Data Processing Agreement

Last updated: January 1, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Flisters Limited ("Processor", "we", "us") and the customer ("Controller", "you") using our property management platform.

This DPA applies to all processing of personal data by Flisters on behalf of the Controller in connection with the provision of our services.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Flisters to process Personal Data.
  • "Data Breach" means any accidental or unlawful destruction, loss, alteration, or unauthorized access to Personal Data.

3. Scope of Processing

3.1 Categories of Data Subjects

We process Personal Data relating to:

  • Property owners and landlords
  • Property managers and their staff
  • Tenants and prospective tenants
  • Maintenance vendors and contractors

3.2 Types of Personal Data

Categories of Personal Data processed include:

  • Contact information (name, email, phone, address)
  • Identity documents (for verification purposes)
  • Financial information (bank details, payment history)
  • Employment information
  • Property and tenancy details
  • Communication records

3.3 Processing Purposes

We process Personal Data for:

  • Providing property management services
  • Processing rent payments
  • Sending payment reminders and notifications
  • Managing maintenance requests
  • Generating reports and analytics
  • Providing customer support

4. Obligations of the Processor

Flisters agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services
  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Controller

5. Security Measures

We implement the following security measures:

5.1 Technical Measures

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Secure authentication and access controls
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure development practices
  • Regular backups with encryption

5.2 Organizational Measures

  • Role-based access control
  • Employee training on data protection
  • Confidentiality agreements
  • Incident response procedures
  • Business continuity and disaster recovery plans

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for Flisters to engage Sub-processors. We maintain a list of current Sub-processors which can be provided upon request.

6.2 Current Sub-processors

  • Amazon Web Services (AWS) - Cloud hosting (Nigeria/Ireland)
  • Stripe - Payment processing (Nigeria)
  • Resend - Email delivery (United States)
  • Twilio - SMS delivery (Nigeria)
  • Google Cloud - AI/ML services (United States)

6.3 Changes to Sub-processors

We will notify the Controller of any intended changes to Sub-processors, giving reasonable opportunity to object.

7. Data Subject Rights

Flisters will assist the Controller in responding to Data Subject requests:

  • Access: Providing copies of Personal Data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting data where required
  • Portability: Exporting data in a machine-readable format
  • Objection: Ceasing processing upon valid objection
  • Restriction: Limiting processing as required

8. Data Breach Notification

In the event of a Data Breach:

  • We will notify the Controller without undue delay (within 72 hours)
  • Notification will include:
    • Nature of the breach
    • Categories and number of Data Subjects affected
    • Likely consequences
    • Measures taken or proposed to address the breach
  • We will cooperate with the Controller in investigating and mitigating the breach

9. International Transfers

Where Personal Data is transferred outside Nigeria:

  • We ensure appropriate safeguards are in place
  • Transfers comply with the Nigeria Data Protection Regulation (NDPR)
  • Standard Contractual Clauses are used where required

10. Data Retention and Deletion

10.1 Retention Period

We retain Personal Data for the duration of the service agreement, plus any additional period required by law (typically 7 years for financial records).

10.2 Deletion

Upon termination of services or request, we will:

  • Delete or return all Personal Data
  • Provide certification of deletion upon request
  • Ensure Sub-processors delete their copies
  • Retain only what is required by law

11. Audits and Compliance

The Controller may audit our compliance with this DPA:

  • With reasonable advance notice (minimum 30 days)
  • During normal business hours
  • Subject to confidentiality obligations
  • At the Controller's expense (unless a breach is found)

We may also provide third-party audit reports or certifications as evidence of compliance.

12. Liability

Each party shall be liable for damages caused by processing that violates applicable data protection laws or this DPA. Liability is subject to the limitations set forth in our Terms of Service.

13. Term and Termination

This DPA is effective for the duration of the service agreement. Obligations regarding data security, confidentiality, and deletion survive termination.

14. Contact Information

For questions about this DPA or data processing inquiries:

Data Protection Officer

Flisters Limited

Victoria Island, Lagos, Nigeria

Email: dpo@flisters.com

Phone: +234 800 123 4567