Data Processing Agreement

Last updated: 16 May 2026 · Effective date: 16 May 2026

This Data Processing Agreement (“DPA”) is between SageGrey Technologies Ltd (trading as Anomira, “Processor”) and the organisation using the Anomira platform (“Controller”). It governs the processing of personal data by Anomira on behalf of its customers in compliance with the Nigeria Data Protection Act 2023 (NDPA).

1. Definitions

  • "Agreement" means this Data Processing Agreement, including any schedules.
  • "Controller" means the customer organisation that determines the purposes and means of processing personal data through the Anomira platform.
  • "Processor" means Anomira, operated by SageGrey Technologies Ltd, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the Nigeria Data Protection Act 2023 (NDPA 2023).
  • "Processing" means any operation performed on personal data, including collection, storage, analysis, transmission, or deletion.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • "NDPA" means the Nigeria Data Protection Act 2023 and any regulations or guidance issued thereunder.

2. Scope and Duration

  • This DPA applies to all personal data processed by Anomira in connection with the provision of the Anomira API security monitoring platform (the "Service") to the Controller.
  • This DPA is incorporated into and forms part of the Terms of Service between the parties. It takes effect from the date the Controller first activates the Service and remains in force until the Terms of Service are terminated and all personal data has been deleted or returned.

3. Nature and Purpose of Processing

  • Purpose: The Processor processes personal data solely to provide the Service — specifically, to detect, alert, and respond to security threats against the Controller's APIs and digital infrastructure.
  • Nature of processing: Collection, storage, analysis, aggregation, and automated decision-support based on API request metadata. The Processor does not process request or response bodies.
  • The Processor shall not process personal data for any purpose other than those set out in this DPA or as otherwise instructed in writing by the Controller.

4. Categories of Personal Data and Data Subjects

  • Categories of personal data processed include: IP addresses and related network identifiers; HTTP request metadata (method, path, status code, timing, user-agent); user identifiers passed by the Controller's SDK (e.g. userId, sessionId); geolocation data derived from IP addresses; and device fingerprint signals.
  • Categories of data subjects: End users and customers of the Controller's applications and APIs; and employees or administrators of the Controller who access the Anomira dashboard.
  • The Controller is responsible for ensuring that the personal data it submits to the Service is collected and shared with the Processor lawfully, and that data subjects have been informed of such processing where required by applicable law.

5. Obligations of the Processor

  • Process only on instruction: The Processor shall process personal data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service. If the Processor is required by Nigerian law to process personal data beyond those instructions, it shall inform the Controller before such processing unless prohibited by law.
  • Confidentiality: The Processor shall ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.
  • Security: The Processor shall implement and maintain appropriate technical and organisational security measures as described in Schedule 1 to protect personal data against a Security Incident.
  • Sub-processors: The Processor shall not engage sub-processors without prior general or specific written authorisation from the Controller, except as listed in Schedule 2. The Processor shall impose equivalent data protection obligations on sub-processors and shall remain liable for their acts and omissions.
  • Data subject rights: The Processor shall assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability) to the extent technically feasible, taking into account the nature of the processing.
  • Breach notification: The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Security Incident affecting personal data processed under this DPA.
  • DPIA assistance: The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments where required under the NDPA.
  • Audit rights: The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall permit and contribute to audits conducted by the Controller or an authorised auditor, with reasonable notice.

6. Obligations of the Controller

  • The Controller warrants that it has a lawful basis under the NDPA for processing the personal data it submits to the Service.
  • The Controller shall provide clear and accurate instructions to the Processor and ensure those instructions comply with applicable law.
  • The Controller shall not instruct the Processor to process personal data in a way that would violate any applicable law.
  • The Controller is responsible for informing its own data subjects about the processing of their data through the Anomira platform, as required by the NDPA.

7. Sub-processors

  • The Controller grants general authorisation for the Processor to engage the sub-processors listed in Schedule 2.
  • The Processor shall notify the Controller of any intended changes to sub-processors (additions or replacements) by email or dashboard notice at least 14 days before the change takes effect. The Controller may object to a new sub-processor on reasonable data protection grounds within 14 days of notification. If the Processor cannot accommodate the objection, the Controller may terminate the Terms of Service without penalty.

8. Data Subject Rights

  • Where a data subject exercises rights under the NDPA directly against the Processor, the Processor shall promptly (and in any event within 5 business days) forward the request to the Controller and shall not respond to the data subject directly except as instructed by the Controller or required by law.
  • The Processor shall provide reasonable technical assistance (e.g. data exports, search functionality) to help the Controller respond to data subject requests within the 30-day window required by the NDPA.

9. Security Measures

  • The Processor implements and maintains the technical and organisational security measures described in Schedule 1. These include, but are not limited to, encryption of data in transit (TLS 1.2+) and at rest, access controls and principle of least privilege, audit logging of all administrative actions, regular security assessments, and incident response procedures.
  • The Processor shall regularly review and update its security measures in response to new threats and technical developments.

10. Security Incident Notification

  • In the event of a Security Incident, the Processor shall: notify the Controller at the contact address on record without undue delay and within 72 hours of becoming aware; provide a description of the nature of the incident, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
  • Notification to the Controller does not constitute an admission of fault or liability. The Processor shall cooperate fully with the Controller in any investigation and remediation.
  • The Controller remains responsible for notifying the Nigeria Data Protection Commission (NDPC) and affected data subjects where required under the NDPA.

11. International Data Transfers

  • The Processor's primary infrastructure is currently hosted within cloud environments that may process data outside Nigeria. Where personal data is transferred outside Nigeria, the Processor shall ensure such transfers are made in compliance with the NDPA, including by relying on adequate safeguards (such as standard contractual clauses or the adequacy decision of the NDPC).
  • The Controller acknowledges and consents to cross-border transfers as necessary for the Processor to provide the Service, subject to the safeguards described herein.

12. Return and Deletion of Data

  • Upon termination of the Terms of Service or on written request from the Controller, the Processor shall, at the Controller's choice: return all personal data to the Controller in a machine-readable format; or securely delete all personal data.
  • Deletion shall be completed within 30 days of the request or termination. The Processor shall certify deletion in writing upon request.
  • The Processor may retain personal data beyond this period only where required by Nigerian law, and only for the duration and purposes required by that law.

13. Audit and Inspection

  • The Controller may, upon providing at least 14 days' written notice, audit the Processor's compliance with this DPA no more than once per calendar year. Audits shall be conducted during business hours with minimum disruption to the Processor's operations.
  • The Processor may satisfy its audit obligations by providing the Controller with up-to-date third-party audit reports or certifications (e.g. ISO 27001, SOC 2) in lieu of a direct audit, where the Controller reasonably agrees.

14. Liability

  • Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
  • Where both parties are responsible for damage caused by processing in breach of the NDPA, each party shall be held liable for its own portion of the damage. Neither party shall be entitled to claim contribution from the other party where it was not responsible for the event causing the damage.

15. Governing Law and Disputes

  • This DPA is governed by the laws of the Federal Republic of Nigeria. The parties submit to the exclusive jurisdiction of the courts of Lagos State, Nigeria for the resolution of any disputes arising from this DPA.

16. How to Execute This DPA

  • By activating the Anomira Service, the Controller agrees to this DPA. For enterprise customers requiring a countersigned physical or digital copy, please contact legal@anomira.io with the subject line "DPA Execution Request" — we will provide a signed copy within 5 business days.
  • This DPA supersedes any prior data processing agreements between the parties relating to the Service.

Schedule 1 — Technical and Organisational Security Measures

The following security measures are implemented and maintained by the Processor as of the effective date of this DPA.

Encryption in transit

TLS 1.2 or higher on all data in transit between SDK, ingest layer, and API server.

Encryption at rest

Database-level encryption for all PostgreSQL and ClickHouse storage volumes.

Access control

Role-based access control (RBAC) for all dashboard users. Principle of least privilege enforced for internal staff.

Audit logging

All administrative actions within the platform are logged with timestamp, actor, and action details.

Network security

Firewall rules, rate limiting, and DDoS protection at the infrastructure layer. Nginx reverse proxy with TLS termination.

Vulnerability management

Regular dependency updates and security patches. Known vulnerabilities are remediated within 30 days of disclosure.

Incident response

Documented incident response plan. Security incidents are escalated within 4 hours of detection to the on-call team.

Personnel

All employees and contractors with access to customer data are bound by confidentiality agreements and receive data protection training.

Schedule 2 — Approved Sub-processors

The Controller grants general authorisation to the Processor to engage the following sub-processors. The Processor will notify the Controller of any changes per clause 7.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| InterServer, Inc. | VPS infrastructure hosting all platform services — API server, worker, ingest layer, Nginx reverse proxy. | United States (Secaucus, NJ) |
| PostgreSQL (self-hosted on InterServer VPS) | Primary structured data storage (alerts, organisations, rules, playbooks). | United States (Secaucus, NJ) |
| ClickHouse (self-hosted on InterServer VPS) | Event and analytics data storage. | United States (Secaucus, NJ) |
| Redis (self-hosted on InterServer VPS) | Real-time caching, rate limiting, and session management. | United States (Secaucus, NJ) |
| Paystack | Payment processing and subscription management. | Nigeria |
| Email service provider | Transactional email delivery (alerts, invoices, account notifications). | United States |

Questions About This DPA

For DPA execution requests, amendments, or questions about how we process your data, contact our Data Protection Officer at legal@anomira.io. Enterprise customers requiring a countersigned copy should use the subject line “DPA Execution Request”.