Data Processing Agreement

1. Introduction

This DPA sets out the terms on which Adscod processes personal data on behalf of the Customer. It applies to all processing of personal data in connection with the Subscription Services.

This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the Uganda Data Protection and Privacy Act 2019, the Kenya Data Protection Act 2019, the Nigerian Data Protection Act 2023, and the African Union Malabo Convention.

2. Definitions

3. Scope and Duration

• This DPA applies to all personal data processed by Adscod in connection with the Subscription Services.
• The duration of processing shall correspond to the Subscription Term, unless otherwise required by law.
• The nature, purpose, categories of personal data, and categories of data subjects are described in Annex A.

4. Processor Obligations

Adscod shall:

• Process personal data only on documented instructions from the Controller, unless required by law.
• Ensure that persons authorized to process personal data are bound by confidentiality obligations.
• Implement and maintain appropriate technical and organizational security measures.
• Assist the Controller in responding to data subject requests, data protection impact assessments, and consultations with supervisory authorities. Any costs incurred beyond the scope of the Subscription Services for such assistance shall be borne by the Controller.
• Make available to the Controller information necessary to demonstrate compliance with this DPA, to the extent Adscod holds relevant certifications or documentation.
• At the Controller's choice, delete or return all personal data upon termination of the Subscription Services.

5. Sub-Processing

• The Controller provides general authorization for Adscod to engage sub-processors, subject to the obligations of this DPA.
• Adscod shall maintain a current list of sub-processors, available upon request or at Product Disclosures.
• Adscod shall notify the Controller of any intended addition or replacement of sub-processors at least fourteen (14) days in advance.
• The Controller may object to new sub-processors within fourteen (14) days. If the objection cannot be reasonably resolved, the Controller may terminate the affected services.
• Adscod shall impose data protection obligations on sub-processors no less protective than those in this DPA.
• Adscod shall use reasonable efforts to ensure that sub-processors comply with obligations no less protective than those in this DPA.

6. International Data Transfers

• Adscod shall not transfer personal data to a country outside of the Controller's jurisdiction without appropriate safeguards.
• Appropriate safeguards include Standard Contractual Clauses (SCCs), binding corporate rules, or an adequacy decision by the relevant authority.
• Where required, Adscod shall conduct a transfer impact assessment to evaluate the level of protection in the recipient country.
• The Controller may request details of the safeguards in place for specific transfers.

7. Security Measures

Adscod shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data at rest and in transit
• Measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems
• Ability to restore access to personal data in a timely manner following an incident
• Regular testing and evaluation of the effectiveness of security measures

Detailed security measures are described in Annex B.

8. Personal Data Breach Notification

• Adscod shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a Personal Data Breach.
• The notification shall include: (a) the nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.
• Adscod shall cooperate with the Controller in investigating and remediating the breach.
• Adscod shall assist the Controller in meeting its obligations to notify supervisory authorities and data subjects.

9. Data Subject Rights

• Adscod shall assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
• Adscod shall promptly notify the Controller if it receives a request directly from a data subject, unless otherwise required by law.
• Adscod shall not respond to data subject requests independently unless authorized by the Controller.

10. Audit Rights

• Adscod shall make available to the Controller information necessary to demonstrate compliance with this DPA, to the extent Adscod holds relevant certifications or documentation.
• The Controller may conduct or commission audits, including inspections, upon reasonable notice (no less than thirty (30) days).
• Audits shall be conducted during normal business hours, with reasonable scope and frequency, and in a manner that minimizes disruption.
• Adscod may provide audit reports from independent third-party auditors in lieu of on-site inspections, where such reports are sufficiently detailed.

11. Termination and Data Return/Deletion

• Upon termination of the Subscription Services, Adscod shall, at the Controller's election, return or delete all personal data within thirty (30) days (for Power-tier accounts) or immediately (for Starter/Active-tier accounts).
• Adscod may retain personal data to the extent required by applicable law, provided that such data remains subject to the confidentiality and security obligations of this DPA.
• Certification of deletion shall be provided upon request.

Annex A — Details of Processing