Legal

Data Processing Agreement

Version 1.0 · Last updated 30 April 2026

✓ NDPR Compliant · ✓ GDPR-aligned · ✓ Enterprise ready

Preamble

This Data Processing Agreement ("DPA") forms part of the QApoint Terms of Service ("Agreement") between QApoint Technologies Ltd ("QApoint", "we", "Processor") and the entity using QApoint's services ("Customer", "Controller").

This DPA reflects the requirements of the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), and the Nigeria Data Protection Act (NDPA) 2023, as well as GDPR-equivalent safeguards for Customers with international obligations.

Where this DPA conflicts with the Agreement, this DPA governs in respect of data protection matters.

1. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined under NDPR Article 1.3(xxx).
  • "Processing" — any operation performed on Personal Data, whether automated or not.
  • "Sub-processor" — any third party engaged by QApoint to process Personal Data on the Customer's behalf.
  • "Data Subject" — a natural person whose Personal Data is processed under this DPA (e.g., event participants, team members).
  • "Services" — the QApoint real-time Q&A platform and all related features accessed by the Customer.

2. Scope and Nature of Processing

2.1. Subject matter

QApoint processes Personal Data on behalf of the Customer solely to provide the Services described in the Agreement and this DPA.

2.2. Categories of data processed

  • Participant data: display names (optional), anonymous session tokens, question text, IP addresses (hashed), upvote counts, reaction data.
  • Member data: name, work email, role within the organisation, login timestamps.
  • Usage data: event metadata, room configuration, analytics aggregates.

2.3. Purpose limitation

QApoint will not process Personal Data for any purpose other than providing the Services or as required by applicable Nigerian law. QApoint will never sell Customer data to third parties.

3. Processor Obligations

3.1. Instructions

QApoint will process Personal Data only on documented instructions from the Customer. The Customer's use of the Services constitutes documented instructions for the purposes of this DPA.

3.2. Confidentiality

QApoint will ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security measures

QApoint implements and maintains appropriate technical and organisational measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and role-based permissions
  • Regular penetration testing (annual)
  • Incident response procedures and breach notification within 72 hours of discovery
  • Audit logging of all administrative actions

3.4. Sub-processors

QApoint engages the following categories of sub-processors:

  • Cloud infrastructure — AWS / GCP (data hosted in the region selected by the Customer)
  • Email delivery — SendGrid (transactional emails only)
  • Payment processing — Paystack (payment data only; QApoint does not store card details)
  • Error monitoring — Sentry (anonymised stack traces)

QApoint will notify the Customer of any intended addition or replacement of sub-processors with at least 14 days' notice, giving the Customer the opportunity to object.

4. Controller Obligations

4.1. Lawful basis

The Customer warrants that it has a lawful basis under NDPR / NDPA to collect and transfer Personal Data to QApoint for processing, including obtaining appropriate consent from Data Subjects where required.

4.2. Participant transparency

The Customer is responsible for informing event participants (Data Subjects) that their questions, display names, and engagement data will be processed by QApoint and for providing a link to QApoint's Privacy Policy.

5. Data Subject Rights

QApoint will assist the Customer in responding to Data Subject requests under NDPR, including:

  • Right of access — export of all data held for a Data Subject on request
  • Right to erasure — deletion of a participant's questions and data via the Customer admin panel or a written request to QApoint
  • Right to correction — amendment of inaccurate personal data
  • Right to data portability — export in machine-readable format (CSV, JSON)

Requests should be submitted by the Customer to privacy@qapoint.com. QApoint will respond within 30 days.

6. International Data Transfers

Customer data is stored in the region selected during onboarding. QApoint currently offers:

  • Nigeria (default) — data stored in AWS af-south-1 (Cape Town) or equivalent African region
  • Europe — data stored in AWS eu-west-1 (Ireland)
  • United States — data stored in AWS us-east-1 (Virginia)

Where data is transferred outside Nigeria, QApoint relies on Standard Contractual Clauses (SCCs) or equivalent mechanisms as permitted under NDPR Article 2.12 and the NDPA 2023.

7. Data Retention and Deletion

7.1. Retention periods

  • Active account data: retained for the duration of the Customer's subscription plus 90 days after cancellation
  • Participant question data: retained per the Customer's configured retention policy (30, 90, or 180 days)
  • Audit logs: retained for the period specified in the Customer's plan (90 days on Pro; 1 year on Growth; unlimited on Business/Enterprise)
  • Payment records: retained for 7 years (Nigerian tax compliance)

7.2. Deletion on termination

Upon termination of the Agreement, QApoint will delete or anonymise all Personal Data within 90 days, unless longer retention is required by law. The Customer may request a data export prior to termination.

8. Data Breach Notification

QApoint will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach likely to result in a risk to the rights and freedoms of Data Subjects. Notification will be sent to the Customer's registered email address and will include:

  • Nature of the breach and categories of data affected
  • Approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

The Customer is responsible for notifying NITDA and affected Data Subjects as required under NDPR Section 2.8.

9. Audit Rights

QApoint will make available all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Customer or a mandated auditor. Audits require at least 14 days' written notice and must be conducted during normal business hours without unreasonably disrupting QApoint's operations.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the Agreement. QApoint's total liability for claims under this DPA shall not exceed the fees paid by the Customer in the 12 months preceding the claim.

11. Governing Law

This DPA is governed by the laws of the Federal Republic of Nigeria. Any disputes shall be submitted to the exclusive jurisdiction of the Nigerian courts. For Customers operating under GDPR, this DPA shall also be interpreted in accordance with GDPR requirements.

12. How to Execute This DPA

Enterprise Customers requiring a signed, countersigned DPA should contact legal@qapoint.com. QApoint will provide a signed PDF within 3 business days.

For all other Customers, use of the QApoint Services constitutes acceptance of this DPA as part of the Agreement, as permitted under NDPR and standard SaaS practice.

Data Protection Contact

QApoint Technologies Ltd

Data Protection Officer: privacy@qapoint.com

Legal enquiries: legal@qapoint.com

Registered in Nigeria · RC number: [pending]