Data Processing Agreement

1. Definitions

2. Scope of Processing

Elymica processes personal data on behalf of the Controller solely for the purposes of delivering the Elymica platform as described in the applicable service agreement. These purposes include:

• Authenticating users and managing sessions within the Controller's tenant.
• Recording and reporting on learner progress, quiz results, and certificate issuance.
• Delivering course content to enrolled learners.
• Processing subscription payments via authorised payment providers.
• Generating usage and compliance reports for the Controller.
• Maintaining audit logs of administrative actions within the tenant.

Elymica will not process personal data for any purpose beyond those instructed by the Controller or required by applicable law. If Elymica is legally required to process data beyond the Controller’s instructions, it will inform the Controller before doing so unless prohibited by law.

3. Elymica’s Obligations as Processor

3.1 Processing on Instructions

Elymica will process personal data only on the documented instructions of the Controller, as set out in the service agreement and this DPA. Elymica will immediately inform the Controller if, in its view, an instruction infringes applicable data protection law.

3.2 Confidentiality

Elymica ensures that all staff authorised to process personal data are bound by contractual confidentiality obligations. Access to production data is limited to personnel who require it to perform their role.

3.3 Technical and Organisational Measures

Elymica implements and maintains the following security measures:

• PostgreSQL Row-Level Security (RLS) enforcing tenant isolation at the database layer.
• TLS 1.2+ encryption for all data in transit between clients and the platform.
• Bcrypt password hashing with per-user salts; plaintext passwords are never stored.
• Two-factor authentication (OTP) required for all administrative and staff accounts.
• Short-lived JWT session tokens with automatic expiry.
• Append-only audit logs capturing all administrative actions with actor identity.
• Restricted SSH key access to production infrastructure with 2FA.
• Regular dependency vulnerability scanning on platform builds.
• Staged database migrations with tested rollback paths.

3.4 Staff Training

Elymica ensures that all personnel with access to personal data receive appropriate training on data protection obligations and are aware of their responsibilities under this DPA.

3.5 Breach Notification

In the event of a personal data breach, Elymica will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will include, where available: the nature of the breach, categories and approximate volume of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Breach notifications will be sent to the Controller’s designated security contact. Controllers are responsible for their own regulatory notification obligations. Elymica will provide reasonable assistance in preparing those notifications.

4. Sub-Processors

Elymica engages the following sub-processors. Each is bound by a data processing agreement with terms at least equivalent to this DPA:

Elymica will notify the Controller of any intended addition or replacement of sub-processors by email at least 14 days in advance, giving the Controller the opportunity to object. Where a Controller objects on reasonable data protection grounds, Elymica will work in good faith to accommodate the objection or allow the Controller to exit their agreement without penalty.

5. Data Subject Rights

Elymica will assist the Controller in fulfilling its obligations to respond to data subject rights requests, including access, correction, deletion, portability, objection, and restriction. Where Elymica receives a request directly from a data subject, it will promptly forward it to the Controller unless legally required to respond directly.

Elymica provides the following technical mechanisms to support data subject rights:

• Data export: Controllers may request a structured export of tenant personal data in JSON or CSV format.
• Deletion: Controllers may request erasure of individual user records or an entire tenant dataset.
• Correction: Administrators can update user profile data directly in the admin portal.
• Audit log: All data access and modification events are logged and available for Controller review.

6. Deletion on Contract Termination

Upon termination of the service agreement, the Controller may request a full data export within 30 days of termination. Following the export window (or immediately upon written instruction), Elymica will delete or irreversibly anonymise all personal data belonging to the Controller’s tenant, with the exception of data that Elymica is required to retain under applicable law (e.g. payment records for accounting compliance, which are retained for seven years).

Elymica will provide written confirmation of deletion within 14 days of completing the process.

7. Audit Rights

The Controller may, upon 30 days’ written notice and no more than once per calendar year, request an audit of Elymica’s data processing activities relevant to this DPA. Elymica will make available all information reasonably necessary to demonstrate compliance, including security documentation, sub-processor agreements, and audit logs.

Where an audit is conducted by an independent third-party auditor, the auditor must sign a confidentiality agreement acceptable to Elymica before accessing any system or documentation. The Controller bears the cost of the audit unless Elymica is found to be in material breach of this DPA.

8. Cross-Border Data Transfers

Platform data is primarily hosted in Germany (EU) via Hetzner. Some personal data may transit through Cloudflare’s global edge network. Where payment data is processed, it is handled by the relevant payment provider in their respective jurisdiction.

Where personal data is transferred outside the Controller’s jurisdiction, Elymica ensures appropriate safeguards are in place including Standard Contractual Clauses (SCCs) where required by applicable law. Controllers operating under GDPR should contact us to discuss transfer impact assessments if required.

9. Governing Law

This DPA is governed by the laws of Kenya, including the Data Protection Act 2019 and any implementing regulations. Where the Controller is subject to additional data protection regimes (e.g. GDPR, South Africa’s POPIA), Elymica will work in good faith to accommodate applicable obligations. Disputes arising from this DPA are subject to the jurisdiction of the courts of Nairobi, Kenya.