, trainer review, institution reporting and assessment pathway workflows.

Because EduBridge handles trainee profiles, uploaded evidence, registered units, institution data, payment records, audit logs and assessment-related information, data protection is central to how the platform is designed and operated.

ABNO Softwares International Ltd is committed to protecting personal data in accordance with applicable data protection laws, including Kenya’s Data Protection Act, 2019 and related data protection principles.

Our commitment is simple:

EduBridge only collects, uses and shares data for legitimate platform, assessment readiness, institution support, payment, security, compliance and service delivery purposes.

2. What This Page Explains

This Data Protection page explains how EduBridge protects data across:

• •
  Trainee activation
• •
  PoE upload and storage
• •
  Assessment unit visibility
• •
  Assessment registration workflows
• •
  Trainer and assessor review
• •
  Institution dashboards and reports
• •
  TVET CDACC and QAB/CBET Master pathways
• •
  Payments and subscriptions
• •
  Support and onboarding
• •
  Partner and ambassador workflows
• •
  Audit logs and security monitoring

This page should be read together with:

• •
  EduBridge Terms of Service
• •
  EduBridge Privacy Policy
• •
  Any applicable Data Processing Agreement
• •
  Institution onboarding terms
• •
  QAB/QAI onboarding agreements, where applicable

3. Data Protection Principles

EduBridge applies the following data protection principles.

Lawful and Fair Use

We process data only for lawful, fair and legitimate purposes connected to EduBridge services.

Purpose Limitation

We use data only for the purpose it was collected or a closely related platform, assessment, support or compliance purpose.

Data Minimization

We collect only the data needed to activate profiles, support PoE readiness, process subscriptions, manage workflows and protect the platform.

Accuracy

We aim to keep data accurate and allow correction processes where records are wrong, outdated or mismatched.

Security

We use reasonable technical and organizational safeguards to protect data from unauthorized access, misuse, loss or alteration.

Accountability

Actions inside EduBridge may be logged for audit, support, security, compliance and dispute resolution.

Transparency

Users should understand what data is collected, why it is used and who may access it.

4. Data We Protect

EduBridge protects different categories of data, including:

5. Why EduBridge Processes Data

EduBridge processes data to:

• 1.
  Activate trainee profiles.
• 2.
  Verify users and prevent profile takeover.
• 3.
  Match trainees to assessment records.
• 4.
  Show registered assessment units.
• 5.
  Allow trainees to upload and manage PoE evidence.
• 6.
  Enable trainers and assessors to review evidence.
• 7.
  Help institutions monitor trainee readiness.
• 8.
  Support assessment registration and unit approval workflows.
• 9.
  Process subscriptions and payment confirmations.
• 10.
  Support TVET CDACC-assessed pathways where configured.
• 11.
  Support QAB/QAI and CBET Master workflows where configured.
• 12.
  Generate reports and dashboards.
• 13.
  Provide support and resolve issues.
• 14.
  Maintain audit trails.
• 15.
  Detect misuse, fraud or unauthorized access.
• 16.
  Improve EduBridge functionality and reliability.

6. How EduBridge Protects Data

EduBridge applies a combination of technical, operational and access-control safeguards.

Account Protection

• •
  Password-based access
• •
  OTP verification where required
• •
  Phone and email verification
• •
  Password reset controls
• •
  Failed login monitoring

Role-Based Access

Users only access what their role allows.

Examples:

• •
  Trainees access their own profiles and PoEs.
• •
  Trainers access assigned trainees, units or programmes.
• •
  Institution users access records linked to their institution and role.
• •
  Finance users access payment or clearance information where authorized.
• •
  Admin users access configuration and support tools based on permissions.

Secure Workflows

EduBridge protects key workflows through:

• •
  Step-based activation
• •
  Verified institution email for workspace activation
• •
  Controlled trainee profile matching
• •
  Approval workflows
• •
  Audit logs
• •
  Permission-based actions
• •
  Support escalation for mismatched records

Data Access Controls

EduBridge limits access to sensitive data based on:

• •
  User role
• •
  Institution
• •
  Programme
• •
  Unit
• •
  Assessment pathway
• •
  Assigned responsibility
• •
  Support authorization

Audit Logging

Actions may be logged with:

• •
  User identity
• •
  Role
• •
  Time and date
• •
  IP address
• •
  Action performed
• •
  Record affected
• •
  Status before and after
• •
  Comments or reasons where applicable

Payment Safety

EduBridge protects users by requiring official payment channels.

EduBridge staff, partners, ambassadors and support agents should never ask for:

• •
  OTPs
• •
  Passwords
• •
  M-Pesa PINs
• •
  Cash payments to personal numbers

7. Trainee Data Protection

EduBridge protects trainees by ensuring that:

• 1.
  A trainee can only activate their own profile.
• 2.
  Profile matching uses controlled identifiers such as Assessment Center, admission number and ID/passport/birth certificate number.
• 3.
  Trainees can review details before activating.
• 4.
  Incorrect profiles can be reported.
• 5.
  Phone verification is required during account creation.
• 6.
  PoE evidence is linked to the trainee’s own workspace.
• 7.
  Institutions see readiness data only for trainees linked to them.
• 8.
  Trainers access only assigned records.
• 9.
  Payments are handled through official channels.
• 10.
  PoE upload and storage are protected by login access.

Trainees should not share passwords, OTPs or account access with anyone.

8. Institution Data Protection

EduBridge protects institutions by ensuring that:

• 1.
  Institution workspace activation uses official verification controls.
• 2.
  TVET CDACC Assessment Center activation uses the official email registered for that center where applicable.
• 3.
  Institution users are created with roles and permissions.
• 4.
  Focal persons, trainers, assessors and admins are added by authorized users.
• 5.
  Sensitive setup actions are logged.
• 6.
  Locked institution records synced from official sources cannot be edited casually.
• 7.
  Incorrect locked records are handled through support or official correction channels.
• 8.
  Dashboards and reports are limited to authorized institution users.

Institution administrators must add only authorized users and remove users who no longer require access.

9. Trainer, Assessor and Reviewer Data Protection

Trainers, assessors and reviewers may access trainee evidence only where they are authorized.

They must:

• 1.
  Use trainee data only for review, feedback, assessment readiness or authorized workflows.
• 2.
  Keep trainee information confidential.
• 3.
  Avoid downloading or sharing evidence unnecessarily.
• 4.
  Report wrong mappings or suspicious records.
• 5.
  Use their own login credentials.
• 6.
  Avoid reviewing records outside their assigned role.

EduBridge may log trainer, assessor and reviewer actions for audit and accountability.

10. TVET CDACC, QAB and CBET Master Pathways

EduBridge supports different assessment pathways.

Where a programme is TVET CDACC-assessed, EduBridge may process data to support TVET CDACC-linked ePoE readiness and assessment workflows.

Where a programme is QAB/QAI-assessed, EduBridge may work with CBET Master to support digital PoE, assessment workflows, verification, moderation, reporting and certification support.

Data is routed based on:

• •
  Institution
• •
  Programme
• •
  Assessment pathway
• •
  User role
• •
  Workflow configuration
• •
  Approved integration channel
• •
  Applicable onboarding setup

EduBridge does not expose trainee evidence to unauthorized assessment reviewers.

11. Data Sharing Controls

EduBridge does not sell trainee personal data.

EduBridge may share data only where needed for:

• •
  Trainee activation
• •
  PoE upload and review
• •
  Institution readiness tracking
• •
  Assessment registration workflows
• •
  Trainer and assessor review
• •
  QAB/QAI or CBET Master workflows
• •
  TVET CDACC-linked workflows where applicable
• •
  Payment processing
• •
  Support and troubleshooting
• •
  Security and compliance
• •
  Legal or regulatory requirements

Access is limited to authorized parties and relevant purposes.

12. Data Retention

EduBridge retains data only for as long as necessary for:

• 1.
  Platform access and service delivery.
• 2.
  Active subscriptions.
• 3.
  PoE storage and portfolio continuity.
• 4.
  Assessment readiness.
• 5.
  Institution reports.
• 6.
  Assessment registration and verification workflows.
• 7.
  Payment records.
• 8.
  Audit logs.
• 9.
  Support and dispute resolution.
• 10.
  Legal, compliance or regulatory obligations.
• 11.
  Security and fraud prevention.

Some records may be retained even after account closure where required for audit, assessment, payment, legal or institutional purposes.

13. Data Correction

Users may request correction of inaccurate data.

However, some records may come from official institution, TVET CDACC, QAB/QAI or assessment records.

Locked or synced records may require correction by the original source.

Examples include:

• •
  Assessment Center name
• •
  Center code
• •
  Admission number
• •
  Assessment registration number
• •
  Programme mapping
• •
  Registered units
• •
  Assessment pathway
• •
  Official institution email
• •
  Accreditation details

EduBridge may guide users on how to report or escalate corrections.

14. Data Subject Rights

Subject to applicable law and verification, users may request to:

• 1.
  Access their personal data.
• 2.
  Correct inaccurate data.
• 3.
  Request deletion where legally permitted.
• 4.
  Object to certain processing.
• 5.
  Withdraw consent where processing is based on consent.
• 6.
  Request restriction of processing where applicable.
• 7.
  Ask how their data is used.

Some requests may be limited where data must be retained for assessment, certification, audit, payment, legal, security or institutional purposes.

Requests should be sent to: info@edubridgeapp.com

15. Data Breach and Security Incident Response

If EduBridge becomes aware of a data security incident, ABNO will take reasonable steps to:

• 1.
  Investigate the incident.
• 2.
  Contain the issue.
• 3.
  Assess the risk.
• 4.
  Protect affected users where possible.
• 5.
  Notify affected parties where required.
• 6.
  Notify regulators where required by law.
• 7.
  Improve controls to reduce future risk.

Users should report suspicious activity immediately through EduBridge support.

16. Data Processor and Controller Roles

Depending on the context, ABNO may act as:

Data Controller

Where ABNO determines how and why data is processed, such as for EduBridge account creation, subscription management, support, security, product improvement and direct trainee services.

Data Processor

Where ABNO processes data on behalf of an institution, QAB/QAI, Assessment Center or assessment workflow owner under agreed instructions.

The exact role may depend on the service, institution arrangement, assessment pathway, integration setup or agreement in place.

17. Cross-Border Processing

EduBridge may use cloud infrastructure, support tools, communication systems or service providers that process data outside Kenya.

Where cross-border processing occurs, ABNO will take reasonable steps to ensure appropriate safeguards, contractual protections or lawful transfer mechanisms are in place.

18. Data Protection by Design

EduBridge aims to apply data protection by design and default.

This means:

• •
  Collecting only necessary data.
• •
  Limiting access by role.
• •
  Masking sensitive information where appropriate.
• •
  Using OTP and verification controls.
• •
  Logging important actions.
• •
  Restricting unauthorized profile activation.
• •
  Using official payment channels.
• •
  Providing support for correction requests.
• •
  Designing workflows that reduce exposure of unnecessary data.

19. User Responsibilities

Users also play a role in data protection.

Trainees should:

• •
  Activate only their own profile.
• •
  Keep passwords private.
• •
  Never share OTPs.
• •
  Use official payment channels.
• •
  Upload only relevant and authorized evidence.
• •
  Report incorrect profiles or suspicious activity.

Institutions should:

• •
  Add only authorized users.
• •
  Remove users who leave or change roles.
• •
  Protect downloaded reports.
• •
  Use trainee data only for education, assessment and readiness.
• •
  Report unauthorized access quickly.

Trainers and assessors should:

• •
  Access only assigned trainee records.
• •
  Keep trainee evidence confidential.
• •
  Avoid sharing or downloading evidence unnecessarily.
• •
  Report mapping or assessment record issues.

Partners and ambassadors should:

• •
  Use only official EduBridge materials and links.
• •
  Never collect cash.
• •
  Never ask for OTPs, passwords or M-Pesa PINs.
• •
  Report suspicious activity.

20. Contact for Data Protection Requests

For data protection enquiries, correction requests, privacy concerns, account security issues or suspected misuse, contact: