Data Processing Agreement

1. Definitions

In this Agreement, the following terms have the meanings set out below:

• "Controller" means the organisation that determines the purposes and means of processing personal data (the Customer).
• "Processor" means Metriq Tanzania Limited, which processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data protection law.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
• "Data Subject" means the natural person to whom personal data relates.
• "GDPR" means the EU General Data Protection Regulation (2016/679) and/or equivalent applicable data protection legislation.
• "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
• "Services" means the MetriqOS platform as described in the applicable subscription agreement.
• "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2. Subject Matter and Duration

2.1 This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the Services.

2.2 This Agreement commences on the date the Controller accepts the MetriqOS Terms of Service and remains in force for the duration of the subscription agreement, including any renewal periods.

2.3 Upon termination of the subscription agreement, the Processor shall cease processing and dispose of personal data in accordance with Section 12.

3. Nature and Purpose of Processing

3.1 The Processor processes personal data solely for the following purposes:

• Providing, maintaining, and improving the MetriqOS platform and its features;
• User authentication and authorised access to the platform;
• Storing and managing project, programme, MEAL, and reporting data entered by the Controller;
• Sending platform notifications, alerts, and reports as configured by the Controller;
• Technical support and incident resolution;
• Compliance with legal obligations applicable to the Processor.

3.2 The Processor shall not process personal data for any purpose beyond those set out in this Agreement without prior written consent from the Controller.

4. Types of Personal Data and Categories of Data Subjects

4.1 Categories of Data Subjects

• Employees, contractors, and consultants of the Controller using the platform;
• Project beneficiaries and survey respondents whose data is entered into the platform by the Controller;
• Third-party contacts entered by the Controller (e.g. donors, partners).

4.2 Types of Personal Data

4.3 The Processor does not intentionally process special categories of personal data as defined under Article 9 GDPR. If the Controller enters such data, the Controller is responsible for ensuring a valid legal basis.

5. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law;
• Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Implement and maintain appropriate technical and organisational security measures in accordance with Section 9;
• Respect the conditions in Section 7 for engaging sub-processors;
• Assist the Controller in ensuring compliance with obligations relating to the security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation;
• At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage;
• Make available to the Controller all information necessary to demonstrate compliance with obligations under applicable data protection law;
• Notify the Controller promptly if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection law.

6. Obligations of the Controller

The Controller shall:

• Ensure it has a valid legal basis for processing personal data via the Services;
• Provide adequate privacy notices to data subjects as required by applicable law;
• Ensure that personal data entered into the platform is accurate and limited to what is necessary;
• Configure user access rights, permissions, and roles appropriately within the platform;
• Notify the Processor promptly if it becomes aware of any Security Incident involving personal data processed via the Services;
• Not instruct the Processor to process personal data in a manner that would violate applicable law.

7. Sub-processors

7.1 The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

7.2 Where the Processor engages sub-processors, it shall impose on them data protection obligations equivalent to those set out in this Agreement.

7.3 Current sub-processors include:

7.4 The Processor shall maintain an up-to-date sub-processor list available upon request at info@metriqos.net.

8. International Transfers

8.1 Personal data is primarily stored on servers located in Tanzania. Where personal data is transferred outside of the Controller's jurisdiction, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable.

8.2 The Controller acknowledges that the platform is hosted in Tanzania and consents to such processing as a condition of using the Services.

9. Security Measures

9.1 The Processor implements and maintains the following technical and organisational security measures:

Technical Measures

• Encryption of data in transit (TLS 1.2+);
• Bcrypt hashing of all user passwords;
• JWT-based authentication with expiry and rotation;
• Role-based access control (RBAC) with least-privilege enforcement;
• Tenant data isolation (multi-tenant architecture with strict tenant_id filtering);
• Regular automated database backups;
• Audit logging of all data access and modification events.

Organisational Measures

• Confidentiality obligations for all personnel with access to personal data;
• Access to production systems restricted to authorised personnel only;
• Regular review of access rights;
• Incident response procedures for Security Incidents.

9.2 The Processor reviews and updates security measures in response to evolving threats and technological developments.

10. Personal Data Breach

10.1 The Processor shall notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a Security Incident affecting the Controller's personal data.

10.2 Such notification shall include, to the extent available:

• A description of the nature of the Security Incident;
• The categories and approximate number of data subjects concerned;
• The categories and approximate volume of personal data records concerned;
• Measures taken or proposed to address the Security Incident;
• Contact details of the Processor's data protection contact.

10.3 Notifications shall be sent to the Controller's primary contact email on record. The Controller is responsible for notifying relevant supervisory authorities and data subjects as required by applicable law.

11. Data Subject Rights

11.1 The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests (right of access, rectification, erasure, restriction, portability, and objection) within the platform's technical capabilities.

11.2 Where a data subject contacts the Processor directly regarding their rights, the Processor shall inform the Controller and direct the data subject to the Controller, unless otherwise agreed.

11.3 The Controller is responsible for responding to data subject requests within applicable legal timeframes.

12. Return and Deletion of Data

12.1 Upon termination of the subscription, the Processor shall:

• Make available to the Controller a full export of all their data in a standard machine-readable format (CSV/JSON) for a period of 30 days following termination;
• Permanently delete all personal data belonging to the Controller from live systems within 30 days of termination, unless applicable law requires longer retention;
• Delete backup copies containing the Controller's personal data within 90 days of termination.

12.2 Upon request, the Processor shall provide written confirmation of deletion.

13. Audits and Inspections

13.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and allow for audits conducted by the Controller or a mandated auditor.

13.2 Audits shall be conducted with reasonable notice (minimum 30 days), at the Controller's expense, during normal business hours, and in a manner that minimises disruption to the Processor's operations.

13.3 The Processor may provide documentation, questionnaires, or third-party certifications as an alternative or supplement to on-site inspections where appropriate.

14. Liability

14.1 Each Party's liability under this Agreement is subject to the limitations and exclusions set out in the Master Subscription Agreement between the Parties.

14.2 The Processor's aggregate liability under this Agreement shall not exceed the total fees paid by the Controller in the 12 months preceding the event giving rise to the claim.

14.3 Nothing in this Agreement limits a Party's liability for fraud, wilful misconduct, or death or personal injury caused by negligence.

15. Governing Law

15.1 This Agreement shall be governed by and construed in accordance with the laws of Tanzania, without prejudice to any mandatory data protection law applicable to the Controller in its jurisdiction.

15.2 Any dispute arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Tanzania, unless otherwise agreed in writing by the Parties.

16. Entire Agreement and Amendments

16.1 This Agreement constitutes the entire agreement between the Parties with respect to the subject matter herein and supersedes all prior written or oral agreements.

16.2 This Agreement may be amended only by written agreement signed by authorised representatives of both Parties, or by the Processor publishing an updated version with at least 30 days' notice to the Controller.

16.3 If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.