Data Processing Agreement
Last updated: June 25, 2026
This Data Processing Agreement ("DPA") is entered into between FrontStaff Technologies Limited ("Processor", "we", "us") and the business entity that has accepted the FrontStaff Terms of Service ("Controller", "you"). This DPA forms part of, and is subject to, the FrontStaff Terms of Service and governs the processing of personal data in connection with the FrontStaff platform.
This DPA is made pursuant to the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and any other applicable data protection legislation.
1. Definitions
- "Controller" means the business or individual that determines the purposes and means of processing personal data (the FrontStaff customer).
- "Processor" means FrontStaff Technologies Limited, which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Sub-Processor" means a third party engaged by the Processor to carry out processing activities on behalf of the Controller.
2. Scope of Processing
2.1 Subject Matter
The Processor shall process personal data on behalf of the Controller for the purpose of providing the FrontStaff platform services, including AI-powered customer assistant interactions, lead capture, conversation management, and related analytics.
2.2 Nature of Processing
- Storage and retrieval of customer conversation data.
- AI processing of messages to generate responses.
- Lead capture and CRM functionality.
- Analytics and reporting on conversation data.
- Embedding and vector search of business knowledge content.
2.3 Types of Personal Data
- Customer names, phone numbers, and email addresses submitted during conversations.
- Conversation messages and interaction history.
- IP addresses and device metadata from web sessions.
- Order details including product, quantity, and payment status.
2.4 Categories of Data Subjects
Customers, prospective customers, and visitors who interact with the Controller's AI assistant deployed via FrontStaff.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, including those set out in this DPA and the Terms of Service.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in Section 5.
- Respect the conditions for engaging Sub-Processors as set out in Section 6.
- Assist the Controller in fulfilling data subject rights requests as set out in Section 7.
- Delete or return all personal data upon termination of services as set out in Section 9.
- Provide all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or a mandated auditor.
4. Controller Obligations
The Controller warrants that:
- It has a valid legal basis under the NDPR/NDPA for instructing the Processor to process personal data.
- It will provide clear and conspicuous privacy notices to data subjects before or at the time of data collection.
- It will obtain any required consents and maintain records of such consents.
- It will promptly inform the Processor of any changes to applicable data protection laws that may affect the Processor's obligations.
5. Security Measures
The Processor maintains the following technical and organisational security measures:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive fields (bank details, payment references) are encrypted using AES-256.
- Access controls: Role-based access control (RBAC) with multi-tenant data isolation enforced at the database query level.
- Database security: PostgreSQL with restricted network access; credentials managed via environment variables, never committed to source control.
- Audit logging: All admin actions, authentication events, and billing changes are recorded in an immutable audit log.
- Vulnerability management: Dependency updates and security patches applied within 30 days of release.
- Backup and recovery: Daily automated encrypted backups to object storage with a recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 24 hours.
- Penetration testing: Annual penetration testing by an independent security firm.
6. Sub-Processors
6.1 Authorisation
The Controller grants the Processor general authorisation to engage Sub-Processors. The Processor shall notify the Controller of intended changes to Sub-Processors by updating this DPA, providing 30 days' prior notice. The Controller may object to a new Sub-Processor with reasonable grounds.
6.2 Current Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| OpenRouter / OpenAI | AI language model inference | United States |
| Cloudflare R2 | File and document storage | Global CDN |
| Zep (Graphiti) | AI conversation memory | United States |
| Firecrawl | Web content scraping for knowledge base | United States |
| Paystack | Payment processing | Nigeria / United States |
| Flutterwave | Alternative payment processing | Nigeria / United States |
| Twilio / SignalWire | Phone and WhatsApp communications | United States |
| Betterstack | Logging and uptime monitoring | European Union |
6.3 Sub-Processor Contracts
The Processor shall impose data protection obligations on Sub-Processors equivalent to those in this DPA and remain fully liable to the Controller for the acts and omissions of Sub-Processors.
7. Data Subject Rights
The Processor shall assist the Controller in responding to data subject rights requests. Upon receiving a data subject request forwarded by the Controller, the Processor shall:
- Provide the Controller with access to the data subject's personal data within 5 business days.
- Correct inaccurate data upon instruction from the Controller within 5 business days.
- Erase personal data upon instruction, completing deletion within 72 hours and providing confirmation.
- Provide data in a portable, machine-readable format upon request.
Data subjects may submit deletion requests directly via the platform's NDPR deletion form at /api/privacy/delete-form.
8. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
- Provide information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Cooperate with the Controller in any notification to the Nigeria Data Protection Commission (NDPC) or data subjects as required by law.
9. Data Retention and Deletion
- Conversation data: Retained for 90 days from the date of the conversation, then automatically purged.
- Lead data: Retained for the duration of the subscription plus 30 days.
- Voice transcripts: Retained for 30 days.
- Business knowledge content: Retained until deleted by the Controller or for 30 days post-termination.
- On termination: The Processor shall, at the Controller's election, return or securely delete all personal data within 30 days of termination.
10. International Data Transfers
Where personal data is transferred outside Nigeria (e.g., to AI model providers in the United States), the Processor shall ensure such transfers are subject to adequate safeguards including standard contractual clauses or the recipient country's equivalent protections, as required by the NDPA 2023.
11. Audit Rights
The Controller may, upon 30 days' written notice and at its own cost, audit the Processor's compliance with this DPA no more than once per calendar year. Audits shall be conducted during business hours in a manner that does not unreasonably disrupt Processor's operations. The Processor may satisfy audit requirements by providing a current third-party audit report (e.g., SOC 2 Type II) in lieu of an on-site inspection.
12. Term and Termination
This DPA is effective upon acceptance of the Terms of Service and remains in force until the termination of the Controller's subscription. Obligations relating to confidentiality and data security survive termination for a period of 3 years.
13. Governing Law
This DPA is governed by the laws of the Federal Republic of Nigeria. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Lagos State, Nigeria, except where mandatory data protection law requires otherwise.
14. Contact
For data protection matters, please contact our Data Protection Officer:
- Email: [email protected]
- Address: FrontStaff Technologies Limited, Lagos, Nigeria
- NDPC Registration Number: [Pending registration]
