When this DPA applies. Whenever a Customer organization uses Muster to process personal data (almost always, in practice), this DPA forms part of the contract between the Customer (as data controller) and Data Druid Tech Limited (as data processor). It overrides anything in the Terms of Service that conflicts with it.
1. Roles and definitions
| Term | Meaning |
|---|---|
| Controller | The Customer organization. Determines the purposes and means of processing personal data uploaded to Muster. |
| Processor | Data Druid Tech Limited. Processes personal data on the Controller's instructions. |
| Personal data | Any data that can identify a living individual — directly or indirectly. In Muster: account holder names, account numbers, BVN, NIN, phone, email, beneficiary records, workforce records, audit logs. |
| Sub-processors | Third parties Data Druid engages to help deliver Muster, who themselves process personal data. Listed in §8. |
| Applicable law | The Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and — where the Customer or its data subjects are in the EU/UK — the GDPR / UK GDPR. |
2. Subject-matter and duration
Data Druid processes personal data on the Customer's behalf for the duration of the Customer's active Subscription, plus the deletion period in §11 of the Terms of Service. Processing scope is limited to delivering the features the Customer has subscribed to.
3. Categories of data subjects and personal data
Categories of data subjects whose personal data may be processed:
- Account holders whose bank accounts the Customer is verifying
- Beneficiaries / participants in the Customer's programs
- The Customer's own staff, partners, contractors
- Suppliers and vendors paid through Muster (where payments features are used)
Categories of personal data are listed in §3 of the Privacy Policy.
4. Nature and purpose of processing
- Bank account verification (sending account number + bank code to a NIBSS-aligned channel; receiving the resolved name)
- Storing and indexing Customer Data so the Customer can retrieve it
- Producing the Customer's reports, exports, and audit trails
- Handling billing for the service
- Operating audit logs of who did what
5. Controller obligations
The Customer warrants and agrees:
- It has a lawful basis under applicable law to process the personal data it uploads to Muster (consent, contract, legal obligation, vital interests, public task, legitimate interests — whichever applies)
- It has provided appropriate notice to data subjects about the processing
- It will respond to data subject requests received about its own data, with Data Druid's reasonable assistance
- Its instructions to Data Druid (through use of Muster's features) comply with applicable law
- It will not upload special-category data (health data, biometrics intended for unique ID, racial origin, religious belief, etc.) without first agreeing additional safeguards in writing
6. Processor obligations
Data Druid will:
- Process personal data only on the Customer's documented instructions (which include the act of using a Muster feature). If we are required by law to do something else, we'll tell the Customer first unless that notice itself is unlawful.
- Ensure persons authorised to process personal data are bound by confidentiality obligations
- Implement and maintain the technical and organisational measures listed in §7
- Engage sub-processors only as listed in §8, with notice of changes
- Assist the Customer to respond to data subject requests, security incidents, DPIAs, and consultations with supervisory authorities — at no additional cost for routine assistance
- Make available, on reasonable request, the information needed to demonstrate compliance with this DPA, including audit reports the Customer may request once per 12-month period
- Delete or return personal data on termination as set out in the Terms
7. Security measures
The technical and organisational measures Data Druid applies to protect personal data are described in detail on the Security Statement. Headlines:
- Encryption in transit (TLS 1.2+); selective field-level encryption for highly sensitive fields (BVN, NIN)
- Logical isolation between Customer workspaces; database role-level isolation between Muster and other applications on the same hosting infrastructure
- Authentication, role-based access control, audit logging
- Secure secret storage, encrypted backups, off-site backup retention
- Regular vulnerability scanning of dependencies; security patches applied promptly
- Background checks and confidentiality agreements for Data Druid personnel with production access
- Incident response procedures and breach notification within 72 hours (§9)
8. Sub-processors
Data Druid engages the following sub-processors to deliver Muster:
| Sub-processor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting and storage | Germany (EU) |
| Flutterwave Technology Solutions Limited | NIBSS-aligned bank account verification; subscription card payments | Nigeria |
| Paystack Payments Limited | Alternate NIBSS-aligned bank account verification; subscription card payments | Nigeria |
| Backblaze, Inc. (or Cloudflare, Inc.) | Encrypted off-site backup storage | EU regions |
| Let's Encrypt (ISRG) | TLS certificate issuance | USA |
Data Druid will give the Customer at least 30 days' notice before engaging a new sub-processor or replacing an existing one. The Customer may object to a new sub-processor on reasonable, documented grounds within the notice period. If the parties cannot agree, the Customer may terminate the affected Subscription with a pro-rata refund of pre-paid fees.
9. Personal data breach notification
Data Druid will notify the Customer's organization administrator within 72 hours of becoming aware of a personal data breach affecting the Customer's data, with:
- A description of what happened, when, and how
- The categories and approximate number of data subjects and records affected
- The likely consequences
- The measures taken or proposed to address the breach and mitigate adverse effects
The Customer remains responsible for any further notifications it must make to data subjects or supervisory authorities under applicable law.
10. International transfers
Personal data is primarily stored in Germany (EU). Where personal data is transferred to a sub-processor outside the EU/Nigeria, Data Druid relies on:
- EU Standard Contractual Clauses (where the recipient is in a country without an adequacy decision), or
- The recipient's certification under a recognised adequacy framework (where applicable), or
- The Customer's express written authorisation
11. Data subject requests
Data Druid will not respond directly to data subject requests received about Customer Data, except to redirect the data subject to the Customer. Data Druid will assist the Customer to respond, including by providing technical means (data export, deletion) within Muster.
12. Audits
The Customer may, on at least 30 days' written notice and not more than once per 12-month period, request:
- Copies of Data Druid's most recent security-control documentation
- Responses to a reasonable security questionnaire
- An on-site or remote audit, where the Customer is itself subject to a regulatory audit that requires direct examination; the parties will agree its scope, timing, and confidentiality, and it will not unreasonably disrupt Data Druid's operations
If audit findings show material non-compliance with this DPA, Data Druid will remediate at its expense within a reasonable timeframe.
13. Liability
Each party's liability under this DPA is subject to the same overall cap and exclusions as in §12 of the Terms of Service. The cap applies to all claims arising from this DPA combined with claims under the Terms of Service.
14. Order of precedence
In the event of conflict between this DPA and the Terms of Service or Privacy Policy on a data-protection matter, this DPA prevails.
15. Term
This DPA is effective as of the Customer's acceptance of the Terms of Service (or earlier if signed separately) and continues for as long as Data Druid processes Customer Data.
16. Acceptance
Acceptance of the Terms of Service constitutes acceptance of this DPA. Customers requiring a counter-signed bilateral DPA on company letterhead may request one at legal@datadruidtech.org.ng.