Data Processing Addendum

1. Definitions

Capitalized terms not defined here have the meaning in the main agreement or applicable Data Protection Law.

• Data Protection Law: means the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR) to the extent applicable, Regulation (EU) 2016/679 (GDPR), UK GDPR, and any other applicable data protection or privacy law.
• Personal Data: means any information relating to an identified or identifiable natural person that is Processed by Processor on behalf of Controller.
• Process / Processing: means any operation or set of operations on Personal Data.
• Restricted Transfer: means a transfer of Personal Data to a country or territory outside Nigeria that is not subject to an adequacy decision or equivalent safeguards under the NDPA.
• Standard Contractual Clauses (SCCs): means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.

2. Scope and Roles

• 2.1 Processor acts as a data processor (or sub-processor) and Controller acts as a data controller.
• 2.2 The subject matter, duration, purpose, and categories of Data are set out in Annex 1.

3. Processing Instructions

3.1 Processor shall Process Personal Data only:

• on documented instructions from Controller;
• as necessary to provide the Service;
• as required by applicable law (in which case Processor shall inform Controller, unless prohibited).

3.2 Processor shall immediately inform Controller if, in its opinion, an instruction infringes Data Protection Law.

4. Confidentiality & Security

4.1 Processor shall ensure that persons authorised to Process Personal Data are bound by confidentiality obligations.

5.1 Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those set out in Annex 2.

6. Sub-processors

6.1 Controller provides general written authorisation for Processor to engage sub-processors.

6.2 Processor shall maintain an up-to-date list of sub-processors (available at /sub-processors).

6.4 Controller may object to a new sub-processor on reasonable grounds relating to data protection within 15 days of notification.

7. Assistance to Controller

Processor shall assist Controller by:

• Implementing appropriate technical and organisational measures;
• Notifying Controller without undue delay (within 72 hours) after becoming aware of a Personal Data Breach;
• Assisting with data subject rights requests, impact assessments, and prior consultations.

11. International Transfers

11.1 Processor shall not make a Restricted Transfer unless appropriate safeguards are in place.

11.3 For transfers subject to GDPR: The Parties agree to incorporate the Standard Contractual Clauses (Module 2 – Controller to Processor) with governing law and jurisdiction of Nigeria.

14. Governing Law

This DPA is governed by the laws of the Federal Republic of Nigeria.

Annex 1 – Data Processing Details

• Subject matter: Provision of the RuyQA SaaS platform.
• Nature and purpose: Hosting, storage, retrieval, analysis, and display of test management data.
• Type of Personal Data: Any Personal Data included in test cases, defects, comments, attachments, user profiles (e.g., names, emails).
• Categories of Data Subjects: Employees, contractors, or personnel of Controller.

Annex 2 – Technical Measures

• Encryption in transit (TLS 1.2+) and at rest.
• Access controls: role-based access, MFA, least privilege.
• Regular security patching and vulnerability management.
• Logging and monitoring of access.
• Backup and disaster recovery procedures.
• Incident response plan (breach notification within 72h).