Data Processing Agreement

VoteEdge processes Personal Data only on the Customer’s documented instructions. The Customer Agreement, Order Form, and the Platform’s in-app configuration choices made by the Customer’s authorised administrators constitute the Customer’s documented instructions. Where VoteEdge is required by law to process Personal Data otherwise than on the Customer’s instructions, VoteEdge will (where lawful) inform the Customer before doing so.

VoteEdge ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations (whether by contract, professional code, or statute) and trained to handle Personal Data lawfully.

VoteEdge implements appropriate technical and organisational measures as set out in Annex B. These measures take into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of data subjects.

VoteEdge engages sub-processors only under the conditions set out in clause 8 and Annex A. VoteEdge enters into a written contract with each sub-processor that imposes obligations no less protective than those set out in this DPA, in particular obligations of confidentiality, security, and assistance with data-subject requests.

VoteEdge notifies the Customer without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data breach affecting the Customer’s Personal Data. The notification will include, to the extent known at the time:

• the nature of the breach, the categories and approximate number of data subjects, and the categories and approximate number of records concerned;
• the likely consequences of the breach;
• the measures taken or proposed to be taken to address the breach and to mitigate its possible adverse effects.

The Customer remains primarily responsible for any notification it owes to the relevant data protection regulator under Nigeria (NG · NDPA 2023, s. 40), Ghana (GH · Act 843, s. 30), Kenya (KE · DPA 2019, s. 43), South Africa (ZA · POPIA, s. 22), or Rwanda (RW · Law N° 058/2021, art. 30). VoteEdge will provide reasonable cooperation, information, and assistance to enable the Customer to discharge that obligation.

VoteEdge, taking into account the nature of the processing, assists the Customer (by appropriate technical and organisational measures, insofar as this is possible) in the fulfilment of the Customer’s obligation to respond to requests from data subjects exercising rights under the applicable statute. Where a data subject makes a request directly to VoteEdge in respect of data processed on a Customer’s behalf, VoteEdge will forward the request to the Customer without undue delay and (unless a binding legal request requires otherwise) will not respond to the data subject directly, save to acknowledge receipt and route the request.

VoteEdge makes available to the Customer, on reasonable written request, the information necessary to demonstrate compliance with the obligations set out in this DPA. The Customer may, at its own cost, audit VoteEdge’s processing of the Customer’s Personal Data not more frequently than once per twelve (12) months, except where reasonable notice is given following a confirmed Personal Data breach. Where VoteEdge holds a current third-party attestation covering the relevant scope, VoteEdge may, at its discretion, offer that attestation in lieu of a full on-site audit.. Audits do not extend to other customers’ data, confidential information, or trade-secret information.

On termination or expiry of the Customer Agreement, and subject to clause 15 of the Customer Agreement, VoteEdge either returns the Customer’s Personal Data to the Customer through the documented export surfaces or deletes it (subject to applicable retention floors and to any binding legal hold). Where the Customer requests export, VoteEdge cooperates with reasonable efforts to provide the data in a structured, commonly used, machine-readable format.

• Multi-tier authentication including password (with strength rules and history), optional multi-factor authentication, and recoverable email-based reset.
• Role-based access control with per-project tenant scoping enforced at the data-access layer; least-privilege defaults.
• Bootstrap of platform-operator (Company) accounts from environment configuration, with explicit invitation-only provisioning of Customer-tier and Field-team accounts.
• Cross-project data isolation: list-views and queries are scoped to the active Project; cross-project access surfaces an audit row.
• Audit log of every privileged mutation, recording actor, timestamp, IP address, and structured metadata.

• TLS in transit between client and platform.
• At-rest encryption of stored data through the underlying database and object-storage providers.
• Cryptographic hash-chain over election-day result reports, with publication of signed press-kit certificates verifiable by third parties.

• Two-supervisor quorum required for material amendments to election-day result reports above a configurable threshold.
• Hash-chain integrity of result-report rows: amendments do not modify rows in place but chain a corrected row onto the previous terminal report.
• Server-side validation of submitted geographies against the seeded administrative hierarchy, with auto-flagging of impossible combinations.
• Server-side sanitisation of free-text fields used in messaging and incident reporting (HTML stripping, control-character removal, scheme neutralisation).

• Database backup and point-in-time recovery procedures.
• Documented disaster-recovery runbook with election-day fast-path procedures and RTO targets.
• Redundancy in the result-transmission pipeline, with offline-first field-collection clients and durable queue + retry on the email outbox.
• Boot-time invariant checks that refuse to start the platform with a stalled ingest pipeline.

• Rate limits on authentication, password reset, MFA-need probe, public contact form, and high-cardinality export endpoints.
• CSRF protection on every authenticated mutation route.
• Service-worker isolation policy that excludes authenticated surfaces from cross-session cache reuse.
• Permissions-Policy header restricting browser-feature exposure; dev-only allowance for geolocation in the field-collection client.

• Automated unit, integration, and end-to-end test suites covering authentication, authorisation, scope, ingest, analytics, election-day workflows, and the export surfaces.
• Continuous integration with required green status for unit, integration, and a representative subset of end-to-end tests.
• Periodic security review of the change-set, with lockable file-level invariants guarding scope, tenancy, transaction atomicity, and permission gating.

• A documented incident-response runbook covering the first 60 seconds (decision tree), point-in-time recovery, signing-key restoration, R2 / object-storage restoration, and customer communication templates.
• Severity-graded notification thresholds for the platform operator and (where applicable) the Customer.
• Post-incident review with retention of forensic artefacts.

Reliant on (NG · NDPA 2023, s. 41). For each transfer, the parties rely on (i) NDPC adequacy recognition, where issued, or (ii) a binding contractual instrument approved by the NDPC, or (iii) the data subject’s explicit consent, or (iv) one of the specific derogations in s. 41(3) .

Reliant on (GH · Act 843, s. 47). For each transfer, the parties rely on (i) the recipient country’s adequate level of protection, or (ii) DPC authorisation.

Reliant on (KE · DPA 2019, ss. 48-49). For each transfer, the parties rely on (i) appropriate safeguards including standard contractual clauses approved by the ODPC, or (ii) the data subject’s explicit consent, or (iii) one of the derogations in s. 49.

Reliant on (ZA · POPIA, s. 72). For each transfer, the parties rely on the recipient being subject to a law, BCRs, or binding agreement that provides an adequate level of protection, or on the data subject’s consent, or on a transfer that is necessary for the conclusion or performance of a contract.

Reliant on (RW · Law N° 058/2021, arts. 48-49). For each transfer, the parties rely on the recipient country’s adequate level of protection or on specific safeguards approved by the supervisory authority.