Data Processing Addendum
This Addendum (DPA) sets out the data-processing terms that apply when ASE Consultings S.R.L. processes personal data on behalf of a client in the course of a project engagement. It is drafted to satisfy the requirements of Article 28 of the EU GDPR and equivalent provisions in the UK GDPR, Nigeria Data Protection Act 2023, and Ghana Data Protection Act 2012. Last updated 14 May 2026.
Parties & status
This DPA is entered into between:
Processor: ASE Consultings S.R.L., Str. Grigore Ionescu, Nr. 63, Bl. T73, Sc. 2, Et. 4, Ap. 42, Camera 1
Sector 2, București, România
C.I.F. RO51782920
Controller: the entity identified in the signed engagement letter, statement of work, or master services agreement (the Engagement) under which this DPA applies.
This DPA forms part of the Engagement. Where there is a conflict between this DPA and the body of the Engagement, this DPA prevails in respect of the processing of personal data; in all other respects, the Engagement prevails.
When this DPA applies
This DPA applies whenever, in the course of an Engagement:
- the Controller (or a person acting on the Controller's behalf) provides personal data to the Processor;
- the Processor accesses personal data on the Controller's systems or premises;
- the Processor otherwise processes personal data for which the Controller (and not the Processor) determines the means and purposes.
Where the Processor processes personal data for its own purposes — including the data of its own personnel, leads, contacts, and website visitors — the Processor acts as an independent controller under its Privacy policy rather than under this DPA.
Definitions
- Applicable Data Protection Law: each of the following, as in force from time to time and to the extent it applies to the processing under this DPA: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679); (ii) the UK GDPR and the Data Protection Act 2018; (iii) the Nigeria Data Protection Act 2023; (iv) the Ghana Data Protection Act 2012; and (v) any other data-protection law of a jurisdiction where personal data under this DPA is processed.
- Personal data, processing, controller, processor, data subject: have the meanings given in the EU GDPR, unless local law requires otherwise.
- Sub-processor: a third party engaged by the Processor to process personal data on the Controller's behalf.
- Standard Contractual Clauses (SCCs): the Standard Contractual Clauses issued by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, in Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as the context requires.
- UK IDTA: the International Data Transfer Agreement and Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
Subject matter, duration, nature, and purpose
- Subject matter: processing of personal data necessary to deliver the Engagement (for example, project surveys, designs, commissioning, reporting, training, and support).
- Duration: for the term of the Engagement plus the retention period specified in Annex I below.
- Nature and purpose: performance by the Processor of the services set out in the Engagement.
- Types of personal data: identity and contact details of Controller personnel and named project stakeholders; site information that may include personal data (for example, occupancy data, household-member counts); operational data and logs that may include user identifiers. Full list at Annex I.
- Categories of data subjects: the Controller's employees, contractors, household members, tenants, customers, suppliers, and other individuals named in materials supplied to the Processor under the Engagement.
Processor obligations
The Processor shall:
- Process on instructions only. Process personal data solely on the documented instructions of the Controller, including with regard to international transfers — except where required to do so by a law to which the Processor is subject, in which case the Processor will inform the Controller of that legal requirement before processing (unless the law prohibits such notification on important grounds of public interest).
- Confidentiality. Ensure that personnel authorised to process the personal data are subject to enforceable confidentiality obligations and have completed appropriate data-protection training.
- Security. Implement technical and organisational measures appropriate to the risk, including those set out in Annex II.
- Assistance with data-subject requests. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests for the exercise of data-subject rights under EU GDPR Articles 15–22 and their equivalents under other Applicable Data Protection Law.
- Assistance with compliance obligations. Assist the Controller in meeting its obligations under Articles 32–36 of the EU GDPR (security, breach notification, data-protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to the Processor.
- Personal data breaches. Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification shall include, to the extent then known, the information required by EU GDPR Article 33(3).
- Deletion or return. At the choice of the Controller and on termination of the Engagement, return or delete all personal data processed under this DPA, including copies, unless and to the extent that retention is required by Applicable Data Protection Law.
- Information and audit. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and contribute to audits — including inspections — conducted by the Controller or another auditor mandated by the Controller, subject to the audit conditions set out below.
Sub-processors
The Controller grants the Processor general written authorisation to engage sub-processors for the purpose of performing the Engagement, subject to the conditions in this section.
The Processor shall:
- impose on each sub-processor, by written contract, data-protection obligations substantially the same as those imposed on the Processor under this DPA;
- remain fully liable to the Controller for the performance of each sub-processor;
- maintain a current list of sub-processors used to perform the Engagement, by category and identity, and make that list available to the Controller on request;
- give the Controller at least thirty (30) days' written notice of any intended change to that list (whether by addition or replacement), giving the Controller the opportunity to object on reasonable data-protection grounds. If the Controller objects and the parties cannot agree a solution within thirty (30) days, the Controller may terminate the affected portion of the Engagement without penalty.
International transfers
Where the Processor or any sub-processor transfers personal data of EEA or UK data subjects to a country outside the EEA or the UK, the parties shall rely on a valid transfer mechanism, including (without limitation):
- an adequacy decision by the European Commission or the UK Government;
- the SCCs, with the modules and options that match the role of the parties (controller-to-processor or processor-to-processor); the SCCs are incorporated into this DPA by reference and apply automatically to any in-scope transfer;
- the UK IDTA, where the transfer is subject to the UK GDPR.
Transfers within Nigeria and Ghana, and transfers between either of those countries and the EEA or UK, are made under the safeguards described above (where they involve EEA/UK personal data) and in compliance with the Nigeria Data Protection Act 2023 and the Ghana Data Protection Act 2012 (where they involve Nigerian or Ghanaian personal data).
Audit
The Controller (or an independent auditor it appoints, subject to reasonable confidentiality obligations) may audit the Processor's compliance with this DPA, subject to the following:
- audits shall be conducted no more than once per twelve-month period unless a personal data breach or a regulator's request justifies a more frequent audit;
- the Controller shall give at least thirty (30) days' written notice and the audit shall be carried out during normal business hours and in a way that does not materially disrupt the Processor's operations;
- in lieu of an on-site audit, the Processor may provide attestations, certifications, or summary reports that reasonably demonstrate compliance;
- each party bears its own costs of the audit, unless the audit identifies a material breach of this DPA by the Processor, in which case the Processor shall reimburse the Controller's reasonable audit costs.
Liability
The aggregate liability of each party arising out of or in connection with this DPA is subject to the limitations of liability set out in the Engagement, except that nothing in this DPA or the Engagement limits a party's liability for breach of Applicable Data Protection Law to the extent that the law prohibits such limitation.
Term and termination
This DPA takes effect on the start date of the Engagement and continues for the duration of the Engagement plus any tail-end retention or transition period required for the Processor to fulfil its return or deletion obligations under this DPA. Any clauses that by their nature should survive termination shall do so.
Annex I — description of processing
| Subject matter | Personal data processed in the course of delivering the Engagement. |
|---|---|
| Duration | The term of the Engagement plus the retention period specified in the Engagement (or, by default, 7 years from project completion for project delivery records and 10 years for laboratory and instrumentation reports). |
| Nature and purpose | Delivery of the services agreed in the Engagement — design, surveys, installation, commissioning, reporting, training, support, and any related activities specified in the Engagement. |
| Types of personal data | Identity and contact data of Controller personnel and named project stakeholders; operational metadata; site, occupancy, and usage data that may contain personal identifiers; documents and correspondence supplied by the Controller. |
| Categories of data subjects | Controller's employees, contractors, household members, tenants, visitors, customers, suppliers, and other individuals named in materials supplied to the Processor. |
| Frequency of transfer | Continuous, for the duration of the Engagement. |
Annex II — technical and organisational measures
The Processor implements the following measures to ensure a level of security appropriate to the risk:
- Access control. Role-based access with least-privilege provisioning; named user accounts; logged administrative access; periodic access reviews; multi-factor authentication for administrative interfaces.
- Transmission control. Encryption of personal data in transit using TLS 1.2 or higher; secure file-transfer mechanisms for project documents.
- Storage control. Encryption at rest for databases and backups where the underlying platform supports it; segregation between production and non-production environments.
- Input control. Logged data inputs and changes for systems within the Processor's direct control; audit-trail retention aligned with the retention schedule.
- Availability and resilience. Regular backups with documented restore procedures; tested recovery objectives appropriate to the criticality of the data.
- Vulnerability management. Dependency monitoring, regular patching, and review of security advisories.
- Personnel. Confidentiality undertakings for all personnel with access to personal data; data-protection awareness training.
- Incident response. Documented procedure for identifying, containing, investigating, and notifying personal data breaches within the timelines required by Applicable Data Protection Law.
The Processor may update these measures from time to time to reflect changes in the threat landscape, provided that the overall level of protection is not reduced.
Changes to this DPA
The Processor may revise this DPA from time to time to reflect changes in Applicable Data Protection Law or in the Processor's operational practice. The current version is always available at this URL. Material changes that affect existing Engagements will be notified to Controllers in writing; if the Controller objects on reasonable data-protection grounds and the parties cannot agree a solution within thirty (30) days, the Controller may terminate the affected portion of the Engagement without penalty.
Contact
To request a counter-signed copy of this DPA against your Engagement, to update the sub-processor list maintained for your account, or for any other DPA enquiry, write to info@aseconsultings.com.