This Data Processing Addendum ("DPA") applies when it is incorporated into a Cizonet order form, subscription, statement of work, product terms, or written agreement. It is intended to let Cizonet apps rely on one central data processing framework.
1. Scope and Definitions
This DPA supplements the Terms of Service and the customer's agreement with Cizonet. It applies to personal data that Cizonet processes on behalf of a customer in connection with the Services ("Customer Personal Data").
Terms such as "controller", "processor", "service provider", "business", "personal data", "personal information", "data subject", and "processing" have the meanings given under applicable data protection laws.
2. Roles
The customer is the controller or business for Customer Personal Data. Cizonet is the processor or service provider that processes Customer Personal Data on the customer's behalf and according to the customer's documented instructions.
The customer is responsible for lawful collection, notices, consents, legal bases, user permissions, data accuracy, retention decisions, and responding to individuals unless the parties agree otherwise.
3. Processing Details
| Subject matter |
Provision, operation, support, security, maintenance, and improvement of Cizonet products and services. |
| Duration |
The term of the customer agreement plus the period required for deletion, return, backups, legal obligations, disputes, security, and audit records. |
| Nature and purpose |
Hosting, storage, transmission, retrieval, display, organization, analysis, automation, support, security monitoring, troubleshooting, backup, deletion, and other processing needed to provide the Services. |
| Categories of data subjects |
Customer users, employees, contractors, candidates, students, parents, guardians, teachers, vendors, customers, prospects, support contacts, and other individuals whose data is submitted to the Services. |
| Categories of data |
Identity, contact, account, HR, payroll, attendance, school, academic, parent, sales, inventory, invoice, communications, document, support, device, usage, and other data submitted to the Services. |
| Sensitive data |
Only where the relevant product, plan, configuration, and customer instructions authorize it, such as employment, payroll, student, education, or other regulated records. |
4. Customer Instructions
Cizonet will process Customer Personal Data only to provide the Services, follow documented customer instructions, comply with the agreement, comply with law, protect the Services, or as otherwise permitted by this DPA.
If Cizonet believes an instruction violates applicable law, Cizonet may suspend that instruction and notify the customer unless prohibited by law.
5. Security
Cizonet will implement reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, and disclosure. Measures may include access controls, least privilege, encryption in transit, logging, backups, confidentiality obligations, vendor review, vulnerability management, and incident response.
6. Subprocessors
The customer authorizes Cizonet to use subprocessors to provide the Services. Cizonet will require subprocessors to protect Customer Personal Data under written obligations that are materially consistent with this DPA.
Cizonet remains responsible for subprocessors' processing of Customer Personal Data to the extent required by applicable law and the customer agreement. Customers may request current subprocessor information by contacting contact@cizonet.com.
7. International Transfers
Cizonet and its subprocessors may process Customer Personal Data in Nigeria and other countries where Cizonet, customers, or subprocessors operate. Where required, the parties will use appropriate transfer safeguards such as contractual protections, standard contractual clauses, adequacy decisions, transfer assessments, or other lawful mechanisms.
8. Assistance, Requests, and Incidents
Taking into account the nature of processing and information available to Cizonet, Cizonet will provide reasonable assistance for data subject requests, data protection impact assessments, security obligations, and regulator inquiries where required by applicable law and the customer agreement.
Cizonet will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data, unless legally prohibited. The customer is responsible for notifications to individuals or regulators unless law or the agreement requires otherwise.
9. Audit and Information
Cizonet will make reasonable information available to demonstrate compliance with this DPA. Any audit must be reasonable, non-disruptive, confidential, limited to relevant processing, and subject to prior written agreement on scope, timing, security, and costs.
10. Return and Deletion
At the customer's request after termination, Cizonet will delete or return Customer Personal Data within a reasonable period, unless retention is required by law, backup cycles, dispute, audit, security, or legitimate business records. Backup copies will be overwritten or deleted according to Cizonet's backup lifecycle.
11. Contact
For DPA questions, contact contact@cizonet.com with the subject line "Data Processing Request".