Data Processing Agreement (DPA)
Last updated: 5 June 2026
This Data Processing Agreement (DPA) forms an integral part of the agreement between Wajub UK Ltd ('Wajub', 'Processor') and the Merchant ('Controller') for the use of Wajub's payment platform and services. In the event of any inconsistency between this DPA and the CGU Marchands, this DPA shall prevail with respect to data processing matters.
1. Processing of Personal Data
The Controller (Merchant) determines the purposes and means of processing of Personal Data relating to its end customers. The Processor (Wajub) processes Personal Data only on documented instructions of the Controller. Wajub shall not process Personal Data for its own purposes, sell Personal Data to third parties, or use Personal Data for marketing without separate consent. Wajub shall immediately inform the Controller if an instruction infringes Data Protection Legislation.
2. Confidentiality and Security
Wajub ensures that any person authorised to process Personal Data has committed to confidentiality. Access is granted on a strict need-to-know basis with granular permissions and full audit logging. Technical measures include: TLS 1.3 in transit, AES-256 at rest, HSM for encryption keys, mandatory 2FA, IP whitelisting, strict sandbox/production isolation, 24/7 security monitoring, SAST/DAST/SCA scans, quarterly penetration tests, PCI DSS (SAQ-A), ISO 27001 and SOC 2 frameworks.
3. Sub-processors
The Controller provides general authorisation for Wajub to engage Sub-processors. The current list is available at wajub.com/legal/subprocessors. Wajub shall notify the Controller at least 30 days before engaging a new Sub-processor. The Controller may object within 14 days on reasonable grounds relating to data protection. If no solution is found, the Controller may suspend affected Services without penalty.
4. Data Subject Rights
The Controller is responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). Wajub shall assist by providing relevant Personal Data in a structured format within 7 days, implementing technical measures for erasure or restriction, and documenting processing activities. If Wajub receives a direct request from a Data Subject, it shall forward the request to the Controller within 48 hours.
5. Data Breach Notification
Wajub shall notify the Controller without undue delay (and within 24 hours of becoming aware) of any Personal Data breach affecting data processed on behalf of the Controller. The notification shall include the nature of the breach, categories and approximate number of Data Subjects and records, contact details, likely consequences, and measures taken. Wajub shall assist the Controller in complying with its obligations under Articles 33 and 34 GDPR.
6. Data Retention and Deletion
Retention periods: transaction data 10 years, API logs (production) 1 year (extendable to 7), API logs (sandbox) 90 days, KYC/KYB documents duration of relationship + 5 years, audit trail 10 years. Within 30 days of termination, the Controller may request export of Personal Data. After this period, Wajub shall delete all Personal Data subject to legal retention requirements.
7. International Transfers
Personal Data may be processed in Cameroon, Côte d'Ivoire, Senegal (Wajub offices), France (EU headquarters), EU member states, United States, and South Africa. For transfers to countries without an adequacy decision, Wajub relies on Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914), Binding Corporate Rules (BCR), and documented Transfer Impact Assessments (TIA). Copies of SCCs are available on request from dpo@wajub.com.
8. Audit Rights
The Controller may audit Wajub's compliance with this DPA once per year (or more frequently in case of a data breach), during business hours, at the Controller's expense (unless non-compliance is revealed). If an on-site audit is not feasible, Wajub shall provide SOC 2 readiness assessment, ISO 27001 gap assessment, PCI DSS SAQ-A self-assessment, and security questionnaire responses (CAIQ or equivalent).
9. Liability and Termination
Each party shall be liable for damages caused by its own infringement of this DPA. If Wajub breaches this DPA materially, the Controller may suspend processing of Personal Data until compliance is restored. If Wajub fails to restore compliance within 14 days of notification, the Controller may terminate the affected Services without penalty. Upon termination, Wajub shall delete all Personal Data (subject to legal retention) and certify deletion in writing.
Annex A — Details of Processing
Categories of Personal Data: identity data (name, email, phone, address), transaction data (amount, currency, date, reference, status, payment method), technical data (IP address, device fingerprint, browser, OS), authentication data (3DS result, mobile money confirmation), payment token, location data (country, city), session data, communication data, and KYC/KYB data (ID document, selfie, company documents). Categories of Data Subjects: end customers (buyers/payers), beneficiaries of payouts, merchants' representatives, platform sellers. Wajub does not intentionally process special categories of data (Article 9 GDPR) except biometric data for KYC with explicit consent.
Compliance questions: compliance@wajub.com