Data Processing Agreement
The DPA that applies when Evodira processes personal data on behalf of partners and enterprise customers.
Last updated: 1 January 2026 · This DPA is incorporated by reference into the Master Services Agreement.
1. Parties & Scope
This Data Processing Agreement ("DPA") applies between Evodira Technologies Ltd ("Processor") and the entity identified in the relevant Order Form ("Controller"). It governs the processing of personal data carried out by Evodira on behalf of the Controller as part of the Lagos Merchant Trust Service.
The DPA supplements the Terms of Service and takes precedence in the event of conflict with respect to data-protection matters.
2. Processing Details
| Controller | Evodira Technologies Ltd, Lagos, Nigeria |
| Processor | As named in your Order Form |
| Subject matter | Merchant data, evidence, and risk scores |
| Duration | Term of the Master Services Agreement |
| Nature | Collection, storage, analysis, scoring, deletion |
| Data subjects | Merchants, their representatives, and end-consumers |
| Personal data types | Identity, contact, business registration, images, complaints |
3. Processor Obligations
Evodira (as Processor) shall:
- Process personal data only on documented instructions from the Controller.
- Ensure personnel with access to personal data are bound by confidentiality obligations.
- Implement the technical and organisational security measures described in Section 4.
- Not engage a sub-processor without prior written authorisation from the Controller.
- Assist the Controller in fulfilling data-subject rights requests within 5 business days.
- Notify the Controller of any personal data breach within 48 hours of becoming aware.
- Delete or return all personal data upon termination of the Agreement.
4. Security Measures
Evodira maintains the following controls:
- Encryption — AES-256 at rest; TLS 1.3 in transit.
- Access control — RBAC with MFA enforced for all privileged accounts.
- Network — VPC isolation, private subnets for databases, WAF on public endpoints.
- Audit logging — all data access events recorded with immutable audit trails.
- AI model governance — inference inputs and outputs logged; human-in-the-loop for high-impact decisions; model cards maintained for each active model.
- Vulnerability management — continuous SAST/DAST scanning; annual penetration test.
- Business continuity — daily backups with 99.9% uptime SLA; RTO 4 hours, RPO 1 hour.
5. Sub-processors
Evodira uses the following categories of sub-processors. An up-to-date list is available on request:
- Cloud infrastructure — Google Cloud Platform (storage, compute, managed databases).
- AI inference — Google Vertex AI; third-party model APIs under DPAs.
- Monitoring & observability — application performance and error tracking tools.
- Email delivery — transactional email provider for notifications.
Controllers will be given 14 days' prior notice of any new sub-processor and may object in writing.
6. Data Subject Rights
When Evodira receives a data subject request directly, it will promptly forward it to the Controller. Evodira will provide reasonable technical assistance to help the Controller respond within statutory deadlines. Where the Controller has authorised Evodira to respond directly, Evodira will do so in accordance with applicable law.
7. International Transfers
Personal data is stored in Google Cloud EU (Belgium). Where transfers outside Nigeria or the EEA occur (e.g. for AI inference), Evodira relies on:
- EU Standard Contractual Clauses (2021) incorporated by reference.
- Adequacy decisions where recognised by the NDPC.
8. Audit Rights
The Controller may audit Evodira's compliance with this DPA once per calendar year by providing 30 days' written notice. Audits must be conducted during business hours, not unreasonably disrupt operations, and the auditor must sign a confidentiality agreement.
9. Contact
DPA queries: dpa@evodira.com
Evodira Technologies Ltd, Lagos, Nigeria.