Data Processing Agreement
Effective Date: March 29, 2026
Version: 1.0
1. Definitions
"Controller" means Jyv Tech LLC (global entity) and/or Tanta Innovative Limited (Nigeria subsidiary), as the entity responsible for determining the purposes and means of processing Personal Data in relation to the Chipon Alert application.
"Processor" means any natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, or erasure.
"Sub-processor" means any natural or legal person, public authority, agency, or other body engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the individual to whom Personal Data relates.
"Data Breach" means a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
"NDPR" means the Nigeria Data Protection Regulation, as implemented under applicable Nigerian law.
"GDPR" means the General Data Protection Regulation (EU 2016/679), applicable to processing of Personal Data of EU/EEA residents.
"Chipon Alert" means the preventive safety intelligence mobile application (iOS and Android) operated by the Controller.
2. Scope and Purpose
2.1 Subject Matter
This Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the operation of Chipon Alert.
2.2 Categories of Personal Data
The Processor shall process the following categories of Personal Data:
- Identification Data: Phone numbers, full names, user IDs
- Profile Data: Avatar photos, profile biographies
- Location Data: GPS coordinates (home locations, work locations, incident locations), geofenced areas
- Incident Data: Incident reports (text descriptions, categories, severity levels), incident photos, incident timestamps
- Behavioral Data: Route search history, map interaction history, alert preferences
- Device Data: Device identifiers, device OS version, app version, push notification tokens
- Communication Data: SMS OTP codes, email addresses (where provided)
2.3 Categories of Data Subjects
- Active users of Chipon Alert (registered and onboarded)
- Incident reporters (community contributors)
- Residents of Nigeria (primary user base: Lagos, Abuja, Port Harcourt)
- EU/EEA residents accessing the app (if applicable)
2.4 Purposes of Processing
The Processor shall process Personal Data exclusively for the following purposes, as directed by the Controller:
- Authentication and account management (OTP verification, session management)
- Provision of core app features (safety map, incident alerts, route safety scoring, neighborhood intelligence)
- Community moderation and incident verification
- Real-time notification delivery (proximity-based, severity-filtered)
- Provision of route safety scores and recommendations
- Aggregate safety analytics and heatmap generation
- Push notification delivery via Firebase Cloud Messaging
- Technical support and account recovery
- Legal compliance and fraud prevention
The Processor shall not process Personal Data for any other purpose without prior written authorization from the Controller.
3. Obligations of the Controller
3.1 Lawful Basis
The Controller shall ensure that:
- All processing has a lawful basis under NDPR and GDPR (where applicable)
- Consent is obtained from Data Subjects prior to processing (except where exempted)
- Privacy notices are clear, transparent, and available to Data Subjects
- Processing is limited to stated purposes
3.2 Instructions
The Controller shall issue written instructions to the Processor regarding:
- The scope and purpose of processing
- Categories of Personal Data to be processed
- Categories of Data Subjects
- Duration of processing
- Rights and obligations of the Processor
3.3 Data Subject Rights
The Controller shall ensure mechanisms are in place to:
- Respond to Data Subject access requests (within 30 days per NDPR, 30 days per GDPR)
- Handle rectification, erasure, and restriction requests
- Provide portability of Personal Data upon request
- Manage opt-out preferences and consent withdrawal
3.4 Compliance Responsibility
The Controller shall:
- Monitor compliance with NDPR and GDPR
- Conduct Data Protection Impact Assessments (DPIA) as required
- Maintain records of processing activities
- Notify the Processor of any changes in legal requirements
4. Obligations of the Processor
4.1 Processing Restrictions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality
- Not disclose Personal Data to third parties except as authorized in writing or required by law
- Implement technical and organizational measures as specified in Section 6
4.2 Sub-processor Management
The Processor shall:
- Maintain a current list of all Sub-processors engaged in processing Personal Data
- Notify the Controller prior to engaging new Sub-processors (minimum 30 days' notice)
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable to the Controller for Sub-processor performance
4.3 Data Subject Rights Assistance
The Processor shall assist the Controller in fulfilling Data Subject requests by:
- Providing access to Personal Data upon request
- Facilitating rectification of inaccurate data
- Supporting erasure requests (where applicable)
- Enabling data portability in machine-readable formats
- Providing information about processing activities
4.4 Confidentiality
The Processor shall:
- Ensure employees and contractors sign confidentiality agreements
- Limit access to Personal Data to authorized personnel only
- Prohibit processing outside the scope of this Agreement
- Return or securely delete Personal Data upon termination
4.5 Audit and Compliance
The Processor shall:
- Maintain records of all processing activities for a minimum of 3 years
- Cooperate with the Controller in compliance activities
- Submit to audits and inspections by the Controller or authorized auditors
- Provide compliance certifications upon request
5. Sub-processors
5.1 Current List of Sub-processors
The Processor engages the following Sub-processors for processing Personal Data:
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Firebase Cloud Messaging (Google) | US/Global | Push notification delivery | Device tokens, user IDs |
| Google Maps Platform | US | Map rendering, geocoding | GPS coordinates, location names |
| AWS S3 | US/Global | Photo storage (incident reports, avatars) | Incident photos, avatar images |
| Multitexter | Nigeria | SMS OTP delivery | Phone numbers, OTP codes |
| Resend | US/Global | Email delivery (account recovery, notifications) | Email addresses, user names |
| Railway or Fly.io | US/Global | Application hosting | All Personal Data in transit |
| AWS EC2 | US/Global | Compute infrastructure (alternative to Railway/Fly.io) | All Personal Data in processing |
| Neon or Supabase | US/Global | Managed PostgreSQL database | All Personal Data at rest |
| Managed PostgreSQL (alternative) | Varies | Database services | All Personal Data at rest |
| Upstash | Global | Serverless Redis cache, rate limiting | Cached Personal Data, session tokens |
5.2 Sub-processor Data Processing Agreements
The Processor shall ensure that:
- Each Sub-processor has signed a Data Processing Agreement (DPA) or Standard Contractual Clauses (SCCs) as required by GDPR
- Sub-processors comply with equivalent data protection standards
- Sub-processor changes are communicated to the Controller with 30 days' notice
5.3 Sub-processor Liability
The Processor remains liable to the Controller for any Sub-processor's failure to fulfill data protection obligations.
6. Security Measures
6.1 Technical Measures
The Processor shall implement:
- Encryption in Transit: TLS 1.3+ for all data transmission (HTTPS for web APIs, secure protocols for mobile-to-backend communication)
- Encryption at Rest: AES-256 encryption for Personal Data stored in databases and object storage
- Access Control: Role-based access control (RBAC) with principle of least privilege
- Authentication: Multi-factor authentication (MFA) for administrative access
- Intrusion Detection: Network monitoring and intrusion detection systems
- Vulnerability Management: Regular security scanning, penetration testing (minimum annually)
- Logging: Comprehensive audit logging of access and modifications to Personal Data
6.2 Organizational Measures
The Processor shall implement:
- Data Protection Officer (DPO): Appoint a DPO or equivalent compliance officer responsible for data protection
- Access Limitation: Grant database and system access only to authorized personnel on a need-to-know basis
- Staff Training: Mandatory data protection and security training for all staff with access to Personal Data (minimum annually)
- Confidentiality Agreements: Require all employees to sign confidentiality agreements
- Vendor Management: Vet and monitor all Sub-processors and third-party service providers
- Incident Response Plan: Maintain a documented incident response and breach notification procedure
6.3 Physical Security
The Processor shall ensure:
- Secure facilities managed by hosting providers (AWS, Railway, etc.) with data center security controls
- Restricted access to physical infrastructure
- Environmental controls (fire suppression, climate control)
6.4 Regular Assessment
The Processor shall:
- Conduct annual security assessments and penetration tests
- Maintain documentation of security measures
- Update security controls in response to emerging threats
- Provide evidence of compliance to the Controller upon request
7. Data Breach Notification
7.1 Processor Obligation to Notify
The Processor shall notify the Controller without undue delay and in no case later than 72 hours after discovering or confirming a Data Breach.
7.2 Notification Content
The breach notification shall include:
- Nature and scope of the breach
- Types of Personal Data affected
- Approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Contact information for the Processor's breach notification coordinator
7.3 Controller Notification to Supervisory Authority
The Controller shall be responsible for notifying the relevant Supervisory Authorities (Nigeria Data Protection Commission for NDPR; relevant EU/EEA authorities for GDPR) within 72 hours, unless the breach is unlikely to result in risk to Data Subjects.
7.4 Data Subject Notification
Where the breach poses a high risk to Data Subjects, the Controller shall notify affected individuals without undue delay in accordance with NDPR and GDPR.
7.5 Cooperation in Investigation
The Processor shall:
- Cooperate fully in investigating the breach
- Provide all relevant information and evidence
- Implement corrective measures to prevent recurrence
- Document all communications and findings
8. Data Transfers
8.1 Nigeria to US/Global Infrastructure
The Processor acknowledges that Personal Data shall be transferred from Nigeria to hosting infrastructure located in the United States and other global regions via Sub-processors (Railway, Fly.io, AWS, Neon, Supabase, Upstash, etc.).
8.2 GDPR Adequacy and SCCs
For transfers of Personal Data relating to EU/EEA residents:
- The Processor shall ensure compliance with GDPR transfer restrictions
- Standard Contractual Clauses (SCCs) shall be executed between the Controller and each Sub-processor handling EU/EEA Personal Data
- The Processor shall conduct Transfer Impact Assessments (TIAs) as required following Schrems II
- The Processor shall implement supplementary safeguards where necessary
8.3 NDPR Cross-Border Transfer
For transfers of Personal Data relating to Nigerian residents:
- The Processor shall comply with NDPR provisions regarding cross-border data transfers
- Where required by Nigerian law, the Processor shall obtain appropriate authorization from the Nigeria Data Protection Commission (NDPC)
- Personal Data shall not be transferred to jurisdictions deemed inadequate under NDPR without appropriate safeguards
9. Audit Rights
9.1 Controller Audit Rights
The Controller shall have the right to:
- Conduct periodic audits of the Processor's data protection practices
- Request evidence of compliance with this Agreement
- Engage independent third-party auditors to conduct compliance assessments
- Inspect facilities and systems (with reasonable notice)
- Request compliance certifications (ISO 27001, SOC 2, etc.)
9.2 Audit Frequency
- Annual audits or inspections are standard practice
- Additional audits may be conducted following a Data Breach or in response to regulatory inquiries
- Audits shall be conducted during normal business hours with reasonable notice (minimum 10 business days)
9.3 Audit Costs
- The first audit per calendar year is conducted by the Controller at its own expense
- Additional audits requested by the Controller shall be conducted at the Processor's expense if required by law or regulation; otherwise costs may be negotiated
9.4 Remediation
The Processor shall address any compliance gaps identified during audits within agreed timeframes (typically 30–90 days depending on severity).
10. Data Subject Rights
10.1 Rights Under NDPR
Data Subjects have the following rights under the Nigeria Data Protection Regulation:
- Right of Access: Obtain confirmation of processing and access to Personal Data
- Right to Rectification: Correct inaccurate or incomplete Personal Data
- Right to Erasure ("Right to be Forgotten"): Request deletion of Personal Data under certain conditions
- Right to Restrict Processing: Limit processing in specific circumstances
- Right to Data Portability: Receive Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to Object: Object to processing for direct marketing or certain other purposes
- Right to Withdraw Consent: Withdraw consent for processing at any time
10.2 Rights Under GDPR
For EU/EEA residents, Data Subjects have equivalent rights under GDPR:
- Access, rectification, erasure, restriction, portability, and objection rights
- Right to lodge a complaint with a Supervisory Authority
- Right to be informed about automated decision-making and profiling
10.3 Processor Assistance
The Processor shall assist the Controller in fulfilling Data Subject rights by:
- Providing Personal Data in response to access requests within 10 business days
- Implementing rectification, erasure, and restriction requests promptly
- Facilitating data portability in machine-readable formats (CSV, JSON, etc.)
- Providing information about processing activities and Sub-processors
- Responding to objections regarding processing
11. Termination and Data Return/Deletion
11.1 Termination Conditions
This Agreement may be terminated:
- By either party with 60 days' written notice for material breach (if not remedied within 30 days)
- By either party with 30 days' written notice at the end of the Agreement term
- Immediately by the Controller if the Processor materially breaches data protection obligations and fails to remedy the breach
11.2 Data Return and Deletion
Upon termination or expiration of this Agreement, the Processor shall:
- Return or Delete All Personal Data within 30 days of termination, at the Controller's written direction
- Provide written certification of deletion or return
- Ensure all Sub-processors return or delete Personal Data
- Permanently purge backups containing Personal Data, except where retention is required by law
11.3 Transition Support
The Processor shall:
- Cooperate in transferring data to a successor Processor or the Controller
- Provide technical assistance during the transition period
- Maintain confidentiality and security of Personal Data during transition
- Provide a transition plan within 5 business days of termination notice
12. Liability
12.1 Processor Liability
The Processor is liable to the Controller for:
- Breach of obligations under this Agreement
- Unauthorized processing of Personal Data
- Failure to implement required security measures
- Failure to notify the Controller of Data Breaches within 72 hours
- Sub-processor failures (the Processor remains liable)
12.2 Liability Cap
Except in cases of gross negligence, willful misconduct, or violation of confidentiality obligations, each party's liability to the other shall be capped at the fees paid by the Controller in the 12 months preceding the claim.
12.3 Exclusions
Neither party shall be liable for:
- Indirect, incidental, consequential, special, or punitive damages
- Loss of revenue, profits, or business opportunity
- Damage to reputation or data
12.4 Data Subject Claims
The Processor indemnifies the Controller against claims by Data Subjects arising from the Processor's breach of this Agreement or applicable data protection law, except where the breach was caused by the Controller's instructions.
13. Governing Law and Jurisdiction
13.1 Governing Law
This Agreement shall be governed by and construed in accordance with:
- Primary Law: The laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Regulation (NDPR)
- Supplementary Law: Where applicable, the General Data Protection Regulation (GDPR) for processing of EU/EEA Personal Data
13.2 Jurisdiction
- Disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Lagos State, Nigeria
- Either party may pursue injunctive relief in any court of competent jurisdiction to prevent irreparable harm
13.3 Alternative Dispute Resolution
Prior to litigation, the parties shall attempt to resolve disputes through good-faith negotiation and, if necessary, mediation under the rules of the Lagos Chamber of Commerce and Industry (LCCI).
13.4 Regulatory Compliance
Notwithstanding any other provision, this Agreement shall comply with:
- Nigeria Data Protection Regulation (NDPR)
- Nigeria Data Protection Commission (NDPC) guidelines
- General Data Protection Regulation (GDPR) where applicable
- Relevant regulatory guidance from Supervisory Authorities
14. Amendment and Review
14.1 Amendment Procedure
This Agreement may be amended:
- By written agreement of both parties
- Unilaterally by the Controller to comply with changes in applicable law (30 days' notice required)
14.2 Annual Review
The parties shall review this Agreement annually to ensure continued compliance with NDPR, GDPR, and evolving security practices.
14.3 Sub-processor Updates
The Processor shall notify the Controller of changes to the Sub-processor list with 30 days' advance notice. The Controller may object to new Sub-processors within 15 days; failure to object constitutes acceptance.
15. Contact Information
15.1 Controller
Jyv Tech LLC / Tanta Innovative Limited
Jyv Tech LLC (US Parent)
- Address: 1301 N Broadway STE 32286, Los Angeles, CA 90012, United States
- Delaware File Number: 10316295
- Registered Office: 131 Continental Dr, Suite 305, Newark, DE 19713, United States
- Email: team@chipon.io
- Data Protection Officer: privacy@chipon.io
Tanta Innovative Limited (Nigeria Subsidiary)
- Address: 25 Segun Gbelee Street, Ikeja, Lagos, Nigeria
- CAC RC Number: RC 1475301
- Email: team@chipon.io
- Data Protection Officer: privacy@chipon.io
15.2 Processor
Jyv Tech LLC
- Address: Los Angeles, CA, United States
- Data Protection Officer or Compliance Lead: legal@jyvtech.com
- Email: legal@jyvtech.com
- Phone: See contact page at chipon.io
16. Effective Date and Term
- Effective Date: March 29, 2026
- Initial Term: Aligned with underlying service agreement between the parties
- Renewal: Automatic annual renewal unless either party provides 60 days' written notice of non-renewal
Signature Block
By executing this Agreement, both parties acknowledge their understanding and agreement to be bound by the terms and conditions set forth herein.
For the Controller (Jyv Tech LLC / Tanta Innovative Limited):
Name and Title:
Date:
Authorized Signature:
For the Processor:
Name and Title:
Date:
Authorized Signature:
This Data Processing Agreement is effective as of March 29, 2026, and supersedes any prior versions. It shall be reviewed and updated annually to ensure ongoing compliance with NDPR, GDPR, and industry standards.