Data Processing Agreement

1. Definitions

• "Data Controller": You, the Customer/User.
• "Data Processor": Dockase Inc.
• "NDPR": Nigeria Data Protection Regulation 2019.
• "Personal Data": Any information relating to an identified or identifiable natural person.

2. Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller (i.e., your use of the Service), including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Nigerian law.

3. Confidentiality & Security

The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit (TLS 1.2+) and at rest.
• Regular vulnerability scanning and penetration testing.
• Role-based access controls (RBAC) and Multi-Factor Authentication (MFA).

4. Sub-processors

The Processor has the Controller’s general authorization for the engagement of sub-processors. We use the following key sub-processors:

• Google Cloud (GCP): Hosting & Database (Location: EU/Multi-region for redundancy).
• Anthropic/Google/Groq: LLM Inference Providers (Stateless processing).
• Paystack: Payment Processing.

5. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under the NDPR.