Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between OgiAfrica Company Limited ("Processor", "Ōgi") and the Customer ("Controller") and governs Ōgi’s processing of Personal Data on the Controller’s behalf in the provision of the services.
1. Definitions
- Applicable Law — the Tanzania Data Protection Act (Act No. 11 of 2022), its regulations, and any other data-protection law applicable to a Processing activity.
- Personal Data, Processing, Data Subject, Controller, Processor, Sub-processor — as defined in Applicable Law.
- Services — the Ōgi services described in the Terms and Order Form.
2. Roles of the parties
For Personal Data processed in the course of delivering the Services, the Controller determines the purposes and means of Processing; Ōgi processes Personal Data on the Controller's documented instructions as Processor. Each party remains independently responsible for compliance with Applicable Law within its role.
3. Scope & instructions
Ōgi will process Personal Data only (a) as necessary to provide the Services, (b) in accordance with the Controller's documented instructions (including those in the Terms, this DPA, and the dashboard configuration), and (c) as required by Applicable Law. Ōgi will inform the Controller if an instruction would violate Applicable Law.
4. Nature & purpose of processing
Purpose. Provision of the payment orchestration, gateway, connector and agent services described in the Terms.
Categories of Data Subjects. End users (payers), merchant staff, authorised agents.
Categories of Personal Data. Name, MSISDN, email, masked PAN, account reference, device and IP metadata, transaction records.
Special categories. None processed intentionally.
Duration. For the term of the Services plus retention per Applicable Law.
5. Confidentiality
Ōgi ensures that personnel authorised to Process Personal Data are bound by confidentiality obligations and receive annual training on privacy, security and AML. Access is on a least-privilege basis with quarterly recertification.
6. Security measures
Ōgi implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. Measures include:
- TLS 1.3 in transit; AES-256 at rest; tokenisation of sensitive fields.
- HSM-backed key management with annual rotation.
- RBAC, SSO with hardware 2FA, and just-in-time access for production.
- 24×7 SOC, SIEM, automated anomaly detection.
- Penetration testing at least annually by independent firms.
- Dual-region resilience with tested DR runbooks.
Full control catalogue at trust.html.
7. Sub-processors
The Controller authorises Ōgi to engage Sub-processors for Processing as necessary to provide the Services, subject to written agreements imposing obligations no less protective than this DPA. Ōgi remains liable for Sub-processor acts or omissions.
Current Sub-processors are listed at ogiafrica.com/subprocessors and updated as changes occur. Ōgi will give at least 30 days' notice of new or replacement Sub-processors; the Controller may object on reasonable grounds and, if the objection cannot be resolved, terminate the affected Services.
8. International transfers
Where Ōgi transfers Personal Data outside Tanzania, it will ensure an adequate level of protection through (a) an adequacy decision, (b) Standard Contractual Clauses, or (c) another lawful mechanism under Applicable Law. Primary data residency remains Tanzania.
9. Data subject rights
Taking into account the nature of the Processing, Ōgi will assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to Data Subject requests to exercise rights under Applicable Law. Requests received directly by Ōgi will be forwarded to the Controller without undue delay.
10. Personal data breach notification
Ōgi will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data breach affecting Controller data, with sufficient information to allow the Controller to meet its own notification obligations. Notifications go to the designated security contact on the Order Form.
11. Audit rights
Ōgi will make available to the Controller all information necessary to demonstrate compliance with this DPA, and will contribute to audits conducted by the Controller or a mutually agreed independent auditor, no more than once every 12 months (absent a Personal Data breach), on 30 days' notice, during business hours, and subject to confidentiality undertakings. Ōgi may satisfy audit obligations by providing recent independent third-party audit reports (e.g. ISO 27001, SOC 2) where available.
12. Return or deletion
On termination, and at the Controller's choice expressed within 30 days, Ōgi will return or delete all Personal Data processed on the Controller's behalf, except where retention is required by Applicable Law. Deletion will be completed within 90 days of termination.
13. Liability
The parties' liability under this DPA is subject to the limitation of liability in the Terms. Where both parties are liable for the same damage, liability is apportioned per each party's share of responsibility.
14. Governing law & precedence
This DPA is governed by the laws of Tanzania. In case of conflict, this DPA prevails over the Terms on Personal Data matters, and Applicable Law prevails over both.