Data Processing Agreement

Last updated: April 4, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CashTrack ("Processor") and the entity or individual agreeing to these terms ("Controller"). This DPA is entered into pursuant to Article 28(3) of the General Data Protection Regulation (GDPR) and the Nigeria Data Protection Act (NDPA) 2023.

1. Definitions

  • Controller: The entity that determines the purposes and means of processing Personal Data, being the CashTrack account holder.
  • Processor: CashTrack, which processes Personal Data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Subject: An identified or identifiable natural person whose Personal Data is processed.
  • Supervisory Authority: The Nigeria Data Protection Commission (NDPC) or any applicable EU/EEA data protection authority.

2. Subject Matter & Duration

This DPA governs the Processor's processing of Personal Data on behalf of the Controller. The duration of processing shall be for the term of the service agreement between the Controller and the Processor, plus any period required for data deletion or return as specified in this DPA.

3. Nature & Purpose of Processing

The Processor processes Personal Data to provide the Controller with SaaS invoicing, payment tracking, expense management, bank account linking, and tax compliance services. This includes generating invoices, recording payments, linking bank accounts via Mono, computing tax estimates, and delivering transactional notifications.

4. Types of Personal Data Processed

  • Identity Data: Names, business names, job titles.
  • Contact Data: Email addresses, phone numbers, business addresses.
  • Financial Data: Invoice amounts, payment records, expense records, subscription details.
  • Bank Transaction Data: Bank account details, transaction history, and account balances obtained through Mono integration.
  • Tax Identifiers: Tax Identification Numbers (TIN), VAT registration numbers, and related FIRS compliance data.

5. Categories of Data Subjects

  • Business Owners: Individuals who register for and administer CashTrack accounts.
  • Clients of Business Owners: Individuals or entities whose data is entered by the Controller for invoicing and payment tracking purposes.
  • Team Members: Employees or contractors of the Controller who are granted access to the CashTrack platform.

6. Controller Obligations

The Controller shall:

  • Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process such data.
  • Ensure the accuracy, quality, and legality of all Personal Data provided to the Processor.
  • Provide documented instructions to the Processor regarding the processing of Personal Data.
  • Comply with all applicable data protection laws, including the NDPA 2023 and, where applicable, the GDPR.
  • Inform the Processor without undue delay of any changes to data protection legislation that may affect the Processor's obligations.

7. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law.
  • Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as described in Section 8.
  • Engage Sub-processors only in accordance with Section 9 of this DPA.
  • Assist the Controller in responding to Data Subject Access Requests (DSARs) as described in Section 11.
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required.
  • Delete or return all Personal Data to the Controller upon termination of the service agreement, as described in Section 12.
  • Make available to the Controller all information necessary to demonstrate compliance and allow for audits as described in Section 14.

8. Security Measures

The Processor implements the following technical and organisational security measures:

  • Encryption at Rest: AES-256-GCM encryption for all stored Personal Data.
  • Encryption in Transit: TLS 1.3 for all data transmitted between clients and servers.
  • Password Hashing: bcrypt hashing algorithm for all user passwords; passwords are never stored in plain text.
  • Role-Based Access Control (RBAC): Granular permissions ensuring users access only the data necessary for their role.
  • Two-Factor Authentication (2FA): Available for all user accounts, mandatory for administrative access.
  • Session Management: Secure session tokens with configurable expiry, automatic session invalidation on security events.
  • Audit Logging: Comprehensive logging of all data access and modification events with tamper-resistant storage.
  • Rate Limiting: API rate limiting to prevent abuse and denial-of-service attacks.
  • IP Whitelisting: Administrative access restricted to approved IP addresses.

9. Sub-processor Provisions

The Controller provides general authorisation for the Processor to engage Sub-processors. The current list of Sub-processors is maintained at cashtrack.ng/sub-processors.

  • The Processor shall notify the Controller at least 30 days before engaging a new Sub-processor or replacing an existing one.
  • The Controller has the right to object to a new Sub-processor within 14 days of receiving notification, providing reasonable grounds for the objection.
  • If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services.
  • The Processor shall impose data protection obligations on all Sub-processors that are no less protective than those set out in this DPA.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

  • The nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned.
  • The categories of Personal Data affected by the breach.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11. Data Subject Request Assistance

The Processor shall assist the Controller in fulfilling Data Subject requests. Upon receiving a request from a Data Subject, the Processor shall acknowledge the request within 72 hours and work with the Controller to fulfil the request within 30 days. The Processor provides self-service tools within the platform for common requests including data access, rectification, and deletion.

12. Data Deletion on Termination

Upon termination of the service agreement, the Controller shall have a 30-day window to export all Personal Data from the platform. Following this period, the Processor shall delete all Personal Data within 90 days, except where retention is required by applicable law (e.g., Nigerian tax law requires financial records to be retained for a minimum of 6 years). The Processor shall provide written certification of deletion upon the Controller's request.

13. International Data Transfers

Personal Data may be transferred internationally in the course of providing the services. The Processor ensures appropriate safeguards are in place for all international transfers:

  • Application Hosting (Vercel): US and EU data processing regions with Standard Contractual Clauses (SCCs) where applicable.
  • Database Hosting (Supabase): EU (Frankfurt) region for primary data storage.
  • Where transfers are made to countries without an adequate level of data protection, the Processor shall ensure SCCs or other approved transfer mechanisms are in place.
  • The Processor shall inform the Controller of any changes to data processing locations.

14. Audit Rights

The Controller has the right to conduct audits of the Processor's data processing activities, subject to the following conditions:

  • Audits may be conducted annually or upon reasonable suspicion of non-compliance.
  • The Controller shall provide at least 30 days' written notice before conducting an audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • All audit findings and materials shall be treated as confidential information of the Processor.
  • The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other documentation demonstrating compliance.

15. Liability

The Processor's aggregate liability arising out of or in connection with this DPA shall be limited to the total fees paid by the Controller to the Processor in the 12 months preceding the event giving rise to the claim. This limitation shall not apply to liability arising from the Processor's wilful misconduct or gross negligence in its data processing obligations.

16. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act (NDPA) 2023. Where the Controller is subject to the GDPR, the provisions of the GDPR shall apply in addition to Nigerian law. Any disputes arising from this DPA shall be resolved through arbitration in Lagos, Nigeria, unless the parties agree otherwise.

17. Contact

For questions or concerns regarding this DPA, please contact:

CashTrack — Data Protection

Email: privacy@cashtrack.ng

Legal: legal@cashtrack.ng

Lagos, Nigeria