Data Processing Agreement


This Data Processing Agreement ( the “Agreement”) relates to Terms of Use and the Order Form (“Master Agreement”) entered into between the Customer and the Provider, that may require the Provider to Process Personal Data on behalf of the Customer. This Agreement sets out the additional terms, requirements and conditions upon which the Provider will Process Personal Data when providing services under the Master Agreement.

AGREED TERMS
1.             Definitions and Interpretation
The following definitions and rules of interpretation apply in this Agreement.
1.1          
Definitions:
               
Business Purposes: the services to be provided by the Provider to the Customer as described in the Master Agreement and any other purpose specifically agreed as between the Parties.

Controller: has the meaning given under the Data Protection Legislation.

Customer: means the Controller under this Agreement
               
Data Protection Legislation: means the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation 2019, the NDPR Implementation Framework, as may be amended, revised or replaced from time to time.

Data Subject: has the meaning given under the Data Protection Legislation.

Personal Data: has the meaning given under the Data Protection Legislation and refers to the categories of Personal Data to be Processed by the Processor on behalf of the Controller, as communicated to the Controller by the Provider.
               
Processing, Processor, Processes, Processed, Process: has the meaning given under the Data Protection Legislation.
               
Personal Data Breach: has the meaning given under the Data Protection Legislation.

Provider: means Pade HCM Technology Limited

1.2          This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.
1.3          The Annexes, if any, form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes
the Annexes.
1.4          In the case of conflict or ambiguity between:
(a)       any provision contained in the body of this Agreement and any provision contained in the Annexes, if any, the provision in the body of this Agreement will prevail.
(b)       the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, if any, the provision contained in the Annexes, if any, will prevail.
(c)       any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.

2.             Data Processing

2.1          The Customer and the Provider agree and acknowledge that for the purpose of the
Data Protection Legislation:
(a)       the Customer is the Controller and the Provider is the Processor.
(b)       the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the Processing instructions it gives to the Provider.

3.             Provider's obligations

3.1          The Provider will only Process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's instructions. The Provider will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider shall use reasonable efforts to notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

3.2          The Provider shall use reasonable efforts to comply with Customer written instructions requiring the Provider to amend, transfer, delete or otherwise Process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.

3.3          The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or such disclosure is required by any applicable law.

3.4          The Provider will reasonably assist, at Customer’s cost, the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's Processing and the information available to the Provider.

4.             Provider's employees

4.1          The Provider will use reasonable endeavours to ensure that all of its employees:
(a)       areinformed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data; and
(b)       have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their duties.

5.             Security

5.1          The Provider shall use reasonable endeavours to implement appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. The Provider shall use reasonable endeavours to implement such measures to ensure a level of security appropriate to the risk involved. This clause 5.1. applies to the Customer in equal measure.

6.             Personal data breach

6.1          The Provider will without undue delay notify the Customer in writing if it becomes aware of any Personal Data Breach.
6.2          Where the Provider becomes aware of a Personal Data Breach, it may, also provide the Customer with the following written information:
(a)       description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b)       the likely consequences; and
(c)       a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3          Immediately following any accidental, unauthorised or unlawful Personal Data Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer in the Customer's handling of the matter.
6.4          The Provider will not inform any third-party of any accidental, unauthorised or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by Data Protection Legislation.
6.5          This clause 6 applies to the Customer in equal measure.

7.             Transfers of Personal Data

7.1          The Customer acknowledges that Provider may transfer and Process the Personal Data outside of Nigeria, where PaidHR, its affiliates or its sub-processors maintain Processing operations. Provider shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws.

8.             Subcontractors
8.1          The Provider may authorise any third party or subcontractor and sub-processors to Process the Personal Data. The Provider shall use reasonable efforts to ensure that such Processing activities is done in accordance with the Data Protection Legislation.

9.             Complaints

9.1          The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

9.2          The Provider must notify the Customer within 3 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.3          The Provider will give the Customer reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.4          This clause 9 applies to the Customer, in equal measure.

10.          Term and Termination

10.1       This Agreement will remain in full force and effect so long as:
(a)       the Master Agreement remains in effect; or
(b)       the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

10.2       Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.

11.          Data Return and Destruction

11.1       At the Customer's request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media
reasonably specified by the Customer.
11.2       On termination of the Master Agreement for any reason or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control, except any provision of the Data Protection Legislation requires otherwise.

12.          Records

12.1       The Provider will keep reasonable records of its Processing activities concerning the Personal Data (Records) as necessary to comply with Data Protection Legislation.

13.          Notice

13.1       Any notice given to the Processor under or in connection with this Agreement shall be in writing and may be sent via email to hello@paidhr.com.

13.2      
This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

14.          Limitation of Liability

14.1       Both Parties agree that in no event shall Processor’s aggregate liability under this Agreement exceed the value of all fees paid by Customer to Processor in the last twelve (12) months immediately preceding the incident that gave rise to Customer’s claim.

15.          Severability

15.1       If any provision of this Agreement is held to be invalid or unenforceable, then the remainder of this Agreement will remain valid and in force. The invalid or unenforceable provision will be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible; and (b) construed in a manner as if the invalid or unenforceable part had never been included.

16.          Governing Law & Dispute Resolution

16.1       This Agreement and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Nigeria. We shall try to settle all disputes amicably. Any dispute arising out of this Agreement which cannot be settled, by mutual agreement or negotiation within 1 (one) month shall be referred to arbitration by a single arbitrator at the Lagos Multi-Door Courthouse (“LMDC”) and governed by the Arbitration and Mediation Act, 2023. The findings of the arbitrator and subsequent award shall be binding on both Parties. Each Party shall bear its respective costs in connection with the arbitration. The venue for the arbitration shall be Lagos, Nigeria