1. Introduction
This Acceptable Use Policy ("AUP") defines the rules that govern how you may use the Kappit platform. It applies to all users of the Service — including Company Owners, Managers, and Employees — and forms part of the legally binding agreement between you and Kappit.
The purpose of this AUP is to protect the integrity, security, and reliability of the platform and to ensure that it is used in a lawful, ethical, and responsible manner. The platform handles sensitive personal and financial data, and the trust of all users depends on everyone using it appropriately.
By using Kappit, you agree to comply with this AUP in full. Violation of this policy may result in immediate account suspension or termination and, where applicable, reporting to the relevant authorities.
2. Fraud & Misrepresentation
You must not use Kappit to create, process, or store:
- False or fabricated invoices, receipts, or financial records
- Fictitious employee records or ghost payroll entries
- Fraudulent purchase orders, delivery notes, or goods received notes
- Inflated or understated figures intended to misrepresent the financial position of a business
- Documents intended to deceive customers, suppliers, lenders, investors, regulators, or government authorities
- False payroll data designed to evade PAYE, NSSF, NHIF, or other statutory obligations
The creation of fraudulent business records is a criminal offence under the Kenyan Penal Code, the Tax Procedures Act, and the Proceeds of Crime and Anti-Money Laundering Act. Kappit will cooperate fully with any lawful investigation by the Kenya Revenue Authority, the Ethics and Anti-Corruption Commission, or any other competent authority.
3. Illegal Activities
You must not use the Kappit platform in connection with any activity that violates the laws of Kenya or any jurisdiction in which you operate. Prohibited activities include, but are not limited to:
- Money laundering or structuring transactions to conceal the proceeds of crime
- Tax evasion or the deliberate misrepresentation of taxable income or deductible expenses
- Violations of the Employment Act, 2007, including failure to pay minimum wage or unlawful deductions from employee salaries
- Violations of the Data Protection Act, 2019, including processing personal data without a lawful basis
- Any activity that violates the Computer Misuse and Cybercrimes Act, 2018
- Facilitation of corruption, bribery, or kickbacks as prohibited by the Bribery Act, 2016
- Conducting business in sanctioned sectors or with sanctioned entities under applicable law
4. Intellectual Property
You must not upload, store, or transmit through Kappit any content that infringes the intellectual property rights of any third party, including:
- Copyrighted text, images, software, or multimedia content that you do not have a licence to use
- Trademarks used in a way that is likely to cause confusion or misrepresentation
- Confidential or proprietary information belonging to a third party, obtained without proper authorisation
- Patented processes or inventions incorporated into uploaded documents without a valid licence
Where Kappit receives a valid intellectual property infringement notice relating to content uploaded by a user, we may remove the content and notify the affected user.
5. Harassment
Kappit must be used in a professional and respectful manner. You must not use the platform to:
- Harass, intimidate, threaten, or bully any person — including colleagues, employees, customers, or suppliers
- Discriminate against any person on the basis of their gender, race, ethnicity, disability, religion, sexual orientation, or any other protected characteristic under Kenyan law
- Create a hostile or abusive work environment through the platform's communication or document features
- Defame or publicly embarrass any individual through records created on the platform
- Record false or malicious notes about any employee, customer, or supplier
Harassment of any Kappit employee or agent, including in the course of support interactions, is also prohibited and will result in immediate termination of service.
6. Malware
You must not upload, transmit, introduce, or otherwise deploy through Kappit any software, code, script, or file that:
- Is designed to damage, disrupt, or gain unauthorised access to any computer system or network
- Contains or installs viruses, Trojan horses, worms, ransomware, spyware, adware, or any other form of malicious code
- Is designed to intercept, monitor, or capture data without the authorisation of the data owner
- Exploits vulnerabilities in software, hardware, or network infrastructure
- Is designed to perform denial-of-service attacks or degrade the availability of any system
All uploaded files are subject to automated security scanning. Files identified as potentially malicious will be quarantined and may be deleted without notice.
7. Unauthorised Access
You must not attempt to access any data, account, system, or network resource that you are not explicitly authorised to access. Prohibited conduct includes:
- Attempting to bypass authentication mechanisms or session controls
- Attempting privilege escalation — accessing features or data beyond your assigned role
- Using another user's credentials, whether obtained legitimately or otherwise
- Exploiting software vulnerabilities, misconfigurations, or implementation errors in the platform
- Intercepting network traffic to capture authentication tokens or session data
- Probing or scanning the platform for vulnerabilities without explicit written authorisation from Kappit
Authorised security testing (penetration testing) may only be conducted with prior written permission from Kappit. To request permission, contact security@kappit.co.ke.
8. Password Sharing
Each user must have their own individual account and must not share their login credentials with any other person under any circumstances. This applies without exception, including situations where:
- A colleague needs temporary access while the account owner is absent
- A manager wishes to act on behalf of an employee
- An IT administrator needs to perform maintenance tasks
- A third-party consultant or auditor requires access to review records
In all of the above scenarios, the Company Owner should create a separate account with appropriate permissions for the relevant person. Kappit customer support will never ask for your password.
If you suspect that your credentials have been compromised, you must change your password immediately and notify your Company Owner and Kappit at security@kappit.co.ke.
9. Cross-Company Data Access
You must not attempt to access, view, copy, modify, delete, or exfiltrate data belonging to any other company using the Kappit platform. This includes:
- Attempting to bypass tenant isolation controls through technical exploitation
- Using social engineering to obtain access credentials or session tokens belonging to users of another company
- Accessing or attempting to access Kappit's administrative interfaces without authorisation
- Submitting crafted requests designed to return data from other tenants
Any suspected cross-tenant vulnerability — even if discovered accidentally — must be reported immediately to security@kappit.co.ke without exploiting or disclosing it further. Kappit operates a responsible disclosure programme and will acknowledge reports promptly.
Deliberate cross-company data access constitutes a criminal offence under the Computer Misuse and Cybercrimes Act, 2018 and will be reported to the Kenya Cybercrime Unit.
10. Reverse Engineering
You must not attempt to discover the source code, underlying architecture, algorithms, or data models of the Kappit platform by any means, including:
- Decompiling or disassembling any compiled code or software
- Reverse engineering through network traffic analysis or API response inspection beyond normal use
- Using automated tools to map or extract the platform's data schema or business logic
- Examining memory or process dumps to extract proprietary information
Legitimate developers building integrations with Kappit's published API may inspect the API responses relevant to their integration. This does not constitute reverse engineering provided they do not attempt to extract information beyond the scope of their authorised integration.
11. Automated Abuse
You must not use automated scripts, bots, crawlers, scrapers, or any other automated tools to access Kappit in ways that exceed normal use or that are not explicitly permitted by Kappit's API documentation. Prohibited activities include:
- Sending an excessive number of requests to the platform in a short period (rate abuse)
- Scraping data from the platform's web interface using automated tools
- Using bots to create accounts, send messages, or perform actions on behalf of users
- Stress testing or load testing the platform's infrastructure without prior written permission from Kappit
- Attempting to circumvent rate limits or access controls through distributed requests
Kappit implements rate limiting and anomaly detection that may automatically block access from sources identified as performing automated abuse.
12. Spam
Kappit's communication features — including invoice emails, payment reminders, and statement delivery — are provided for legitimate business communications only. You must not use these features to:
- Send unsolicited commercial messages (spam) to individuals who have not consented to receive communications from your business
- Send bulk messages to large contact lists for purposes other than legitimate business transactions
- Send communications that are misleading, deceptive, or that impersonate another business or individual
- Send messages containing links to malicious websites, phishing content, or any other harmful material
- Repeatedly contact individuals who have requested not to be contacted
Use of Kappit's communication features must comply with the Kenya Information and Communications Act and any applicable regulations governing electronic communications and marketing.
13. Malicious File Uploads
You must not upload any file to the Kappit platform that:
- Contains embedded executable code designed to run on the recipient's device
- Is crafted to exploit vulnerabilities in document viewers, image processors, or other software used to open uploaded files
- Contains hidden scripts or macros designed to perform unauthorised actions
- Is designed to exfiltrate data from the devices of colleagues or Kappit's systems upon opening
- Contains content that constitutes child sexual abuse material, extreme violent content, or any other category of content that is illegal under Kenyan law
Uploaded files are subject to automated content scanning. Files identified as potentially harmful will be quarantined and may be reported to the relevant authorities.
14. Consequences of Violation
A breach of this Acceptable Use Policy may result in one or more of the following:
- Immediate suspension of the user account pending investigation
- Permanent termination of the user account or the entire business workspace
- Reporting to the Kenya Cybercrime Unit, Kenya Revenue Authority, Office of the Data Protection Commissioner, or any other relevant authority
- Civil legal action by Kappit or by any third party affected by the breach
- Criminal prosecution under the Computer Misuse and Cybercrimes Act, 2018, the Data Protection Act, 2019, or any other applicable Kenyan law
- Recovery of damages from you to cover the costs incurred by Kappit in investigating and remediating the breach
The severity of the consequence will be proportionate to the nature and seriousness of the violation. Kappit reserves the right to determine the appropriate response in each case.
15. Reporting Violations
If you become aware of any actual or suspected violation of this Acceptable Use Policy — whether by another user, a Company Owner, an employee, or any third party — you are encouraged to report it to Kappit immediately.
Reports should be directed to:
| Security Incidents & AUP Violations | security@kappit.co.ke |
| Data Protection Concerns | privacy@kappit.co.ke |
| Fraud & Financial Misconduct | legal@kappit.co.ke |
All reports will be treated as confidential. Kappit will acknowledge reports within 2 business days and will conduct a fair and thorough investigation. Individuals who report violations in good faith will be protected from any retaliation.
© 2026 Kappit. All rights reserved. Registered in Kenya.