Data Processing Agreement

GDPR-Compliant Agreement for ISP Subscriber Data Processing

Article 28 GDPR Compliant | Kenya Data Protection Act 2019 | Standard Contractual Clauses

1. PREAMBLE

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Data Controller and TrendWave Connect Ltd. (the "Data Processor") for the provision of ISP billing and management software services.

This DPA reflects the parties' agreement with respect to the Processing of Subscriber Personal Data in accordance with the requirements of Data Protection Laws, including:

  • Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR")
  • Kenya Data Protection Act, 2019
  • Any applicable data protection laws in the Data Controller's jurisdiction

This DPA shall be effective upon the Data Controller's acceptance of the Terms of Service and shall continue until termination of all Service Agreements.

2. DEFINITIONS

Capitalized terms used but not defined herein shall have the meanings given to them in the Terms of Service. The following definitions apply throughout this DPA:

Subscriber Personal Data
Any information relating to an identified or identifiable natural person who is an end-customer of the Data Controller's ISP services, processed through the TrendWave Connect platform.
Data Processing
Any operation or set of operations performed on Subscriber Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Technical and Organizational Measures
Measures to ensure a level of security appropriate to the risk, including encryption, pseudonymization, access controls, backup systems, and regular security testing.
Sub-processor
Any third party engaged by the Data Processor to Process Subscriber Personal Data on behalf of the Data Controller.
Data Protection Laws
All laws and regulations applicable to the Processing of Subscriber Personal Data under this DPA.

3. SUBJECT MATTER AND DETAILS OF PROCESSING

The subject matter, nature, and purpose of Processing, the types of Subscriber Personal Data, and categories of Data Subjects are as follows:

ANNEX 1: DETAILS OF PROCESSING ACTIVITIES

Data Controller: The Internet Service Provider (ISP) using TrendWave Connect software
Data Processor: TrendWave Connect Ltd.
Data Subjects: End-customers (subscribers) of the Data Controller's ISP services
Categories of Data:
  • Identification data (name, ID number)
  • Contact information (address, email, phone)
  • Billing and payment information
  • Network usage data and bandwidth statistics
  • Service configuration and preferences
  • Support and communication records
Processing Operations:
  • Billing and invoicing automation
  • Payment processing and reconciliation
  • Network bandwidth monitoring and management
  • Customer support ticket management
  • Service provisioning and configuration
  • Data analytics and reporting
Processing Purpose: Provision of ISP billing, management, and network monitoring services to enable the Data Controller to deliver internet services to its subscribers
Retention Period: As specified in the Privacy Policy, but not exceeding the term of the Service Agreement plus 90 days for transition purposes

4. DURATION OF PROCESSING

The Processing of Subscriber Personal Data under this DPA shall continue for the duration of the Service Agreement, unless otherwise agreed in writing or required by applicable Data Protection Laws.

Upon termination of the Service Agreement, the Data Processor shall:

  • Cease all Processing of Subscriber Personal Data
  • Return or delete all Subscriber Personal Data in accordance with Clause 12
  • Provide written confirmation of deletion upon request

5. NATURE AND PURPOSE OF PROCESSING

The Data Processor shall Process Subscriber Personal Data solely for the following purposes:

  1. Billing Services: Automated invoicing, payment processing, and financial reporting for ISP subscribers
  2. Network Management: Bandwidth monitoring, usage tracking, and network performance optimization
  3. Customer Support: Management of subscriber support tickets and service requests
  4. Service Provisioning: Configuration and management of internet services for subscribers
  5. Compliance Reporting: Generation of reports required by regulatory authorities
  6. System Operations: Maintenance, troubleshooting, and improvement of the software platform

The Data Processor shall not Process Subscriber Personal Data for any other purpose without the prior written consent of the Data Controller, unless required by applicable law.

6. DATA PROCESSOR OBLIGATIONS

The Data Processor shall:

  1. Process Subscriber Personal Data only on documented instructions from the Data Controller, unless required by law
  2. Ensure that persons authorized to Process Subscriber Personal Data have committed themselves to confidentiality
  3. Implement appropriate technical and organizational measures as specified in Annex 2
  4. Assist the Data Controller in ensuring compliance with Data Protection Laws
  5. Make available to the Data Controller all information necessary to demonstrate compliance
  6. Cooperate with supervisory authorities in the performance of their tasks

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
Access Control: Role-based access control; multi-factor authentication; regular access reviews
Network Security: Firewalls; intrusion detection systems; DDoS protection; network segmentation
Physical Security: 24/7 monitored data centers; biometric access controls; environmental controls
Backup & Recovery: Daily encrypted backups; 30-day retention; disaster recovery testing quarterly
Incident Response: Documented response procedures; 24/7 security monitoring; regular incident drills
Security Testing: Regular vulnerability assessments; penetration testing annually; code security reviews

7. CONTROLLER INSTRUCTIONS

The Data Controller shall provide all instructions regarding the Processing of Subscriber Personal Data through the software platform's administrative interface or via written communication to the designated contact point.

The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes Data Protection Laws. In such cases, the Data Processor may suspend Processing until the instruction is modified.

Instructions may include, but are not limited to:

  • Configuration of data retention periods
  • Specification of data export formats and schedules
  • Authorization of specific data processing activities
  • Requests for data deletion or modification
  • Approval of Sub-processor engagements

8. SECURITY OF PROCESSING

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures shall include, as appropriate:

  1. The pseudonymization and encryption of Subscriber Personal Data
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
  3. The ability to restore the availability and access to Subscriber Personal Data in a timely manner
  4. A process for regularly testing, assessing, and evaluating the effectiveness of security measures

The Data Processor shall provide the Data Controller with documentation describing the security measures upon request.

9. SUB-PROCESSING

The Data Controller hereby authorizes the Data Processor to engage the following categories of Sub-processors:

ANNEX 3: AUTHORIZED SUB-PROCESSORS

Sub-processor | Service | Location | DPA in Place
AWS Africa (Cape Town) | Cloud Infrastructure | South Africa | ✓ Yes
Truehost Kenya | Hosting Services | Kenya | ✓ Yes
Safaricom (M-Pesa) | Payment Processing | Kenya | ✓ Yes
Stripe | International Payment Processing | Ireland/USA | ✓ Yes
SendGrid (Twilio) | Email Services | USA | ✓ Yes

The Data Processor shall:

  1. Inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors
  2. Provide the Data Controller with 30 days to object to such changes
  3. Impose the same data protection obligations on Sub-processors as set out in this DPA
  4. Remain fully liable to the Data Controller for the performance of Sub-processors' obligations

10. DATA SUBJECT RIGHTS

Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising Data Subjects' rights.

The Data Processor shall:

  1. Promptly notify the Data Controller if it receives a request from a Data Subject
  2. Not respond to any Data Subject request without the Data Controller's prior written consent
  3. Provide necessary functionality within the software platform to facilitate Data Subject rights requests
  4. Assist in the identification of relevant Data Subjects and retrieval of their data

The software platform includes the following features to support Data Subject rights:

  • Data export functionality for Data Portability requests
  • Data deletion tools for Right to Erasure requests
  • Data modification capabilities for Rectification requests
  • Access logging for Right of Access requests

11. PERSONAL DATA BREACH NOTIFICATION

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data Breach affecting Subscriber Personal Data.

Such notification shall include, where possible:

  1. A description of the nature of the breach
  2. The categories and approximate number of Data Subjects concerned
  3. The categories and approximate number of Personal Data records concerned
  4. The likely consequences of the breach
  5. The measures taken or proposed to be taken to address the breach

The Data Processor shall cooperate with the Data Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

Notification Timeline:

  • Initial notification within 24 hours of becoming aware
  • Detailed report within 72 hours
  • Regular updates until resolution

12. DELETION OR RETURN OF PERSONAL DATA

At the choice of the Data Controller, the Data Processor shall delete or return all Subscriber Personal Data to the Data Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.

The Data Processor shall complete such deletion or return within 90 days of termination of the Service Agreement, unless:

  1. Applicable law requires further storage
  2. The Data Controller requests an extension for transition purposes
  3. Legal proceedings or investigations require retention

Deletion shall be carried out in accordance with industry best practices, including:

  • Secure erasure of data from production systems
  • Deletion of backup copies according to retention schedules
  • Verification and certification of deletion upon request

13. AUDIT RIGHTS

The Data Controller has the right to audit the Data Processor's compliance with this DPA. Such audits shall:

  1. Be conducted with reasonable prior notice (not less than 30 days)
  2. Not exceed one audit per calendar year, unless a Personal Data Breach has occurred
  3. Be conducted during normal business hours
  4. Not unreasonably disrupt the Data Processor's operations

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance, including:

  • Security certifications and audit reports
  • Documentation of security measures
  • Records of Processing activities
  • Breach notification logs

Alternatively, the Data Controller may accept:

  • Third-party audit reports (e.g., SOC 2, ISO 27001)
  • Certifications from recognized standards bodies
  • Questionnaires completed by the Data Processor

14. LIABILITY

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Terms of Service.

The Data Processor's total liability for all claims arising from or related to this DPA shall not exceed the limitations set forth in the Terms of Service.

The Data Processor shall be liable for the acts and omissions of its Sub-processors to the same extent the Data Processor would be liable if performing the services directly under this DPA.

15. MISCELLANEOUS

Governing Law: This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service.

Order of Precedence: In the event of any conflict or inconsistency between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.

Amendments: This DPA may be amended by the Data Processor with 30 days' prior written notice to the Data Controller. Continued use of the services after such notice constitutes acceptance of the amended DPA.

Severability: If any provision of this DPA is found to be unenforceable, the remaining provisions shall remain in full force and effect.

Notices: All notices under this DPA shall be sent to the contact points specified in the Terms of Service.

ACCEPTANCE OF AGREEMENT

This Data Processing Agreement is incorporated by reference into the Terms of Service. By accepting the Terms of Service, the Data Controller agrees to be bound by this DPA.

For Data Controllers (ISPs): Acceptance occurs upon either:

  1. Clicking "I Accept" during the registration process, or
  2. First use of the TrendWave Connect software platform

For TrendWave Connect: This DPA is automatically effective for all Data Controllers using our software services.

FOR THE DATA CONTROLLER
Authorized Signatory

FOR TRENDWAVE CONNECT LTD.
Data Protection Officer