Data Processing Addendum

1. Definitions

• Applicable Data Protection Law means the Nigeria Data Protection Act 2023 and any regulations, guidance, or codes of practice issued under it, together with any other data-protection or privacy law that applies to the processing of Personal Data under this DPA.
• Controller, Processor, Personal Data, Data Subject, Processing, and Personal Data Breach have the meanings given to them under Applicable Data Protection Law.
• Customer Personal Data means Personal Data that Tech Adventures processes on the Customer's behalf in providing the Service, as described in Annex 1.
• Sub-processor means any third party engaged by Tech Adventures to process Customer Personal Data.

2. Roles and scope

For the purposes of this DPA and in respect of Customer Personal Data:

• The Customer is the Controller.
• Tech Adventures is the Processor, acting on the Customer's documented instructions.

This DPA applies for as long as Tech Adventures processes Customer Personal Data. Details of the subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.

Tech Adventures processes Personal Data in other contexts as a Controller — for example, account and billing information of the individuals at the Customer who use the Service, and aggregated usage analytics. That Controller-level processing is governed by our Privacy Policy and is outside the scope of this DPA.

3. Customer obligations

The Customer represents and warrants that:

• It has a valid lawful basis under Applicable Data Protection Law to collect, use, and share Customer Personal Data with Tech Adventures for the purposes of the Service.
• It has given Data Subjects (including Candidates) all notices and obtained all consents required by Applicable Data Protection Law, including in respect of automated decision-making, voice recording, and interview recording where relevant.
• Its instructions to Tech Adventures will at all times comply with Applicable Data Protection Law.
• It will not submit to the Service any Personal Data that is outside the categories described in Annex 1 without our prior written agreement, and in particular will not submit sensitive health, financial-account, or government-identifier data beyond what the Service is designed to process.

4. Tech Adventures' obligations

4.1 Documented instructions

Tech Adventures will process Customer Personal Data only:

• To provide, maintain, secure, and support the Service in accordance with the Terms of Service and any configuration the Customer sets inside the Service (these together constitute the Customer's documented instructions), and any further reasonable written instructions consistent with the Terms.
• To comply with Applicable Data Protection Law and other applicable law; where we are required by law to process Customer Personal Data otherwise than on the Customer's instructions, we will notify the Customer unless the law prohibits us from doing so.

If we believe that an instruction from the Customer infringes Applicable Data Protection Law, we will notify the Customer without undue delay.

4.2 Confidentiality

Tech Adventures will ensure that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations and have received appropriate training on data protection.

4.3 Security

Tech Adventures will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to it. A summary of those measures is set out in Annex 2. We may update our security measures from time to time, provided the updates do not materially reduce the protection of Customer Personal Data.

4.4 Personal Data Breach notification

If Tech Adventures becomes aware of a Personal Data Breach affecting Customer Personal Data, we will:

• Notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach;
• Provide the Customer with the information reasonably available to us about the nature, likely consequences, categories, and approximate number of Data Subjects and records affected;
• Take reasonable steps to contain the breach and mitigate its effects;
• Cooperate with the Customer's reasonable requests related to the breach, including in support of any notifications the Customer may need to make to the Nigeria Data Protection Commission, any other regulator, or affected Data Subjects.

Our notification of a Personal Data Breach is not an acknowledgement of fault or liability.

4.5 Assistance with Data Subject rights

Taking into account the nature of the processing, Tech Adventures will provide reasonable assistance to the Customer, through appropriate technical and organisational measures, to enable the Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to automated decision-making). If we receive a request from a Data Subject relating to Customer Personal Data, we will promptly forward the request to the Customer and will not respond to it directly unless instructed by the Customer or required to do so by law.

4.6 Assistance with DPIAs and prior consultation

Taking into account the nature of the processing and the information available to us, Tech Adventures will provide the Customer with reasonable assistance in carrying out data protection impact assessments and in any prior consultations with the Nigeria Data Protection Commission or other competent supervisory authority, where required by Applicable Data Protection Law.

4.7 Return or deletion of Customer Personal Data

At the Customer's choice, Tech Adventures will delete or return Customer Personal Data at the end of the provision of the Service, subject to the retention periods described in our Privacy Policy and any legal requirement to retain the data. For a period of up to thirty (30) days after termination or expiry of the Terms of Service, the Customer may request an export of its Customer Personal Data.

5. Sub-processors

The Customer provides Tech Adventures with a general authorisation to engage Sub-processors to process Customer Personal Data, subject to the requirements in this section.

Tech Adventures will:

• Maintain a list of the categories of Sub-processors we rely on and, on request, the current specific Sub-processors within each category; the current list of categories is set out in Annex 3.
• Impose written data-protection obligations on each Sub-processor that are substantially the same as, or no less protective than, the obligations in this DPA.
• Remain responsible to the Customer for each Sub-processor's performance.
• Give the Customer at least thirty (30) days' prior notice of the addition or replacement of any Sub-processor that materially changes the processing of Customer Personal Data. The Customer may object to the change on reasonable data-protection grounds by written notice within that period. If the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Service and receive a pro-rata refund of prepaid fees for services not yet delivered.

6. International transfers

Where Tech Adventures or its Sub-processors transfer Customer Personal Data out of Nigeria, the transfer will be made only under safeguards permitted by Applicable Data Protection Law — for example, contractual protections that require the recipient to protect the data to a standard comparable to Nigerian law, or another transfer mechanism approved or recognised by the Nigeria Data Protection Commission.

7. Audits

Tech Adventures will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. We will respond to reasonable written requests for information from the Customer about our security, privacy, and compliance practices within a reasonable timeframe.

Where the Customer is required by Applicable Data Protection Law to carry out an audit that goes beyond the information we have already made available, the Customer may, on at least thirty (30) days' prior written notice and no more than once in any twelve-month period (except as required by a supervisory authority or following a Personal Data Breach), carry out an audit of Tech Adventures' compliance with this DPA. Audits will be conducted during business hours, will not unreasonably interfere with our operations, will respect the confidentiality of our other customers, and will be at the Customer's cost unless the audit identifies a material breach by Tech Adventures.

8. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA excludes or limits liability that cannot be excluded or limited by Applicable Data Protection Law.

9. Term and termination

This DPA is effective from the date the Customer first accepts the Terms of Service and remains in force for as long as Tech Adventures processes Customer Personal Data. Obligations that by their nature should survive termination — including those relating to confidentiality, security, breach notification, deletion, and liability — will survive.

10. Governing law and precedence

This DPA is governed by the laws of the Federal Republic of Nigeria and is subject to the jurisdiction clause in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails in respect of the processing of Customer Personal Data. In all other respects the Terms of Service prevail.

Annex 1 — Details of Processing

Subject matter

The processing of Customer Personal Data that Tech Adventures carries out in order to provide the EasyHire service to the Customer.

Duration

For the term of the Terms of Service and any additional period during which Tech Adventures retains Customer Personal Data in accordance with the Privacy Policy or Applicable Data Protection Law.

Nature and purpose of processing

• Hosting and storing Customer Personal Data.
• Parsing CVs and extracting structured information from them.
• Generating draft job postings, screening questions, and assessment rubrics for the Customer to review and edit.
• Receiving, storing, and scoring written assessment responses.
• Recording, transcribing, and scoring voice assessments.
• Transcribing and summarising scheduled interviews where the Customer enables the meeting assistant.
• Scheduling interviews and issuing related emails.
• Generating Candidate summaries and recommendations to support the Customer's review.
• Providing the in-product AI assistant and other contextual support features.
• Securing the Service, preventing abuse, and supporting the Customer.

Types of Personal Data

• Identity and contact information (name, email, phone).
• Professional information (CV content, employment history, education, skills, portfolio links).
• Assessment content (written responses, audio recordings, transcripts, uploaded files).
• Interview content (schedules, transcripts, summaries).
• Communications between the Customer and the Candidate made through the Service.
• Technical information relating to use of the Service (IP, device, cookies), to the extent associated with a Data Subject.

Categories of Data Subjects

• Candidates who apply to roles the Customer posts through the Service.
• Individuals at the Customer's organisation who use the Service (to the extent they appear in Customer Personal Data, for example in notes or messages).
• Interview participants who join calls at which the meeting assistant is present.

Sensitive or special-category data

The Service is not designed to process sensitive or special-category Personal Data. The Customer agrees not to submit such data unless agreed with us in writing.

Annex 2 — Technical and Organisational Measures

Tech Adventures maintains a security programme that includes the following measures, which may be updated from time to time provided the protection of Customer Personal Data is not materially reduced:

• Encryption. Encryption of Customer Personal Data in transit using current industry-standard protocols, and encryption at rest for data stored in our primary data stores and file storage.
• Access control. Role-based access to production systems, least-privilege principles, multi-factor authentication for privileged access, and periodic review of access rights.
• Network security. Firewalls, isolated production environments, and secure administrative channels.
• Secure development. Code review, secret management, dependency monitoring, and separation of production and non-production environments.
• Logging and monitoring. Centralised logging of significant events on production systems and monitoring for unusual activity.
• Backups and resilience. Regular backups of critical data and recovery procedures.
• Sub-processor management. Contractual data-protection obligations with every Sub-processor that processes Customer Personal Data.
• Personnel. Written confidentiality obligations for personnel and regular training on data protection and security.
• Incident response. Documented procedures for detecting, triaging, and responding to security and data-protection incidents, including Personal Data Breach notification.
• Data minimisation and retention. Retention periods aligned with the Privacy Policy and the Customer's instructions, with deletion or anonymisation when retention periods expire.

Annex 3 — Sub-processor Categories

Tech Adventures engages Sub-processors in the following categories to provide the Service. A current list of specific Sub-processors within each category is available on request from info@easyhire.africa.

• Cloud hosting and storage — platforms that host the application and store Customer Personal Data.
• AI inference providers — large-language- model providers used to generate scores, summaries, and recommendations.
• Speech-to-text providers — services that transcribe voice recordings and calls.
• Meeting-transcription providers — services that support the meeting assistant on interview calls.
• Email delivery providers — services that send transactional and notification emails to Candidates and the Customer.
• Payment processors — regulated providers that process Customer billing.
• Calendar and video-conferencing providers — services the Customer connects for interview scheduling and meetings.
• Analytics and error-monitoring providers — services used to understand product usage and to detect and diagnose errors.
• Customer-support tooling — services used to respond to support requests from the Customer.

Contact