Data Processing Agreement (DPA)

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ShopKatalog ("Processor" or "Data Processor") and you ("Controller" or "Data Controller") regarding the processing of personal data.

This DPA applies to Shop Owners who collect and process personal data of their customers through the ShopKatalog platform. It ensures compliance with:

• General Data Protection Regulation (GDPR) - EU Regulation 2016/679
• Nigeria Data Protection Regulation (NDPR) - 2019
• Other applicable data protection laws

2. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person
• "Processing": Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.)
• "Data Controller": The Shop Owner who determines purposes and means of processing
• "Data Processor": ShopKatalog, which processes data on behalf of the Controller
• "Data Subject": The individual whose personal data is being processed (your customers)
• "Sub-processor": Third-party service providers engaged by ShopKatalog
• "Supervisory Authority": Data protection authority (e.g., NITDA in Nigeria, ICO in UK)

3. Roles and Responsibilities

3.1 Controller Responsibilities (You - Shop Owner)

As the Data Controller, you are responsible for:

• Determining the purposes and means of processing personal data
• Ensuring lawful basis for processing (consent, contract, legitimate interest, etc.)
• Providing privacy notices to your customers
• Obtaining necessary consents from data subjects
• Responding to data subject rights requests
• Complying with data protection laws applicable to your jurisdiction
• Ensuring you have authority to instruct ShopKatalog to process data

3.2 Processor Responsibilities (ShopKatalog)

As the Data Processor, ShopKatalog will:

• Process personal data only on your documented instructions
• Ensure persons authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject rights requests
• Assist you in ensuring compliance with data protection obligations
• Delete or return personal data upon termination (subject to legal requirements)
• Maintain records of processing activities
• Notify you of any personal data breaches without undue delay

4. Processing Details

4.1 Subject Matter and Duration

Subject Matter: Provision of e-commerce platform services for online shops

Duration: For the duration of your subscription and as required by law thereafter

4.2 Nature and Purpose of Processing

• Hosting and displaying Shop information and products
• Processing customer orders and inquiries
• Storing product images and shop content
• Facilitating communication between Shop Owners and customers
• Providing analytics and reporting to Shop Owners
• Processing subscription payments

4.3 Categories of Data Subjects

• Shop customers and potential customers
• Shop Owners and their authorized users
• Individuals who submit inquiries or reviews

4.4 Types of Personal Data Processed

• Contact Information: Name, email, phone number, delivery address
• Order Information: Products ordered, quantities, preferences
• Communication Data: Messages, inquiries, support tickets
• Technical Data: IP address, browser type, device information
• Usage Data: Pages visited, products viewed, actions taken
• Review Data: Ratings, reviews, feedback

5. Security Measures

ShopKatalog implements appropriate technical and organizational measures to ensure data security, including:

5.1 Technical Measures

• Encryption: HTTPS/TLS for data in transit, encryption at rest for sensitive data
• Authentication: Secure password hashing (bcrypt), multi-factor authentication
• Access Controls: Role-based access control (RBAC)
• Network Security: Firewalls, intrusion detection systems
• Data Backup: Regular automated backups with encryption
• Vulnerability Management: Regular security updates and patches

5.2 Organizational Measures

• Confidentiality: Staff bound by confidentiality obligations
• Training: Regular security and privacy training
• Access Limitation: Need-to-know principle for data access
• Incident Response: Data breach response procedures
• Vendor Management: Due diligence on sub-processors

6. Sub-processors

ShopKatalog engages the following sub-processors to provide services:

By accepting this DPA, you authorize ShopKatalog to engage these sub-processors. We will notify you of any changes to sub-processors and provide an opportunity to object.

7. Data Subject Rights

ShopKatalog will assist you in fulfilling data subject rights requests, including:

• Right of Access: Provide copies of personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Delete data ("right to be forgotten")
• Right to Restriction: Limit processing of data
• Right to Data Portability: Transfer data to another service
• Right to Object: Object to certain processing activities
• Rights Related to Automated Decision-Making: Not to be subject to automated decisions

You remain responsible for responding to data subject requests. ShopKatalog will provide reasonable assistance within 7 business days of your request.

8. Data Breach Notification

In the event of a personal data breach, ShopKatalog will:

• Notify you without undue delay (within 72 hours of becoming aware)
• Provide details of the breach, including:
  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences
  • Measures taken to address the breach
• Take reasonable measures to mitigate harm
• Assist you in meeting your notification obligations to supervisory authorities and data subjects

9. Data Retention and Deletion

9.1 Retention Period

ShopKatalog retains personal data:

• For the duration of your active subscription
• For suspended Shops: 90 days before deletion
• For deleted accounts: 30 days in backups
• As required by law (e.g., financial records for tax purposes)

9.2 Data Return and Deletion

Upon termination of services, ShopKatalog will:

• Provide you with an export of your data (upon request)
• Delete or anonymize all personal data within 30 days
• Retain only what is required by law
• Provide certification of deletion upon request

10. International Data Transfers

Personal data may be transferred to and processed in countries outside your jurisdiction. ShopKatalog ensures appropriate safeguards through:

• Standard Contractual Clauses (SCCs): EU Commission approved clauses
• Adequacy Decisions: Where applicable under GDPR
• Binding Corporate Rules: Where our sub-processors have them
• Specific Consent: Where required by law

11. Audits and Inspections

You have the right to audit ShopKatalog's compliance with this DPA. ShopKatalog will:

• Provide information necessary to demonstrate compliance
• Allow for and contribute to audits (with reasonable notice)
• Provide audit reports and certifications upon request
• Respond to audit findings and implement corrective actions

Audits must be conducted with 30 days' notice and may be subject to confidentiality obligations.

12. Liability and Indemnification

12.1 Controller Liability

You are liable for:

• Ensuring lawful basis for processing
• Your instructions to ShopKatalog
• Your compliance with data protection laws
• Obtaining necessary consents from data subjects

12.2 Processor Liability

ShopKatalog is liable for:

• Processing outside your instructions
• Failure to implement appropriate security measures
• Unauthorized disclosure of personal data
• Breach of this DPA

13. Term and Termination

This DPA:

• Comes into effect when you create a Shop on ShopKatalog
• Continues for the duration of your subscription
• Survives termination for obligations requiring ongoing compliance
• May be updated with notice to reflect legal changes

14. Governing Law and Jurisdiction

This DPA is governed by:

• The laws of the Federal Republic of Nigeria
• GDPR for EU data subjects
• NDPR for Nigerian data subjects
• Other applicable data protection laws based on data subject location

15. Data Protection Officer Contact

For questions about data processing or to exercise your rights under this DPA, contact our Data Protection Officer: