About MorduMark & This Policy
MorduMark is a product of Mordulabs, a recruitment and hiring platform duly registered and operating in Nairobi, Kenya. We empower organizations to create job postings, receive applications, conduct AI-assisted CV analysis, and manage end-to-end recruitment workflows with efficiency and precision.
This Privacy Policy explains how MorduMark, acting as a Data Controller under the Kenya Data Protection Act, No. 24 of 2019 ("the Act"), collects, uses, stores, processes, discloses, and protects personal data. It applies to all users β employer organizations, their personnel, and job applicants.
By registering an account or submitting an application through our platform, you acknowledge that you have read and understood this Privacy Policy.
Our Role Under the Kenya DPA
MorduMark operates as a Data Controller in respect of all personal data processed through the platform. Where we engage third-party service providers (e.g., cloud infrastructure providers), those parties act as Data Processors under our instructions, pursuant to written data processing agreements as required by Section 37(3) of the Act.
MorduMark is registered with the Office of the Data Protection Commissioner (ODPC) as required under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
Data Protection Principles
In accordance with Section 25 of the Act, MorduMark ensures all personal data is:
- Processed in accordance with the right to privacy of the data subject
- Processed lawfully, fairly, and in a transparent manner
- Collected for explicit, specified, and legitimate purposes and not further processed in incompatible ways
- Adequate, relevant, and limited to what is necessary (data minimisation)
- Accurate and kept up to date, with inaccurate data erased or rectified without delay
- Kept for no longer than is necessary for the purposes collected
- Not transferred outside Kenya unless adequate data protection safeguards are in place or consent is given
Personal Data We Collect
A. Employer / Organisation Registration Data
- First Name and Last Name
- Organisation Name and Industry
- Country and Billing Currency
- Hiring Frequency
- Company Website (optional)
- Email Address
- Encrypted Password
B. Job Posting Data
- Job Title, Department, and Job Type
- Industry / Category and Experience Level
- Salary Range and Work Policy (Remote / Hybrid / Onsite)
- Job Description, Requirements, and related metadata
C. Applicant / Candidate Data
- First Name and Last Name
- Email Address
- Phone Number (optional)
- Resume / CV document
- Cover Letter (optional)
- Application activity timestamps
Note: Applicants are the primary data subjects in respect of this data. Employers accessing applicant data through our platform do so as authorised parties acting under our data processing terms.
D. Technical & Usage Data
- IP address and device information
- Browser type and version
- Login records and session timestamps
- Usage analytics and platform navigation data
- Security logs
Lawful Basis for Processing
MorduMark processes personal data under one or more of the following lawful bases under Section 30 of the Act:
- Consent β freely given, specific, informed, and unambiguous consent for one or more purposes
- Contractual Necessity β necessary for the performance of a contract with the data subject
- Legal Obligation β necessary for compliance with Kenyan law
- Legitimate Interests β necessary for MorduMark's legitimate interests, where not overridden by the data subject's rights
Where we rely on consent, data subjects may withdraw it at any time without detriment. Withdrawal does not affect the lawfulness of prior processing.
Sensitive Personal Data
MorduMark does not deliberately collect sensitive personal data as defined under Section 2 of the Act (including data on health, race, ethnic origin, religious beliefs, genetic or biometric data, marital status, or criminal history).
If such data is incidentally included in a CV or cover letter, it will be handled with additional care and accessed only where strictly necessary. Applicants are advised to omit sensitive data from applications where not directly relevant.
How We Use Personal Data
- Creating and managing organisation accounts and user profiles
- Publishing and managing job listings on behalf of employers
- Receiving, storing, and processing job applications
- Providing AI-assisted CV analysis and candidate matching (see Section 8)
- Communicating with users regarding accounts, applications, or listings
- Improving and maintaining platform functionality and user experience
- Preventing fraud, abuse, and security threats
- Complying with legal and regulatory obligations under Kenyan law
AI-Based CV Analysis
MorduMark utilises internally developed AI models hosted on Microsoft Azure to assist with resume/CV analysis, including:
- Automated skills and qualification extraction
- Experience relevance scoring
- CV summarisation and candidate-job fit recommendations
- Matching of candidate profiles to role requirements
In accordance with Section 32 of the Act: applicants are informed when their CV is subject to automated processing; final hiring decisions are always made by a human; and data subjects may request that significant decisions not be made solely on the basis of automated processing.
Data Storage & Security
A. Data Localisation
In compliance with Section 25(h) of the Act, MorduMark ensures that at least one serving copy of personal data is stored on a server or data centre located in Kenya.
B. Cross-Border Data Transfers
Where personal data is processed outside Kenya through Microsoft Azure infrastructure, MorduMark implements safeguards under Sections 48β50 of the Act, including contractual protections, transfer to adequate jurisdictions, and explicit informed consent where required.
C. Security Measures
- Encrypted data transmission using HTTPS/SSL protocols
- Role-based access controls limiting data access to authorised personnel
- Authentication and credential protection mechanisms
- Regular data backups and recovery systems
- Continuous activity monitoring and security logging
- Secure cloud hosting standards via Microsoft Azure
Data Breach Notification
In the event of a personal data breach posing a real risk of harm, MorduMark will comply with Section 43 of the Act, including:
- Notifying the ODPC without undue delay
- Informing affected data subjects as soon as reasonably practicable
- Documenting the nature of the breach, data affected, and remedial measures taken
Data Retention
- Applicant and recruitment data is retained for up to 90 days following job closure
- Employer account data is retained for the duration of the active account and a reasonable period thereafter
- Employers may request earlier deletion of applicant data
- Technical logs may be retained longer for security, fraud prevention, or legal compliance
At the end of the retention period, personal data is securely deleted or anonymised so it can no longer be attributed to an identifiable individual.
Your Rights as a Data Subject
Under the Act, you have the following rights regarding your personal data:
To exercise any right, contact us at the details in Section 17. We will respond within the timeframes prescribed by the Act.
Automated Decision-Making
MorduMark uses automated processing tools to assist with CV analysis and candidate ranking. In accordance with Section 32 of the Act, you have the right to:
- Be informed when automated decision-making processes are applied to your personal data
- Request that a significant decision affecting you not be based solely on automated processing
- Request human review of any automated recommendation that materially affects your application
MorduMark ensures that no hiring decision is made without meaningful human involvement by the relevant employer.
Children & Minors
MorduMark is a professional recruitment platform intended exclusively for adults. We do not knowingly collect or process personal data of persons under the age of 18. If you believe a minor has submitted data through our platform, please contact us immediately and we will delete such data promptly, in line with Section 33 of the Act.
Data Protection Officer
MorduMark has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with the Act and acting as a point of contact for data subjects and the ODPC.
- Name: Dorcas Mosiori
- Email: dorcas.mosiori@mordulabs.com
- Address: Westlands, Nairobi, Kenya
- Website: www.odpc.go.ke
- Britam Towers, 12th Floor
- Hospital Road, Upperhill, Nairobi
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will:
- Post the updated policy on our platform with a revised effective date
- Notify registered users by email where the changes are significant
Continued use of the platform following notification of any updates constitutes acceptance of the revised Privacy Policy.