Data Processing Agreement (DPA)

Last updated: 3/9/2026

Enterprise Customers: For a signed copy of our DPA, please contact our legal team at legal@leadsbox.app

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Tribus Global Ltd ("LeadsBox", "we", "us") and governs the processing of Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by LeadsBox on behalf of Customer
  • "Data Subject" means the individual to whom Personal Data relates
  • "Processing" has the meaning given in applicable data protection laws
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller

2. Roles and Scope

2.1 Customer acts as the Controller and LeadsBox acts as the Processor of Personal Data processed through the LeadsBox service.

2.2 This DPA applies to the Processing of Personal Data by LeadsBox for the purpose of providing the services described in the Terms of Service.

2.3 The nature, purpose, and types of Personal Data processed are detailed in Appendix A below.

3. Customer's Obligations

Customer warrants that:

  • It has a lawful basis for Processing Personal Data and sharing it with LeadsBox
  • It has provided all necessary notices to Data Subjects
  • Its Processing instructions comply with applicable data protection laws
  • It has obtained all necessary consents from Data Subjects

4. LeadsBox's Obligations

LeadsBox shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to protect Personal Data
  • Notify Customer without undue delay upon becoming aware of a Personal Data breach
  • Assist Customer in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services

5. Sub-Processors

5.1 Customer grants LeadsBox general authorization to engage sub-processors for specific Processing activities.

5.2 Current sub-processors include:

  • Amazon Web Services (AWS) - Cloud infrastructure and data storage
  • Render - Application hosting
  • PostgreSQL (Managed Database) - Database services
  • OpenAI - AI-powered features processing
  • Paystack - Payment processing
  • PostHog - Analytics

5.3 LeadsBox will notify Customer of any new sub-processor at least 30 days before engagement. Customer may object on reasonable grounds.

6. Security Measures

LeadsBox implements industry-standard security measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular data backups with encryption
  • Employee security training and background checks
  • Incident response and breach notification procedures

7. Data Subject Rights

7.1 LeadsBox will assist Customer in fulfilling Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to Processing

7.2 LeadsBox will respond to Data Subject requests within 30 days or as required by applicable law.

8. Data Transfers

8.1 Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA).

8.2 For transfers from the EEA to third countries, LeadsBox relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Appropriate safeguards as required by GDPR Article 46

9. Data Breach Notification

9.1 LeadsBox will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.

9.2 Notifications will include:

  • Nature of the breach
  • Categories and approximate number of affected Data Subjects
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10. Audits and Inspections

10.1 LeadsBox will make available to Customer information necessary to demonstrate compliance with this DPA.

10.2 Customer may conduct audits or inspections upon reasonable notice (at least 30 days) and no more than once per year, unless required by law or following a data breach.

11. Data Retention and Deletion

11.1 Upon termination of services, LeadsBox will:

  • Delete all Personal Data within 30 days, unless legally required to retain it
  • Provide Customer with a copy of Personal Data upon request (at no additional cost)
  • Certify deletion in writing upon Customer request

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Term and Termination

This DPA will remain in effect for as long as LeadsBox Processes Personal Data on behalf of Customer or until termination of the Terms of Service.

Appendix A: Details of Processing

Nature and Purpose of Processing

LeadsBox processes Personal Data to provide multi-channel messaging, CRM, invoicing, and analytics services to Customer.

Duration of Processing

For the duration of the Terms of Service, plus 30 days for data deletion.

Categories of Data Subjects

  • Customer's end-users and contacts
  • Customer's employees and team members
  • Message senders and recipients

Types of Personal Data

  • Contact information (name, email, phone number)
  • Message content (text, images, files)
  • Transaction data (invoices, payments, receipts)
  • Usage data (IP addresses, browser information, timestamps)
  • Social media identifiers (WhatsApp ID, Instagram handle, etc.)

Special Categories of Data

Customer must not submit special categories of personal data (sensitive data) unless explicitly agreed in writing.
