Enterprise Standard DPA v3.0

Data Processing Agreement

Effective Date: [Insert Date]

"This Data Processing Agreement ("DPA") forms part of the agreement between Vemtap ("Processor") and the business client ("Controller") and governs the processing of Personal Data in connection with Vemtap and QRThrive services. It is designed to meet enterprise-grade standards and comply with the Nigeria Data Protection Act (NDPA) and applicable international data protection frameworks."

1. Definitions

  • Controller: The entity that determines the purposes and means of processing Personal Data.
  • Processor: Vemtap, which processes Personal Data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Processing: Any operation performed on Personal Data.
  • Sub-Processor: Any third party engaged by the Processor to process data.
  • Data Subject: The individual whose Personal Data is processed.

2. Scope and Purpose of Processing

Vemtap shall process Personal Data only for the purpose of providing services, including:

  • QR-based customer interactions
  • Data collection and storage
  • Customer engagement and messaging
  • Analytics and reporting dashboards

Processing shall be carried out strictly in accordance with the Controller’s documented instructions.

3. Nature, Duration, and Context of Processing

  • Nature: Collection, storage, organization, retrieval, and analysis of data
  • Duration: For the duration of the service agreement unless otherwise required by law
  • Context: Digital customer engagement and business intelligence

4. Types of Personal Data

  • Identification data (name)
  • Contact data (phone number, email)
  • Transactional data (orders, service requests)
  • Interaction data (QR scans, messages)
  • Technical data (IP address, device information)

5. Categories of Data Subjects

  • Customers of the Controller
  • Prospective customers
  • Website visitors
  • End-users interacting via QR codes or forms

6. Obligations of the Controller

The Controller shall:

  • Ensure lawful basis for processing (consent, contract, etc.)
  • Provide clear privacy notices to Data Subjects
  • Ensure accuracy of data provided
  • Comply with all applicable data protection laws
  • Issue lawful instructions to the Processor

7. Obligations of the Processor (Vemtap)

Vemtap shall:

  • Process Personal Data only on documented instructions
  • Ensure personnel confidentiality obligations
  • Implement appropriate technical and organizational measures
  • Maintain records of processing activities
  • Assist the Controller in compliance obligations
  • Not use data for its own purposes without authorization

8. Technical & Organizational Security Measures

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest (AES-256 or equivalent)
  • Role-Based Access Control (RBAC)
  • Multi-Factor Authentication (MFA)
  • Network firewalls and intrusion detection systems
  • Continuous monitoring and logging
  • Regular vulnerability assessments and penetration testing

9. Sub-Processors

Vemtap may engage Sub-Processors under the following conditions:

  • Sub-Processors are bound by written agreements with equivalent data protection obligations
  • Vemtap remains fully liable for Sub-Processor performance
  • A list of Sub-Processors shall be made available upon request

10. International Data Transfers

Where data is transferred outside Nigeria:

  • Adequate safeguards shall be implemented
  • Transfers shall comply with NDPA requirements
  • Standard contractual protections shall be applied where necessary

11. Data Subject Rights Assistance

Vemtap shall assist the Controller in responding to Data Subject requests, including:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Data portability
  • Objection

12. Data Breach Management

In the event of a Personal Data breach, Vemtap shall:

  1. Notify the Controller within 48 hours of becoming aware
  2. Provide detailed incident information
  3. Assist in mitigation and remediation
  4. Support regulatory reporting obligations

13. Data Retention and Deletion

  • Data shall be retained only as necessary for service delivery
  • Upon termination, data shall be deleted or returned at the Controller’s request
  • Legal retention obligations may apply

14. Audit and Inspection Rights

The Controller may:

  • Request documentation of security measures
  • Conduct audits (with reasonable notice)

Vemtap shall provide reasonable cooperation, subject to confidentiality and operational constraints.

15. Confidentiality

All personnel involved in processing Personal Data are subject to strict confidentiality obligations.

16. Liability and Indemnity

  • Each party is responsible for its own compliance
  • Vemtap shall not be liable for unlawful instructions from the Controller
  • Liability may be limited as defined in the main service agreement

17. Service Levels (Security & Availability)

Vemtap commits to:

  • High system availability
  • Continuous monitoring
  • Timely response to security incidents

18. Term and Termination

This DPA remains in effect for the duration of data processing activities.

19. Governing Law

This Agreement shall be governed by the laws of the Federal Republic of Nigeria.

20. Annex A – Processing Details

Subject Matter: Customer engagement and data collection

Duration: Duration of service agreement

Nature of Processing: Collection, storage, analysis, communication

Types of Data: Name, phone number, email, interaction data, technical data

Categories of Data Subjects: Customers, prospects, visitors

21. Annex B – Security Measures Summary

  • Encryption (TLS, AES-256)
  • RBAC and access controls
  • Monitoring and logging
  • Backup and recovery systems
  • Vulnerability testing

22. Contact Information

For data protection matters:

Vemtap – Enterprise-Grade Data Processing Infrastructure