Data Processing Agreement

Effective: May 27, 2026 | Published: May 27, 2026 | Updated: May 27, 2026 | Version: 4

This Data Processing Agreement (“DPA” or “Agreement”) forms part of and is subject to the Service Agreement, Terms of Service, subscription agreement, order form, statement of work, or other agreement governing the provision of the VisiChek platform to the Organization (the “Main Agreement”).

  1. This DPA governs VisiChek’s Processing of Personal Data on behalf of the Organization in connection with the Services.
  2. If there is no separately executed Main Agreement, this DPA shall apply as a standalone agreement to the extent VisiChek Processes Personal Data on behalf of the Organization.

1. Parties

This Data Processing Agreement (“DPA” or “Agreement”) is entered into between:

Controller / Organization

The organization, business entity, or other customer that registers for, accesses, or uses the VisiChek Services and accepts this DPA, including its authorized representatives and users (“Customer” or “Controller”).

Customer details, including legal name, address, account information, and contact email, shall be those provided by Customer during account registration, subscription, or use of the Services.

and

Processor / VisiChek

Name: VisiChek Limited

Address: OAU Quarters, Maitama, Abuja, Nigeria.

Contact Email: abah@visichek.app

Each a “Party” and together the “Parties”.

2. Definitions and interpretation

In this DPA, unless the context otherwise requires:

  1. “Applicable Data Protection Laws” means all laws, regulations, directives, guidance and binding supervisory requirements applicable to the Processing of Personal Data under this DPA, including, where applicable, the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation, the Nigeria Data Protection Act General Application and Implementation Directive, and any amendment, replacement or successor legislation.
  2. “Controller” means the person or entity that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Organization is the Controller of Organization Personal Data.
  3. “Organization Personal Data” means any Personal Data that VisiChek Processes on behalf of the Organization in connection with the Services.
  4. “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed under this DPA.
  5. “Instructions” means the Organization’s documented instructions to VisiChek for the Processing of Organization Personal Data, including as set out in the Main Agreement, this DPA, the Organization’s use and configuration of the Services, support communications, or other written directions agreed between the Parties.
  6. “Personal Data” means any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Laws.
  7. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Organization Personal Data transmitted, stored or otherwise Processed by VisiChek.
  8. “Process”, “Processing” or “Processed” means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure, alignment, restriction, erasure, destruction and transfer.
  9. “Processor” means a party that Processes Personal Data on behalf of the Controller. For the purposes of this DPA, VisiChek is the Processor.
  10. “Restricted Transfer” means a transfer of Organization Personal Data outside Nigeria or to any jurisdiction requiring transfer safeguards under Applicable Data Protection Laws.
  11. “Services” means the visitor management, identity verification support, badge generation, access control, visitor-session tracking, reporting, and related services provided by VisiChek under the Main Agreement.
  12. “Sub-processor” means any third party engaged by or on behalf of VisiChek to Process Organization Personal Data in connection with the Services.
  13. “Supervisory Authority” means the Nigeria Data Protection Commission and, where relevant to a Restricted Transfer, any other competent data protection authority.
  14. Capitalised terms not defined in this DPA have the meanings given to them in the Main Agreement. In the event of any conflict between this DPA and the Main Agreement in relation to the Processing of Personal Data, this DPA shall prevail. This DPA shall be interpreted in a manner consistent with Applicable Data Protection Laws.

3. Scope and approved purpose

  1. VisiChek shall Process Organization Personal Data only on the Organization’s Instructions and only for the purpose of providing the Services and performing its obligations under the Main Agreement and this DPA (the “Approved Purpose”).
  2. The Organization instructs VisiChek to Process Organization Personal Data as reasonably necessary to provide the Services, maintain the security and reliability of the Services, and comply with legal obligations directly binding on VisiChek.
  3. VisiChek shall not retain, use or disclose Organization Personal Data for unrelated purposes, shall not sell Organization Personal Data, and shall not disclose Organization Personal Data to third parties except as required to provide the Services, as permitted by this DPA, or as required by law.
  4. If VisiChek becomes aware that an Instruction infringes or is likely to infringe Applicable Data Protection Laws, VisiChek shall promptly notify the Organization. VisiChek is not required to provide legal advice to the Organization.

4. Roles of the Parties

  1. The Parties agree that, in relation to Organization Personal Data Processed through the Services, the Organization is the Controller and VisiChek is the Processor.
  2. The Organization is responsible for determining the lawful basis for Processing, issuing notices to Data Subjects, configuring retention periods, enabling or disabling optional identity-verification features, responding to Data Subject rights requests, and ensuring that its use of the Services complies with Applicable Data Protection Laws.
  3. VisiChek acts as an independent controller only in relation to platform administration data that it Processes for its own business and legal purposes, including administrator account data, authentication logs, billing records, service analytics, infrastructure telemetry, and security logs. Such Processing is outside the scope of this DPA.

5. Organization obligations

  1. The Organization shall ensure that it has a valid lawful basis for Processing Organization Personal Data through the Services and that it has provided all notices, disclosures and transparency information required under Applicable Data Protection Laws.
  2. The Organization shall be solely responsible for determining whether any category of Organization Personal Data constitutes sensitive, special, regulated or high-risk data under Applicable Data Protection Laws and for ensuring that any required safeguards, consents, notices or approvals are in place before such data is Processed through the Services.
  3. If the Organization is itself acting as a processor on behalf of another controller, the Organization represents and warrants that it has been authorised to appoint VisiChek as a sub-processor and to give the Instructions contemplated by this DPA.
  4. The Organization shall not instruct VisiChek to Process Organization Personal Data in a manner that would cause VisiChek to breach Applicable Data Protection Laws. The Organization remains responsible for its use of the Services, for the security of its own accounts, devices and environments, and for backing up or retaining copies of its data where appropriate.

6. VisiChek personnel and confidentiality

  1. VisiChek shall take reasonable steps to ensure the reliability of all personnel authorised to Process Organization Personal Data. Access to Organization Personal Data shall be limited to personnel who need such access for the Approved Purpose.
  2. VisiChek shall ensure that such personnel are informed of the confidential nature of Organization Personal Data, are subject to binding confidentiality obligations, and receive privacy and security training appropriate to their responsibilities.
  3. These confidentiality obligations shall survive termination of this DPA and the Main Agreement.

7. Security of Processing

  1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, VisiChek shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  2. Such measures shall include, as appropriate, encryption of Organization Personal Data in transit and at rest, role-based access controls, tenant-level logical isolation between organisations, authentication safeguards for privileged access, administrative activity logging, infrastructure monitoring, backup protection, incident-response procedures, and procedures for restoring availability of Organization Personal Data in a timely manner following a physical or technical incident.
  3. VisiChek shall regularly test, assess and evaluate the effectiveness of these measures and may update them from time to time, provided that the overall level of security is not materially diminished.

8. Data Subject rights

  1. Taking into account the nature of the Processing, VisiChek shall provide reasonable assistance to the Organization, insofar as commercially reasonable and legally permitted, to help the Organization fulfil its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, objection, and portability where applicable.
  2. If VisiChek receives a Data Subject request relating to Organization Personal Data, VisiChek shall, unless legally prohibited, promptly notify the Organization and shall not respond directly except where required to do so under Applicable Data Protection Laws or where VisiChek is legally prohibited from notifying the Organization of the request.
  3. The Organization remains responsible for responding to Data Subject requests and for determining whether any request should be granted, denied or restricted.
  4. VisiChek shall provide reasonable assistance to the Organization, taking into account the nature of the Processing and the information available to VisiChek, to enable the Organization to fulfil its obligations in relation to Data Subject rights.

9. Requests from authorities and legal process

  1. If VisiChek or any Sub-processor receives a subpoena, court order, regulatory demand, or other legally binding request for access to Organization Personal Data, VisiChek shall, where legally permitted, promptly notify the Organization and provide reasonable cooperation to enable the Organization to challenge, limit, or otherwise respond to the request.
  2. VisiChek shall disclose Organization Personal Data only where it has determined in good faith that it is legally required to do so. Where notification is prohibited by law, VisiChek shall notify the Organization once that prohibition no longer applies, to the extent legally permitted.
  3. The Organization shall provide reasonable cooperation where a request from an authority directly concerns the Organization’s Instructions, lawful basis, or its own compliance obligations.

10. Personal Data Breach

  1. After becoming aware of a Personal Data Breach affecting Organization Personal Data, VisiChek shall notify the Organization without undue delay and, in any event, within seventy-two (72) hours. Where necessary to support the Organization’s legal obligations or to contain imminent harm, VisiChek may provide immediate preliminary notice followed by a fuller incident report.
  2. VisiChek shall provide the Organization with available information reasonably necessary to enable the Organization to assess and discharge its notification obligations under Applicable Data Protection Laws. Such information shall include, where available, the nature of the breach, the categories and approximate number of affected Data Subjects, the categories and approximate number of affected records, the likely consequences of the breach, and the remediation or mitigation measures taken or proposed.
  3. VisiChek shall take reasonable steps within its control to contain, investigate, mitigate and remediate the Personal Data Breach, and shall cooperate with the Organization in relation to required notifications to the Supervisory Authority and affected Data Subjects.
  4. Where VisiChek acts only as Processor, the Organization remains responsible for any required notification to the Supervisory Authority and affected Data Subjects, except to the extent Applicable Data Protection Laws impose a direct obligation on VisiChek. Nothing in this clause shall be construed as an admission of fault or liability by VisiChek.

11. Data protection impact assessments and regulatory consultations

  1. Taking into account the nature of the Processing and the information available to VisiChek, VisiChek shall provide reasonable assistance to the Organization in connection with any data protection impact assessment, transfer impact assessment, prior consultation, or other regulatory risk assessment that the Organization is required to conduct under Applicable Data Protection Laws.
  2. The Organization shall bear reasonable costs incurred by VisiChek in providing extensive or bespoke assistance under this clause, unless otherwise agreed in writing.

12. Sub-processing

  1. The Organization provides VisiChek with general written authorisation to engage Sub-processors in connection with the Services.
  2. VisiChek shall ensure that each Sub-processor is engaged under a written agreement that imposes obligations on the Sub-processor that are no less protective of Organization Personal Data than the obligations imposed on VisiChek under this DPA, to the extent applicable to the services performed by that Sub-processor.
  3. VisiChek remains responsible to the Organization for the acts and omissions of its Sub-processors in relation to the Processing of Organization Personal Data.
  4. VisiChek shall maintain a current list of Sub-processors and shall provide notice of any new Sub-processor before enabling that Sub-processor to Process Organization Personal Data. The Organization may object to a new Sub-processor on reasonable data protection grounds within thirty (30) days of notice. If the Parties cannot resolve the objection within a reasonable period, the Organization may terminate the affected Services without prejudice to any other rights available under law or contract.

13. Restricted transfers

  1. To the extent VisiChek or its Sub-processors Process Organization Personal Data outside Nigeria, VisiChek shall ensure that such Restricted Transfers are subject to appropriate safeguards consistent with Applicable Data Protection Laws.
  2. VisiChek currently stores and Processes relevant data using secure cloud infrastructure located in Paris, France. VisiChek shall ensure that all Sub-processors handling Organization Personal Data outside Nigeria implement appropriate technical and organisational safeguards consistent with applicable data protection requirements.
  3. Where required, such safeguards may include contractual transfer clauses, adequacy-style protections, encryption, access controls, confidentiality obligations, regulatory oversight, and any other lawful transfer mechanism recognised under Applicable Data Protection Laws.

14. Return, deletion and retention

  1. Upon termination or expiry of the Main Agreement, or upon the Organization’s written request, VisiChek shall return or delete Organization Personal Data in accordance with the Main Agreement, applicable service documentation, or the Organization’s Instructions, unless retention is required by law, regulatory obligation, security investigation, backup retention cycles, or internal compliance recordkeeping.
  2. Where retention is required, VisiChek shall continue to protect such Organization Personal Data in accordance with this DPA and shall Process it only for the purpose requiring retention and for no other purpose.
  3. Where the Services provide functionality enabling the Organization to delete Organization Personal Data directly, the Organization may use those tools to fulfil its deletion requirements, subject to the same legal and operational retention carve-outs.
  4. For the avoidance of doubt, VisiChek’s obligation to protect Organization Personal Data shall continue until all retained Organization Personal Data has been returned, deleted or destroyed in accordance with this clause.

15. Audit and compliance verification

  1. VisiChek may use independent auditors to verify the adequacy of its security measures and its compliance with relevant security and privacy obligations. Where such audits are conducted, summaries or certifications may be made available to the Organization upon written request, subject to confidentiality restrictions.
  2. Upon the Organization’s written request and no more than once in any twelve-month period, VisiChek shall make available a summary of relevant audit reports, certificates, or similar compliance materials sufficient to demonstrate VisiChek’s compliance with this DPA, subject to confidentiality restrictions.
  3. If the Organization’s obligations under Applicable Data Protection Laws cannot reasonably be satisfied through such documentation, the Organization may request a further audit of VisiChek’s relevant processing operations, provided that such audit is limited in scope, conducted on reasonable notice, during normal business hours, does not unreasonably interfere with VisiChek’s operations, does not expose other organizations’ data, and is subject to appropriate confidentiality restrictions.
  4. The Organization shall bear the cost of any such audit unless the audit reveals a material breach of this DPA by VisiChek.

16. Operational capacity and risk management

  1. Each Party shall maintain reasonable organisational, technical, and financial capacity appropriate to its responsibilities under this DPA and Applicable Data Protection Laws. Nothing in this clause relieves either Party of its direct obligations under this Agreement.

17. Liability and indemnity

  1. Each Party shall remain responsible for its own compliance with Applicable Data Protection Laws and for its own acts and omissions under this DPA.
  2. VisiChek shall not be liable for any claim, fine, loss, damage, or penalty arising from Processing carried out in accordance with the Organization’s Instructions, except where such claim arises from VisiChek’s own breach of this DPA or Applicable Data Protection Laws.
  3. The Organization acknowledges that VisiChek relies on the Organization for direction as to the extent to which Organization Personal Data may lawfully be Processed. The Organization shall indemnify VisiChek against losses arising from the Organization’s unlawful Instructions, failure to obtain a lawful basis, failure to provide required notices, or failure to comply with Data Subject rights obligations, except to the extent caused by VisiChek’s own breach.
  4. Each Party shall indemnify and hold the other harmless against third-party claims, losses, damages and expenses arising out of that Party’s breach of this DPA or Applicable Data Protection Laws, provided that the indemnified Party gives prompt notice of the claim, allows the indemnifying Party to control the defence to the extent appropriate, provides reasonable assistance, and avoids admissions of liability without consent.
  5. Any limitation of liability in the Main Agreement shall apply to this DPA unless prohibited by Applicable Data Protection Laws or unless this DPA expressly provides otherwise.

18. Force majeure

  1. Neither Party shall be liable for delay or failure to perform obligations under this DPA to the extent caused by events beyond that Party’s reasonable control, including acts of God, war, terrorism, civil unrest, labour disputes, widespread telecommunications failures, serious cyber incidents not caused by that Party’s breach, governmental orders, or major infrastructure failures, provided that the affected Party takes reasonable steps to mitigate the impact and resumes performance as soon as reasonably possible.
  2. This clause shall not excuse either Party from maintaining confidentiality, taking reasonable security measures, or complying with mandatory breach-notification obligations once aware of a Personal Data Breach.

19. Term and survival

  1. This DPA shall commence on the effective date of the Main Agreement or, where there is no signed Main Agreement, on the date VisiChek first Processes Organization Personal Data on behalf of the Organization.
  2. This DPA shall remain in force for as long as VisiChek Processes Organization Personal Data on behalf of the Organization.
  3. Any provisions which by their nature are intended to survive termination or expiry, including confidentiality, liability, indemnity, Restricted Transfers, audit, retention, deletion, and dispute resolution obligations, shall survive termination or expiry of this DPA.

20. Governing law and dispute resolution

  1. This DPA shall be governed by the governing law and dispute resolution provisions set out in the Main Agreement. Where there is no Main Agreement, this DPA shall be governed by the laws of the Federal Republic of Nigeria, and the courts of competent jurisdiction in Nigeria shall have jurisdiction over disputes arising under this DPA, subject to any mandatory requirements of Applicable Data Protection Laws.

21. General

  1. This DPA constitutes the entire agreement between the Parties in relation to the Processing of Organization Personal Data under the Services and supersedes prior discussions or arrangements on that subject matter, except as expressly incorporated into the Main Agreement.
  2. No amendment to this DPA shall be effective unless in writing and agreed by both Parties, except where VisiChek updates this DPA to reflect changes required by Applicable Data Protection Laws, in which case VisiChek shall provide notice to the Organization.
  3. If any provision of this DPA is held to be invalid or unenforceable, the remainder shall remain in full force and effect, and the invalid provision shall be interpreted or amended to the minimum extent necessary to make it valid and enforceable while preserving the Parties’ original intent as closely as possible.