Who this applies to: This Data Processing Agreement ("DPA") applies to all WikrenaOS subscribers who, in the course of using WikrenaOS, input personal data belonging to their own clients, employees, or other individuals. By using WikrenaOS, you agree to this DPA as part of our Terms of Service.
1. Definitions
- "Controller" means you, the WikrenaOS customer, who determines the purposes and means of processing personal data entered into WikrenaOS.
- "Processor" means Wikrena Limited, which processes personal data on behalf of the Controller.
- "Data Subject" means the individual whose personal data is being processed — typically your clients, contacts, or team members.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including storage, retrieval, use, disclosure, and deletion.
- "NDPA" means the Nigeria Data Protection Act 2023.
- "NDPR" means the Nigeria Data Protection Regulation 2019.
2. Nature and Purpose of Processing
Wikrena Limited processes personal data on behalf of the Controller solely for the purpose of providing the WikrenaOS service. The categories of personal data processed may include:
- Client names, email addresses, phone numbers, and business addresses
- Engagement and project details associated with clients
- Invoice amounts, payment histories, and transaction references
- Scope change requests and approval records
- Team member names, roles, and contact details
- Any other data the Controller chooses to enter into WikrenaOS
3. Obligations of Wikrena Limited as Processor
Wikrena Limited agrees to:
3.1 Process only on documented instructions
Process personal data only on the documented instructions of the Controller, including as set out in the Terms of Service and this DPA, unless required to do otherwise by Nigerian law, in which case we will inform the Controller before processing unless prohibited by law.
3.2 Maintain confidentiality
Ensure that all personnel who process personal data are subject to binding confidentiality obligations and are authorised to process only what is necessary for their role.
3.3 Implement appropriate security measures
Implement and maintain technical and organisational security measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and multi-factor authentication for production systems
- Regular security assessments and penetration testing
- Incident response procedures with a 72-hour notification window for breaches affecting Controller data
3.4 Engage sub-processors only with consent
Not engage any new sub-processor without providing the Controller with the opportunity to object. The current list of approved sub-processors is:
- Supabase Inc. — database and authentication infrastructure
- Vercel Inc. — application hosting and edge functions
- Paystack Inc. — payment processing (does not receive client personal data beyond transaction references)
- Resend Inc. — transactional email delivery
- Upstash Inc. — rate limiting and background job processing
Each sub-processor is bound by data processing obligations no less protective than those in this DPA.
3.5 Assist with data subject rights
Assist the Controller, by appropriate technical and organisational measures, in responding to requests from Data Subjects exercising their rights under the NDPA, including the right of access, rectification, erasure, and portability.
3.6 Assist with compliance obligations
Provide reasonable assistance to the Controller in ensuring compliance with obligations under the NDPA, including security, breach notification, and data protection impact assessments where applicable.
3.7 Delete or return data on termination
At the Controller's choice, delete or return all personal data on termination of the service, within 90 days of the termination date. After deletion, we will confirm in writing that all data has been deleted, unless Nigerian law requires us to retain it.
3.8 Provide information and allow audits
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or their appointed auditor, with reasonable advance notice.
4. Obligations of the Controller
The Controller agrees to:
- Ensure that there is a lawful basis for processing each category of personal data entered into WikrenaOS
- Provide any required notices to Data Subjects about the processing of their data
- Not instruct Wikrena Limited to process personal data in a manner that would violate applicable law
- Ensure that the personal data entered is accurate and kept up to date
- Not enter sensitive personal data (as defined in the NDPA) into WikrenaOS without notifying us and obtaining appropriate safeguards
5. Data Transfers
WikrenaOS primarily processes data within infrastructure that serves the African region. Where personal data is transferred to sub-processors operating outside Nigeria, Wikrena Limited ensures that such transfers are subject to appropriate safeguards, including contractual clauses that provide protections equivalent to those required under the NDPA.
6. Data Breach Notification
In the event of a personal data breach affecting Controller data, Wikrena Limited will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, the categories and approximate number of Data Subjects affected, and the likely consequences
- Describe measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller in making any required notifications to the Nigeria Data Protection Commission (NDPC)
7. Term and Termination
This DPA is effective from the date you first use WikrenaOS and continues for as long as Wikrena Limited processes personal data on your behalf. It terminates automatically when your WikrenaOS account is closed and all personal data has been deleted in accordance with Section 3.7.
8. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where a party is held liable to a Data Subject for a breach caused by the other party, the party not at fault is entitled to indemnification from the responsible party.
9. Governing Law
This DPA is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation 2019.
10. Contact and Complaints
For any questions about this DPA or to exercise data subject rights:
- Email: legal@wikrenaos.com
- Company: Wikrena Limited, Enugu, Nigeria
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.