Section 1
Purpose & Parties
Data Controller
[Enterprise Client Name], a company incorporated under the laws of [Jurisdiction], with registered address at [Address] (“Controller” or “Client”).
Data Processor
DOT (Digital Okonma Technologies Ltd.), incorporated under the laws of Nigeria, registered address: Ibeju/Lekki, Lagos, Nigeria (“Processor” or “NestFlow”).
This DPA forms part of the Master Subscription Agreement or Terms of Service (“Principal Agreement”) between the parties and applies where NestFlow processes personal data on behalf of the Client in the course of providing the Service.
Section 2
Definitions
Section 3
Subject Matter & Duration
Subject Matter
NestFlow processes personal data on behalf of the Controller solely to provide the Service as described in the Principal Agreement.
Duration
This DPA remains in force for the duration of the Principal Agreement and for as long as NestFlow retains any personal data processed on behalf of the Controller.
Section 4
Nature & Purpose of Processing
| Attribute | Detail |
|---|---|
| Nature | Collection, storage, retrieval, transmission, deletion, and analysis of personal data via the NestFlow CRM platform. |
| Purpose | Property management, booking administration, tenant management, payment processing, communications (email, WhatsApp), AI-assisted CRM. |
| Types of Personal Data | Names, email addresses, phone numbers, addresses, identity documents, booking records, payment metadata, WhatsApp messages, AI chat logs. |
| Categories of Data Subjects | Tenants, guests, agents, receptionists, property managers employed by or contracting with the Controller. |
| Special Category Data | None under standard use. If the Controller processes special category data (e.g., disability-related accommodation needs), the Controller must notify NestFlow and obtain appropriate consent. |
Section 5
Processor Obligations
NestFlow as Processor agrees to:
Instructions
Process personal data only on documented instructions from the Controller, except where required by applicable law. NestFlow will promptly notify the Controller if it believes an instruction infringes Applicable Data Protection Law.
Confidentiality
Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
Security
Implement and maintain technical and organisational security measures as described in Schedule A (Section 9 of this DPA).
Sub-Processors
Not engage Sub-Processors without the Controller's general prior written authorisation. NestFlow will notify the Controller of any intended additions or replacements with at least 30 days' notice, giving the Controller the opportunity to object.
Data Subject Rights
Assist the Controller in fulfilling obligations to respond to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection). NestFlow will promptly forward any data subject requests it receives directly.
Security Incidents
Notify the Controller without undue delay (and within 48 hours of becoming aware) of any personal data breach affecting Controller data. The notification will include: nature of the breach; categories and approximate number of data subjects and records affected; likely consequences; and measures taken or proposed.
DPIA Assistance
Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required by Applicable Data Protection Law.
Deletion or Return
At the Controller's request or upon termination of the Principal Agreement, delete or return all personal data in a structured, machine-readable format (JSON export), unless applicable law requires retention. Confirmation of deletion will be provided in writing.
Audit Rights
Make available to the Controller all information necessary to demonstrate compliance with this DPA. Allow audits and inspections by the Controller or a third-party auditor, subject to reasonable notice (minimum 14 days) and confidentiality obligations. NestFlow may satisfy audit rights by providing up-to-date third-party audit reports (e.g., SOC 2 Type II) in the first instance.
Section 6
Controller Obligations
The Controller agrees to:
- Ensure it has a lawful basis for processing and for instructing NestFlow to process personal data.
- Provide clear and complete processing instructions.
- Obtain all required consents from Data Subjects for processing activities carried out via the Service.
- Ensure that personal data provided to NestFlow is accurate and limited to what is necessary.
- Notify NestFlow immediately of any data subject request, complaint, or supervisory authority inquiry relating to personal data processed by NestFlow under this DPA.
- Comply with all Applicable Data Protection Law obligations applicable to it as a Controller.
Section 7
International Transfers
Where NestFlow or its Sub-Processors transfer personal data outside the EEA, UK, or Nigeria, the following safeguards are in place:
Standard Contractual Clauses (SCCs)
The EU SCCs (2021/914, Module 2 , Controller to Processor) are incorporated by reference and apply to transfers from the EEA.
UK International Data Transfer Agreement (IDTA)
The UK IDTA will apply to transfers from the United Kingdom.
NDPR / NDPA Transfer Restrictions
Cross-border transfers of Nigerian personal data comply with Article 43 of the NDPA 2023.
Section 8
Sub-Processor List (Schedule B)
| Sub-Processor | Service | Transfer Country | Safeguard |
|---|---|---|---|
| Paystack | Payment processing | Nigeria / Global | PCI-DSS, contractual terms |
| Cloudinary | Media storage | USA (Akamai CDN) | SCCs |
| Resend | Email delivery | USA | DPA |
| Meta (WhatsApp Business API) | Messaging | USA / Global | Meta Data Processing Terms |
| OpenAI (or equivalent) | AI inference | USA | DPA + SCCs |
| MongoDB Atlas | Database hosting | AWS / Paris (eu-west-3) | DPA + SCCs, ISO 27001 |
| [Cloud Hosting Provider] | Cloud infrastructure | [Insert Region] | DPA + SCCs |
| [Log Aggregation Provider] | Log aggregation | [Insert Region] | DPA |
Section 9
Technical & Organisational Measures (Schedule A)
NestFlow implements and maintains the following minimum technical and organisational security measures:
Encryption
- TLS 1.2+ for all data in transit
- AES-256-GCM for PII fields at rest
- bcrypt (cost factor ≥ 12) for password storage
- Encrypted MongoDB connections with certificate validation
Access Controls
- Role-based access control enforced server-side on every request
- JWT access tokens with 15-minute expiry
- Rotating refresh tokens with reuse detection
- Principle of least privilege for all internal access
- MFA required for administrative production access
Availability & Resilience
- Target uptime: 99.5% per calendar month
- Automated backups on a daily/hourly schedule
- Backup restoration tested quarterly
- Incident response plan in place
Audit & Monitoring
- Structured audit logs for authentication and data access
- Sensitive data actively redacted from all logs
- Security event alerting with defined response thresholds
- Anomaly detection on authentication events
Vendor Management
- DPAs in place with all Sub-Processors
- Security assessments before onboarding new Sub-Processors
- Annual review of Sub-Processor security posture
Personnel
- Background checks for staff with production data access
- Annual data protection training
- Confidentiality obligations in all employment contracts
- Access revoked immediately upon termination of employment
Section 10
Liability
Each party's liability under this DPA is subject to the limitations set out in the Principal Agreement, except where Applicable Data Protection Law imposes mandatory liability that cannot be contractually limited.
Section 11
Governing Law
This DPA is governed by the same law as the Principal Agreement. In the event of conflict between this DPA and the Principal Agreement, this DPA prevails in matters of personal data processing.
Execute a Signed DPA
Enterprise clients who require a countersigned DPA or a customised version incorporating jurisdiction-specific SCCs should contact our Data Protection Officer.