Effective 12 June 2026

Data Processing Agreement

Effective date: 12 June 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Richinei Technologies Limited (RC [YOUR_RC_NUMBER]) ("Processor", "we", "us") and you, the Customer ("Controller"), and governs the processing of personal data by us on your behalf when you use Richinei ERP (the "Service").

This DPA reflects the requirements of:

  • the Nigeria Data Protection Act 2023 ("NDPA") and the Nigeria Data Protection Regulation 2019 ("NDPR");
  • the EU General Data Protection Regulation 2016/679 ("GDPR") for transfers and processing involving EU/EEA data subjects;
  • the United Kingdom GDPR and Data Protection Act 2018 for UK data subjects;
  • the California Consumer Privacy Act / California Privacy Rights Act for California residents.

By accepting the Terms of Service or by using the Service, you accept this DPA. If your Tenant requires a signed version, please contact richineitechnologies@gmail.com.


1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or in applicable data-protection law.

  • "Controller" means the entity that determines the purposes and means of processing Personal Data. For Customer Data processed via the Service, the Customer is the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by the NDPA and GDPR.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, erasure, and destruction.
  • "Processor" means Richinei Technologies Limited when processing Personal Data on behalf of the Controller.
  • "Subprocessor" means a third party engaged by us to process Personal Data on the Controller's behalf — for example, our cloud-infrastructure provider.
  • "Data Subject" means the individual whose Personal Data is being processed.
  • "Personal Data Breach" has the meaning given in Article 4(12) GDPR and Section 40 NDPA — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2. Scope and roles

2.1 Roles

  • You (the Controller) determine the purposes and means of Processing your Customer Data through the Service.
  • We (the Processor) process Customer Data only on documented instructions from you, which include these Terms, this DPA, and your use of features of the Service.

2.2 Subject matter and duration

The subject matter is the provision of the Service. The duration is the Subscription Term, plus the post-termination retention period set out in our Privacy Policy.

2.3 Nature and purpose of processing

Processing necessary to operate, secure, support, and improve the Service, including:

  • storing and serving your operational data;
  • authenticating users;
  • generating reports and exports;
  • transmitting receipts, invoices, and notifications;
  • maintaining audit trails;
  • backing up data for recovery purposes;
  • securing the Service against abuse.

2.4 Categories of Data Subjects

  • your authorised users;
  • your customers (where you store records about them in the Service);
  • your suppliers (where you store records about them);
  • your employees (where you use the HRM module);
  • any individuals you choose to include in your Customer Data.

2.5 Categories of Personal Data

Typical categories include identification data (name, email, phone), business-relationship data (role, employer), transactional data (purchases, sales, payments), payment data (last four digits of card; full card data is processed by our payment processor only), location data (when used in delivery flows), employment data (compensation, attendance), and any other categories you choose to upload.

You agree not to upload special categories of Personal Data (Article 9 GDPR / Section 30 NDPA — race, religion, political opinion, health, genetic, biometric, sexual orientation, trade-union membership) unless you have a clear lawful basis and have notified us in advance, as our standard Service is not designed for the heightened safeguards required for such data.

3. Our obligations as Processor

We will:

  1. Process Personal Data only on documented instructions from you, including with regard to transfers of Personal Data to a country outside Nigeria, unless required to do so by applicable law. If a law requires us to process outside your instructions, we will notify you before that processing unless prohibited from doing so by law.

  2. Ensure confidentiality: persons authorised to process Personal Data are under appropriate confidentiality obligations.

  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

    • encryption of Personal Data in transit using HTTPS / TLS as provided by our infrastructure provider, and encryption at rest as provided by the managed database service;
    • access controls based on the principle of least privilege;
    • periodic review of the effectiveness of our security measures;
    • ability to restore availability and access to Personal Data in line with our backup arrangements with Railway (see Section 6 of the Service Level Agreement);
    • role-based access controls in the Service and audit logging of meaningful administrative actions.

  4. Engage Subprocessors only as set out in this DPA (see Section 5).

  5. Assist you with your obligations under data-protection law, including responding to data-subject requests, conducting data-protection impact assessments where required, and consulting supervisory authorities.

  6. Notify you of Personal Data Breaches as set out in Section 7.

  7. At your choice, delete or return all Personal Data after the end of provision of the Service, and delete existing copies unless retention is required by law.

  8. Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by you or an auditor mandated by you, subject to Section 8.

4. Your obligations as Controller

You will:

  • ensure you have a valid lawful basis for the Personal Data you upload to or process through the Service;
  • provide your data subjects with an appropriate privacy notice;
  • maintain records of processing activities as required by Article 30 GDPR or Section 24 NDPA;
  • honour data-subject rights directed to you and request our assistance where required;
  • comply with applicable data-transfer rules for any data you choose to import into the Service from outside Nigeria;
  • not instruct us to process Personal Data in a manner that violates applicable data-protection law.

5. Subprocessors

5.1 General authorisation

You generally authorise us to engage Subprocessors to provide the Service, subject to this Section 5.

5.2 Current Subprocessors

A current list of our Subprocessors is maintained at /legal/subprocessors. As at the effective date of this DPA:

Subprocessor | Service                            | Location
Railway      | Cloud infrastructure / hosting     | United States
Anthropic    | AI assistant (default)             | United States
OpenAI       | AI assistant (alternate)           | United States
Google       | AI assistant (alternate) / Gemini  | United States / Ireland
Resend       | Transactional email                | United States
Termii       | SMS notifications                  | Nigeria
GitHub       | Source code hosting / CI           | United States

5.3 Changes to Subprocessors

We will notify you of any intended changes to our Subprocessors at least 30 days in advance by email and an in-app banner. You may object to a new Subprocessor within that period on reasonable grounds relating to data protection. If we cannot agree on a resolution, you may terminate the affected portion of the Service with a pro-rated refund of any prepaid fees.

5.4 Subprocessor obligations

We will impose on each Subprocessor data-protection obligations substantially equivalent to those in this DPA. We remain fully liable for the acts and omissions of our Subprocessors.

6. International transfers

To the extent we transfer Personal Data outside Nigeria or outside the EEA in the course of providing the Service, we ensure adequate safeguards as required by applicable law:

  • Transfers from Nigeria: in line with Section 41 NDPA — including (where applicable) NDPC-approved transfer mechanisms, standard contractual clauses, or derogations permitted by law.
  • Transfers from EEA / UK: where the receiving country is not the subject of an adequacy decision, we use the European Commission's Standard Contractual Clauses (SCCs) dated 4 June 2021 (Modules 2 and 3 as applicable), supplemented by appropriate technical and organisational measures, and the UK International Data Transfer Addendum as required.

7. Personal Data Breaches

We will notify you of a Personal Data Breach affecting your Customer Data without undue delay after becoming aware of it. We will use reasonable efforts to provide an initial notification within 72 hours to align with the NDPA / GDPR statutory timeline. The notification will include, to the extent known at the time:

  • the nature of the breach;
  • the categories and approximate number of Data Subjects affected;
  • the categories and approximate number of records affected;
  • the likely consequences;
  • the measures taken or proposed to address the breach.

We will provide further information as it becomes available. You are responsible for notifying the relevant supervisory authority (e.g. the Nigeria Data Protection Commission) and affected Data Subjects as required by law.

8. Audits

We will respond to your reasonable enquiries needed to verify our compliance with this DPA. Once per year, or in the event of a material change to our processing or following a Personal Data Breach affecting your data, you may request an audit. Audits are subject to:

  • reasonable notice (at least 30 days);
  • conduct during normal business hours;
  • agreement on scope to avoid disruption to other Tenants;
  • confidentiality safeguards;
  • a reasonable participation fee where the audit is extensive.

We do not currently hold formal third-party certifications such as SOC 2 or ISO 27001. Should we obtain them in the future, we may satisfy audit obligations by providing copies of the relevant audit report instead of a bespoke audit.

9. Data-Subject requests

If you receive a request from a Data Subject relating to Personal Data we process on your behalf, you remain responsible for handling that request. We will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures, including providing data-export tools, search functions, and (where necessary) bespoke support.

If we receive a Data-Subject request directly relating to your Customer Data, we will:

  • promptly forward the request to you;
  • not respond on our own behalf except to acknowledge receipt and indicate that the request will be handled by you.

10. Return or deletion of data

Upon termination of the Service, we will retain your Customer Data for 90 days to allow export. After that period, we will delete or anonymise the data unless:

  • you instruct us to delete it earlier (free of charge);
  • you renew or reactivate the Service;
  • retention is required by law (e.g. tax records).

Records retained for legal reasons remain protected by this DPA's confidentiality and security obligations.

11. Liability

The liability cap and exclusions set out in the Terms of Service apply to claims arising under this DPA. Liability under this DPA is governed by the Terms of Service as a whole.

12. Order of precedence

In the event of any conflict between the Terms of Service and this DPA in relation to processing of Personal Data, this DPA prevails.

13. Changes to this DPA

We may amend this DPA to reflect:

  • changes in applicable data-protection law;
  • changes in our Subprocessor list (which take effect on notice as in Section 5.3);
  • changes that improve protection for Data Subjects.

Material changes will be notified at least 30 days in advance. Continued use of the Service after the effective date constitutes acceptance, except where law requires fresh consent.

14. Governing law

This DPA is governed by the laws of the Federal Republic of Nigeria.

15. Contact

For all DPA matters and Subprocessor queries:

Richinei Technologies Limited
Attn: Data Protection Officer
Email: richineitechnologies@gmail.com

Last updated: 12 June 2026
