Privacy & Identity

This Data Processing Addendum ("DPA") forms a part of the Terms and Conditions between Webcoupers Consulting ("Data Processor") and the Agency or Consultant using the Platform ("Data Controller").

The Data Processor and the Data Controller shall be jointly referred to as the “Parties” and individually as a “Party”.

This DPA applies to the processing of personal data related to Nigerian SMEs and their customers in accordance with the Nigeria Data Protection Act 2023 (NDPA), Nigeria Data Protection Regulation 2019 (NDPR), and the General Data Protection Regulation (GDPR).

In this DPA, unless the context otherwise requires, the following expressions have the following meanings:

In this DPA:

• (a) The terms used in this DPA will have the meanings set out in this DPA;
• (b) the schedules to this DPA form part of this DPA and will have the same force and effect as if set out in the body of this DPA;
• (c) references to the singular include the plural and vice versa;
• (d) references to a “person” include any individual, body corporate, association, partnership, firm, trust, organisation, joint venture, government, local or municipal authority, or state agency;
• (e) any words following the words “include”, “includes”, “including”, “in particular” will be construed without limitation;
• (f) references to a Party to this DPA include references to the successors or assigns of that Party.

3.1. The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the relevant Data Protection Legislation support the lawfulness of the Processing.

3.2. The Data Controller grants the Data Processor, a limited, non-exclusive, non-transferable, non-sublicensable, and revocable license to access and use the data solely for the approved purpose and duration as agreed by the Parties, subject to applicable Data Protection Laws.

3.3. If the Data Controller uses the Data for any purpose other than the approved purpose, such use shall be a material breach of this DPA.

4.1. The Data Processor will:

• (a) comply with all applicable Data Protection Laws in the Processing of the Data Controller’s Personal Data, and provide reasonable assistance to the Data Controller;
• (b) only process the Data Controller’s Personal Data on the Data Controller’s written instruction or direction for the performance of services;
• (c) not do anything or fail to do anything which would cause the Data Controller to be in breach of its obligations under applicable Data Protection Laws;
• (d) not disclose or permit the disclosure of the Data Controller’s Personal Data to any third party unless specifically authorised to do so in writing;

4.2. The Data Processor will immediately notify the Data Controller before any Processing is carried out if, in the Data Processor’s opinion, any instruction from the Data Controller infringes or is likely to infringe Data Protection Laws.

5.1. The Data Processor will implement and maintain at all times appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate:

• (a) the pseudonymisation and encryption of the Data Controller’s Personal Data;
• (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
• (c) the ability to restore the availability and access to the Data Controller’s Personal Data in a timely manner in the event of a physical or technical incident;
• (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

5.2. Where the Data Processor processes Sensitive Personal Data, it will ensure that the Sensitive Personal Data is encrypted using industry-standard encryption tools.

5.3. The Data Processor will exercise the same degree of care as it uses with its own data and confidential information, but in no event less than reasonable care, to protect the Data from misuse and unauthorized access or disclosure.

5.4. The Data Processor shall only disclose the Data to its employees, directors, affiliates, agents and professional advisers (“Authorized Representatives”) on a need-to-know basis to facilitate the Approved Purpose.

5.5. The Data Processor shall notify the Data Controller immediately upon discovery of any unauthorised use or disclosure of the Confidential Information or any other breach of this DPA within twenty-four (24) hours of becoming aware and will cooperate with the Data Controller.

The Data Processor will:

• (a) promptly notify the Data Controller if it or a Sub-processor receives any query, complaint or request from a Data Subject to access, delete, block or restrict access to their Personal Data, or to receive a machine-readable copy of their Personal Data; and
• (b) ensure that neither it nor the Sub-processor responds to any query, complaint or request by a Data Subject except on the written instructions of the Data Controller unless required to do so by Applicable Laws.

7.1. The Data Processor will keep and maintain a written record of Processing activities (“RoPA”) carried out on behalf of the Data Controller in compliance with Data Protection Laws.

7.2. At the Data Controller’s request, the Data Processor will provide the RoPA within fourteen (14) business days of receipt of the request.

The Data Processor will immediately inform the Data Controller if the Data Processor or any sub-processor receives any request, inquiry, complaint, notice, subpoena or any other communication from a regulatory authority relating to the Processing of the Data Controller’s Personal Data under this DPA, except where the Data Processor is prohibited from doing so under Applicable Laws.

9.1. The Data Processor will:

• (a) notify the Data Controller without undue delay (and in any event within 24-48 hours) upon becoming aware of a Personal Data Breach involving the Data Controller’s Personal Data; and
• (b) provide the Data Controller with sufficient information to permit it to meet any obligations to report the Personal Data Breach to the appropriate authority and/or inform Data Subjects.

9.2. The Data Processor will immediately implement or procure the implementation of appropriate measures to stop the Personal Data Breach and assist the Data Controller to investigate, mitigate and remediate the Personal Data Breach.

10.1. Within fourteen (14) days of:

• (a) the end of the provision of the services relating to the processing of the Data Controller’s Personal Data; or
• (b) the Term of the subscription agreement; or
• (c) at any time upon the Data Controller’s request, the Data Processor will and ensure that any Sub-processor immediately ceases processing the Data Controller’s Personal Data.

10.2. At the Data Controller’s option, the Data Processor and each Sub-processor will:

• (a) return all Personal Data shared by the Data Controller in the form and manner, specified;
• (b) securely and permanently delete or destroy all of the Data Collector’s Personal Data;
• (c) provide the Data Controller with a written certification certifying compliance with clauses 10.2(a) and 10.2(b).

10.3. The Data Processor may retain copies of the Data Controller’s Personal Data and for such periods, as required by Applicable Laws. The Data Processor will ensure the security and confidentiality of such Personal Data.

At the Data Controller’s request, the Data Processor will make available to the Data Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

Subject to compliance by the Data Processor with the terms of this DPA, the Data Controller authorises the Data Processor to engage sub-processors to process the Data Controller’s Personal Data in the performance of the services, provided always that:

• (a) the Data Processor carries out appropriate due diligence to ensure that the sub-processor can provide the level of protection for the processing of the Data Controller’s Personal Data or implement appropriate safeguards such as the execution of standard contractual clauses, or other legally recognised transfer mechanisms, etc; and
• (b) the Data Processor and each Sub-processor have signed an agreement including terms which contain the same (or equivalent) obligations concerning the Data Controller’s Personal Data as those set out in this DPA.