This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between you, the Customer ("Controller", "you", "your"), and Equa Finance Ltd. ("Processor", "Equa Finance", "we", "us", "our"), governing the processing of personal data by Equa Finance on behalf of the Customer in connection with the EQUA Finance platform (the "Platform").
This DPA is entered into in compliance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and, where applicable to the Customer, the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
1. Definitions
In this DPA, unless the context requires otherwise:
- "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of personal data, including the NDPA 2023, NDPR 2019, GDPR (where applicable), and any amendments, successor legislation, or implementing regulations thereto.
- "Controller" means the Customer (you), who determines the purposes and means of the processing of personal data through the Platform.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed through the Platform.
- "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the Platform, as further described in Annex A.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" means Equa Finance Ltd., which processes personal data on behalf of the Controller.
- "Security Incident" or "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Supervisory Authority" means the Nigeria Data Protection Commission (NDPC), or any other competent data protection authority with jurisdiction over the Controller or Processor.
2. Scope and Applicability
2.1 Scope
This DPA applies to all processing of personal data by Equa Finance on behalf of the Customer in connection with the provision of the Platform. The details of the processing activities are set out in Annex A of this DPA.
2.2 Roles of the Parties
The Customer acts as the Controller of personal data processed through the Platform. Equa Finance acts as the Processor of such personal data, processing it only on the documented instructions of the Controller as described in this DPA and the Agreement. Where Equa Finance processes personal data for its own purposes (e.g., billing, account management, aggregated analytics), it acts as an independent Controller and the terms of the Privacy Policy apply.
2.3 Duration
This DPA shall remain in effect for the duration of the Agreement and for as long as the Processor retains personal data processed on behalf of the Controller.
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall:
- Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such notification);
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law;
- Not process personal data for any purpose other than to provide the Platform and perform its obligations under the Agreement.
3.2 Confidentiality
The Processor shall:
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Limit access to personal data to those personnel who need access to fulfill the Processor's obligations under this DPA and the Agreement;
- Ensure that personnel processing personal data receive appropriate training on data protection obligations.
3.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption: Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
- Pseudonymization: Where feasible, pseudonymization of personal data;
- Confidentiality: Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- Restoration: The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Testing: A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing;
- Access Control: Role-based access control with the principle of least privilege;
- Multi-Tenant Isolation: Complete logical separation of personal data between different Controller organizations;
- Audit Logging: Comprehensive logging of access to and changes in personal data;
- Vulnerability Management: Regular vulnerability scanning and patching of systems;
- Incident Detection: Continuous monitoring for security events and anomalies.
The specific technical and organizational measures are set out in Annex B of this DPA.
3.4 Sub-processing
The Controller provides general authorization for the Processor to engage Sub-processors as listed in Annex C of this DPA. The Processor shall:
- Maintain an up-to-date list of Sub-processors, including their names, locations, and the processing activities they perform;
- Notify the Controller in writing at least thirty (30) days before adding or replacing any Sub-processor, including the name and location of the proposed Sub-processor and the processing activities to be performed;
- Provide the Controller with the opportunity to object to the appointment of a new Sub-processor within fourteen (14) days of receiving notice. If the Controller objects on reasonable grounds related to data protection, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty;
- Impose data protection obligations on each Sub-processor by way of a written contract that provides at least the same level of protection for personal data as set out in this DPA;
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations.
3.5 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law. The Processor shall:
- Promptly notify the Controller if it receives a request from a Data Subject directly;
- Not respond to any Data Subject request directly unless authorized by the Controller or required by applicable law;
- Provide the Controller with the technical capability to retrieve, correct, delete, or restrict the processing of personal data through the Platform's built-in features;
- Provide reasonable additional assistance where the Platform's features are insufficient to fulfill a specific Data Subject request.
3.6 Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Applicable Data Protection Law, taking into account the nature of processing and the information available to the Processor.
4. Security Incident Notification
4.1 Notification Timeline
The Processor shall notify the Controller of any Security Incident without undue delay and in any event no later than forty-eight (48) hours after becoming aware of the incident. Notification shall be made to the Controller's designated contact address or, if not specified, to the email address of the primary account administrator.
4.2 Notification Content
The Security Incident notification shall include, to the extent known:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected and the categories and approximate number of personal data records affected;
- The name and contact details of the Processor's data protection point of contact;
- A description of the likely consequences of the Security Incident;
- A description of the measures taken or proposed to be taken by the Processor to address the Security Incident, including measures to mitigate its possible adverse effects;
- The date and time the Processor became aware of the Security Incident.
4.3 Cooperation
Following a Security Incident, the Processor shall:
- Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident;
- Provide the Controller with timely updates on the investigation and remediation progress;
- Not make any public statement regarding the Security Incident without the Controller's prior written consent, unless required by applicable law;
- Preserve and provide relevant evidence and logs to the Controller;
- Take immediate steps to contain the Security Incident and prevent further unauthorized access.
4.4 Record-Keeping
The Processor shall maintain a record of all Security Incidents, including the facts relating to the incident, its effects, and the remedial actions taken. This record shall be made available to the Controller and any supervisory authority upon request.
5. International Data Transfers
5.1 Transfer Restrictions
The Processor shall not transfer personal data to a country outside Nigeria unless it has ensured appropriate safeguards are in place in accordance with Applicable Data Protection Law. Where such transfer is necessary for the provision of the Platform, the Processor shall ensure that at least one of the following transfer mechanisms is in place:
- The receiving country has been determined by the NDPC (or other applicable supervisory authority) to provide an adequate level of data protection;
- Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent contractual safeguards approved by the NDPC have been executed;
- Binding Corporate Rules approved by the relevant supervisory authority are in place;
- The Controller has provided explicit consent to the specific transfer;
- The transfer is necessary for the performance of the Agreement at the Controller's request.
5.2 Transfer Impact Assessment
Where transfers are made pursuant to SCCs or equivalent mechanisms, the Processor shall conduct and document a transfer impact assessment evaluating the laws and practices of the receiving country to ensure they do not undermine the protections provided by the transfer mechanism.
6. Audit and Inspection Rights
6.1 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least thirty (30) days' prior written notice of any audit;
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations;
- The Controller shall bear its own costs for any audit, unless the audit reveals material non-compliance by the Processor;
- The auditor shall be bound by confidentiality obligations and shall not be a competitor of the Processor;
- Audits shall not occur more than once per twelve (12) month period, unless required by a supervisory authority or in the event of a Security Incident.
6.2 Compliance Reporting
Upon the Controller's written request (no more than once per year), the Processor shall provide a written summary of its current technical and organizational security measures, results of recent security assessments or certifications, and any material changes to its processing practices since the last report.
7. Data Deletion and Return
7.1 Upon Termination
Upon termination of the Agreement, the Processor shall, at the Controller's election:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format (CSV, JSON, PDF); or
- Delete all personal data and certify such deletion in writing.
The Controller shall make its election within thirty (30) days of termination. If no election is made, the Processor shall delete the personal data in accordance with Section 7.2.
7.2 Deletion Schedule
Following the thirty (30) day export/election period:
- Personal data shall be permanently deleted from active systems within ninety (90) days;
- Personal data in encrypted backup archives shall be permanently purged within one hundred eighty (180) days;
- The Processor shall provide written confirmation of deletion upon the Controller's request.
7.3 Exceptions
The Processor may retain personal data beyond the above periods where required by Applicable Data Protection Law, subject to appropriate safeguards. The Processor shall inform the Controller of any such legal retention requirement and the specific categories of data retained.
8. Liability
8.1 Allocation
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. This DPA does not increase the aggregate liability of either party under the Agreement.
8.2 Indemnification
The Processor shall indemnify the Controller against any losses, damages, costs, and expenses (including reasonable legal fees) arising from the Processor's breach of this DPA or Applicable Data Protection Law, to the extent such breach is caused by the Processor's acts or omissions and not by the Controller's instructions.
9. General Provisions
9.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria, without regard to its conflict of laws principles.
9.2 Amendments
This DPA may be amended by mutual written agreement of the parties. Equa Finance may update this DPA to reflect changes in Applicable Data Protection Law, provided that such changes do not materially reduce the level of data protection, and with thirty (30) days' prior notice to the Controller.
9.3 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Annex A — Details of Processing
| Subject Matter | Processing of personal data in connection with the provision of the EQUA Finance cloud-based ERP platform |
|---|---|
| Duration | For the term of the Agreement plus any applicable retention period |
| Nature and Purpose | Storage, organization, retrieval, consultation, use, transmission, and deletion of personal data for the purpose of providing accounting, invoicing, expense management, tax compliance, audit management, reporting, and related financial management services |
| Categories of Data Subjects | |
| Categories of Personal Data | |
| Sensitive Data | None intentionally processed. If incidentally included in uploaded documents, treated with the same protections as all personal data. |
Annex B — Technical and Organizational Measures
B.1 Access Control
- Role-based access control (RBAC) with granular permissions at the module and action level
- Principle of least privilege applied to all user and system accounts
- Multi-factor authentication support for user accounts
- JWT-based API authentication with token expiration and refresh mechanisms
- Session management with configurable timeout periods
- Automated account lockout after repeated failed authentication attempts
B.2 Encryption
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for all data at rest (database and file storage)
- HMAC-verified encryption for sensitive credentials (API keys, integration tokens)
- Encrypted database connections (SSL/TLS)
- Encrypted backup archives
B.3 Data Isolation
- Complete logical multi-tenant isolation at the database level
- All queries scoped to the authenticated organization — no cross-tenant data access
- Separate credential storage per organization integration
- Organization-scoped file storage with access controls
B.4 Monitoring and Logging
- Comprehensive audit trail for all data modifications (create, update, delete)
- Authentication event logging (login, logout, failed attempts)
- API access logging with request details
- Security event monitoring and alerting
- Log integrity protection and tamper detection
B.5 Availability and Resilience
- Regular automated backups with tested restoration procedures
- Geographic redundancy for critical infrastructure
- Disaster recovery procedures with defined Recovery Time and Recovery Point Objectives
- Uptime commitments as defined in the Service Level Agreement
B.6 Vulnerability Management
- Regular security assessments and penetration testing
- Dependency vulnerability scanning and patch management
- Secure software development lifecycle (SSDLC) practices
- Code review and security testing for all changes
- OWASP Top 10 vulnerability mitigation
B.7 Personnel
- Background checks for employees with access to personal data
- Mandatory data protection and security awareness training
- Confidentiality agreements for all personnel
- Access revocation upon employment termination
Annex C — Authorized Sub-processors
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Cloud Infrastructure Provider | Database hosting, file storage, compute | As disclosed | All Customer Data (encrypted at rest) |
| Paystack | Payment processing | Nigeria | Billing name, email, payment amount, payment token |
| Email Delivery Provider | Transactional email delivery | As disclosed | Recipient email, name, email content |
| Groq | AI language model processing | United States | User queries and relevant data context (when AI is used) |
| Google (Gemini) | AI language model processing | United States / Global | User queries and relevant data context (when AI is used) |
| OpenAI | AI language model processing | United States | User queries and relevant data context (when AI is used) |
| Anthropic | AI language model processing | United States | User queries and relevant data context (when AI is used) |
The Controller acknowledges that AI sub-processors are only engaged when the Controller's Authorized Users actively use the AI Assistant feature. AI processing can be disabled at any time through Organization settings.
An up-to-date list of Sub-processors is maintained and available upon request to dpo@equafinance.com.
Questions about this document?
legal@equafinance.com
We typically respond within 2 business days