1. Roles
You ("Customer") are the Data Controller. ASIRI is the Data Processor under NDPA 2023 s.2. Where ASIRI sets means and purposes for its own operations (security, billing), it is an independent Controller for that processing.
The processor commitments, in writing.
NDPA 2023 s.29-aligned. Approved tenants receive this DPA during the access and procurement workflow.
Effective: 1 May 2026 · Version 2.1 · Forms part of the Terms of Service
2. Subject matter & duration
ASIRI processes Customer Personal Data to deliver the modules listed in the order form, for the duration of the agreement plus the deletion window in §10.
3. Categories of data subjects
Customer’s employees, end users, applicants, patients, learners, account holders, and any other natural person whose data Customer chooses to process in ASIRI.
4. Categories of personal data
Identifiers, contact details, employment data, financial identifiers (BVN/NIN where Customer enables), health data (where applicable), behavioural data, and any other data Customer uploads or generates.
5. Processor obligations
ASIRI will: process only on documented Customer instructions; ensure personnel are bound to confidentiality; implement the security measures at /company/trust-security; assist with DSRs, DPIAs, and breach notifications; delete or return data on termination; and make available all information needed to demonstrate compliance.
6. Sub-processors
Customer authorises the sub-processors listed at /policy/sub-processors. ASIRI gives 30 days’ notice of any addition; Customer may object on reasonable grounds and, if not resolved, terminate the affected service.
7. International transfers
Where transfers leave Nigeria, ASIRI relies on adequacy assessments and the NDPC-approved Standard Contractual Clauses under NDPA s.41. Transfer impact assessments are available on request.
8. Security
AES-256 at rest, TLS 1.3 in transit, SSO/SCIM, MFA enforcement, hash-chained audit log, per-tenant encryption keys, RPO 5 min and RTO 1 hour. Full controls described at /company/trust-security.
9. Breach notification
ASIRI notifies Customer without undue delay (and in any event within 24 hours) of becoming aware of a personal data breach affecting Customer Data, providing the information Customer needs to meet the NDPC 72-hour clock under s.40.
10. Audit rights
Customer may, no more than once per 12 months and at its cost, audit ASIRI’s compliance via a SOC 2 / ISO 27001 report or a mutually agreed independent assessor under NDA, with 30 days’ notice. Enterprise customers may run an annual penetration test against a staging tenant.
11. Deletion & return
On termination, Customer may export all Customer Data via the platform for 30 days. Thereafter, ASIRI deletes it within 60 days, except where law requires retention. A deletion certificate is issued on request.
12. Liability & precedence
This DPA forms part of the Terms at /policy/terms. In any conflict on data protection, this DPA prevails. Liability remains as set out in the Terms.