Data Processing Agreement
Last updated: 11 July 2026 · This DPA forms part of the Terms of Service between the Merchant ("Controller") and Bamaja Integrated Online Services Ltd ("Processor")
1. Roles and scope
For personal data of the Merchant's customers processed through the Ngozi service, the Merchant is the Data Controller and Bamaja is the Data Processor under the Nigeria Data Protection Act 2023 (NDPA). This DPA applies for as long as the Merchant's account exists plus the deletion period below.
2. Processing details
| Item | Description |
|---|---|
| Subject matter | Operation of an AI customer-care assistant on the Merchant's WhatsApp number. |
| Nature and purpose | Receiving, storing and responding to customer messages; capturing orders and bookings; forwarding receipt images; producing business reports. |
| Data subjects | Customers and prospective customers who message the Merchant's number. |
| Data categories | Phone numbers, display names, message content, order and delivery details, images voluntarily sent by customers (including payment-receipt screenshots). |
| Duration | While the account is active; deletion within 30 days of termination or verified instruction. |
3. Processor obligations
- Instructions only: we process customer data solely to provide the service and on the Merchant's documented instructions (including dashboard actions and owner commands), unless law requires otherwise.
- Confidentiality: personnel with access are bound by confidentiality obligations.
- Security: TLS encryption in transit, per-business data isolation, access controls, monitored infrastructure, and secured media storage.
- Sub-processors: listed below; we will inform merchants of material changes. We remain responsible for sub-processors' performance.
- Assistance: we assist the Controller with data-subject requests (access, correction, deletion) and NDPA obligations, at no charge for reasonable requests.
- Breach notice: we notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a personal-data breach affecting their data, with the information needed for the Controller's own obligations.
- Deletion/return: on termination or instruction, personal data is deleted within 30 days, except records retained under legal obligation.
- Audit: on reasonable written notice, we will provide information necessary to demonstrate compliance with this DPA.
4. Approved sub-processors
| Sub-processor | Role | Location |
|---|---|---|
| AI language-model provider (currently DeepSeek) | Generation of assistant replies from conversation context | International |
| Cloud hosting providers | Compute, database and media storage | Europe |
| Paystack | Merchant subscription billing (no customer data) | Nigeria |
| WhatsApp (Meta) | Message transport network | International |
5. International transfers
Where processing occurs outside Nigeria, we apply appropriate safeguards consistent with the NDPA, including contractual protections with providers and data minimisation (only the data needed to answer a conversation is sent to the AI provider).
6. Controller obligations
The Merchant confirms it has a lawful basis to process its customers' data, provides any notices required to its customers (Ngozi discloses that she is an AI assistant when asked), and will use the service's controls (delete customer, block, data corrections) to give effect to data-subject requests.
7. Liability and order of precedence
Liability under this DPA follows the limitations in the Terms of Service. If this DPA conflicts with the Terms on data-protection matters, this DPA prevails.
Contact for data matters: Bamaja Integrated Online Services Ltd, Lagos · WhatsApp 0912 000 9870.