Data Processing Addendum (DPA)

This DPA forms part of the Terms, Order Form, or SOW between Dimarak Ltd. ("Processor") and the customer ("Controller") where Dimarak processes personal data on the customer’s behalf. It reflects requirements under GDPR/UK GDPR and comparable laws.

Effective: September 17, 2025

Introduction & Parties

This DPA is between Dimarak Ltd., with its principal place of business in Accra, Ghana (the "Processor"), and the entity identified in the applicable Order Form or SOW (the "Controller"). Capitalized terms not defined here have the meaning given in the main agreement between the parties (the "Agreement").

Definitions

"Data Protection Laws" means laws applicable to the processing of Personal Data, including GDPR and UK GDPR. "Personal Data", "Processing", "Controller", and "Processor" have the meanings given in GDPR.

Roles & Scope

The parties acknowledge that Controller determines the purposes and means of processing Personal Data and Processor processes Personal Data on behalf of Controller to provide the services described in the Agreement and Annex A.

Processor Instructions

  • Processor will process Personal Data only on documented instructions from Controller, including transfers to a third country or international organization, unless required by law.
  • Processor will promptly inform Controller if, in its opinion, an instruction infringes Data Protection Laws.

Confidentiality

Processor ensures that persons authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.

Subprocessors

  • Controller authorizes Processor to engage Subprocessors for the purposes described in Annex A.
  • Processor will impose data protection obligations on Subprocessors equivalent to those in this DPA and remains responsible for their performance.
  • Processor maintains a current list of Subprocessors at /legal/subprocessors and will provide notice of changes allowing Controller to object on reasonable grounds.

International Transfers

Where Processor transfers Personal Data outside the EEA/UK to a country not recognized as providing an adequate level of protection, the parties shall implement appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable.

The SCCs (Module 2: Controller to Processor) are incorporated by reference and will apply where required. Annexes to this DPA provide the relevant details for the SCCs.

Security Measures

Processor implements technical and organizational measures appropriate to the risk, including measures described in Annex D and on the Security page (e.g., encryption, access controls, logging, and incident response).

Security Incidents

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach and provide information reasonably required for Controller to meet its obligations, consistent with Annex D and Processor policies.

Data Subject Requests

Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill obligations to respond to requests for exercising data subjects’ rights.

Return & Deletion

At Controller’s choice, Processor will delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage.

Audits & Reports

Processor will make available information necessary to demonstrate compliance and allow for audits by Controller or an auditor mandated by Controller, subject to reasonable scheduling, confidentiality, and fee arrangements.

Assistance & Cooperation

Processor will assist Controller with data protection impact assessments, consultations with supervisory authorities, and breach notifications, taking into account the nature of processing and information available to Processor.

Liability

Liability is governed by the Agreement. Nothing in this DPA increases either party’s liability beyond that agreed in the Agreement.

Term & Termination

This DPA remains in effect for the duration of the Agreement and until Processor deletes or returns Personal Data per the section above.

Governing Law

Unless otherwise specified in the Agreement, this DPA is governed by the same law and jurisdiction as the Agreement.

Annexes

Annex A — Subject Matter & Duration

Services, processing purpose, duration: as described in the applicable SOW/Order Form.

Annex B — Data Subjects & Categories of Data

  • Data subjects: customer personnel, end‑users, vendors (as applicable)
  • Categories: identifiers, contact details, usage and telemetry data, support content
  • Special categories: not intended; if processed, only with documented instruction

Annex C — Processing Operations

Hosting, storage, retrieval, transmission, structuring, and support operations to provide the services.

Annex D — Technical & Organizational Measures

  • Access control (SSO/OIDC, RBAC), least‑privilege, and logging
  • Encryption in transit and at rest; key management by cloud provider
  • Network security and segmentation (VPC), vulnerability management
  • Backup and recovery; incident response with post‑mortems
  • Supplier risk management and security training

Annex E — Subprocessors

See current list at /legal/subprocessors.

Annex F — Standard Contractual Clauses

Where required, the EU SCCs (Module 2) and the UK IDTA (as applicable) are hereby incorporated by reference.

This DPA is a template for general informational purposes and does not constitute legal advice. Customers should review with counsel.