Data Processing Addendum • Webcoupers Intelligence

Data
& Processing.

Forms part of the Terms and Conditions between Webcoupers Consulting (Data Processor) and the Agency or Consultant (Data Controller).

Data Processing Addendum (DPA)

Webcoupers Intelligence Platform

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between Webcoupers Consulting ("Data Processor") and the Agency or Consultant using the Platform ("Data Controller"). The Data Processor and the Data Controller shall be jointly referred to as the “Parties” and individually as a “Party.”

01

Purpose and Scope

This DPA reflects the Parties' agreement with regard to the processing of personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR) and the General Data Protection Regulation (GDPR).

policy

Ensuring strict compliance and safeguarding of Personal Data across all platform operations.

02

Definitions & Interpretations

Key Terms

Data Protection Laws

All laws and regulations concerning Personal Information processing, including NDPR 2019, NDPA 2023, EU GDPR 2016/679, and any other applicable laws.

Data Controller's Personal Data

Any personal data processed by the Data Processor on behalf of the Data Controller.

Sub-processor

Any third party appointed by the Processor to process Personal Data on behalf of the Controller.

Statutory Meanings

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal data breach”, and “Sensitive personal data” shall have the meanings provided in the Data Protection Legislations.

In this DPA:

  • The terms used in this DPA will have the meanings set out in this DPA;
  • The schedules to this DPA form part of this DPA and will have the same force and effect as if set out in the body of this DPA;
  • Unless the context otherwise requires, references to the singular include the plural and vice versa;
  • References to a “person” include any individual, body corporate, association, partnership, firm, trust, organisation, joint venture, government, or agency;
  • Words following “include”, “includes”, “including”, “in particular” will be construed without limitation;
  • References to a Party to this DPA include references to the successors or assigns of that Party.
03

License to Process

verified
3.1 Warrant

The Data Controller warrants it has necessary rights to provide Personal Data for processing, supported by lawful bases set forth in relevant Legislation.

key
3.2 Scope

Controller grants a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use data solely for approved purposes.

gavel
3.3 Breach

If the Data Controller uses the Data for any purpose other than the approved purpose, such use shall be a material breach of this DPA.

04

Processing of Controller's Data

  • 4.1.a

    Comply with all applicable Data Protection Laws in the Processing of the Data Controller’s Personal Data, and provide assistance to help Controller comply.

  • 4.1.b

    Only process the Data Controller’s Personal Data on the Data Controller’s written instruction or direction for the performance of services.

  • 4.1.c

    Not do anything or fail to do anything which would cause the Data Controller to be in breach of its obligations under applicable Laws.

  • 4.1.d

    Not disclose or permit the disclosure of Personal Data to any third party unless specifically authorised to do so in writing.

  • 4.2

    Immediately notify the Data Controller before any Processing is carried out if any instruction infringes or is likely to infringe Data Protection Laws.

05

Data Security & Confidentiality

5.1 Technical Measures: Implement and maintain appropriate technical and organisational measures, including pseudonymisation, encryption, ensuring ongoing resilience, restoring access in a timely manner, and regularly testing security effectiveness.

5.2 Sensitive Data: Where Processing Sensitive Personal Data, ensure it is encrypted using industry-standard encryption tools.

5.3 Standard of Care: Exercise the same degree of care as used with own confidential information (no less than reasonable care) to protect against misuse and unauthorized access.

5.4 Authorized Access: Disclose Data only to employees, directors, affiliates, agents, and professional advisers on a "need to know" basis, ensuring they are bound by these obligations.

5.5 Breach Protocol

  • alarm_on Notify the Data Controller immediately upon discovery of unauthorized use/disclosure within twenty-four (24) hours.
  • handshake Cooperate in every reasonable way to help regain possession of Confidential Information and prevent further unauthorized use.
06

Data Subject Rights

  • Promptly notify Controller of any subject request (access, delete, block, restrict).
  • Do not respond except on written instructions of the Controller, unless required by Applicable Laws.
07

Records of Processing (RoPA)

  • 7.1 Maintain a written record of Processing activities carried out on behalf of the Controller.
  • 7.2 Provide the RoPA within fourteen (14) business days of receipt of a request.
08

Requests from Authorities

Immediately inform the Data Controller if a request, inquiry, complaint, notice, or subpoena is received from a regulatory authority, except where prohibited by Applicable Laws.

09

Managing Breaches

  • 9.1 Notify Controller without undue delay (24-48 hours) upon becoming aware, providing sufficient information for reporting.
  • 9.2 Immediately implement measures to stop the Breach and assist to investigate and mitigate.
10

Return, Deletion or Destruction

10.1 Cease Processing within 14 days of:

  • The end of the provision of services;
  • The Term of the subscription agreement; or
  • At any time upon the Data Controller’s request.

10.2 At Controller's option, Processor will:

  • Return all Personal Data in specified form/manner;
  • Securely and permanently delete or destroy Data;
  • Provide written certification of compliance.

10.3 Processor may retain copies if required by Applicable Laws, ensuring continued security.

11

Audit Rights

At the Data Controller’s request, the Data Processor will make available all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

12

Sub-Processing

Processor is authorized to engage sub-processors provided:

  • Appropriate due diligence and safeguards are implemented.
  • Sub-processors sign an agreement with equivalent DPA obligations.

General Legal Provisions

13 Indemnity

Either Party will indemnify and hold harmless the other Party and its Indemnified Parties from and against third party claims, losses, liabilities, fines, costs, and expenses (including legal fees) arising out of any breach of obligations under this DPA, and/or Data Protection Laws.

14 Limitation of Liability

14.1 Neither Party shall be liable for indirect or consequential damages (loss of revenue, profit, opportunity, goodwill, non-data subject 3rd party claims).
14.2 No limitation of liability applies in case of gross negligence or wilful intent.

15 Counterparts

This DPA may be signed in any number of counterparts (including a PDF file), each constituting an original but together constituting the same document.

16 Severability

If any provision is invalid, illegal or unenforceable, it shall not affect any other provision, and this DPA shall be construed as if such unenforceable provision was never contained herein.

17 Governing Law and Jurisdiction

This Agreement shall be governed in accordance with the Laws of the Federal Republic of Nigeria. The Parties submit to the exclusive jurisdiction of the courts of the Federal Republic of Nigeria in respect of any dispute arising out of or in connection with this DPA.

Schedule A: Details of Processing

The subject matter, duration, nature, and purpose of the processing are as follows:

Item Description
Subject Matter Provision of AI-powered marketing intelligence and content generation services.
Duration The term of the Subscription Agreement plus the period until data deletion.
Nature/Purpose To analyze marketing metrics via OAuth, generate content, and manage client brand voices.
Data Categories Names, email addresses, social media metrics, marketing copy, and IP addresses.
Data Subjects Controller’s employees, clients, and end-consumers of the marketing campaigns.

Compliance Inquiries

For further information regarding our data processing protocols, please contact our privacy squad.

mail privacy@webcoupers.com