Data Processing Agreement (DPA)
Data Processing Agreement (DPA)
LWR-LAT-CWC-001-R1: Data Processing Agreement (DPA)
Effective Date: 10 May 2026
© 2026 Enxèro Systems. All rights reserved.
Printed copies are uncontrolled. Refer to the online version for the current revision.
1. Purpose and Structure
This Data Processing Agreement (“DPA”) forms part of the agreement between Enxèro Systems (“Processor”) and the Customer (“Controller”) for the provision of services.
This DPA applies only where Enxèro Systems processes Personal Data on behalf of the Customer in connection with the Services.
2. Who we Are
This DPA is entered into with:
Enxero System Ltd
P.O. Box 1036-00606
Nairobi, Kenya
(“Company”, “we”, “us”, or “our”)
3. Roles of the Parties
3.1 Customer (Controller)
The Customer determines:
the purposes of processing
the categories of Personal Data
the categories of Data Subjects
3.2 Enxèro Systems (Processor)
We process Personal Data only:
on documented instructions from the Customer
for the purpose of providing the Services
We do not determine the purposes or means of processing beyond what is necessary to operate the Services.
4. Instructions
The Customer instructs Enxèro Systems to process Personal Data:
to provide, maintain, and support the Services
to ensure security and system integrity
as otherwise necessary to perform the Services
If an instruction violates applicable law, we will inform the Customer where legally permitted and may suspend affected processing.
5. Processing Details
5.1 Nature of Processing
Processing may include:
storage
hosting
retrieval
transmission
technical support
security monitoring
5.2 Duration
Processing continues for the duration of the Customer’s use of the Services and as required under this DPA.
5.3 Categories of Data Subjects
Determined by the Customer and may include:
employees
contractors
clients
users authorized by the Customer
5.4 Categories of Personal Data
Determined by the Customer and may include:
identification data
contact information
system usage data
business data submitted through the Services
We do not require or process special categories of data unless explicitly configured by the Customer.
6. Obligations of the Processor
Enxèro Systems shall:
process Personal Data only under documented instructions
ensure confidentiality of personnel with access
implement appropriate technical and organizational security measures
assist the Customer where reasonably possible with data subject requests
notify the Customer of a Personal Data Breach without undue delay
not sell Personal Data
not use Personal Data for unrelated purposes
7. Sub-processors
We may engage subprocessors to support delivery of the Services.
We will ensure that:
sub-processors are bound by written agreements with equivalent data protection obligations
sub-processors only process Personal Data for service delivery purposes
We remain responsible for our sub-processors.
A list of subprocessors may be made available upon reasonable request.
8. International Transfers
Where Personal Data is transferred outside the jurisdiction of origin, we will implement appropriate safeguards required under applicable law, including contractual and organizational measures.
9. Security Measures
We implement appropriate technical and organizational measures designed to protect Personal Data, including:
access controls
authentication mechanisms
logging and monitoring
encryption where appropriate
secure development practices
These measures are proportionate to the risk of processing.
10. Personal Data Breach
We will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
Notification will include:
nature of the breach
categories of data affected
known or expected impact
mitigation measures taken
11. Assistance to the Customer
We will assist the Customer, where reasonably possible, in fulfilling obligations relating to:
data subject rights requests
security obligations
breach notifications (where applicable)
This assistance is limited to information available to us as Processor.
12. Return and Deletion of Data
Upon termination of Services:
Personal Data will be deleted or returned at the Customer’s choice
unless retention is required by law
backup data may persist temporarily in secure systems before deletion cycles complete
13. Audits and Information
We will make available reasonable information necessary to demonstrate compliance with this DPA.
Any audit requests must:
be reasonable in scope
not disrupt operations
respect confidentiality and security constraints
14. Liability
Liability arising from this DPA is subject to the limitation of liability provisions in the Terms of Service, except where prohibited by applicable law.
15. No Ownership or Controller Assumption
Nothing in this DPA shall be interpreted as:
transferring ownership of Personal Data to Enxèro Systems
granting Enxèro Systems any control over purposes of processing
making Enxèro Systems a joint controller
We act strictly as a Processor, except where independently required by law.
16. Conflict
If there is a conflict between this DPA and other agreement documents, this DPA prevails with respect to Personal Data processing.
17. Contact Information
For legal or governance inquiries:
Enxero System Ltd
P.O. Box 1036-00606
Nairobi, Kenya
[email protected]
LWR-LAT-CWC-001-R1: Data Processing Agreement (DPA)
Effective Date: 10 May 2026
© 2026 Enxèro Systems. All rights reserved.