Legal

    Data Processing Agreement

    Effective 16 April 2026. This DPA forms part of the agreement between your bureau (controller) and CediSync (processor).

    Counsel review required. This template is structurally complete but has not been reviewed by Ghanaian counsel. All sections marked [Counsel review] must be verified before signing.

    01

    Scope and roles

    This DPA applies wherever CediSync processes personal data on your behalf in connection with the service. You are the data controller; CediSync is the data processor. Each party complies with its obligations under the Ghana Data Protection Act, 2012 (Act 843) and any other applicable data protection law.

    02

    Processing details

    Subject matter: provision of the CediSync software service.

    Duration: the term of your subscription, plus retention periods set out in the privacy policy.

    Nature and purpose: operating a bureau management platform — rates, trades, close, reports, governance.

    Categories of data: bureau staff personal data, bureau customer records, and operational data generated by use of the service.

    Data subjects: bureau employees and bureau customers.

    03

    CediSync obligations

    As processor, CediSync will:

    • Process personal data only on documented instructions from you, unless required by law.
    • Ensure all personnel authorised to process personal data are bound by confidentiality obligations.
    • Implement appropriate technical and organisational security measures.
    • Assist you in responding to data subject requests where you cannot do so yourself.
    • Notify you of personal data breaches without undue delay.
    • Delete or return personal data at the end of the service, at your election.
    • Make available information needed to demonstrate compliance and support audits.

    04

    Sub-processors

    You authorise CediSync to use the sub-processors listed below. We will notify you of proposed additions or replacements at least 30 days in advance.

    Sub-processor | Purpose | Region
    Amazon Web Services | Infrastructure hosting | af-south-1 (Cape Town)
    Supabase | Managed Postgres database | af-south-1 (Cape Town)
    Paystack | Subscription billing & payments | Nigeria / South Africa
    Resend | Transactional email delivery | United States (with SCCs)

    [Counsel review — confirm accurate and complete sub-processor list; add any additional regional processors.]

    05

    Security measures

    Our technical and organisational measures are described in detail on the security page. Summary:

    • Encryption at rest (AES-256) and in transit (TLS 1.3).
    • Row-level data isolation per bureau in the database.
    • Role-based access with least-privilege defaults.
    • Audit logging of every data access and change.
    • Daily encrypted backups with 30-day retention and point-in-time recovery.

    06

    International transfers

    Primary processing takes place in AWS af-south-1 (Cape Town). Where a sub-processor operates outside the African continent, transfers are protected by standard contractual clauses or an equivalent lawful mechanism.

    [Counsel review — verify transfer mechanism and applicability to Ghana's cross-border regime.]

    07

    Assistance with data subject rights

    Where a data subject exercises rights that require access to personal data held in the service, CediSync will assist you to respond within the time limits in applicable law.

    08

    Incident notification

    Where CediSync becomes aware of a personal data breach, we will notify you without undue delay — and in any event within 72 hours — with the information reasonably available at the time.

    09

    Return or deletion on termination

    On termination of the service, CediSync will, at your election, return all personal data to you in a machine-readable format or delete it, and will delete existing copies within 90 days (beyond what is legally required for retention).

    10

    Audit rights

    On reasonable written notice, and subject to appropriate confidentiality obligations, you may audit CediSync's compliance with this DPA once per 12-month period.

    [Counsel review — confirm audit cadence and expense allocation.]

    11

    Contact

    For DPA questions and execution: hello@cedisync.com. For security matters: security@cedisync.com.