Data Processing Agreement
Last Updated: 6 April 2026
Parties to This Agreement
Data Processor: Jabaricom Technologies Limited, incorporated in the Republic of Zambia ("Jabaricom" or "Processor")
Data Controller: The entity identified in the Order Form as the Subscriber ("Subscriber" or "Controller")
Background
A. The Controller is a professional services firm that has subscribed to the Jabaricom platform (the "Service") under a Terms of Service agreement and associated Order Form with Jabaricom (together, the "Principal Agreement").
B. In providing the Service, Jabaricom will process personal data on behalf of the Controller, including personal data belonging to the Controller's own clients and counterparties uploaded to or processed through the Service.
C. The parties enter into this Data Processing Agreement ("DPA") to set out the terms on which Jabaricom processes such personal data as a processor on the Controller's behalf, in accordance with the Zambia Data Protection Act No. 3 of 2021 (the "Act") and any other applicable data protection law.
D. This DPA forms part of the Principal Agreement and is incorporated by reference. In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails on matters of data processing.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms defined in the Principal Agreement and not defined here carry the same meaning.
| Term | Meaning |
|---|---|
| Act | The Zambia Data Protection Act No. 3 of 2021, as amended. |
| Controller | The Subscriber determining purposes and means of processing personal data within Subscriber Data. |
| Data Subject | An identified or identifiable natural person whose personal data appears in Subscriber Data. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under the Act. |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, transmission, erasure, or destruction. |
| Processor | Jabaricom, processing personal data on behalf of the Controller under this DPA. |
| Security Incident | Any confirmed or reasonably suspected breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. |
| Special Category Data | Personal data requiring heightened protection (e.g., health, biometric, genetic, political or religious data). |
| Sub-processor | A third party engaged by Jabaricom to process personal data on Jabaricom's behalf. |
| Subscriber Data | All personal data uploaded to or generated within the Service by or on behalf of the Controller. |
2. Subject Matter and Duration of Processing
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Schedule 1 (Processing Specification). Jabaricom processes personal data under this DPA for the Subscription Term and any additional period required by applicable law, subject to Clause 10.
3. Jabaricom's Obligations as Processor
3.1 Processing on Instructions Only
Jabaricom processes personal data only on documented Controller instructions, except where required otherwise by applicable law. If Jabaricom believes an instruction infringes applicable data protection law, it will promptly inform the Controller.
3.2 Confidentiality of Processing
All authorised personnel are bound by confidentiality obligations and process personal data only as necessary for their functions.
3.3 Security
Jabaricom implements and maintains the technical and organisational measures set out in Schedule 3 (or equivalent/higher controls), and reviews controls periodically.
3.4 Sub-processors
Controller grants general authorisation for sub-processors listed in Schedule 2. Jabaricom imposes equivalent obligations by contract, remains liable for sub-processor performance, and provides notice before additions or replacement.
Controller may object on reasonable data protection grounds within the stated notice period. If unresolved in good faith, Controller may terminate under the Principal Agreement terms.
3.5 Assistance with Data Subject Rights
Jabaricom provides reasonable assistance for Controller responses to data subject rights requests. Requests received directly are forwarded to Controller unless legally required otherwise.
3.6 Assistance with Controller Compliance
- Security of processing obligations
- Security incident notifications
- Data protection impact assessments
- Regulatory consultation where required
3.7 Records of Processing
Jabaricom maintains internal records of processing activities carried out on behalf of Controller and makes them available to the Data Protection Commissioner on request.
3.8 No Training on Subscriber Data
Jabaricom will not use personal data in Subscriber Data to train or fine-tune any AI model. AI calls transmit only minimum data necessary for contextual responses.
4. Controller's Obligations
- Maintain a valid lawful basis for all uploaded personal data.
- Provide required notices and obtain required consents.
- Ensure instructions to Jabaricom comply with applicable law.
- Train Users and ensure compliance with this DPA and law.
- Promptly notify Jabaricom of changes affecting processing compliance.
- Not upload Special Category Data without prior written acknowledgement and Schedule 1 update.
5. Special Category Data
The Service is not designed for Special Category Data by default. Controller must not upload such data without prior written agreement from Jabaricom.
If Special Category Data is inadvertently uploaded, Controller must notify Jabaricom immediately. The parties will agree in writing on remedial steps, including deletion or enhanced safeguards.
This restriction is a material term of the DPA due to the elevated risk profile.
6. Security Incidents
6.1 Notification
Jabaricom notifies Controller without undue delay and within 72 hours of confirming a Security Incident, with phased updates where necessary.
6.2 Cooperation
Jabaricom cooperates to support Controller regulatory and data subject notifications where required.
6.3 Remediation
Jabaricom takes prompt containment, investigation, and remediation actions and keeps Controller informed of material developments.
6.4 Responsibility
Notification does not constitute admission of fault; parties cooperate in good faith to determine cause and responsibility.
7. International Transfers of Personal Data
Controller acknowledges processing may involve cross-border transfers as set out in Schedule 2 and the Privacy Policy.
Safeguards include:
- Written processor agreements with equivalent data protection obligations
- Use of certified sub-processors (e.g., ISO 27001/SOC 2)
- TLS 1.2+ encryption for data in transit
- Contractual purpose limitations for sub-processors
8. Audit Rights
Controller may audit DPA compliance on reasonable notice (minimum 30 days), no more than once per calendar year unless a documented basis exists for suspected material breach.
Audit scope is limited, must avoid unreasonable disruption, and may be replaced by relevant third-party attestations (e.g., SOC 2, ISO 27001) where sufficient.
9. Liability
Liability under this DPA is subject to limitations and exclusions in the Principal Agreement. This DPA does not expand liability caps. Liability between parties is apportioned by degree of responsibility where both are liable for the same loss.
10. Data Return and Deletion on Termination
- 30-day export window for Subscriber Data after termination.
- Permanent deletion within 90 days after export window or export completion, except where legal/compliance retention obligations apply.
- Written deletion confirmation available on request.
- Restricted processing for any retained data until lawful retention ends.
11. Term
This DPA begins on the Principal Agreement effective date and continues for the Subscription Term. Termination of the Principal Agreement automatically terminates this DPA, except provisions that survive by nature.
12. General
12.1 Governing Law
This DPA is governed by the laws of the Republic of Zambia, including the Zambia Data Protection Act No. 3 of 2021.
12.2 Relationship to Principal Agreement
This DPA is incorporated by reference and prevails on data processing matters in case of conflict.
12.3 Amendments
Amendments require written agreement by both parties, except Schedule 2 updates under sub-processor notice process.
12.4 Severability
Invalid provisions are modified or severed; remaining provisions continue.
12.5 Entire Agreement on Data Processing
This DPA, schedules, and the Principal Agreement are the entire agreement on data processing under the Service.
Execution
This DPA is entered into by authorised representatives as of the applicable Order Form execution date, or if none, as of first subscription activation.
For Jabaricom Technologies Limited (Processor)
Signature: __________________________
Name: __________________________
Title: __________________________
Date: __________________________
For the Subscriber (Controller)
Signature: __________________________
Name: __________________________
Title: __________________________
Date: __________________________
Schedule 1 - Processing Specification
| Element | Details |
|---|---|
| Subject matter of processing | Provision of AI-powered workflow management, document intelligence, and engagement management services. |
| Duration of processing | Subscription Term plus periods required for deletion obligations under Clause 10. |
| Nature of processing | Storage, retrieval, inference transmission, classification, indexing, search, display, and deletion. |
| Purpose of processing | Provide Service per Controller instructions, including AI-powered features. |
| Categories of personal data | Identity/contact, financial/transactional, engagement, communication, AI interaction data; Special Category Data excluded by default. |
| Categories of data subjects | Controller clients and personnel, counterparties, and authorised users within Controller organisation. |
| Permitted purposes for AI inference transfers | Minimum contextual data for query response and email classification. |
| Restrictions on processing | No unrelated processing, no selling/sharing outside Schedule 2, no model training on Subscriber Data, no impermissible combining of datasets. |
Schedule 2 - Approved Sub-processors
Last updated: 6 April 2026
| Sub-processor | Purpose | Data Transferred | Location of Processing | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | Primary cloud infrastructure | All Schedule 1 categories | South Africa North | Microsoft DPA; ISO 27001, SOC 1/2, PCI DSS |
| Azure OpenAI Service | Primary AI inference | Minimum context data for inference | South Africa North / Sweden Central | Microsoft DPA; no-training API terms |
| Anthropic (Claude API) | Secondary AI inference | Minimum context data for inference | United States | Anthropic API terms and processing commitments |
| SendGrid (Twilio) | Transactional email delivery | User emails and transactional message content | United States | Twilio DPA; SOC 2 |
Schedule 3 - Technical and Organisational Security Measures
A. Access Controls
- Role-based access controls (RBAC) per Administrator settings.
- Need-to-know personnel access with logging and periodic review.
- MFA available for all users and strongly recommended for Administrators.
- One-way cryptographic password hashing.
- Automatic session timeout controls.
B. Encryption
- TLS 1.2+ for data in transit.
- AES-256 encryption at rest in Azure infrastructure.
- TLS 1.2+ for inference-provider transit paths.
C. Infrastructure Security
- Hosted in Azure South Africa North certified infrastructure.
- Firewall and network segmentation controls.
- Signed token controls for blob/object access.
- No direct public database endpoints.
D. Monitoring and Logging
- Personnel access logging and periodic review.
- Authentication, access pattern, and error condition logging.
- 90-day log retention for security and diagnostics.
- Periodic internal security configuration reviews.
E. Incident Response
- Documented detection, containment, investigation, and remediation process.
- Controller notification process aligned with Clause 6 timelines.
- Post-incident root-cause and prevention reviews.
F. Personnel and Organisational Measures
- Confidentiality obligations for personnel with data access.
- Need-to-know access and role-change access reviews.
- Ongoing awareness of data protection obligations.
G. Sub-processor Oversight
- Annual review of sub-processor security posture and certifications.
- Equivalent contractual obligations for all sub-processors.
- Monitoring of sub-processor incident/compliance changes.
H. Development and Change Management
- Security considerations in feature development lifecycle.
- Pre-deployment review of data/security-impacting changes.
- Version-controlled infrastructure configuration and rollback readiness.
Jabaricom Technologies Limited | Lusaka, Zambia | hello@jabaricom.com | jabaricom.com