
Data Processing Agreement

Version 1.0 · Effective 22 May 2026 · SERIALSETS LIMITED (RC 9476624)

This Data Processing Agreement (“DPA”) forms part of the JUSTRA Terms of Service between SERIALSETS LIMITED (“JUSTRA”, “Processor”) and the business entity that has accepted those Terms (“Controller”, “you”). It governs JUSTRA's processing of personal data belonging to your clients, customers, or third parties that you input into the JUSTRA platform (“Controller Personal Data”). This DPA takes effect automatically upon acceptance of the Terms of Service.

Contents

  1. Definitions
  2. Roles of the Parties
  3. Processor Obligations
  4. Controller Obligations
  5. Sub-Processors
  6. International Transfers
  7. Security Measures
  8. Personal Data Breaches
  9. Data Subject Rights
  10. Deletion and Return
  11. Audit Rights
  12. Liability
  13. Term and Termination
  14. Governing Law
  15. Contact

Annex A — Details of Processing · Annex B — Technical and Organisational Measures · Annex C — Approved Sub-Processors

1. Definitions

In this DPA:

  • “Controller Personal Data” means any personal data of your clients, customers, employees, or other third parties that you upload to, input into, or generate within the JUSTRA platform — for example, client names, email addresses, phone numbers, TINs, and postal addresses that appear on invoices or receipts you create.
  • “NDPA” means the Nigeria Data Protection Act 2023 and its implementing regulations.
  • “Data Controller” has the meaning given in section 65 of the NDPA 2023 — the party that determines the purposes and means of processing personal data.
  • “Data Processor” has the meaning given in section 65 of the NDPA 2023 — the party that processes personal data on behalf of a controller.
  • “Processing” has the meaning given in section 65 of the NDPA 2023.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data.

2. Roles of the Parties

2.1 You are the Data Controller in respect of Controller Personal Data. You determine why and how that data is collected from your clients and what purposes it serves.

2.2 JUSTRA is the Data Processor in respect of Controller Personal Data. JUSTRA processes that data solely on your documented instructions (as set out in this DPA and the Terms of Service) to provide the platform services.

2.3 In respect of JUSTRA account holder data (your own name, email address, business details, and payment data), JUSTRA acts as a Data Controller in its own right — this is governed by JUSTRA's Privacy Notice, not this DPA.

3. Processor Obligations

JUSTRA undertakes to:

  • process Controller Personal Data only on your documented instructions and for the purposes set out in Annex A, unless required to do so by applicable Nigerian law, in which case JUSTRA will notify you before processing unless prohibited by law;
  • ensure that all JUSTRA personnel with access to Controller Personal Data are bound by appropriate confidentiality obligations;
  • implement and maintain the technical and organisational security measures described in Annex B;
  • engage sub-processors only as permitted under clause 5 and Annex C;
  • assist you, taking into account the nature of processing and information available to JUSTRA, to respond to data subject rights requests under the NDPA 2023;
  • assist you in meeting your obligations under sections 38–41 of the NDPA 2023 (security, breach notification, impact assessments, and prior consultations), insofar as such assistance relates to Controller Personal Data;
  • delete or return all Controller Personal Data on termination of the Terms of Service, at your election, subject to legal retention obligations;
  • make available to you all information reasonably necessary to demonstrate JUSTRA's compliance with this DPA.

4. Controller Obligations

You confirm and agree that:

  • you have a valid lawful basis under the NDPA 2023 for all Controller Personal Data you input into JUSTRA — for example, a legitimate interest or contractual necessity for storing client invoicing data;
  • you have provided all necessary privacy notices to your clients informing them that their data will be processed using JUSTRA (and its sub-processors, including Supabase, ZeptoMail, Paystack, and Netlify);
  • you will not instruct JUSTRA to process Controller Personal Data in a manner that would violate the NDPA 2023 or any other applicable law;
  • you are solely responsible for the accuracy, quality, and legality of the Controller Personal Data you upload.

5. Sub-Processors

5.1 You grant JUSTRA general prior authorisation to engage the sub-processors listed in Annex C for the purposes described in that Annex.

5.2 JUSTRA will inform you of any intended changes to its list of sub-processors (additions or replacements) by publishing an update to Annex C on this page and, for material changes involving new categories of Controller Personal Data or new countries of processing, notifying registered account holders by email with 30 days' notice.

5.3 If you reasonably object to a new sub-processor on data protection grounds, you may notify JUSTRA at legal@justra.ng within the 30-day notice period. JUSTRA will work with you in good faith to resolve the objection. If resolution is not possible, you may terminate the Terms of Service without penalty in respect of the objected sub-processor.

5.4 JUSTRA imposes data protection obligations on all sub-processors equivalent to those in this DPA and remains fully liable to you for any failure by a sub-processor to meet those obligations.

6. International Transfers

Some of JUSTRA's sub-processors are located outside Nigeria (see Annex C). JUSTRA transfers Controller Personal Data to those sub-processors only where appropriate safeguards are in place in accordance with Part V of the NDPA 2023, including standard contractual clauses or reliance on an adequacy determination made by the Nigeria Data Protection Commission (NDPC). You may request details of the specific transfer mechanisms in place for any sub-processor by contacting legal@justra.ng.

7. Security Measures

JUSTRA implements and maintains the technical and organisational measures set out in Annex B, which JUSTRA considers appropriate having regard to:

  • the state of the art and cost of implementation;
  • the nature, scope, context, and purposes of processing;
  • the risk to the rights and freedoms of natural persons, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data.

JUSTRA may update the security measures in Annex B over time, provided that no update reduces the overall level of protection afforded to Controller Personal Data.

8. Personal Data Breaches

8.1 JUSTRA will notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Controller Personal Data.

8.2 The notification will include, to the extent known at the time: a description of the nature of the breach (including categories and approximate number of individuals and records affected); the name and contact details of JUSTRA's data protection contact; likely consequences of the breach; measures taken or proposed to address the breach.

8.3 You are responsible for notifying the NDPC and affected data subjects where required by sections 40–41 of the NDPA 2023. JUSTRA will assist you in that notification to the extent the breach relates to JUSTRA's processing.

9. Data Subject Rights

Where one of your clients contacts JUSTRA directly to exercise a right under the NDPA 2023 (access, rectification, erasure, portability, restriction, or objection), JUSTRA will:

  • inform the data subject that their request must be directed to you as the Controller;
  • promptly forward the request to you at the email address associated with your JUSTRA account.

You are responsible for responding to data subject rights requests within the timeframes set by the NDPA 2023 (generally 30 days, extendable to 60 days for complex requests).

10. Deletion and Return of Data

10.1 On termination or expiry of the Terms of Service, JUSTRA will, at your election expressed in writing within 30 days of termination: (a) return a complete copy of all Controller Personal Data to you in a machine-readable format (CSV or JSON); or (b) securely delete all Controller Personal Data and provide written confirmation of deletion.

10.2 After the 30-day recovery window, JUSTRA will permanently delete all Controller Personal Data, subject to any legal retention obligations (for example, invoice records required to be retained under the Nigeria Tax Act 2025 or NRS rules).

10.3 During the subscription term, you may export your data at any time from your JUSTRA account settings.

11. Audit Rights

JUSTRA will make available to you all information reasonably necessary to demonstrate compliance with this DPA and, upon reasonable written notice (minimum 14 days), allow for audits conducted by you or a mutually agreed third-party auditor at your cost, provided that:

  • audits are conducted no more than once per calendar year (unless a Personal Data Breach has occurred);
  • you give JUSTRA adequate time to prepare and comply with reasonable confidentiality requirements;
  • JUSTRA may satisfy an audit request by providing an up-to-date third-party security audit report or ISO 27001 / SOC 2 certification (where available) in lieu of an on-site audit.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the JUSTRA Terms of Service. Nothing in this DPA excludes or limits either party's liability to the extent that such exclusion or limitation is not permitted under applicable Nigerian law, including the NDPA 2023.

13. Term and Termination

This DPA comes into force when you accept the Terms of Service and remains in effect for the duration of your subscription. It terminates automatically when the Terms of Service terminate. Clauses 10 (Deletion), 11 (Audit — for any pre-termination period), and 12 (Liability) survive termination.

14. Governing Law

This DPA is governed by the laws of the Federal Republic of Nigeria. Any dispute arising from this DPA shall be resolved in accordance with clause 16 of the Terms of Service (Lagos courts, good-faith negotiation first).

15. Contact

Data Processor (JUSTRA): SERIALSETS LIMITED (RC 9476624)
Registered Address: 11 Jubrin Okelewu Street, Olokunola Bus Stop, Ajah, Lagos, Nigeria
DPA / Legal queries: legal@justra.ng
Privacy / Data rights: privacy@justra.ng

Annex A — Details of Processing

A.1 Subject Matter and Duration

JUSTRA processes Controller Personal Data for the duration of the subscription term to provide the invoicing, receipt generation, client directory, and document management features of the JUSTRA platform.

A.2 Nature and Purpose of Processing

  • Invoice and receipt generation: storing, displaying, and emailing invoices and receipts that include your clients' contact and tax details.
  • Client directory: storing your client list (name, email, phone, address, TIN) for autofill in future invoices.
  • E-signature (NRS Verified Invoice): embedding client-relevant details into NRS-compliant invoice documents.
  • Document vault: storing compliance documents you upload that may reference client or third-party details.

A.3 Categories of Data Subjects

  • Your business clients and customers (individuals or business representatives).
  • Any other third parties whose personal data appears in invoices, receipts, or documents you upload.

A.4 Categories of Personal Data

  • Names, email addresses, phone numbers, and postal addresses.
  • Tax Identification Numbers (TINs) and CAC registration numbers.
  • Invoice and payment amounts (financial data relating to business transactions).
  • Any other personal data contained in documents you choose to upload.

A.5 Special Categories of Personal Data

None anticipated. You must not upload documents containing special categories of personal data (health data, biometric data, etc.) without first obtaining explicit written consent from JUSTRA at legal@justra.ng.

A.6 Your Instructions to JUSTRA

Your instructions to JUSTRA as Processor are: store, display, and transmit Controller Personal Data only as necessary to generate your invoices and receipts, populate your client directory, and provide the platform features you have subscribed to. JUSTRA will not use Controller Personal Data for any other purpose, including JUSTRA's own marketing.

Annex B — Technical and Organisational Measures

JUSTRA implements the following measures to protect Controller Personal Data. These are the minimum baseline; specific measures may be enhanced over time.

B.1 Access Control

  • Platform access requires authentication via Supabase Auth (email/password with optional MFA).
  • Role-based access: Controller Personal Data is accessible only to the account holder and any team members explicitly authorised under the account holder's subscription plan.
  • JUSTRA engineering staff access production data only through audited, role-restricted service accounts with MFA enforced.
  • Admin access to JUSTRA's internal tools is restricted by IP allowlist and multi-factor authentication.

B.2 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest in Supabase (PostgreSQL) is encrypted using AES-256 at the storage layer.
  • Passwords are stored as irreversible hashes (bcrypt) and are never accessible to JUSTRA staff.

B.3 Isolation and Multi-Tenancy

  • Database Row-Level Security (RLS) policies ensure each account holder can access only their own data and their team's data.
  • Service-level database clients used for admin or cross-tenant operations are isolated from the user-facing client and audited.

B.4 Availability and Resilience

  • The platform is hosted on Netlify (CDN, global edge) with Supabase providing managed PostgreSQL with automatic backups and point-in-time recovery.
  • Automated daily database backups are retained for at least 7 days.
  • Uptime monitoring is in place with alerting for availability incidents.

B.5 Incident Response

  • JUSTRA maintains an incident response process that covers identification, containment, eradication, recovery, and post-incident review.
  • Security events are logged and retained for 3 years.
  • Controller notification procedures are as set out in clause 8 of this DPA.

B.6 Personnel and Training

  • All JUSTRA personnel with access to production systems are subject to confidentiality obligations.
  • Access to production data is restricted to personnel with a documented business need.
  • Access rights are reviewed quarterly and revoked promptly on role change or departure.

B.7 Third-Party Risk

  • JUSTRA enters into Data Processing Agreements with all sub-processors listed in Annex C before allowing any Controller Personal Data to be processed by them.
  • Sub-processor security posture is reviewed at least annually.

Annex C — Approved Sub-Processors

The following sub-processors may process Controller Personal Data as part of the JUSTRA platform. All are engaged under binding Data Processing Agreements with JUSTRA.

Supabase Inc.

  • Role: Database hosting and authentication
  • Data Processed: All Controller Personal Data stored in the platform database (client names, emails, phone numbers, TINs, invoice data)
  • Location: United States / European Union

Zoho Corporation (ZeptoMail)

  • Role: Transactional email delivery
  • Data Processed: Client email addresses, invoice content, and any personal data included in invoices or receipts sent by email on your behalf
  • Location: United States / India

Paystack Payments Limited

  • Role: Subscription payment processing
  • Data Processed: Account holder name and email (for payment reference only); Controller Personal Data is not passed to Paystack
  • Location: Nigeria

Netlify Inc.

  • Role: Platform and website hosting, CDN
  • Data Processed: IP addresses and request metadata in server logs; Controller Personal Data is not persistently stored by Netlify
  • Location: United States

Last updated: 22 May 2026. JUSTRA will update this Annex when sub-processors are added or changed, with 30 days' notice for material changes (clause 5.2). Historical versions of this Annex are available on request from legal@justra.ng.

Built by SERIALSETS LIMITED · Legal by KOSHER LEGAL

© 2026 SERIALSETS LIMITED. All rights reserved.
