Data Processing Agreement
This Data Processing Agreement (“DPA”) governs the processing of personal data by Adscod on behalf of the Customer in connection with the Platform Services.
Effective Date: March 28, 2026
This DPA forms part of the Customer Terms of Service and is entered into between the Customer (“Controller”) and Adscod Limited (“Processor”).
1. Introduction
This DPA sets out the terms on which Adscod processes personal data on behalf of the Customer. It applies to all processing of personal data in connection with the Platform Services.
This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the Uganda Data Protection and Privacy Act 2019, the Kenya Data Protection Act 2019, the Nigerian Data Protection Act 2023, and the African Union Malabo Convention.
2. Definitions
Controller: The Customer, who determines the purposes and means of processing personal data.
Processor: Adscod Limited, which processes personal data on behalf of the Controller.
Sub-Processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, whether automated or manual, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Data Subject: The identified or identifiable person to whom the personal data relates.
Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
3. Scope and Duration
- This DPA applies to all personal data processed by Adscod in connection with the Platform Services.
- The duration of processing shall correspond to the Service Term, unless otherwise required by law.
- The nature, purpose, categories of personal data, and categories of data subjects are described in Annex A.
4. Processor Obligations
Adscod shall:
- Process personal data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures.
- Assist the Controller in responding to data subject requests, data protection impact assessments, and consultations with supervisory authorities. Any costs incurred beyond the scope of the Platform Services for such assistance shall be borne by the Controller.
- Make available to the Controller information necessary to demonstrate compliance with this DPA, to the extent Adscod holds relevant certifications or documentation.
- At the Controller's choice, delete or return all personal data upon termination of the Platform Services.
5. Sub-Processing
- The Controller provides general authorization for Adscod to engage sub-processors, subject to the obligations of this DPA.
- Adscod shall maintain a current list of sub-processors, available upon request or at Product Disclosures.
- Adscod shall notify the Controller of any intended addition or replacement of sub-processors at least fourteen (14) days in advance.
- The Controller may object to new sub-processors within fourteen (14) days. If the objection cannot be reasonably resolved, the Controller may terminate the affected services.
- Adscod shall impose data protection obligations on sub-processors no less protective than those in this DPA.
- Adscod shall use reasonable efforts to ensure that sub-processors comply with obligations no less protective than those in this DPA.
6. International Data Transfers
- Adscod shall not transfer personal data to a country outside of the Controller's jurisdiction without appropriate safeguards.
- Appropriate safeguards include Standard Contractual Clauses (SCCs), binding corporate rules, or an adequacy decision by the relevant authority.
- Where required, Adscod shall conduct a transfer impact assessment to evaluate the level of protection in the recipient country.
- The Controller may request details of the safeguards in place for specific transfers.
7. Security Measures
Adscod shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data at rest and in transit
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore access to personal data in a timely manner following an incident
- Regular testing and evaluation of the effectiveness of security measures
Detailed security measures are described in Annex B.
8. Personal Data Breach Notification
- Adscod shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a Personal Data Breach.
- The notification shall include: (a) the nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.
- Adscod shall cooperate with the Controller in investigating and remediating the breach.
- Adscod shall assist the Controller in meeting its obligations to notify supervisory authorities and data subjects.
9. Data Subject Rights
- Adscod shall assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
- Adscod shall promptly notify the Controller if it receives a request directly from a data subject, unless otherwise required by law.
- Adscod shall not respond to data subject requests independently unless authorized by the Controller.
10. Audit Rights
- Adscod shall make available to the Controller information necessary to demonstrate compliance with this DPA, to the extent Adscod holds relevant certifications or documentation.
- The Controller may conduct or commission audits, including inspections, upon reasonable notice (no less than thirty (30) days).
- Audits shall be conducted during normal business hours, with reasonable scope and frequency, and in a manner that minimizes disruption.
- Adscod may provide audit reports from independent third-party auditors in lieu of on-site inspections, where such reports are sufficiently detailed.
11. Termination and Data Return/Deletion
- Upon termination of the Platform Services, Adscod shall, at the Controller's election, return or delete all personal data within thirty (30) days.
- Adscod may retain personal data to the extent required by applicable law, provided that such data remains subject to the confidentiality and security obligations of this DPA.
- Certification of deletion shall be provided upon request.
Annex A — Details of Processing
| Field | Details |
|---|---|
| Nature of Processing | Collection, storage, retrieval, use, disclosure, combination, erasure, and destruction of personal data in connection with the Platform Services. |
| Purpose of Processing | Delivery of the Platform Services, including campaign management, The Eye's automated matching and fraud detection, analytics, click/conversion attribution tracking, messaging, wallet operations, and payment processing (via Flutterwave). |
| Categories of Data Subjects | Customers, Users, Creators, end consumers (where applicable), job applicants. |
| Categories of Personal Data | Contact information, account data, usage data, campaign data, creator performance and fraud-signal data, payment data, communication records, technical data, and conversion event data. |
| Sensitive Data | The Platform is not designed for general sensitive data processing. However, Adscod may collect government-issued identity documents from Creators for KYC/verification purposes, as disclosed in the Creator Terms of Use. Such data is processed solely for identity verification and fraud prevention. The Controller must not submit other sensitive data (health, biometric, financial account numbers) unless agreed in writing. |
| Duration of Processing | For the duration of the Service Term, plus any applicable data retrieval or retention period. |
Annex B — Technical and Organizational Security Measures
Access Control
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) for all administrative access
- Regular access reviews and de-provisioning procedures
Encryption
- Data at rest encrypted using AES-256
- Data in transit encrypted using TLS 1.2 or higher
- Key management procedures with regular rotation
Network Security
- Firewalls, intrusion detection/prevention systems
- Network segmentation and isolation
- DDoS protection and monitoring
Physical Security
- Data center facilities maintained in compliance with applicable data privacy laws, including the Data Protection and Privacy Act of Uganda
- Physical access controls, surveillance, and environmental protections
Incident Response
- Documented incident response plan with defined roles and escalation paths
- 24/7 monitoring and alerting
- Post-incident review and remediation procedures
Business Continuity
- Regular backups with tested restoration procedures
- Disaster recovery plan with defined RTO and RPO
- Geographic redundancy for critical infrastructure