Legal & Policies
Transparency and compliance are at the core of how we operate.
Privacy Policy
Last updated: 26 March 2026
Xcobean Systems Limited ("Xcobean", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website, client portal, mobile applications, and related services.
Table of Contents
- 1. Scope of This Policy
- 2. Data Controller
- 3. Data We Collect
- 4. How We Collect Data
- 5. How We Use Your Data
- 6. Legal Basis for Processing
- 7. Cookies and Tracking Technologies
- 8. Third-Party Services and Integrations
- 9. Data Sharing and Disclosure
- 10. Data Storage and Security
- 11. Data Retention
- 12. Your Rights
- 13. International Data Transfers
- 14. Children's Privacy
- 15. Changes to This Policy
- 16. Contact Us
1. Scope of This Policy
This Privacy Policy applies to:
- Our Website. xcobean.co.ke and all subdomains
- Client Portal. our WHMCS-based client area for account management, billing, and service provisioning (including Apache CloudStack integration)
- Mobile Applications. the myxcobean mobile app available on Google Play and Apple App Store
- Communications. emails, live chat (Zoho SalesIQ), WhatsApp Business, Telegram, and phone calls
- Third-Party Integrations. services we use to deliver and improve our products
2. Data Controller
The data controller responsible for your personal data is:
Xcobean Systems Limited
11th Floor, Britam Towers, Nairobi, Kenya
Kigali Innovation City, Kigali, Rwanda
Email: privacy@xcobean.co.ke
Phone: +254 20 790 2222
3. Data We Collect
3.1 Account Information
When you register for an account or purchase services, we collect:
- Full name, company name, and job title
- Email address and phone number
- Physical/postal address
- KRA PIN (for VAT compliance, where applicable)
- Username and password (hashed)
3.2 Authentication Data
Depending on the method you choose, we may process:
- Email/password credentials (passwords are stored as one-way hashes)
- Social login tokens (Google Sign-In, Apple Sign-In)
- Biometric authentication flags (processed locally on your device; we do not store biometric data)
- FIDO2/WebAuthn passkeys (public key only; private key remains on your device)
- Two-factor authentication (2FA) recovery codes
3.3 Billing and Financial Data
- Invoices and payment history
- Payment method details (M-Pesa phone number, PayPal email, Pesapal transaction references)
- Credit notes and account balances
We do not store full credit/debit card numbers. Payment processing is handled by our third-party payment providers.
3.4 Service and Technical Data
- Cloud resource usage (virtual machines, storage, bandwidth) via Apache CloudStack
- Domain registrations and DNS records
- Support tickets and communications
- Service configuration data
3.5 Device and Usage Data
- IP address and approximate geolocation
- Browser type, version, and operating system
- Device type and screen resolution
- Pages visited, time spent, and referral source
- Mobile app: device model, OS version, app version, unique device identifiers
3.6 Permissions (Mobile App)
The myxcobean app may request the following device permissions:
- Camera. for scanning QR codes or uploading documents
- Notifications. to send service alerts and updates
- Biometric. for secure local authentication
Permissions are requested at the point of use and can be revoked through your device settings at any time.
4. How We Collect Data
- Directly from you. when you register, place orders, submit tickets, fill in forms, or communicate with us
- Automatically. through cookies, analytics, and server logs when you use our website or apps
- From third parties. payment providers (transaction confirmations), social login providers (basic profile data), and public registries (WHOIS, company registries)
5. How We Use Your Data
We use your personal data to:
- Provision, manage, and support the services you purchase
- Process payments and issue invoices
- Communicate with you about your account, services, and support requests
- Send service notifications, maintenance alerts, and security advisories
- Send marketing communications (only with your consent; you can opt out at any time)
- Analyse website and app usage to improve our products and user experience
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations, including tax and regulatory requirements
- Enforce our Terms of Service and Acceptable Use Policy
6. Legal Basis for Processing
Under the Kenya Data Protection Act 2019 and, where applicable, the EU General Data Protection Regulation (GDPR), we process your data on the following bases:
- Contractual necessity. to perform our obligations under your service agreement
- Legitimate interests. to improve our services, prevent fraud, and maintain security
- Legal obligation. to comply with tax, accounting, and regulatory requirements
- Consent. for marketing communications and non-essential cookies (which you can withdraw at any time)
7. Cookies and Tracking Technologies
Our website uses the following categories of cookies:
| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Session management, authentication, CSRF protection | Laravel session, XSRF-TOKEN |
| Functional | Remember preferences (theme, language) | theme-mode |
| Analytics | Understand site usage and performance | Google Analytics (GA4), Zoho PageSense |
| Marketing | Personalise content, measure campaign effectiveness | Zoho Marketing Automation |
| Live Chat | Enable real-time support | Zoho SalesIQ |
You can manage cookie preferences through your browser settings. Note that disabling strictly necessary cookies may affect the functionality of our website.
8. Third-Party Services and Integrations
We use the following third-party services, each of which has its own privacy policy:
8.1 Service Delivery
- WHMCS. client management, billing, and support ticketing
- Apache CloudStack. cloud infrastructure orchestration
8.2 Zoho Suite
- Zoho SalesIQ. live chat and visitor tracking
- Zoho PageSense. website analytics and A/B testing
- Zoho Marketing Automation. email marketing and lead nurturing
- Zoho Books. accounting and invoicing
- Zoho Desk. customer support management
- Zoho Sign. electronic document signing
- Zoho Assist. remote support sessions (initiated with your consent)
- Zoho Survey. customer satisfaction surveys
- Zoho Bookings. appointment scheduling
8.3 Google Services
- Google Analytics (GA4). website traffic analysis
- Google Workspace. email and collaboration (for internal operations)
- Google Sign-In / OAuth. social login for the mobile app
8.4 Payment Processors
- M-Pesa (Safaricom). mobile money payments
- PayPal. international payments
- Pesapal. card and mobile money payments
8.5 Communications
- WhatsApp Business API. customer messaging
- Telegram Bot. notifications and support
- Firebase Cloud Messaging. push notifications for the mobile app
8.6 Authentication
- Apple Sign-In. social login for iOS
- Google Sign-In. social login
- Firebase Authentication. mobile app user management
9. Data Sharing and Disclosure
We do not sell your personal data. We may share data with:
- Service providers. third parties who process data on our behalf (as listed in Section 8), bound by data processing agreements
- Payment processors. to facilitate transactions you initiate
- Regulatory authorities. where required by Kenyan law (e.g., Kenya Revenue Authority, Office of the Data Protection Commissioner)
- Law enforcement. where legally compelled by a valid court order
- Business transfers. in the event of a merger, acquisition, or asset sale, with prior notice to affected users
10. Data Storage and Security
Your data is primarily stored on servers located in Kenya. We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest
- Firewalls, intrusion detection, and DDoS mitigation
- Role-based access controls and multi-factor authentication for staff
- Regular security audits and vulnerability assessments
- Encrypted backups with tested restoration procedures
11. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 2 years after closure |
| Billing and invoicing records | 7 years (Kenya tax law requirement) |
| Support tickets | Duration of account + 1 year |
| Website analytics | 26 months (GA4 default) |
| Server and access logs | 90 days |
| Marketing consent records | Duration of consent + 3 years |
12. Your Rights
Under the Kenya Data Protection Act 2019 (and the GDPR for EU/EEA residents), you have the right to:
- Access. request a copy of the personal data we hold about you
- Rectification. request correction of inaccurate or incomplete data
- Erasure. request deletion of your personal data (subject to legal retention obligations)
- Data portability. receive your data in a structured, machine-readable format
- Restriction. request that we limit the processing of your data
- Objection. object to processing based on legitimate interests or direct marketing
- Withdraw consent. where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@xcobean.co.ke. We will respond within 30 days.
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.
13. International Data Transfers
Some of our third-party service providers (e.g., Google, PayPal, Firebase) may process data outside Kenya. Where this occurs, we ensure that appropriate safeguards are in place, including:
- Standard contractual clauses
- Adequacy decisions by the ODPC
- Binding corporate rules of the service provider
14. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at privacy@xcobean.co.ke and we will promptly delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a revised "Last updated" date
- Sending an email notification for significant changes
- Displaying a prominent notice on our website or client portal
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Xcobean Systems Limited
11th Floor, Britam Towers, Nairobi, Kenya
Kigali Innovation City, Kigali, Rwanda
Privacy inquiries: privacy@xcobean.co.ke
General inquiries: info@xcobean.co.ke
Phone: +254 20 790 2222
Website: xcobean.co.ke
Terms of Service
Last updated: 26 March 2026
These Terms of Service ("Terms") govern your access to and use of the services provided by Xcobean Systems Limited ("Xcobean", "we", "us", or "our"). By accessing our website, creating an account, or purchasing any service, you agree to be bound by these Terms.
Table of Contents
- 1. Acceptance of Terms
- 2. Definitions
- 3. Our Services
- 4. Account Registration and Responsibilities
- 5. Billing and Payment
- 6. Service Level Agreements
- 7. Acceptable Use
- 8. Intellectual Property
- 9. Data Protection
- 10. Service Suspension and Termination
- 11. Limitation of Liability
- 12. Indemnification
- 13. Force Majeure
- 14. Dispute Resolution and Governing Law
- 15. Changes to These Terms
- 16. Severability
- 17. Contact Information
1. Acceptance of Terms
By accessing or using any Xcobean service, you acknowledge that you have read, understood, and agree to be bound by these Terms, our Privacy Policy, and our Acceptable Use Policy. If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.
If you do not agree to these Terms, you must not use our services.
2. Definitions
- "Client", "you", "your". the individual or entity that registers for and/or uses our services
- "Services". all products, platforms, and professional services offered by Xcobean, including but not limited to cloud hosting, colocation, connectivity, managed IT, communications, cybersecurity, and business applications
- "Client Portal". the online account management area accessible via our website
- "Content". any data, files, applications, or materials you upload, store, or transmit through our services
3. Our Services
Xcobean provides enterprise technology services including, but not limited to:
- Cloud & Infrastructure. virtual private servers, dedicated servers, cloud hosting, backup and disaster recovery
- Colocation. rack space, power, and cooling in our data-centre facilities
- Network & Connectivity. internet transit, IP addressing (AS329239), MPLS, and SD-WAN
- Managed IT Services. monitoring, patching, remote and onsite support
- Unified Communications. 3CX, VoIP, SIP trunking, and collaboration tools
- Cybersecurity. firewall management, endpoint protection, vulnerability assessments, and incident response
- Business Productivity. Zoho, Microsoft 365, Google Workspace, and custom integrations
Service specifications, features, and pricing are described on our website and in individual service agreements.
4. Account Registration and Responsibilities
4.1 To access most services, you must register for an account and provide accurate, complete, and current information.
4.2 You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account.
4.3 You must notify us immediately at info@xcobean.co.ke if you suspect any unauthorised use of your account.
4.4 You must be at least 18 years old to create an account.
4.5 We reserve the right to suspend or terminate accounts that contain false, outdated, or incomplete information.
5. Billing and Payment
5.1 Currency. All prices are quoted in Kenya Shillings (KES) unless otherwise stated. International clients may be invoiced in USD upon arrangement.
5.2 VAT. All applicable prices are exclusive of Value Added Tax (VAT) at the prevailing rate as required by Kenyan law. VAT will be added to invoices where applicable. Our VAT PIN is P051782544J.
5.3 Payment methods. We accept payment via:
- M-Pesa (Paybill / STK Push)
- Bank transfer (KES and USD)
- Pesapal (Visa, Mastercard, mobile money)
- PayPal (international payments)
5.4 Invoicing. Invoices are issued through our Client Portal and sent to your registered email address. Payment is due within the period stated on the invoice (typically Net 14 days for post-paid services, or in advance for prepaid services).
5.5 Late payment. Overdue invoices may attract a late payment fee of 2% per month on the outstanding balance. Services may be suspended if payment remains overdue for more than 14 days after the due date.
5.6 Refunds. Refunds are handled on a case-by-case basis. Setup fees and custom work are generally non-refundable. Any applicable money-back guarantees are specified in the relevant service description.
6. Service Level Agreements
6.1 Specific uptime commitments, response times, and service credits are defined in our Service Level Agreement (SLA), which forms part of these Terms for applicable services.
6.2 SLA details are published on our Support & SLA page and may be customised for enterprise clients under separate written agreements.
6.3 Scheduled maintenance windows are communicated in advance and are excluded from uptime calculations.
7. Acceptable Use
Your use of our services is subject to our Acceptable Use Policy, which is incorporated into these Terms by reference. Violations of the AUP may result in service suspension or termination.
8. Intellectual Property
8.1 Our IP. All content, trademarks, logos, software, and materials on the Xcobean website and platforms are the property of Xcobean Systems Limited or its licensors and are protected by Kenyan and international intellectual property laws.
8.2 Your Content. You retain all ownership rights in the content you upload to our services. By using our services, you grant us a limited licence to host, store, and transmit your content solely for the purpose of providing the services.
8.3 You may not copy, modify, distribute, or reverse-engineer any Xcobean proprietary software or materials without our prior written consent.
9. Data Protection
9.1 We process personal data in accordance with our Privacy Policy and the Kenya Data Protection Act 2019.
9.2 Where we process personal data on your behalf (i.e., as a data processor), the terms of our Data Processing Agreement shall apply.
9.3 You are responsible for ensuring that your use of our services complies with all applicable data protection laws, including obtaining necessary consents from your end users.
10. Service Suspension and Termination
10.1 By us. We may suspend or terminate your services, with or without notice, if:
- You breach these Terms or the Acceptable Use Policy
- Your account has an overdue balance exceeding 14 days
- Your use of services poses a security risk or disrupts other clients
- We are required to do so by law or regulation
10.2 By you. You may cancel your services at any time by submitting a cancellation request through the Client Portal or by contacting us. Cancellation will take effect at the end of the current billing period unless otherwise agreed.
10.3 Data after termination. Upon termination, we will retain your data for 30 days to allow retrieval. After this period, data will be permanently deleted unless a longer retention is required by law.
11. Limitation of Liability
11.1 To the maximum extent permitted by Kenyan law, Xcobean's total aggregate liability for any claim arising out of or related to these Terms or our services shall not exceed the total fees paid by you to Xcobean during the 12 months preceding the claim.
11.2 In no event shall Xcobean be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunities, or goodwill.
11.3 These limitations apply regardless of the theory of liability (contract, tort, strict liability, or otherwise) and even if Xcobean has been advised of the possibility of such damages.
12. Indemnification
You agree to indemnify, defend, and hold harmless Xcobean, its directors, officers, employees, and agents from any claims, damages, losses, liabilities, and expenses (including reasonable legal fees) arising out of or related to your use of our services, your violation of these Terms, or your infringement of any third-party rights.
13. Force Majeure
Neither party shall be liable for any failure or delay in performance due to circumstances beyond its reasonable control, including but not limited to natural disasters, war, terrorism, pandemics, government actions, power failures, internet or telecommunications failures, fibre cuts, or acts of third parties. The affected party shall notify the other party promptly and use reasonable efforts to mitigate the impact.
14. Dispute Resolution and Governing Law
14.1 Governing law. These Terms are governed by and construed in accordance with the laws of the Republic of Kenya.
14.2 Informal resolution. Before initiating formal proceedings, both parties agree to attempt to resolve disputes through good-faith negotiation for a period of at least 30 days.
14.3 Jurisdiction. Any disputes that cannot be resolved informally shall be submitted to the exclusive jurisdiction of the courts of Nairobi, Kenya.
14.4 Arbitration. For enterprise clients, disputes may alternatively be resolved through binding arbitration under the Nairobi Centre for International Arbitration (NCIA) rules, if both parties agree in writing.
15. Changes to These Terms
We may update these Terms from time to time. We will provide at least 30 days' notice of material changes by email or through the Client Portal. Your continued use of our services after the effective date of the updated Terms constitutes your acceptance of the changes.
16. Severability
If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.
17. Contact Information
For questions about these Terms, please contact us:
Xcobean Systems Limited
11th Floor, Britam Towers, Nairobi, Kenya
Kigali Innovation City, Kigali, Rwanda
Email: info@xcobean.co.ke
Phone: +254 20 790 2222
Website: xcobean.co.ke
Acceptable Use Policy
Last updated: 26 March 2026
This Acceptable Use Policy ("AUP") defines the acceptable and prohibited uses of services provided by Xcobean Systems Limited ("Xcobean", "we", "us", or "our"). This AUP is incorporated into and forms part of our Terms of Service. All clients, users, and any persons accessing our network and services must comply with this policy.
1. Prohibited Activities
You may not use Xcobean services to engage in, facilitate, or promote any of the following:
1.1 Illegal Activities
- Any activity that violates the laws of Kenya or the jurisdiction in which you operate
- Distribution of child sexual abuse material (CSAM): zero tolerance, immediate termination and reporting to authorities
- Fraud, identity theft, phishing, or impersonation
- Trafficking in stolen property, counterfeit goods, or controlled substances
- Terrorism-related content or activity
1.2 Malicious Software and Hacking
- Distributing viruses, trojans, ransomware, worms, or any other malicious code
- Hosting command-and-control (C2) infrastructure for botnets or malware
- Attempting to gain unauthorised access to any system, network, or account (whether ours or a third party's)
- Port scanning, vulnerability scanning, or penetration testing of systems you do not own (without explicit written authorisation from the system owner)
- Operating open proxies or open relays without our prior written approval
1.3 Spam and Unsolicited Communications
- Sending unsolicited bulk email (spam), SMS, or messages
- Operating mailing lists without proper opt-in consent and unsubscribe mechanisms
- Using our services to harvest email addresses or other personal data
- Sending messages with forged, misleading, or fraudulent headers
1.4 Intellectual Property Infringement
- Hosting, distributing, or linking to pirated software, media, or other copyrighted material without authorisation
- Trademark infringement or passing off
1.5 Denial of Service
- Launching or participating in Distributed Denial of Service (DDoS) attacks against any target
- Operating "booter" or "stresser" services
- Intentionally degrading the performance of our network or any connected network
1.6 Cryptocurrency Mining
- Running cryptocurrency mining software on shared or standard hosting plans without prior written approval from Xcobean
- Cryptocurrency mining on dedicated servers or cloud instances is permitted only when explicitly agreed to in your service order and within your allocated resource limits
2. Network Abuse
The following network behaviours are prohibited:
- IP address spoofing or hijacking
- BGP hijacking or route leaking
- Excessive bandwidth consumption that impacts other clients on shared infrastructure
- Operating services that attract large-scale DDoS attacks without implementing adequate mitigation
- Running TOR exit nodes without prior written approval
- ARP spoofing, DHCP spoofing, or other layer-2 attacks
3. Email Policies
If you use our services to send email, you must:
- Maintain proper SPF, DKIM, and DMARC records for your sending domains
- Honour unsubscribe requests within 48 hours
- Maintain bounce rates below 5% and complaint rates below 0.1%
- Not use purchased, rented, or scraped email lists
- Comply with applicable anti-spam legislation (including the Kenya Information and Communications Act)
We reserve the right to throttle or block outbound email from accounts that generate excessive bounces or complaints.
4. Resource Usage
4.1 Shared resources. On shared hosting and shared cloud plans, you must not consume CPU, memory, disk I/O, or network bandwidth to the extent that it degrades service for other clients.
4.2 Fair use. "Unlimited" or "unmetered" resources are subject to fair use. We will contact you before taking action if your usage significantly exceeds normal patterns.
4.3 Backups. While we provide backup services as described in your plan, you are ultimately responsible for maintaining your own independent backups of critical data.
5. Security Responsibilities
You are responsible for:
- Keeping your operating systems, applications, and scripts updated with the latest security patches
- Using strong, unique passwords and enabling multi-factor authentication where available
- Securing any software you install on your services (CMS, databases, custom applications)
- Monitoring your services for signs of compromise and reporting incidents promptly
- Revoking access for former employees or contractors without delay
If we detect that your service has been compromised (e.g., sending spam, participating in a botnet, hosting malware), we may suspend the affected service immediately to protect the network. We will notify you and work with you to resolve the issue.
6. Content Standards
You must not host or transmit content that:
- Is unlawful, threatening, abusive, harassing, defamatory, or obscene
- Promotes violence, discrimination, or hatred against any individual or group
- Constitutes or facilitates child exploitation in any form
- Infringes on any patent, trademark, trade secret, copyright, or other proprietary right
- Contains private or personal information of third parties without their consent
7. Reporting Violations
If you become aware of any violation of this AUP, whether by a fellow Xcobean client or originating from our network, please report it to:
Abuse Reports
Email: abuse@xcobean.co.ke
Please include as much detail as possible: IP addresses, timestamps (with timezone), URLs, email headers, and any relevant logs.
We investigate all reports promptly and in good faith. Reporters may remain anonymous.
8. Enforcement
Xcobean reserves the right to take any of the following actions in response to AUP violations, at our sole discretion:
- Warning. written notice of the violation with a deadline to remedy
- Content removal. removal or disabling of specific offending content
- Service suspension. temporary suspension of the affected service(s)
- Account termination. permanent termination of your account and all associated services
- Reporting to authorities. referral to law enforcement where criminal activity is suspected
For severe violations (CSAM, active DDoS attacks, malware distribution), we may act immediately without prior notice. For less severe violations, we will typically provide a reasonable opportunity to remedy the issue before escalating enforcement.
No refunds will be issued for services terminated due to AUP violations.
9. Changes to This Policy
We may update this AUP from time to time. Material changes will be communicated via email or through the Client Portal with at least 14 days' notice. Your continued use of our services after the effective date constitutes acceptance of the updated policy.
10. Contact Information
For questions about this Acceptable Use Policy:
Xcobean Systems Limited
11th Floor, Britam Towers, Nairobi, Kenya
Kigali Innovation City, Kigali, Rwanda
Abuse reports: abuse@xcobean.co.ke
General inquiries: info@xcobean.co.ke
Phone: +254 20 790 2222
Anti-Bribery & Anti-Corruption Policy
Last updated: 26 March 2026
Xcobean Systems Limited ("Xcobean", "we", "us", or "our") is committed to conducting all business ethically, honestly, and in full compliance with applicable anti-bribery and anti-corruption laws. This policy sets out our zero-tolerance approach to bribery and corruption in all forms.
Table of Contents
- 1. Board Commitment
- 2. Scope
- 3. Applicable Laws
- 4. What Constitutes Bribery
- 5. Employee and Contractor Obligations
- 6. Partners and Suppliers
- 7. Due Diligence
- 8. Gifts and Hospitality
- 9. Facilitation Payments
- 10. Political and Charitable Contributions
- 11. Record Keeping
- 12. Reporting Concerns
- 13. Training and Awareness
- 14. Consequences of Violation
- 15. Review
- 16. Contact Information
1. Board Commitment
The Board of Directors and senior management of Xcobean Systems Limited are unequivocally committed to preventing bribery and corruption in all business activities. We expect the highest standards of integrity from every person who acts on our behalf. This commitment is reflected in our business practices, our relationships with clients and partners, and our corporate culture.
This policy has been approved by the Board and applies to every level of the organisation without exception.
2. Scope
This policy applies to:
- All directors, officers, and employees of Xcobean Systems Limited
- All contractors, consultants, and temporary staff engaged by Xcobean
- All agents, intermediaries, and representatives acting on Xcobean's behalf
- All business partners, suppliers, and vendors in their dealings with or on behalf of Xcobean
This policy applies to all operations, including those in Kenya, Rwanda, and any other jurisdiction where Xcobean conducts business.
3. Applicable Laws
Xcobean is committed to complying with all applicable anti-bribery and anti-corruption laws, including but not limited to:
- Kenya Bribery Act, 2016. criminalises bribery in the public and private sectors, and imposes a duty on organisations to prevent bribery
- Anti-Corruption and Economic Crimes Act, 2003 (Kenya). establishes the Ethics and Anti-Corruption Commission (EACC) and defines corruption offences
- UK Bribery Act, 2010. applicable to Xcobean's international dealings; it has extraterritorial reach and covers commercial bribery, bribery of foreign officials, and failure to prevent bribery
- United Nations Convention against Corruption (UNCAC). as ratified by Kenya
Where local laws impose stricter requirements, we will comply with the stricter standard.
4. What Constitutes Bribery
Bribery is the offering, promising, giving, accepting, or soliciting of an advantage as an inducement for action which is illegal, unethical, or a breach of trust. This includes but is not limited to:
- Cash payments or financial inducements. direct or indirect payments to influence a decision
- Gifts. giving or receiving gifts intended to improperly influence business decisions
- Kickbacks. returning a portion of money received in a transaction as a reward for facilitating the deal
- Facilitation payments. small payments to expedite routine government actions (see Section 9)
- Entertainment and hospitality. lavish or disproportionate hospitality intended to secure an improper advantage
- Favours and preferential treatment. providing jobs, contracts, or other benefits to influence decisions
- Political or charitable donations. made to gain a business advantage (see Section 10)
5. Employee and Contractor Obligations
All employees and contractors must:
- Read, understand, and comply with this policy
- Never offer, promise, give, request, or accept a bribe in any form
- Refuse any request or demand for a bribe and report it immediately
- Avoid any activity that could lead to or suggest a conflict of interest
- Declare any gifts, hospitality, or other benefits received or offered in connection with Xcobean business
- Report any suspicion of bribery or corruption through the channels described in Section 12
- Cooperate fully with any investigation into potential violations
6. Partners and Suppliers
We expect all partners, suppliers, and third parties who work with Xcobean to:
- Maintain their own anti-bribery and anti-corruption policies and controls
- Comply with all applicable anti-bribery laws in their dealings with and on behalf of Xcobean
- Promptly report any suspected bribery or corruption related to Xcobean business
- Permit Xcobean to audit their compliance with this policy where reasonably required
Anti-bribery clauses will be included in all material contracts with third parties.
7. Due Diligence
Before engaging agents, intermediaries, joint venture partners, or other high-risk third parties, Xcobean will conduct proportionate due diligence to assess:
- The third party's reputation and track record
- Whether the third party has adequate anti-bribery policies and controls
- The corruption risk profile of the countries and sectors involved
- Any red flags, such as connections to government officials, requests for unusual payment arrangements, or a history of corruption allegations
Enhanced due diligence will be applied to engagements involving government contracts, regulated sectors, or high-corruption-risk jurisdictions.
8. Gifts and Hospitality
Xcobean recognises that modest, reasonable gifts and hospitality are a normal part of business relationships. However, they must never be used to improperly influence business decisions.
The following guidelines apply:
- Gifts and hospitality must be reasonable in value, proportionate, and given in good faith
- They must be transparent: never given or received in secret
- They must be documented in the gifts and hospitality register
- Gifts of cash or cash equivalents (vouchers, gift cards) are never permitted
- Gifts to or from government officials require prior management approval
- Any gift or hospitality exceeding KES 10,000 (or equivalent) must be reported to management and recorded in the register
When in doubt, decline the gift or hospitality and seek guidance from management.
9. Facilitation Payments
Facilitation payments (small, unofficial payments made to secure or expedite the performance of routine government actions) are prohibited by Xcobean.
If you are asked to make a facilitation payment:
- Refuse the request
- Record the details (who, when, where, what was requested)
- Report the incident to management and via the channels in Section 12
If you feel physically threatened or your safety is at risk, make the payment if necessary, ensure your safety, and then report the incident immediately.
10. Political and Charitable Contributions
Xcobean does not make donations to political parties, political organisations, or individual politicians.
Charitable donations and sponsorships must:
- Be made transparently and for legitimate purposes
- Not be used as a conduit for bribery
- Be approved by management
- Be properly documented
11. Record Keeping
Xcobean maintains accurate and complete financial records that reflect all transactions and expenditures. Specifically:
- All payments to third parties must have a clear, legitimate business purpose and be properly documented
- A gifts and hospitality register is maintained and reviewed regularly
- Due diligence records for third-party engagements are retained for the duration of the relationship plus 7 years
- All reports of suspected bribery or corruption are documented and retained securely
- Falsifying or concealing any record is a serious violation of this policy and may constitute a criminal offence
12. Reporting Concerns
If you know or suspect that bribery or corruption has occurred or may occur in connection with Xcobean's business, you must report it. Reports can be made through:
Reporting Channels
Email: ethics@xcobean.co.ke
Direct report to your line manager or any member of senior management
Direct report to the Board of Directors
Whistleblower protection. Xcobean is committed to protecting anyone who raises a genuine concern in good faith. No individual will be subjected to retaliation, dismissal, demotion, or any other form of detriment for reporting suspected bribery or corruption. This protection extends to employees, contractors, and external parties.
Reports will be treated confidentially to the fullest extent possible. Anonymous reports are accepted and will be investigated.
13. Training and Awareness
Xcobean provides anti-bribery and anti-corruption training to:
- All new employees and contractors as part of onboarding
- All existing staff on a periodic basis (at least annually)
- Staff in higher-risk roles (procurement, sales, finance, government relations) on a more frequent basis
Training covers the requirements of this policy, relevant legal obligations, how to recognise bribery and corruption, and how to report concerns.
14. Consequences of Violation
Any violation of this policy will be treated as a serious matter. Consequences may include:
- Disciplinary action. up to and including summary dismissal
- Contract termination. for contractors, agents, and suppliers
- Criminal prosecution. bribery is a criminal offence under Kenyan law, carrying penalties of up to 10 years' imprisonment and/or fines of up to KES 5 million for individuals
- Civil liability. personal liability for damages resulting from corrupt acts
- Corporate penalties. under the Kenya Bribery Act, organisations that fail to prevent bribery face unlimited fines
15. Review
This policy is reviewed annually by the Board of Directors, or more frequently if required by changes in legislation, regulation, or business circumstances. Suggestions for improvement are welcome and should be directed to ethics@xcobean.co.ke.
16. Contact Information
For questions about this policy:
Xcobean Systems Limited
11th Floor, Britam Towers, Nairobi, Kenya
Kigali Innovation City, Kigali, Rwanda
Ethics and compliance: ethics@xcobean.co.ke
General inquiries: info@xcobean.co.ke
Phone: +254 20 790 2222